diff --git a/assets/optional/cert-manager/crd/bases/certificaterequests.cert-manager.io-crd.yaml b/assets/optional/cert-manager/crd/bases/certificaterequests.cert-manager.io-crd.yaml index 3cd5dad8f1..f1c41bc81f 100644 --- a/assets/optional/cert-manager/crd/bases/certificaterequests.cert-manager.io-crd.yaml +++ b/assets/optional/cert-manager/crd/bases/certificaterequests.cert-manager.io-crd.yaml @@ -8,7 +8,7 @@ metadata: app: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.16.4 + app.kubernetes.io/version: v1.18.4 name: certificaterequests.cert-manager.io spec: group: cert-manager.io diff --git a/assets/optional/cert-manager/crd/bases/certificates.cert-manager.io-crd.yaml b/assets/optional/cert-manager/crd/bases/certificates.cert-manager.io-crd.yaml index 5c28c6ef35..3d4d2536d1 100644 --- a/assets/optional/cert-manager/crd/bases/certificates.cert-manager.io-crd.yaml +++ b/assets/optional/cert-manager/crd/bases/certificates.cert-manager.io-crd.yaml @@ -8,7 +8,7 @@ metadata: app: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.16.4 + app.kubernetes.io/version: v1.18.4 name: certificates.cert-manager.io spec: group: cert-manager.io @@ -78,10 +78,6 @@ spec: description: |- Defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. - - This is a Beta Feature enabled by default. It can be disabled with the - `--feature-gates=AdditionalCertificateOutputFormats=false` option set on both - the controller and webhook components. items: description: |- CertificateAdditionalOutputFormat defines an additional output format of a 
@@ -191,17 +187,25 @@ spec: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in - `passwordSecretRef`. + `passwordSecretRef` or `password`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority type: boolean + password: + description: |- + Password provides a literal password used to encrypt the JKS keystore. + Mutually exclusive with passwordSecretRef. + One of password or passwordSecretRef must provide a password with a non-zero length. + type: string passwordSecretRef: description: |- - PasswordSecretRef is a reference to a key in a Secret resource + PasswordSecretRef is a reference to a non-empty key in a Secret resource containing the password used to encrypt the JKS keystore. + Mutually exclusive with password. + One of password or passwordSecretRef must provide a password with a non-zero length. properties: key: description: |- @@ -219,7 +223,6 @@ spec: type: object required: - create - - passwordSecretRef type: object pkcs12: description: |- 
@@ -231,17 +234,25 @@ spec: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in - `passwordSecretRef`. + `passwordSecretRef` or in `password`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority type: boolean + password: + description: |- + Password provides a literal password used to encrypt the PKCS#12 keystore. + Mutually exclusive with passwordSecretRef. + One of password or passwordSecretRef must provide a password with a non-zero length. + type: string passwordSecretRef: description: |- - PasswordSecretRef is a reference to a key in a Secret resource - containing the password used to encrypt the PKCS12 keystore. + PasswordSecretRef is a reference to a non-empty key in a Secret resource + containing the password used to encrypt the PKCS#12 keystore. + Mutually exclusive with password. + One of password or passwordSecretRef must provide a password with a non-zero length. properties: key: description: |- @@ -266,7 +277,7 @@ spec: `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms - (eg. because of company policy). Please note that the security of the algorithm is not that important + (e.g., because of company policy). Please note that the security of the algorithm is not that important in reality, because the unencrypted certificate and private key are also stored in the Secret. enum: - LegacyRC2 @@ -275,7 +286,6 @@ spec: type: string required: - create - - passwordSecretRef type: object type: object literalSubject: 
@@ -423,7 +433,11 @@ spec: to await user intervention. If set to `Always`, a private key matching the specified requirements will be generated whenever a re-issuance occurs. - Default is `Never` for backward compatibility. + Default is `Always`. + The default was changed from `Never` to `Always` in cert-manager >=v1.18.0. + The new default can be disabled by setting the + `--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on + the controller component. enum: - Never - Always @@ -484,8 +498,7 @@ spec: revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. - If unset (`nil`), revisions will not be garbage collected. - Default value is `nil`. + Default value is `1`. format: int32 type: integer secretName: @@ -514,6 +527,21 @@ spec: description: Labels is a key value map to be copied to the target Kubernetes Secret. type: object type: object + signatureAlgorithm: + description: |- + Signature algorithm to use. + Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, SHA512WithRSA. + Allowed values for ECDSA keys: ECDSAWithSHA256, ECDSAWithSHA384, ECDSAWithSHA512. + Allowed values for Ed25519 keys: PureEd25519. + enum: + - SHA256WithRSA + - SHA384WithRSA + - SHA512WithRSA + - ECDSAWithSHA256 + - ECDSAWithSHA384 + - ECDSAWithSHA512 + - PureEd25519 + type: string subject: description: |- Requested set of X509 certificate subject attributes. diff --git a/assets/optional/cert-manager/crd/bases/challenges.acme.cert-manager.io-crd.yaml b/assets/optional/cert-manager/crd/bases/challenges.acme.cert-manager.io-crd.yaml index 43fafde7af..11e7489ded 100644 --- a/assets/optional/cert-manager/crd/bases/challenges.acme.cert-manager.io-crd.yaml +++ b/assets/optional/cert-manager/crd/bases/challenges.acme.cert-manager.io-crd.yaml 
@@ -8,7 +8,7 @@ metadata: app: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.16.4 + app.kubernetes.io/version: v1.18.4 name: challenges.acme.cert-manager.io spec: group: acme.cert-manager.io @@ -68,9 +68,9 @@ spec: type: string dnsName: description: |- - dnsName is the identifier that this challenge is for, e.g. example.com. + dnsName is the identifier that this challenge is for, e.g., example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the - non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. + non-wildcard domain, e.g., for `*.example.com`, it must be `example.com`. type: string issuerRef: description: |- @@ -257,13 +257,16 @@ spec: If set, ClientID, ClientSecret and TenantID must not be set. properties: clientID: - description: client ID of the managed identity, can not be used at the same time as resourceID + description: client ID of the managed identity, cannot be used at the same time as resourceID type: string resourceID: description: |- - resource ID of the managed identity, can not be used at the same time as clientID + resource ID of the managed identity, cannot be used at the same time as clientID Cannot be used for Azure Managed Service Identity type: string + tenantID: + description: tenant ID of the managed identity, cannot be used at the same time as resourceID + type: string type: object resourceGroupName: description: resource group the DNS zone is located in @@ -572,7 +575,7 @@ spec: when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. - If secret values are needed (e.g. credentials for a DNS service), you + If secret values are needed (e.g., credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. 
@@ -588,7 +591,7 @@ spec: description: |- The name of the solver to use, as defined in the webhook provider implementation. - This will typically be the name of the provider, e.g. 'cloudflare'. + This will typically be the name of the provider, e.g., 'cloudflare'. type: string required: - groupName @@ -600,7 +603,7 @@ spec: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names - (e.g. `*.example.com`) using the HTTP01 challenge mechanism. + (e.g., `*.example.com`) using the HTTP01 challenge mechanism. properties: gatewayHTTPRoute: description: |- diff --git a/assets/optional/cert-manager/crd/bases/clusterissuers.cert-manager.io-crd.yaml b/assets/optional/cert-manager/crd/bases/clusterissuers.cert-manager.io-crd.yaml index 77f80adb0f..982e361675 100644 --- a/assets/optional/cert-manager/crd/bases/clusterissuers.cert-manager.io-crd.yaml +++ b/assets/optional/cert-manager/crd/bases/clusterissuers.cert-manager.io-crd.yaml @@ -8,7 +8,7 @@ metadata: app: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.16.4 + app.kubernetes.io/version: v1.18.4 name: clusterissuers.cert-manager.io spec: group: cert-manager.io @@ -18,6 +18,8 @@ spec: kind: ClusterIssuer listKind: ClusterIssuerList plural: clusterissuers + shortNames: + - ciss singular: clusterissuer scope: Cluster versions: 
@@ -156,7 +158,7 @@ spec: PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. - For example, for Let's Encrypt's DST crosssign you would use: + For example, for Let's Encrypt's DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. This value picks the first certificate bundle in the combined set of ACME default and alternative chains that has a root-most certificate with @@ -185,6 +187,11 @@ spec: required: - name type: object + profile: + description: |- + Profile allows requesting a certificate profile from the ACME server. + Supported profiles are listed by the server's ACME directory URL. + type: string server: description: |- Server is the URL used to access the ACME server's 'directory' endpoint. @@ -367,13 +374,16 @@ spec: If set, ClientID, ClientSecret and TenantID must not be set. properties: clientID: - description: client ID of the managed identity, can not be used at the same time as resourceID + description: client ID of the managed identity, cannot be used at the same time as resourceID type: string resourceID: description: |- - resource ID of the managed identity, can not be used at the same time as clientID + resource ID of the managed identity, cannot be used at the same time as clientID Cannot be used for Azure Managed Service Identity type: string + tenantID: + description: tenant ID of the managed identity, cannot be used at the same time as resourceID + type: string type: object resourceGroupName: description: resource group the DNS zone is located in 
@@ -682,7 +692,7 @@ spec: when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. - If secret values are needed (e.g. credentials for a DNS service), you + If secret values are needed (e.g., credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. @@ -698,7 +708,7 @@ spec: description: |- The name of the solver to use, as defined in the webhook provider implementation. - This will typically be the name of the provider, e.g. 'cloudflare'. + This will typically be the name of the provider, e.g., 'cloudflare'. type: string required: - groupName @@ -710,7 +720,7 @@ spec: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names - (e.g. `*.example.com`) using the HTTP01 challenge mechanism. + (e.g., `*.example.com`) using the HTTP01 challenge mechanism. properties: gatewayHTTPRoute: description: |- @@ -3524,6 +3534,11 @@ spec: server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + serverName: + description: |- + ServerName is used to verify the hostname on the returned certificates + by the Vault server. + type: string required: - auth - path @@ -3559,7 +3574,7 @@ spec: url: description: |- URL is the base URL for Venafi Cloud. - Defaults to "https://api.venafi.cloud/v1". + Defaults to "https://api.venafi.cloud/". type: string required: - apiTokenSecretRef diff --git a/assets/optional/cert-manager/crd/bases/issuers.cert-manager.io-crd.yaml b/assets/optional/cert-manager/crd/bases/issuers.cert-manager.io-crd.yaml index 03d8527ee8..0befddce16 100644 --- a/assets/optional/cert-manager/crd/bases/issuers.cert-manager.io-crd.yaml 
+++ b/assets/optional/cert-manager/crd/bases/issuers.cert-manager.io-crd.yaml @@ -9,7 +9,7 @@ metadata: app.kubernetes.io/component: crds app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.16.4 + app.kubernetes.io/version: v1.18.4 name: issuers.cert-manager.io spec: group: cert-manager.io @@ -19,6 +19,8 @@ spec: kind: Issuer listKind: IssuerList plural: issuers + shortNames: + - iss singular: issuer scope: Namespaced versions: @@ -156,7 +158,7 @@ spec: PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. - For example, for Let's Encrypt's DST crosssign you would use: + For example, for Let's Encrypt's DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. This value picks the first certificate bundle in the combined set of ACME default and alternative chains that has a root-most certificate with @@ -185,6 +187,11 @@ spec: required: - name type: object + profile: + description: |- + Profile allows requesting a certificate profile from the ACME server. + Supported profiles are listed by the server's ACME directory URL. + type: string server: description: |- Server is the URL used to access the ACME server's 'directory' endpoint. 
@@ -367,13 +374,16 @@ spec: If set, ClientID, ClientSecret and TenantID must not be set. properties: clientID: - description: client ID of the managed identity, can not be used at the same time as resourceID + description: client ID of the managed identity, cannot be used at the same time as resourceID type: string resourceID: description: |- - resource ID of the managed identity, can not be used at the same time as clientID + resource ID of the managed identity, cannot be used at the same time as clientID Cannot be used for Azure Managed Service Identity type: string + tenantID: + description: tenant ID of the managed identity, cannot be used at the same time as resourceID + type: string type: object resourceGroupName: description: resource group the DNS zone is located in @@ -682,7 +692,7 @@ spec: when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. - If secret values are needed (e.g. credentials for a DNS service), you + If secret values are needed (e.g., credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. @@ -698,7 +708,7 @@ spec: description: |- The name of the solver to use, as defined in the webhook provider implementation. - This will typically be the name of the provider, e.g. 'cloudflare'. + This will typically be the name of the provider, e.g., 'cloudflare'. type: string required: - groupName @@ -710,7 +720,7 @@ spec: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names - (e.g. `*.example.com`) using the HTTP01 challenge mechanism. + (e.g., `*.example.com`) using the HTTP01 challenge mechanism. properties: gatewayHTTPRoute: description: |- 
@@ -3524,6 +3534,11 @@ spec: server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + serverName: + description: |- + ServerName is used to verify the hostname on the returned certificates + by the Vault server. + type: string required: - auth - path @@ -3559,7 +3574,7 @@ spec: url: description: |- URL is the base URL for Venafi Cloud. - Defaults to "https://api.venafi.cloud/v1". + Defaults to "https://api.venafi.cloud/". type: string required: - apiTokenSecretRef diff --git a/assets/optional/cert-manager/crd/bases/operator.openshift.io_certmanagers.yaml b/assets/optional/cert-manager/crd/bases/operator.openshift.io_certmanagers.yaml index b1d7ed2286..10bd5254e7 100644 --- a/assets/optional/cert-manager/crd/bases/operator.openshift.io_certmanagers.yaml +++ b/assets/optional/cert-manager/crd/bases/operator.openshift.io_certmanagers.yaml @@ -177,6 +177,13 @@ spec: additionalProperties: type: string type: object + overrideReplicas: + description: |- + OverrideReplicas defines the number of replicas for the operand deployment. + If not specified, the default replicas from the deployment manifest will be used. + format: int32 + minimum: 1 + type: integer overrideResources: description: |- CertManagerResourceRequirements describes the compute resource requirements for the cert-manager operands, @@ -413,6 +420,13 @@ spec: additionalProperties: type: string type: object + overrideReplicas: + description: |- + OverrideReplicas defines the number of replicas for the operand deployment. + If not specified, the default replicas from the deployment manifest will be used. + format: int32 + minimum: 1 + type: integer overrideResources: description: |- CertManagerResourceRequirements describes the compute resource requirements for the cert-manager operands, 
@@ -502,6 +516,26 @@ spec: x-kubernetes-list-type: atomic type: object type: object + defaultNetworkPolicy: + description: |- + DefaultNetworkPolicy enables the default network policy for cert-manager components. + When set to "true", the operator will create default network policies to secure + communication between cert-manager controller, webhook, and cainjector components. + When set to "false" or empty, no default network policies are created. + Valid values are: "true", "false", or empty (default: false). + + This field is immutable once set to "true" for security reasons. Network policies + cannot be disabled once enabled to prevent accidental security degradation. + Users should carefully plan their network policy requirements before enabling this field. + enum: + - "true" + - "false" + - "" + type: string + x-kubernetes-validations: + - message: defaultNetworkPolicy cannot be changed from 'true' to 'false' + once set + rule: oldSelf != 'true' || self == 'true' logLevel: default: Normal description: |- 
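Review bot: The immutability guard on `defaultNetworkPolicy` is a field-level transition rule, and as far as I know such a rule is only evaluated when the field is present on both the old and the new object, so a client that drops the field entirely (rather than setting it to "false") would, I believe, get past `rule: oldSelf != 'true' || self == 'true'` and disable the policies the description says cannot be disabled. Moving the check to the enclosing object makes the absent case explicit, e.g. `rule: "!has(oldSelf.defaultNetworkPolicy) || oldSelf.defaultNetworkPolicy != 'true' || (has(self.defaultNetworkPolicy) && self.defaultNetworkPolicy == 'true')"` with the same message. Since this YAML is emitted by controller-gen, the change belongs on the `+kubebuilder:validation:XValidation` marker of the Go struct that owns this field, not in the generated file. The description could also say which behavior is intended when the field is later unset, since it currently only covers "true", "false" and empty.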
@@ -522,6 +556,256 @@ spec: should manage the component pattern: ^(Managed|Unmanaged|Force|Removed)$ type: string + networkPolicies: + description: |- + NetworkPolicies specifies the egress network policy configuration to be applied to cert-manager + pods/operands when DefaultNetworkPolicy is "true". By default, enabling network policies + creates a deny-all policy that blocks all outgoing traffic from cert-manager components. + Ingress rules are automatically handled by the operator based on the current running ports. + Use this field to provide the necessary egress policy rules that allow required outbound traffic + for cert-manager to function properly (e.g., API server communication, external issuer access, etc.). + + Each NetworkPolicy in this slice will be created as a separate Kubernetes NetworkPolicy + resource. Multiple policies can be defined to organize egress rules logically (e.g., separate + policies for different types of outbound traffic or different security zones). + + This field is only effective when DefaultNetworkPolicy is set to "true". + If DefaultNetworkPolicy is "true" but this field is not provided, cert-manager + components will be isolated with deny-all egress policies. + + This field is immutable once DefaultNetworkPolicy is set to "true" for security reasons. + items: + description: |- + NetworkPolicy represents a custom network policy configuration for operator-managed components. + It includes a name for identification and the network policy rules to be enforced. + properties: + componentName: + description: ComponentName represents the different cert-manager + components that can have network policies applied. + enum: + - CoreController + type: string + egress: + description: |- + egress is a list of egress rules to be applied to the selected pods. 
Outgoing traffic + is allowed if there are no NetworkPolicies selecting the pod (and cluster policy + otherwise allows the traffic), OR if the traffic matches at least one egress rule + across all of the NetworkPolicy objects whose podSelector matches the pod. If + this field is empty then this NetworkPolicy limits all outgoing traffic (and serves + solely to ensure that the pods it selects are isolated by default). + The operator will automatically handle ingress rules based on the current running ports. + items: + description: |- + NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods + matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. + This type is beta-level in 1.8 + properties: + ports: + description: |- + ports is a list of destination ports for outgoing traffic. + Each item in this list is combined using a logical OR. If this field is + empty or missing, this rule matches all ports (traffic not restricted by port). + If this field is present and contains at least one item, then this rule allows + traffic only if the traffic matches at least one port in the list. + items: + description: NetworkPolicyPort describes a port to allow + traffic on + properties: + endPort: + description: |- + endPort indicates that the range of ports from port to endPort if set, inclusive, + should be allowed by the policy. This field cannot be defined if the port field + is not defined or if the port field is defined as a named (string) port. + The endPort must be equal or greater than port. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: |- + port represents the port on the given protocol. This can either be a numerical or named + port on a pod. If this field is not provided, this matches all port names and + numbers. + If present, only traffic on the specified protocol AND port will be matched. 
+ x-kubernetes-int-or-string: true + protocol: + default: TCP + description: |- + protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. + If not specified, this field defaults to TCP. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + to: + description: |- + to is a list of destinations for outgoing traffic of pods selected for this rule. + Items in this list are combined using a logical OR operation. If this field is + empty or missing, this rule matches all destinations (traffic not restricted by + destination). If this field is present and contains at least one item, this rule + allows traffic only if the traffic matches at least one item in the to list. + items: + description: |- + NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of + fields are allowed + properties: + ipBlock: + description: |- + ipBlock defines policy on a particular IPBlock. If this field is set then + neither of the other fields can be. + properties: + cidr: + description: |- + cidr is a string representing the IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + type: string + except: + description: |- + except is a slice of CIDRs that should not be included within an IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + Except values will be rejected if they are outside the cidr range + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - cidr + type: object + namespaceSelector: + description: |- + namespaceSelector selects namespaces using cluster-scoped labels. This field follows + standard label selector semantics; if present but empty, it selects all namespaces. + + If podSelector is also set, then the NetworkPolicyPeer as a whole selects + the pods matching podSelector in the namespaces selected by namespaceSelector. + Otherwise it selects all pods in the namespaces selected by namespaceSelector. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: |- + podSelector is a label selector which selects pods. This field follows standard label + selector semantics; if present but empty, it selects all pods. + + If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects + the pods matching podSelector in the Namespaces selected by NamespaceSelector. + Otherwise it selects the pods matching podSelector in the policy's own namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + name: + description: |- + Name is a unique identifier for this network policy configuration. + This name will be used as part of the generated NetworkPolicy resource name. 
+ maxLength: 253 + minLength: 1 + type: string + required: + - componentName + - name + type: object + maxItems: 50 + minItems: 0 + type: array + x-kubernetes-list-map-keys: + - name + - componentName + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: name and componentName fields in networkPolicies are immutable + rule: oldSelf.all(op, self.exists(p, p.name == op.name && p.componentName + == op.componentName)) observedConfig: description: |- observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because @@ -694,6 +978,13 @@ spec: additionalProperties: type: string type: object + overrideReplicas: + description: |- + OverrideReplicas defines the number of replicas for the operand deployment. + If not specified, the default replicas from the deployment manifest will be used. + format: int32 + minimum: 1 + type: integer overrideResources: description: |- CertManagerResourceRequirements describes the compute resource requirements for the cert-manager operands, diff --git a/assets/optional/cert-manager/crd/bases/operator.openshift.io_istiocsrs.yaml b/assets/optional/cert-manager/crd/bases/operator.openshift.io_istiocsrs.yaml index 0952e63d8a..99a594ab88 100644 --- a/assets/optional/cert-manager/crd/bases/operator.openshift.io_istiocsrs.yaml +++ b/assets/optional/cert-manager/crd/bases/operator.openshift.io_istiocsrs.yaml @@ -4,10 +4,17 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.15.0 + labels: + app.kubernetes.io/name: istiocsr + app.kubernetes.io/part-of: cert-manager-operator name: istiocsrs.operator.openshift.io spec: group: operator.openshift.io names: + categories: + - cert-manager-operator + - istio-csr + - istiocsr kind: IstioCSR listKind: IstioCSRList plural: istiocsrs 
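Review bot: The description of `networkPolicies` says the field is immutable once `DefaultNetworkPolicy` is "true", but the CEL rule `oldSelf.all(op, self.exists(p, p.name == op.name && p.componentName == op.componentName))` only requires each old (name, componentName) pair to still exist, so the `egress` rules of an existing entry can be rewritten and new entries appended at any time, and nothing in the rule looks at `DefaultNetworkPolicy` at all. That means the egress allow-list of an already-enabled policy can be widened without tripping validation, which is the opposite of the "security reasons" the text cites; either the description should be narrowed to what is enforced ("entries cannot be removed or renamed") or the documented contract should be checked on the parent object where both fields are visible. The field-level rule is also, as far as I know, not evaluated when the whole list is removed from the new object, so a removal check would need to live on the parent as well. Separately, the description mentions controller, webhook and cainjector components, while the `componentName` enum only accepts `CoreController`; the text should say that only the controller is supported for now. As with the other generated hunks, the fix belongs on the kubebuilder markers of the Go type, not in this file.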
@@ -15,22 +22,26 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - jsonPath: .status.istioCSRGRPCEndpoint name: GRPC Endpoint type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].message + name: Message + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date name: v1alpha1 schema: openAPIV3Schema: description: |- - IstioCSR describes configuration and information about the managed istio-csr - agent. The name must be `default` to make istiocsr a singleton that is, to - allow only one instance of istiocsr per namespace. + IstioCSR describes the configuration and information about the managed istio-csr agent. + The name must be `default` to make IstioCSR a singleton that is, to allow only one instance of IstioCSR per namespace. - When an IstioCSR is created, a new deployment is created which manages the - istio-csr agent and keeps it in the desired state. + When an IstioCSR is created, istio-csr agent is deployed in the IstioCSR-created namespace. properties: apiVersion: description: |- 
@@ -54,21 +65,22 @@ spec: IstioCSR. properties: controllerConfig: - description: |- - controllerConfig is for configuring the controller for setting up - defaults to enable istio-csr agent. + description: controllerConfig configures the controller for setting + up defaults to enable the istio-csr agent. properties: labels: additionalProperties: type: string - description: labels to apply to all resources created for istio-csr - agent deployment. + description: |- + labels to apply to all resources created for the istio-csr agent deployment. + This field can have a maximum of 20 entries. + maxProperties: 20 + minProperties: 0 type: object x-kubernetes-map-type: granular type: object istioCSRConfig: - description: istioCSRConfig is for configuring the istio-csr agent - behavior. + description: istioCSRConfig configures the istio-csr agent's behavior. properties: affinity: description: |- @@ -358,7 +370,6 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -373,7 +384,6 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -540,7 +550,6 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -555,7 +564,6 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -720,7 +728,6 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -735,7 +742,6 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -902,7 +908,6 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -917,7 +922,6 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -1004,9 +1008,9 @@ spec: properties: issuerRef: description: |- - issuerRef contains details to the referenced object used for - obtaining the certificates. When issuerRef.Kind is Issuer, it must exist in the - .spec.istioCSRConfig.istio.namespace. + issuerRef contains details of the referenced object used for obtaining certificates. + When `issuerRef.Kind` is `Issuer`, it must exist in the `.spec.istioCSRConfig.istio.namespace`. + This field is immutable once set. properties: group: description: Group of the resource being referred to. @@ -1028,6 +1032,33 @@ spec: == 'clusterissuer' - message: group must be 'cert-manager.io' rule: self.group.lowerAscii() == 'cert-manager.io' + istioCACertificate: + description: |- + istioCACertificate when provided, the operator will use the CA certificate from the specified ConfigMap. + If empty, the operator will automatically extract the CA certificate from the Secret containing the istiod certificate obtained from cert-manager. + properties: + key: + description: key name holding the required data. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: name of the ConfigMap. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace in which the ConfigMap exists. + If empty, ConfigMap will be looked up in IstioCSR created + namespace. + maxLength: 63 + minLength: 0 + type: string + required: + - key + - name + type: object required: - issuerRef type: object @@ -1039,7 +1070,11 @@ spec: description: istio is for configuring the istio specifics. properties: namespace: - description: namespace of the istio control-plane. + description: |- + namespace of the Istio control plane. + This field can have a maximum of 63 characters. + maxLength: 63 + minLength: 1 type: string x-kubernetes-validations: - message: namespace is immutable once set 
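Review bot: The new `istioCACertificate` block lets the CA be read from a ConfigMap in any namespace, and unlike `key` (which gets `pattern: ^[-._a-zA-Z0-9]+$`) neither `name` nor `namespace` carries a pattern, only length bounds. Since the contents of that ConfigMap become the trust anchor the operator hands to istio-csr, the field description should say so, e.g. append `Write access to the referenced ConfigMap should be restricted, since its contents are used as the trust root for istio-csr.` to the `istioCACertificate` description. For consistency with `key`, `namespace` could also get the DNS-label pattern `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`, which matches what the `maxLength: 63` already implies. The schema cannot enforce RBAC on the ConfigMap itself; that is an operator/reconciler concern outside this hunk.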
@@ -1048,99 +1083,130 @@ spec: default: - default description: |- - revisions are the istio revisions that are currently installed in the cluster. - Changing this field will modify the DNS names that will be requested for - the istiod certificate. + revisions are the Istio revisions that are currently installed in the cluster. + Changing this field will modify the DNS names that will be requested for the istiod certificate. + This field can have a maximum of 25 entries. items: + maxLength: 63 + minLength: 1 type: string - maxItems: 10 + maxItems: 25 + minItems: 0 type: array x-kubernetes-list-type: set - x-kubernetes-validations: - - message: revisions is immutable once set - rule: self.all(x, x in oldSelf) && oldSelf.all(x, x in self) required: - namespace type: object + istioDataPlaneNamespaceSelector: + description: |- + Istio-csr creates a ConfigMap named `istio-ca-root-cert` containing the root CA certificate, which the Istio data plane uses to verify server certificates. Its default behavior is to create and monitor ConfigMaps in all namespaces. + The istioDataPlaneNamespaceSelector restricts the namespaces where the ConfigMap is created by using label selectors, such as maistra.io/member-of=istio-system. This selector is also attached to all desired namespaces that are part of the data plane. + This field can have a maximum of 4096 characters. + example: maistra.io/member-of=istio-system + maxLength: 4096 + minLength: 0 + type: string istiodTLSConfig: description: istiodTLSConfig is for configuring istiod certificate specifics. properties: certificateDNSNames: - description: certificateDNSNames contains the additional DNS - names to be added to the istiod certificate SAN. + description: |- + certificateDNSNames contains the additional DNS names to be added to the istiod certificate SAN. + This field can have a maximum of 25 entries. 
items: + maxLength: 253 + minLength: 1 type: string + maxItems: 25 + minItems: 0 type: array x-kubernetes-list-type: set certificateDuration: default: 1h - description: certificateDuration is the istio-csr and the - istiod certificates validity period. + description: certificateDuration is the validity period for + the istio-csr and istiod certificates. type: string certificateRenewBefore: default: 30m - description: |- - certificateRenewBefore is the ahead time to renew the istio-csr and the istiod certificates - before expiry. + description: certificateRenewBefore is the time before expiry + to renew the istio-csr and istiod certificates. type: string commonName: description: |- - commonName is the common name to be set in the certificate.cert-manager.io - created for istiod. CommonName will be of the form `istiod..svc` - when not set. + commonName is the common name to be set in the cert-manager.io Certificate created for istiod. + The commonName will be of the form istiod..svc when not set. + This field can have a maximum of 64 characters. + example: istiod.istio-system.svc + maxLength: 64 + minLength: 0 type: string maxCertificateDuration: default: 1h - description: |- - MaxCertificateDuration is the maximum validity duration that can be - requested for a certificate. + description: MaxCertificateDuration is the maximum validity + duration that can be requested for a certificate. type: string - privateKeySize: - default: 2048 - description: |- - privateKeySize is the istio-csr and the istiod certificate's key size. When the SignatureAlgorithm - is RSA, must be >= 2048 and for ECDSA, can only be 256 or 384, corresponding to P-256 and P-384 respectively. - type: integer - x-kubernetes-validations: - - message: privateKeySize is immutable once set - rule: oldSelf == 0 || self == oldSelf - signatureAlgorithm: + privateKeyAlgorithm: default: RSA description: |- - signatureAlgorithm is the signature algorithm to use when generating - private keys. 
At present only RSA and ECDSA are supported. + privateKeyAlgorithm is the algorithm to use when generating private keys. Allowed values are RSA, and ECDSA. + This field is immutable once set. enum: - RSA - ECDSA type: string x-kubernetes-validations: - - message: signatureAlgorithm is immutable once set + - message: privateKeyAlgorithm is immutable once set rule: oldSelf == '' || self == oldSelf + privateKeySize: + default: 2048 + description: |- + privateKeySize is the key size for the istio-csr and istiod certificates. Allowed values when privateKeyAlgorithm is RSA are 2048, 4096, 8192; and for ECDSA, they are 256, 384. + This field is immutable once set. + enum: + - 256 + - 384 + - 2048 + - 4096 + - 8192 + format: int32 + type: integer + x-kubernetes-validations: + - message: privateKeySize is immutable once set + rule: oldSelf == 0 || self == oldSelf trustDomain: description: |- - trustDomain is the istio cluster's trust domain, which will also be used for deriving - spiffe URI. + trustDomain is the Istio cluster's trust domain, which will also be used for deriving the SPIFFE URI. + This field can have a maximum of 63 characters. 
+ maxLength: 63 + minLength: 1 type: string required: - trustDomain type: object x-kubernetes-validations: - - message: signatureAlgorithm may only be configured during creation - rule: '!has(oldSelf.signatureAlgorithm) && !has(self.signatureAlgorithm) - || has(oldSelf.signatureAlgorithm) && has(self.signatureAlgorithm)' + - message: privateKeyAlgorithm may only be configured during creation + rule: '!has(oldSelf.privateKeyAlgorithm) && !has(self.privateKeyAlgorithm) + || has(oldSelf.privateKeyAlgorithm) && has(self.privateKeyAlgorithm)' - message: privateKeySize may only be configured during creation rule: '!has(oldSelf.privateKeySize) && !has(self.privateKeySize) || has(oldSelf.privateKeySize) && has(self.privateKeySize)' + - message: privateKeySize must match with configured privateKeyAlgorithm + rule: '(!has(self.privateKeyAlgorithm) || self.privateKeyAlgorithm + == ''RSA'') ? (self.privateKeySize in [2048,4096,8192]) : + (self.privateKeySize in [256,384])' logFormat: default: text description: |- - logFormat is for specifying the output format of istio-csr agent logging. - Support log formats are text and json. + logFormat specifies the output format for istio-csr agent logging. + Supported log formats are text and json. + enum: + - text + - json type: string logLevel: default: 1 - description: logLevel supports value range as per [kubernetes + description: logLevel supports a value range as per [Kubernetes logging guidelines](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/logging.md#what-method-to-use). format: int32 maximum: 5 @@ -1151,7 +1217,10 @@ spec: type: string description: |- nodeSelector is for defining the scheduling criteria using node labels. + This field can have a maximum of 50 entries. ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + maxProperties: 50 + minProperties: 0 type: object x-kubernetes-map-type: atomic resources: 
@@ -1217,14 +1286,23 @@ spec: type: object type: object server: - description: |- - server is for configuring the server endpoint used by istio - for obtaining the certificates. + description: server is for configuring the server endpoint used + by istio for obtaining the certificates. properties: + clusterID: + default: Kubernetes + description: |- + clusterID is the Istio cluster ID used to verify incoming CSRs. + This field can have a maximum of 253 characters. + maxLength: 253 + minLength: 0 + type: string port: default: 443 - description: port to serve istio-csr gRPC service. + description: port to serve the istio-csr gRPC service. format: int32 + maximum: 65535 + minimum: 1 type: integer x-kubernetes-validations: - message: port is immutable once set @@ -1233,6 +1311,7 @@ spec: tolerations: description: |- tolerations is for setting the pod tolerations. + This field can have a maximum of 50 entries. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ items: description: |- @@ -1270,6 +1349,8 @@ spec: If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object + maxItems: 50 + minItems: 0 type: array x-kubernetes-list-type: atomic required: @@ -1292,8 +1373,8 @@ spec: istio-csr agent. type: string conditions: - description: conditions holds information of the current state of - the istio-csr agent deployment. + description: conditions holds information about the current state + of the istio-csr agent deployment. items: description: Condition contains details for one aspect of the current state of this API Resource. 
@@ -1353,10 +1434,9 @@ spec: - type x-kubernetes-list-type: map istioCSRGRPCEndpoint: - description: |- - istioCSRGRPCEndpoint is the service endpoint of istio-csr made available for user - to configure the same in istiod config to enable istio to use istio-csr for - certificate requests. + description: istioCSRGRPCEndpoint is the service endpoint of istio-csr, + made available for users to configure in the istiod config to enable + Istio to use istio-csr for certificate requests. type: string istioCSRImage: description: istioCSRImage is the name of the image and the tag used diff --git a/assets/optional/cert-manager/crd/bases/orders.acme.cert-manager.io-crd.yaml b/assets/optional/cert-manager/crd/bases/orders.acme.cert-manager.io-crd.yaml index 716082a8e8..d3f94fa34a 100644 --- a/assets/optional/cert-manager/crd/bases/orders.acme.cert-manager.io-crd.yaml +++ b/assets/optional/cert-manager/crd/bases/orders.acme.cert-manager.io-crd.yaml @@ -9,7 +9,7 @@ metadata: app.kubernetes.io/component: crds app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.16.4 + app.kubernetes.io/version: v1.18.4 name: orders.acme.cert-manager.io spec: group: acme.cert-manager.io @@ -110,6 +110,11 @@ spec: required: - name type: object + profile: + description: |- + Profile allows requesting a certificate profile from the ACME server. + Supported profiles are listed by the server's ACME directory URL. + type: string request: description: |- Certificate signing request bytes in DER encoding. @@ -153,7 +158,7 @@ spec: type: string type: description: |- - Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', + Type is the type of challenge being offered, e.g., 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values 
diff --git a/assets/optional/cert-manager/manager/images-aarch64.yaml b/assets/optional/cert-manager/manager/images-aarch64.yaml new file mode 100644 index 0000000000..06fcd9ece0 --- /dev/null +++ b/assets/optional/cert-manager/manager/images-aarch64.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: cert-manager-images + namespace: cert-manager +data: + cert-manager-webhook: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:8227c8925d00d1c81c95e7017209fdc6b5b1925cde2fa4fe3752fb6c81510a2d + cert-manager-ca-injector: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:8227c8925d00d1c81c95e7017209fdc6b5b1925cde2fa4fe3752fb6c81510a2d + cert-manager-controller: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:8227c8925d00d1c81c95e7017209fdc6b5b1925cde2fa4fe3752fb6c81510a2d + cert-manager-acmesolver: registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:b001612ad6362a1b7273e178d9870ab3d020a40ee3339a0f95fef1cd3913356e + cert-manager-istiocsr: registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9@sha256:78564158857ed7f1534597f3ee7faaee23b692f9ed5aa0259e19196f5400167d + controller: registry.redhat.io/cert-manager/cert-manager-operator-rhel9@sha256:9f37a838089d2e3c199a4fd97bea028cb6b66b4214e8233884716efe0a998298 diff --git a/assets/optional/cert-manager/manager/images-x86_64.yaml b/assets/optional/cert-manager/manager/images-x86_64.yaml new file mode 100644 index 0000000000..e947228bea --- /dev/null +++ b/assets/optional/cert-manager/manager/images-x86_64.yaml 
@@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: cert-manager-images + namespace: cert-manager +data: + cert-manager-webhook: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:40b47054e42363a365b491ccfe0d86f109e19fc317058ba834ffe0f5c733880b + cert-manager-ca-injector: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:40b47054e42363a365b491ccfe0d86f109e19fc317058ba834ffe0f5c733880b + cert-manager-controller: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:40b47054e42363a365b491ccfe0d86f109e19fc317058ba834ffe0f5c733880b + cert-manager-acmesolver: registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a40eb434e032fb2135f369b6fc65266ae0f409db92fd65d12cf13c7f32b5020 + cert-manager-istiocsr: registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9@sha256:0f20d178f980a3fa4527bc1613b8639385e36c367e30c93b4cbb4c4a434d3405 + controller: registry.redhat.io/cert-manager/cert-manager-operator-rhel9@sha256:8eecb53c8c81c0fa8f198260acb273759c0d12b5c01642a128923c5716df19d2 diff --git a/assets/optional/cert-manager/manager/images.yaml b/assets/optional/cert-manager/manager/images.yaml deleted file mode 100644 index 12cba66d8d..0000000000 --- a/assets/optional/cert-manager/manager/images.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: cert-manager-images - namespace: cert-manager -data: - cert-manager-webhook: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:96d51e3a64bf30cbd92836c7cbd82f06edca16eef78ab1432757d34c16628659 - cert-manager-ca-injector: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:96d51e3a64bf30cbd92836c7cbd82f06edca16eef78ab1432757d34c16628659 - cert-manager-controller: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:96d51e3a64bf30cbd92836c7cbd82f06edca16eef78ab1432757d34c16628659 - cert-manager-acmesolver: registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4f7c045819c39e176a6090efdaba6ec736edf772d88fc87dd1c6fb33d3b5b26b - cert-manager-istiocsr: registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9@sha256:9ea2c29a384b964cef14f853278821df3cd30320f25afab8823897192f67fc7e - controller: registry.redhat.io/cert-manager/cert-manager-operator-rhel9@sha256:4d5e238300ce6f427a1045d51d6b37a4e5c5633985208ebb44f91e7dd53897d9 \ No newline at end of file diff --git a/assets/optional/cert-manager/manager/manager.yaml b/assets/optional/cert-manager/manager/manager.yaml index d6b4394d51..68d65b34b5 100644 --- a/assets/optional/cert-manager/manager/manager.yaml +++ b/assets/optional/cert-manager/manager/manager.yaml 
@@ -75,21 +75,21 @@ spec: - name: OPERATOR_NAME value: cert-manager-operator - name: RELATED_IMAGE_CERT_MANAGER_WEBHOOK - value: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:96d51e3a64bf30cbd92836c7cbd82f06edca16eef78ab1432757d34c16628659 + value: quay.io/jetstack/cert-manager-webhook:latest - name: RELATED_IMAGE_CERT_MANAGER_CA_INJECTOR - value: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:96d51e3a64bf30cbd92836c7cbd82f06edca16eef78ab1432757d34c16628659 + value: quay.io/jetstack/cert-manager-cainjector:latest - name: RELATED_IMAGE_CERT_MANAGER_CONTROLLER - value: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:96d51e3a64bf30cbd92836c7cbd82f06edca16eef78ab1432757d34c16628659 + value: quay.io/jetstack/cert-manager-controller:latest - name: RELATED_IMAGE_CERT_MANAGER_ACMESOLVER - value: registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4f7c045819c39e176a6090efdaba6ec736edf772d88fc87dd1c6fb33d3b5b26b + value: quay.io/jetstack/cert-manager-acmesolver:v1.18.4 - name: RELATED_IMAGE_CERT_MANAGER_ISTIOCSR - value: registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9@sha256:9ea2c29a384b964cef14f853278821df3cd30320f25afab8823897192f67fc7e + value: quay.io/jetstack/cert-manager-istio-csr:v0.14.2 - name: OPERAND_IMAGE_VERSION - value: 1.17.0 + value: 1.18.4 - name: ISTIOCSR_OPERAND_IMAGE_VERSION - value: 0.14.0 + value: 0.14.2 - name: OPERATOR_IMAGE_VERSION - value: 1.17.0 + value: 1.18.1 - name: OPERATOR_LOG_LEVEL value: '2' - name: TRUSTED_CA_CONFIGMAP_NAME @@ -105,6 +105,7 @@ spec: - 'ALL' privileged: false runAsNonRoot: true + readOnlyRootFilesystem: true seccompProfile: type: 'RuntimeDefault' ports: @@ -115,5 +116,11 @@ spec: requests: cpu: 10m memory: 32Mi + volumeMounts: + - name: tmp + mountPath: /tmp serviceAccountName: controller-manager terminationGracePeriodSeconds: 10 + volumes: + - name: tmp + emptyDir: {} 
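Review bot: The `RELATED_IMAGE_CERT_MANAGER_WEBHOOK`, `_CA_INJECTOR` and `_CONTROLLER` values now point at floating `quay.io/jetstack/...:latest` tags, replacing digest-pinned registry.redhat.io references, while the new `images-aarch64.yaml`/`images-x86_64.yaml` ConfigMaps in this commit keep digests. If the operator ever falls back to these env values (for instance when the `cert-manager-images` ConfigMap is missing), it would pull unpinned upstream builds that need not match `OPERAND_IMAGE_VERSION` 1.18.4 or the `v1.18.4` tag used for acmesolver two lines below. Please confirm the ConfigMap always takes precedence, and otherwise pin these three values to a digest or at least to `:v1.18.4`. A short comment above the block stating that the ConfigMap overrides these defaults would also save the next reader the same question.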
diff --git a/assets/optional/cert-manager/rbac/role.yaml b/assets/optional/cert-manager/rbac/role.yaml index c6a646f4ff..c387f3a403 100644 --- a/assets/optional/cert-manager/rbac/role.yaml +++ b/assets/optional/cert-manager/rbac/role.yaml @@ -200,6 +200,7 @@ rules: resources: - ingresses - ingresses/finalizers + - networkpolicies verbs: - create - delete diff --git a/assets/optional/cert-manager/release-cert-manager-aarch64.json b/assets/optional/cert-manager/release-cert-manager-aarch64.json index 643c6e34ef..52ade756ee 100644 --- a/assets/optional/cert-manager/release-cert-manager-aarch64.json +++ b/assets/optional/cert-manager/release-cert-manager-aarch64.json 
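Review bot: Appending `networkpolicies` to the rule that already covers `ingresses` and `ingresses/finalizers` gives the operator every verb that rule carries (`create`, `delete` and whatever follows the hunk) without a deliberate choice for NetworkPolicy objects. This looks like the backing permission for the new `networkPolicies` field in the CertManager CRD; confirm the inherited verb list is the minimum the reconciler needs, and if not, give `networkpolicies` its own rule with only those verbs. Whether this is a Role or a ClusterRole, and the rest of the verb list, are outside the hunk.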
@@ -1,13 +1,13 @@
 {
 "release": {
- "base": "1.17.0"
+ "base": "1.18.0"
 },
 "images": {
- "cert-manager-operator": "registry.redhat.io/cert-manager/cert-manager-operator-rhel9@sha256:4d5e238300ce6f427a1045d51d6b37a4e5c5633985208ebb44f91e7dd53897d9",
- "cert-manager-webhook": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:96d51e3a64bf30cbd92836c7cbd82f06edca16eef78ab1432757d34c16628659",
- "cert-manager-ca-injector": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:96d51e3a64bf30cbd92836c7cbd82f06edca16eef78ab1432757d34c16628659",
- "cert-manager-controller": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:96d51e3a64bf30cbd92836c7cbd82f06edca16eef78ab1432757d34c16628659",
- "cert-manager-acmesolver": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4f7c045819c39e176a6090efdaba6ec736edf772d88fc87dd1c6fb33d3b5b26b",
- "cert-manager-istiocsr": "registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9@sha256:9ea2c29a384b964cef14f853278821df3cd30320f25afab8823897192f67fc7e"
+ "cert-manager-operator": "registry.redhat.io/cert-manager/cert-manager-operator-rhel9@sha256:9f37a838089d2e3c199a4fd97bea028cb6b66b4214e8233884716efe0a998298",
+ "cert-manager-istiocsr": "registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9@sha256:78564158857ed7f1534597f3ee7faaee23b692f9ed5aa0259e19196f5400167d",
+ "cert-manager-acmesolver": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:b001612ad6362a1b7273e178d9870ab3d020a40ee3339a0f95fef1cd3913356e",
+ "cert-manager-webhook": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:8227c8925d00d1c81c95e7017209fdc6b5b1925cde2fa4fe3752fb6c81510a2d",
+ "cert-manager-ca-injector": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:8227c8925d00d1c81c95e7017209fdc6b5b1925cde2fa4fe3752fb6c81510a2d",
+ "cert-manager-controller": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:8227c8925d00d1c81c95e7017209fdc6b5b1925cde2fa4fe3752fb6c81510a2d"
 }
 }
diff --git a/assets/optional/cert-manager/release-cert-manager-x86_64.json b/assets/optional/cert-manager/release-cert-manager-x86_64.json
index 643c6e34ef..cad3495978 100644
--- a/assets/optional/cert-manager/release-cert-manager-x86_64.json
+++ b/assets/optional/cert-manager/release-cert-manager-x86_64.json
@@ -1,13 +1,13 @@
 {
 "release": {
- "base": "1.17.0"
+ "base": "1.18.0"
 },
 "images": {
- "cert-manager-operator": "registry.redhat.io/cert-manager/cert-manager-operator-rhel9@sha256:4d5e238300ce6f427a1045d51d6b37a4e5c5633985208ebb44f91e7dd53897d9",
- "cert-manager-webhook": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:96d51e3a64bf30cbd92836c7cbd82f06edca16eef78ab1432757d34c16628659",
- "cert-manager-ca-injector": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:96d51e3a64bf30cbd92836c7cbd82f06edca16eef78ab1432757d34c16628659",
- "cert-manager-controller": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:96d51e3a64bf30cbd92836c7cbd82f06edca16eef78ab1432757d34c16628659",
- "cert-manager-acmesolver": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4f7c045819c39e176a6090efdaba6ec736edf772d88fc87dd1c6fb33d3b5b26b",
- "cert-manager-istiocsr": "registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9@sha256:9ea2c29a384b964cef14f853278821df3cd30320f25afab8823897192f67fc7e"
+ "cert-manager-operator": "registry.redhat.io/cert-manager/cert-manager-operator-rhel9@sha256:8eecb53c8c81c0fa8f198260acb273759c0d12b5c01642a128923c5716df19d2",
+ "cert-manager-istiocsr": "registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9@sha256:0f20d178f980a3fa4527bc1613b8639385e36c367e30c93b4cbb4c4a434d3405",
+ "cert-manager-acmesolver": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a40eb434e032fb2135f369b6fc65266ae0f409db92fd65d12cf13c7f32b5020",
+ "cert-manager-webhook": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:40b47054e42363a365b491ccfe0d86f109e19fc317058ba834ffe0f5c733880b",
+ "cert-manager-ca-injector": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:40b47054e42363a365b491ccfe0d86f109e19fc317058ba834ffe0f5c733880b",
+ "cert-manager-controller": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:40b47054e42363a365b491ccfe0d86f109e19fc317058ba834ffe0f5c733880b"
 }
 }
diff --git a/packaging/rpm/microshift.spec b/packaging/rpm/microshift.spec
index df982adaa3..8753aac078 100644
--- a/packaging/rpm/microshift.spec
+++ b/packaging/rpm/microshift.spec
@@ -562,12 +562,22 @@ install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshi install -p -m644 assets/optional/cert-manager/crd/bases/*.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/crd/bases install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/crd/patches install -p -m644 assets/optional/cert-manager/crd/patches/*.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/crd/patches -install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/manager -install -p -m644 assets/optional/cert-manager/manager/*.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/manager install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/rbac install -p -m644 assets/optional/cert-manager/rbac/*.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/rbac install -p -m644 assets/optional/cert-manager/kustomization.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager +install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/manager +install -p -m644 assets/optional/cert-manager/manager/manager.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/manager +install -p -m644 assets/optional/cert-manager/manager/kustomization.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/manager + +%ifarch %{arm} aarch64 +cat assets/optional/cert-manager/manager/images-aarch64.yaml >> %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/manager/images.yaml +%endif + +%ifarch x86_64 +cat assets/optional/cert-manager/manager/images-x86_64.yaml >> %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/manager/images.yaml +%endif + # cert-manager-release-info 
mkdir -p -m755 %{buildroot}%{_datadir}/microshift/release install -p -m644 assets/optional/cert-manager/release-cert-manager-{x86_64,aarch64}.json %{buildroot}%{_datadir}/microshift/release/ @@ -779,7 +789,10 @@ fi # Use Git command to generate the log and replace the VERSION string # LANG=C git log --date="format:%a %b %d %Y" --pretty="tformat:* %cd %an <%ae> VERSION%n- %s%n" packaging/rpm/microshift.spec %changelog -* Fri Jan 09 2026 Pablo Acevedo Montserrat 4.22.0 +* Sun Jan 18 2026 Gregory Giguashvili 4.21.0 +- Update cert-manager manifests to use per-platform images + +* Fri Jan 09 2026 Pablo Acevedo Montserrat 4.21.0 - Add rdma-core dependency to SR-IOV RPM * Mon Sep 29 2025 Gregory Giguashvili 4.21.0 diff --git a/scripts/auto-rebase/assets_cert_manager.yaml b/scripts/auto-rebase/assets_cert_manager.yaml index d2bfeb7086..56bbdc4e8d 100644 --- a/scripts/auto-rebase/assets_cert_manager.yaml +++ b/scripts/auto-rebase/assets_cert_manager.yaml @@ -34,11 +34,13 @@ assets: no_clean: True src: cert-manager-operator/config/manager/ files: - - file: kustomization.yaml - ignore: "Provided by MicroShift" - - file: images.yaml - ignore: "Provided by MicroShift" - file: manager.yaml + - file: kustomization.yaml + ignore: "Provided by MicroShift" + - file: images-aarch64.yaml + ignore: "Provided by MicroShift" + - file: images-x86_64.yaml + ignore: "Provided by MicroShift" - dir: optional/cert-manager/rbac/ src: cert-manager-operator/config/rbac/ files: diff --git a/scripts/auto-rebase/last_rebase_cert_manager.sh b/scripts/auto-rebase/last_rebase_cert_manager.sh new file mode 100755 index 0000000000..37e30003b9 --- /dev/null +++ b/scripts/auto-rebase/last_rebase_cert_manager.sh @@ -0,0 +1,2 @@ +#!/bin/bash -x +./scripts/auto-rebase/rebase_cert_manager.sh to "registry.redhat.io/redhat/redhat-operator-index:v4.20" diff --git a/scripts/auto-rebase/rebase_cert_manager.sh b/scripts/auto-rebase/rebase_cert_manager.sh index 54de006264..b28d801e11 100755 
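Review bot: The two `%ifarch` blocks that produce `manager/images.yaml` have no failing `%else`, so a build for any other architecture silently ships the manager kustomization without an `images.yaml`; an `%else` branch with `%{error:no cert-manager images for this arch}` would turn that into a build-time failure. The `cat ... >>` also creates the file under the build user's umask instead of the explicit `-m644` every other manifest receives, and `>>` appends where the file cannot pre-exist, so `install -p -m644 assets/optional/cert-manager/manager/images-x86_64.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/manager/images.yaml` (and the aarch64 equivalent) would replace both lines and match the surrounding style. Including `%{arm}` in the first condition maps a 32-bit arm build, if one is ever made, onto the aarch64 digests; a one-line comment saying whether that is intended would help.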
--- a/scripts/auto-rebase/rebase_cert_manager.sh +++ b/scripts/auto-rebase/rebase_cert_manager.sh @@ -148,7 +148,7 @@ download_cert_manager(){ } -# helper to update ConfigMap with image references +# helper to update ConfigMap with image references in images.yaml update_configmap_image() { local component_name="$1" local full_image_ref="$2" @@ -158,17 +158,21 @@ update_configmap_image() { write_cert_manager_images_for_arch() { local arch="$1" + local arch_digest + title "Updating images for ${arch}" local cert_manager_release_json="${REPOROOT}/assets/optional/cert-manager/release-cert-manager-${GOARCH_TO_UNAME_MAP[${arch}]}.json" - local cert_manager_operator_yaml="${REPOROOT}/assets/optional/cert-manager/manager/manager.yaml" - local cert_manager_images_yaml="${REPOROOT}/assets/optional/cert-manager/manager/images.yaml" + local cert_manager_images_yaml="${REPOROOT}/assets/optional/cert-manager/manager/images-${GOARCH_TO_UNAME_MAP[${arch}]}.yaml" local operatorVersion=$(yq '.properties[] | select(.type == "olm.package").value.version' "${OPERATOR_CERT_MANAGER_INDEX}") jq -n "{\"release\": {\"base\": \"${operatorVersion}\"}, \"images\": {}}" > "${cert_manager_release_json}" - #containerImage + # controllerImage local operatorImageFull=$(yq '.properties[] | select(.type == "olm.csv.metadata").value.annotations.containerImage' "${OPERATOR_CERT_MANAGER_INDEX}") + arch_digest=$(oc -a "${PULL_SECRET_FILE}" image info -o json --filter-by-os "linux/${arch}" "${operatorImageFull}" | jq -r '.digest') + operatorImageFull="${operatorImageFull%@*}@${arch_digest}" + local operatorImage="${operatorImageFull%:*}" local operatorTag="${operatorImageFull#*:}" 
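Review bot: `arch_digest` is spliced into `operatorImageFull` unchecked after `oc ... image info -o json ... | jq -r '.digest'`: if `oc` returns JSON without a `digest` field, jq prints `null` with exit status 0, and whether a failed `oc` is caught at all depends on `set -o pipefail` being in effect above the hunk. Either way the result, `<image>@null` or `<image>@`, is written into the release JSON and the images ConfigMap as if it were a pinned reference, and that digest is the integrity anchor for every operand the operator deploys. Validate it before use, e.g. `[[ "${arch_digest}" =~ ^sha256:[0-9a-f]{64}$ ]] || { echo "invalid digest for ${operatorImageFull}" >&2; exit 1; }`. The same unchecked substitution recurs for every related image in the next hunk (`@@ -177,28 +181,20 @@`); `write_cert_manager_images_for_arch` continues past this hunk.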
@@ -177,28 +181,20 @@ write_cert_manager_images_for_arch() { # update controller image in ConfigMap update_configmap_image "controller" "${operatorImageFull}" "${cert_manager_images_yaml}" - #relatedImages + # relatedImages for index in $(yq '.relatedImages.[] | path | .[-1] ' "${OPERATOR_CERT_MANAGER_INDEX}"); do - local image=$(yq ".relatedImages.${index}.image" "${OPERATOR_CERT_MANAGER_INDEX}" ) - local component=$(yq ".relatedImages.${index}.name" "${OPERATOR_CERT_MANAGER_INDEX}") - if [[ -n "${component}" && "${OPERATOR_COMPONENTS}" == *"${component}"* ]]; then - yq -i -o json ".images += {\"${component}\": \"${image}\"}" "${cert_manager_release_json}" + local image=$(yq ".relatedImages.${index}.image" "${OPERATOR_CERT_MANAGER_INDEX}" ) + arch_digest=$(oc -a "${PULL_SECRET_FILE}" image info -o json --filter-by-os "linux/${arch}" "${image}" | jq -r '.digest') + image="${image%@*}@${arch_digest}" - # update component image in ConfigMap - update_configmap_image "${component}" "${image}" "${cert_manager_images_yaml}" + local component=$(yq ".relatedImages.${index}.name" "${OPERATOR_CERT_MANAGER_INDEX}") + if [[ -n "${component}" && "${OPERATOR_COMPONENTS}" == *"${component}"* ]]; then + yq -i -o json ".images += {\"${component}\": \"${image}\"}" "${cert_manager_release_json}" - # update environment variables in manager.yaml - sed -i "s#value:.*${component}.*#value: ${image}#g" "${cert_manager_operator_yaml}" - - # handle special case istiocsr v istio-csr mismatch - if [[ "${component}" == "cert-manager-istiocsr" ]]; then - sed -i "s#value:.*cert-manager-istio-csr.*#value: ${image}#g" "${cert_manager_operator_yaml}" + # update component image in images.yaml + update_configmap_image "${component}" "${image}" "${cert_manager_images_yaml}" fi - fi - - done - } update_cert_manager_images() { 
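Review bot: The `oc image info` lookup now runs for every entry in `relatedImages` before the `OPERATOR_COMPONENTS` filter, so the rebase performs an authenticated registry round-trip for images MicroShift never ships and either aborts or, without `pipefail`, silently records `@null` when one of those unused images has no `linux/${arch}` manifest. Move the two digest lines inside the `if [[ -n "${component}" … ]]` branch and validate the result before it is written, as sketched below. The removed `sed` calls also dropped the `cert-manager-istiocsr` / `cert-manager-istio-csr` name mapping, while the new `update_configmap_image "${component}"` keys the ConfigMap by the bundle name `istiocsr`; if the manager still looks up the image by the `istio-csr` spelling this should be confirmed against manager.yaml, which is not in this hunk. The enclosing function `write_cert_manager_images_for_arch` starts outside the hunk.
```shell
for index in $(yq '.relatedImages.[] | path | .[-1] ' "${OPERATOR_CERT_MANAGER_INDEX}"); do
    local image=$(yq ".relatedImages.${index}.image" "${OPERATOR_CERT_MANAGER_INDEX}" )
    local component=$(yq ".relatedImages.${index}.name" "${OPERATOR_CERT_MANAGER_INDEX}")
    if [[ -n "${component}" && "${OPERATOR_COMPONENTS}" == *"${component}"* ]]; then
        # Resolve the per-arch digest only for components MicroShift ships
        arch_digest=$(oc -a "${PULL_SECRET_FILE}" image info -o json --filter-by-os "linux/${arch}" "${image}" | jq -r '.digest')
        [[ "${arch_digest}" == sha256:* ]] || { echo "failed to resolve linux/${arch} digest for ${image}" >&2; exit 1; }
        image="${image%@*}@${arch_digest}"
        # … unchanged: release JSON and images.yaml updates …
    fi
done
```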
@@ -213,17 +209,39 @@ update_cert_manager_images() { done } - copy_manifests() { title "Copying manifests" "$REPOROOT/scripts/auto-rebase/handle_assets.py" "./scripts/auto-rebase/assets_cert_manager.yaml" } +update_last_cert_manager_rebase() { + local cert_manager_operator_bundle="$1" + + title "## Updating last_rebase_cert_manager.sh" + + local last_rebase_script="${REPOROOT}/scripts/auto-rebase/last_rebase_cert_manager.sh" + + rm -f "${last_rebase_script}" + cat - >"${last_rebase_script}" <
