From 51809080686d1664138710930394d4c5914a0ee7 Mon Sep 17 00:00:00 2001 From: Richard Wall Date: Tue, 3 Oct 2023 14:32:19 +0100 Subject: [PATCH 1/4] v1.13.1-rc1 Signed-off-by: Richard Wall --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index fe0364e..08ab2b8 100644 --- a/Makefile +++ b/Makefile @@ -6,11 +6,11 @@ SHELL := bash .SUFFIXES: .ONESHELL: -CERT_MANAGER_VERSION ?= 1.12.2 +CERT_MANAGER_VERSION ?= 1.13.1 # Decoupled the BUNDLE_VERSION from the CERT_MANAGER_VERSION so that I can do a # patch release containing the fix for: # https://github.com/cert-manager/cert-manager/issues/5551 -export BUNDLE_VERSION ?= 1.12.2 +export BUNDLE_VERSION ?= 1.13.1-rc1 # DO NOT PUBLISH PRE-RELEASES TO THE STABLE CHANNEL! # For stable releases use: `candidate stable`. # For pre-releases use: `candidate`. From a9e9e4d164c7128adce1af1f3cdd8d3ffc43f182 Mon Sep 17 00:00:00 2001 From: Richard Wall Date: Tue, 3 Oct 2023 15:02:28 +0100 Subject: [PATCH 2/4] make bundle-generate 
Signed-off-by: Richard Wall --- .../acme.cert-manager.io_challenges.yaml | 78 ++++-- .../acme.cert-manager.io_orders.yaml | 2 +- ...c.authorization.k8s.io_v1_clusterrole.yaml | 21 ++ ...c.authorization.k8s.io_v1_clusterrole.yaml | 2 +- ...c.authorization.k8s.io_v1_clusterrole.yaml | 3 +- .../cert-manager-webhook_v1_configmap.yaml | 2 +- .../cert-manager-webhook_v1_service.yaml | 2 +- .../cert-manager.clusterserviceversion.yaml | 41 ++-- .../cert-manager.io_certificaterequests.yaml | 76 +++--- .../cert-manager.io_certificates.yaml | 229 ++++++++++-------- .../cert-manager.io_clusterissuers.yaml | 90 ++++--- bundle/manifests/cert-manager.io_issuers.yaml | 90 ++++--- .../manifests/cert-manager_v1_configmap.yaml | 11 + bundle/manifests/cert-manager_v1_service.yaml | 2 +- 14 files changed, 397 insertions(+), 252 deletions(-) create mode 100644 bundle/manifests/cert-manager-cluster-view_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 bundle/manifests/cert-manager_v1_configmap.yaml diff --git a/bundle/manifests/acme.cert-manager.io_challenges.yaml b/bundle/manifests/acme.cert-manager.io_challenges.yaml index fcf9b9e..1f331e4 100644 --- a/bundle/manifests/acme.cert-manager.io_challenges.yaml +++ b/bundle/manifests/acme.cert-manager.io_challenges.yaml @@ -6,7 +6,7 @@ metadata: app: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.12.2 + app.kubernetes.io/version: v1.13.1 name: challenges.acme.cert-manager.io spec: group: acme.cert-manager.io 
@@ -530,10 +530,12 @@ spec: items: description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent - of this resource (usually a route). The only kind - of parent resource with \"Core\" support is Gateway. - This API may be extended in the future to support - additional kinds of parent resources, such as HTTPRoute. + of this resource (usually a route). There are two + kinds of parent resources with \"Core\" support: \n + * Gateway (Gateway conformance profile) * Service + (Mesh conformance profile, experimental, ClusterIP + Services only) \n This API may be extended in the + future to support additional kinds of parent resources. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." @@ -551,9 +553,12 @@ spec: type: string kind: default: Gateway - description: "Kind is kind of the referent. \n Support: - Core (Gateway) \n Support: Implementation-specific - (Other Resources)" + description: "Kind is kind of the referent. \n There + are two kinds of parent resources with \"Core\" + support: \n * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, experimental, + ClusterIP Services only) \n Support for other + resources is Implementation-Specific." maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 
@@ -575,6 +580,16 @@ spec: to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. + \n ParentRefs from a Route to a Service in the + same namespace are \"producer\" routes, which + apply default routing rules to inbound connections + from any namespace to the Service. \n ParentRefs + from a Route to a Service in a different namespace + are \"consumer\" routes, and these routing rules + are only applied to outbound connections originating + from the same namespace as the Route, for which + the intended destination of the connections are + a Service targeted as a ParentRef of the Route. \n Support: Core" maxLength: 63 minLength: 1 
@@ -593,20 +608,25 @@ spec: port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n - Implementations MAY choose to support other parent - resources. Implementations supporting other types - of parent resources MUST clearly document how/if - Port is interpreted. \n For the purpose of status, - an attachment is considered successful as long - as the parent resource accepts it partially. For - example, Gateway listeners can restrict which - Routes can attach to them by Route kind, namespace, - or hostname. If 1 of 2 Gateway listeners accept - attachment from the referencing Route, the Route - MUST be considered successfully attached. If no - Gateway listeners accept attachment from this - Route, the Route MUST be considered detached from - the Gateway. \n Support: Extended \n " + When the parent resource is a Service, this targets + a specific port in the Service spec. When both + Port (experimental) and SectionName are specified, + the name and port of the selected port must match + both specified values. \n Implementations MAY + choose to support other parent resources. Implementations + supporting other types of parent resources MUST + clearly document how/if Port is interpreted. \n + For the purpose of status, an attachment is considered + successful as long as the parent resource accepts + it partially. For example, Gateway listeners can + restrict which Routes can attach to them by Route + kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing + Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment + from this Route, the Route MUST be considered + detached from the Gateway. \n Support: Extended + \n " format: int32 maximum: 65535 minimum: 1 
@@ -618,10 +638,16 @@ spec: * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified - values. \n Implementations MAY choose to support - attaching Routes to other resources. If that is - the case, they MUST clearly document how SectionName - is interpreted. \n When unspecified (empty string), + values. * Service: Port Name. When both Port (experimental) + and SectionName are specified, the name and port + of the selected listener must match both specified + values. Note that attaching Routes to Services + as Parents is part of experimental Mesh support + and is not supported for any other purpose. \n + Implementations MAY choose to support attaching + Routes to other resources. If that is the case, + they MUST clearly document how SectionName is + interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent diff --git a/bundle/manifests/acme.cert-manager.io_orders.yaml b/bundle/manifests/acme.cert-manager.io_orders.yaml index 451d548..007911e 100644 --- a/bundle/manifests/acme.cert-manager.io_orders.yaml +++ b/bundle/manifests/acme.cert-manager.io_orders.yaml @@ -6,7 +6,7 @@ metadata: app: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.12.2 + app.kubernetes.io/version: v1.13.1 name: orders.acme.cert-manager.io spec: group: acme.cert-manager.io diff --git a/bundle/manifests/cert-manager-cluster-view_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/cert-manager-cluster-view_rbac.authorization.k8s.io_v1_clusterrole.yaml new file mode 100644 index 0000000..c5bdaf7 --- /dev/null +++ b/bundle/manifests/cert-manager-cluster-view_rbac.authorization.k8s.io_v1_clusterrole.yaml 
@@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app: cert-manager + app.kubernetes.io/component: controller + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/version: v1.13.1 + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" + name: cert-manager-cluster-view +rules: +- apiGroups: + - cert-manager.io + resources: + - clusterissuers + verbs: + - get + - list + - watch diff --git a/bundle/manifests/cert-manager-edit_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/cert-manager-edit_rbac.authorization.k8s.io_v1_clusterrole.yaml index 45a78d4..5407a5c 100644 --- a/bundle/manifests/cert-manager-edit_rbac.authorization.k8s.io_v1_clusterrole.yaml +++ b/bundle/manifests/cert-manager-edit_rbac.authorization.k8s.io_v1_clusterrole.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/component: controller app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.12.2 + app.kubernetes.io/version: v1.13.1 rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" name: cert-manager-edit diff --git a/bundle/manifests/cert-manager-view_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/cert-manager-view_rbac.authorization.k8s.io_v1_clusterrole.yaml index ac311ec..750afa6 100644 --- a/bundle/manifests/cert-manager-view_rbac.authorization.k8s.io_v1_clusterrole.yaml +++ b/bundle/manifests/cert-manager-view_rbac.authorization.k8s.io_v1_clusterrole.yaml 
@@ -7,8 +7,9 @@ metadata: app.kubernetes.io/component: controller app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.12.2 + app.kubernetes.io/version: v1.13.1 rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-view: "true" name: cert-manager-view diff --git a/bundle/manifests/cert-manager-webhook_v1_configmap.yaml b/bundle/manifests/cert-manager-webhook_v1_configmap.yaml index e22d26d..5d668cf 100644 --- a/bundle/manifests/cert-manager-webhook_v1_configmap.yaml +++ b/bundle/manifests/cert-manager-webhook_v1_configmap.yaml @@ -7,5 +7,5 @@ metadata: app.kubernetes.io/component: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: webhook - app.kubernetes.io/version: v1.12.2 + app.kubernetes.io/version: v1.13.1 name: cert-manager-webhook diff --git a/bundle/manifests/cert-manager-webhook_v1_service.yaml b/bundle/manifests/cert-manager-webhook_v1_service.yaml index cc374be..0fb13bd 100644 --- a/bundle/manifests/cert-manager-webhook_v1_service.yaml +++ b/bundle/manifests/cert-manager-webhook_v1_service.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/component: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: webhook - app.kubernetes.io/version: v1.12.2 + app.kubernetes.io/version: v1.13.1 name: cert-manager-webhook spec: ports: diff --git a/bundle/manifests/cert-manager.clusterserviceversion.yaml b/bundle/manifests/cert-manager.clusterserviceversion.yaml index cd8c71b..ca3277c 100644 --- a/bundle/manifests/cert-manager.clusterserviceversion.yaml +++ b/bundle/manifests/cert-manager.clusterserviceversion.yaml 
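Review bot: The added label `rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"` on `cert-manager-view` (the `@@ -7,8 +7,9 @@` hunk of `cert-manager-view_rbac.authorization.k8s.io_v1_clusterrole.yaml`) extends whatever that role's `rules:` grant to every subject bound to `cluster-reader`. The rules are outside the hunk, so confirm they contain only `get`/`list`/`watch` on cert-manager resources and nothing that exposes Secret data. The new `cert-manager-cluster-view` role in this commit carries the same label, but its rules are fully visible and limited to read verbs on `clusterissuers`. As the manifest is produced by `make bundle-generate`, the reason for the wider aggregation is best documented in the generator input, since a comment in this file would not survive regeneration.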
@@ -67,9 +67,9 @@ metadata: ] capabilities: Full Lifecycle categories: Security - containerImage: quay.io/jetstack/cert-manager-controller:v1.12.2 - createdAt: '2023-10-03T13:18:40' - olm.skipRange: '>=1.12.0 <1.12.2' + containerImage: quay.io/jetstack/cert-manager-controller:v1.13.1 + createdAt: '2023-10-03T13:33:26' + olm.skipRange: '>=1.13.0 <1.13.1-rc1' operators.operatorframework.io/builder: operator-sdk-v1.25.0 operators.operatorframework.io/internal-objects: |- [ @@ -84,7 +84,7 @@ metadata: operatorframework.io/arch.arm64: supported operatorframework.io/arch.ppc64le: supported operatorframework.io/arch.s390x: supported - name: cert-manager.v1.12.2 + name: cert-manager.v1.13.1-rc1 namespace: placeholder spec: apiservicedefinitions: {} @@ -93,15 +93,15 @@ spec: - description: "A CertificateRequest is used to request a signed certificate from\ \ one of the configured issuers. \n All fields within the CertificateRequest's\ \ `spec` are immutable after creation. A CertificateRequest will either succeed\ - \ or fail, as denoted by its `status.state` field. \n A CertificateRequest\ - \ is a one-shot resource, meaning it represents a single point in time request\ - \ for a certificate and cannot be re-used." + \ or fail, as denoted by its `Ready` status condition and its `status.failureTime`\ + \ field. \n A CertificateRequest is a one-shot resource, meaning it represents\ + \ a single point in time request for a certificate and cannot be re-used." displayName: CertificateRequest kind: CertificateRequest name: certificaterequests.cert-manager.io version: v1 - description: "A Certificate resource should be created to ensure an up to date\ - \ and signed x509 certificate is stored in the Kubernetes Secret resource\ + \ and signed X.509 certificate is stored in the Kubernetes Secret resource\ \ named in `spec.secretName`. \n The stored certificate will be renewed before\ \ it expires (as configured by `spec.renewBefore`)." displayName: Certificate 
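Review bot: `containerImage` in the `@@ -67,9 +67,9 @@` hunk, and the `image:` and `--acme-http01-solver-image=` values in the Deployment hunks further down this file, reference images by the mutable tag `:v1.13.1` rather than by digest. A tag can be re-pointed in the registry after the bundle is published, so the bundle does not pin the content it runs. A digest reference such as `quay.io/jetstack/cert-manager-controller@sha256:<digest-of-v1.13.1>` (placeholder) does pin it. Since the file comes from `make bundle-generate`, the change presumably belongs in the generation step rather than in this manifest.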
@@ -621,7 +621,7 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.12.2 + app.kubernetes.io/version: v1.13.1 name: cert-manager spec: replicas: 1 @@ -642,21 +642,21 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.12.2 + app.kubernetes.io/version: v1.13.1 spec: containers: - args: - --v=2 - --cluster-resource-namespace=$(POD_NAMESPACE) - --leader-election-namespace=kube-system - - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.12.2 + - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.13.1 - --max-concurrent-challenges=60 env: - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - image: quay.io/jetstack/cert-manager-controller:v1.12.2 + image: quay.io/jetstack/cert-manager-controller:v1.13.1 imagePullPolicy: IfNotPresent name: cert-manager-controller ports: @@ -672,6 +672,7 @@ spec: capabilities: drop: - ALL + enableServiceLinks: false nodeSelector: kubernetes.io/os: linux securityContext: @@ -684,7 +685,7 @@ spec: app.kubernetes.io/component: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cainjector - app.kubernetes.io/version: v1.12.2 + app.kubernetes.io/version: v1.13.1 name: cert-manager-cainjector spec: replicas: 1 @@ -701,7 +702,7 @@ spec: app.kubernetes.io/component: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cainjector - app.kubernetes.io/version: v1.12.2 + app.kubernetes.io/version: v1.13.1 spec: containers: - args: @@ -712,7 +713,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: quay.io/jetstack/cert-manager-cainjector:v1.12.2 + image: quay.io/jetstack/cert-manager-cainjector:v1.13.1 imagePullPolicy: IfNotPresent name: cert-manager-cainjector resources: {} 
@@ -721,6 +722,7 @@ spec: capabilities: drop: - ALL + enableServiceLinks: false nodeSelector: kubernetes.io/os: linux securityContext: @@ -733,7 +735,7 @@ spec: app.kubernetes.io/component: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: webhook - app.kubernetes.io/version: v1.12.2 + app.kubernetes.io/version: v1.13.1 name: cert-manager-webhook spec: replicas: 1 @@ -750,7 +752,7 @@ spec: app.kubernetes.io/component: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: webhook - app.kubernetes.io/version: v1.12.2 + app.kubernetes.io/version: v1.13.1 spec: containers: - args: @@ -766,7 +768,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: quay.io/jetstack/cert-manager-webhook:v1.12.2 + image: quay.io/jetstack/cert-manager-webhook:v1.13.1 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 @@ -802,6 +804,7 @@ spec: capabilities: drop: - ALL + enableServiceLinks: false nodeSelector: kubernetes.io/os: linux securityContext: @@ -894,7 +897,7 @@ spec: provider: name: The cert-manager maintainers url: https://cert-manager.io/ - version: 1.12.2 + version: 1.13.1-rc1 webhookdefinitions: - admissionReviewVersions: - v1 diff --git a/bundle/manifests/cert-manager.io_certificaterequests.yaml b/bundle/manifests/cert-manager.io_certificaterequests.yaml index 4f42366..a6cc361 100644 --- a/bundle/manifests/cert-manager.io_certificaterequests.yaml +++ b/bundle/manifests/cert-manager.io_certificaterequests.yaml @@ -6,7 +6,7 @@ metadata: app: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.12.2 + app.kubernetes.io/version: v1.13.1 name: certificaterequests.cert-manager.io spec: group: cert-manager.io 
@@ -55,9 +55,9 @@ spec: description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed - or fail, as denoted by its `status.state` field. \n A CertificateRequest - is a one-shot resource, meaning it represents a single point in time request - for a certificate and cannot be re-used." + or fail, as denoted by its `Ready` status condition and its `status.failureTime` + field. \n A CertificateRequest is a one-shot resource, meaning it represents + a single point in time request for a certificate and cannot be re-used." properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -72,11 +72,13 @@ spec: metadata: type: object spec: - description: Desired state of the CertificateRequest resource. + description: Specification of the desired state of the CertificateRequest + resource. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status properties: duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. - This option may be ignored/overridden by some issuer types. + description: Requested 'duration' (i.e. lifetime) of the Certificate. + Note that the issuer may choose to ignore the requested duration, + just like any other requested attribute. type: string extra: additionalProperties: 
@@ -96,19 +98,19 @@ spec: type: array x-kubernetes-list-type: atomic isCA: - description: IsCA will request to mark the certificate as valid for - certificate signing when submitting to the issuer. This will automatically - add the `cert sign` usage to the list of `usages`. + description: "Requested basic constraints isCA value. Note that the + issuer may choose to ignore the requested isCA value, just like + any other requested attribute. \n NOTE: If the CSR in the `Request` + field has a BasicConstraints extension, it must have the same isCA + value as specified here. \n If true, this will automatically add + the `cert sign` usage to the list of requested `usages`." type: boolean issuerRef: - description: IssuerRef is a reference to the issuer for this CertificateRequest. If - the `kind` field is not set, or set to `Issuer`, an Issuer resource - with the given name in the same namespace as the CertificateRequest - will be used. If the `kind` field is set to `ClusterIssuer`, a - ClusterIssuer with the provided name will be used. The `name` field - in this stanza is required at all times. The group field refers - to the API group of the issuer which defaults to `cert-manager.io` - if empty. + description: "Reference to the issuer responsible for issuing the + certificate. If the issuer is namespace-scoped, it must be in the + same namespace as the Certificate. If the issuer is cluster-scoped, + it can be used from any namespace. \n The `name` field of the reference + must always be specified." properties: group: description: Group of the resource being referred to. 
@@ -123,8 +125,14 @@ spec: - name type: object request: - description: The PEM-encoded x509 certificate signing request to be - submitted to the CA for signing. + description: "The PEM-encoded X.509 certificate signing request to + be submitted to the issuer for signing. \n If the CSR has a BasicConstraints + extension, its isCA attribute must match the `isCA` value of this + CertificateRequest. If the CSR has a KeyUsage extension, its key + usages must match the key usages in the `usages` field of this CertificateRequest. + If the CSR has a ExtKeyUsage extension, its extended key usages + must match the extended key usages in the `usages` field of this + CertificateRequest." format: byte type: string uid: @@ -132,10 +140,11 @@ spec: Populated by the cert-manager webhook on creation and immutable. type: string usages: - description: Usages is the set of x509 usages that are requested for - the certificate. If usages are set they SHOULD be encoded inside - the CSR spec Defaults to `digital signature` and `key encipherment` - if not specified. + description: "Requested key usages and extended key usages. \n NOTE: + If the CSR in the `Request` field has uses the KeyUsage or ExtKeyUsage + extension, these extensions must have the same values as specified + here without any additional values. \n If unset, defaults to `digital + signature` and `key encipherment`." items: description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 
@@ -182,26 +191,27 @@ spec: - request type: object status: - description: Status of the CertificateRequest. This is set and managed - automatically. + description: 'Status of the CertificateRequest. This is set and managed + automatically. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' properties: ca: - description: The PEM encoded x509 certificate of the signer, also + description: The PEM encoded X.509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available. format: byte type: string certificate: - description: The PEM encoded x509 certificate resulting from the certificate - signing request. If not set, the CertificateRequest has either not - been completed or has failed. More information on failure can be - found by checking the `conditions` field. + description: The PEM encoded X.509 certificate resulting from the + certificate signing request. If not set, the CertificateRequest + has either not been completed or has failed. More information on + failure can be found by checking the `conditions` field. format: byte type: string conditions: description: List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. + CertificateRequest. Known condition types are `Ready`, `InvalidRequest`, + `Approved` and `Denied`. items: description: CertificateRequestCondition contains condition information for a CertificateRequest. @@ -245,8 +255,6 @@ spec: format: date-time type: string type: object - required: - - spec type: object served: true storage: true diff --git a/bundle/manifests/cert-manager.io_certificates.yaml b/bundle/manifests/cert-manager.io_certificates.yaml index fd80d2a..ef4eac3 100644 --- a/bundle/manifests/cert-manager.io_certificates.yaml 
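Review bot: The `@@ -245,8 +255,6 @@` hunk of `cert-manager.io_certificaterequests.yaml` drops `required:` / `- spec` from the top-level schema, so the CRD's OpenAPI validation no longer rejects a CertificateRequest that has no `spec` at all. The `required` list inside `spec` (ending in `- request`) only applies when `spec` is present. Rejecting a spec-less object then presumably falls to the cert-manager validating webhook, which is not visible here; confirm that with a test that submits such an object and expects a denial. If the generator input did not intend the removal, restoring `required:` / `- spec` at that level closes the gap.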
+++ b/bundle/manifests/cert-manager.io_certificates.yaml @@ -6,7 +6,7 @@ metadata: app: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.12.2 + app.kubernetes.io/version: v1.13.1 name: certificates.cert-manager.io spec: group: cert-manager.io @@ -48,7 +48,7 @@ spec: schema: openAPIV3Schema: description: "A Certificate resource should be created to ensure an up to - date and signed x509 certificate is stored in the Kubernetes Secret resource + date and signed X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)." properties: @@ -65,14 +65,15 @@ spec: metadata: type: object spec: - description: Desired state of the Certificate resource. + description: Specification of the desired state of the Certificate resource. + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status properties: additionalOutputFormats: - description: AdditionalOutputFormats defines extra output formats - of the private key and signed certificate chain to be written to - this Certificate's target Secret. This is an Alpha Feature and is - only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` - option on both the controller and webhook components. + description: "Defines extra output formats of the private key and + signed certificate chain to be written to this Certificate's target + Secret. \n This is an Alpha Feature and is only enabled with the + `--feature-gates=AdditionalCertificateOutputFormats=true` option + set on both the controller and webhook components." items: description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary 
@@ -91,53 +92,55 @@ spec: type: object type: array commonName: - description: 'CommonName is a common name to be used on the Certificate. - The CommonName should have a length of 64 characters or fewer to - avoid generating invalid CSRs. This value is ignored by TLS clients - when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + description: "Requested common name X509 certificate subject attribute. + More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 + NOTE: TLS clients will ignore this value when any subject alternative + name is set (see https://tools.ietf.org/html/rfc6125#section-6.4.4). + \n Should have a length of 64 characters or fewer to avoid generating + invalid CSRs. Cannot be set if the `literalSubject` field is set." type: string dnsNames: - description: DNSNames is a list of DNS subjectAltNames to be set on - the Certificate. + description: Requested DNS subject alternative names. items: type: string type: array duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. - This option may be ignored/overridden by some issuer types. If unset - this defaults to 90 days. Certificate will be renewed either 2/3 - through its duration or `renewBefore` period before its expiry, - whichever is later. Minimum accepted duration is 1 hour. Value must - be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + description: "Requested 'duration' (i.e. lifetime) of the Certificate. + Note that the issuer may choose to ignore the requested duration, + just like any other requested attribute. \n If unset, this defaults + to 90 days. Minimum accepted duration is 1 hour. Value must be in + units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration." type: string emailAddresses: - description: EmailAddresses is a list of email subjectAltNames to - be set on the Certificate. 
+ description: Requested email subject alternative names. items: type: string type: array encodeUsagesInRequest: - description: EncodeUsagesInRequest controls whether key usages should - be present in the CertificateRequest + description: "Whether the KeyUsage and ExtKeyUsage extensions should + be set in the encoded CSR. \n This option defaults to true, and + should only be disabled if the target issuer does not support CSRs + with these X509 KeyUsage/ ExtKeyUsage extensions." type: boolean ipAddresses: - description: IPAddresses is a list of IP address subjectAltNames to - be set on the Certificate. + description: Requested IP address subject alternative names. items: type: string type: array isCA: - description: IsCA will mark this Certificate as valid for certificate - signing. This will automatically add the `cert sign` usage to the - list of `usages`. + description: "Requested basic constraints isCA value. The isCA value + is used to set the `isCA` field on the created CertificateRequest + resources. Note that the issuer may choose to ignore the requested + isCA value, just like any other requested attribute. \n If true, + this will automatically add the `cert sign` usage to the list of + requested `usages`." type: boolean issuerRef: - description: IssuerRef is a reference to the issuer for this certificate. - If the `kind` field is not set, or set to `Issuer`, an Issuer resource - with the given name in the same namespace as the Certificate will - be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer - with the provided name will be used. The `name` field in this stanza - is required at all times. + description: "Reference to the issuer responsible for issuing the + certificate. If the issuer is namespace-scoped, it must be in the + same namespace as the Certificate. If the issuer is cluster-scoped, + it can be used from any namespace. \n The `name` field of the reference + must always be specified." 
properties: group: description: Group of the resource being referred to. @@ -152,8 +155,8 @@ spec: - name type: object keystores: - description: Keystores configures additional keystore output formats - stored in the `secretName` Secret resource. + description: Additional keystore output formats to be stored in the + Certificate's Secret. properties: jks: description: JKS configures options for storing a JKS keystore 
@@ -229,95 +232,107 @@ spec: type: object type: object literalSubject: - description: LiteralSubject is an LDAP formatted string that represents - the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6). - Use this *instead* of the Subject field if you need to ensure the - correct ordering of the RDN sequence, such as when issuing certs - for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203, - https://github.com/cert-manager/cert-manager/issues/4424. This field - is alpha level and is only supported by cert-manager installations - where LiteralCertificateSubject feature gate is enabled on both - cert-manager controller and webhook. + description: "Requested X.509 certificate subject, represented using + the LDAP \"String Representation of a Distinguished Name\" [1]. + Important: the LDAP string format also specifies the order of the + attributes in the subject, this is important when issuing certs + for LDAP authentication. Example: `CN=foo,DC=corp,DC=example,DC=com` + More info [1]: https://datatracker.ietf.org/doc/html/rfc4514 More + info: https://github.com/cert-manager/cert-manager/issues/3203 More + info: https://github.com/cert-manager/cert-manager/issues/4424 \n + Cannot be set if the `subject` or `commonName` field is set. This + is an Alpha Feature and is only enabled with the `--feature-gates=LiteralCertificateSubject=true` + option set on both the controller and webhook components." type: string privateKey: - description: Options to control private keys used for the Certificate. + description: Private key options. These include the key algorithm + and size, the used encoding and the rotation policy. properties: algorithm: - description: Algorithm is the private key algorithm of the corresponding - private key for this certificate. 
If provided, allowed values - are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified - and `size` is not provided, key size of 256 will be used for - `ECDSA` key algorithm and key size of 2048 will be used for - `RSA` key algorithm. key size is ignored when using the `Ed25519` - key algorithm. + description: "Algorithm is the private key algorithm of the corresponding + private key for this certificate. \n If provided, allowed values + are either `RSA`, `ECDSA` or `Ed25519`. If `algorithm` is specified + and `size` is not provided, key size of 2048 will be used for + `RSA` key algorithm and key size of 256 will be used for `ECDSA` + key algorithm. key size is ignored when using the `Ed25519` + key algorithm." enum: - RSA - ECDSA - Ed25519 type: string encoding: - description: The private key cryptography standards (PKCS) encoding - for this certificate's private key to be encoded in. If provided, + description: "The private key cryptography standards (PKCS) encoding + for this certificate's private key to be encoded in. \n If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and - PKCS#8, respectively. Defaults to `PKCS1` if not specified. + PKCS#8, respectively. Defaults to `PKCS1` if not specified." enum: - PKCS1 - PKCS8 type: string rotationPolicy: - description: RotationPolicy controls how private keys should be - regenerated when a re-issuance is being processed. If set to - Never, a private key will only be generated if one does not - already exist in the target `spec.secretName`. If one does exists - but it does not have the correct algorithm or size, a warning - will be raised to await user intervention. If set to Always, - a private key matching the specified requirements will be generated - whenever a re-issuance occurs. Default is 'Never' for backward - compatibility. + description: "RotationPolicy controls how private keys should + be regenerated when a re-issuance is being processed. 
\n If + set to `Never`, a private key will only be generated if one + does not already exist in the target `spec.secretName`. If one + does exists but it does not have the correct algorithm or size, + a warning will be raised to await user intervention. If set + to `Always`, a private key matching the specified requirements + will be generated whenever a re-issuance occurs. Default is + `Never` for backward compatibility." enum: - Never - Always type: string size: - description: Size is the key bit size of the corresponding private - key for this certificate. If `algorithm` is set to `RSA`, valid - values are `2048`, `4096` or `8192`, and will default to `2048` - if not specified. If `algorithm` is set to `ECDSA`, valid values - are `256`, `384` or `521`, and will default to `256` if not - specified. If `algorithm` is set to `Ed25519`, Size is ignored. - No other values are allowed. + description: "Size is the key bit size of the corresponding private + key for this certificate. \n If `algorithm` is set to `RSA`, + valid values are `2048`, `4096` or `8192`, and will default + to `2048` if not specified. If `algorithm` is set to `ECDSA`, + valid values are `256`, `384` or `521`, and will default to + `256` if not specified. If `algorithm` is set to `Ed25519`, + Size is ignored. No other values are allowed." type: integer type: object renewBefore: - description: How long before the currently issued certificate's expiry - cert-manager should renew the certificate. The default is 2/3 of - the issued certificate's duration. Minimum accepted value is 5 minutes. - Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + description: "How long before the currently issued certificate's expiry + cert-manager should renew the certificate. For example, if a certificate + is valid for 60 minutes, and `renewBefore=10m`, cert-manager will + begin to attempt to renew the certificate 50 minutes after it was + issued (i.e. 
when there are 10 minutes remaining until the certificate + is no longer valid). \n NOTE: The actual lifetime of the issued + certificate is used to determine the renewal time. If an issuer + returns a certificate with a different lifetime than the one requested, + cert-manager will use the lifetime of the issued certificate. \n + If unset, this defaults to 1/3 of the issued certificate's lifetime. + Minimum accepted value is 5 minutes. Value must be in units accepted + by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration." type: string revisionHistoryLimit: - description: revisionHistoryLimit is the maximum number of CertificateRequest - revisions that are maintained in the Certificate's history. Each - revision represents a single `CertificateRequest` created by this - Certificate, either when it was created, renewed, or Spec was changed. - Revisions will be removed by oldest first if the number of revisions - exceeds this number. If set, revisionHistoryLimit must be a value - of `1` or greater. If unset (`nil`), revisions will not be garbage - collected. Default value is `nil`. + description: "The maximum number of CertificateRequest revisions that + are maintained in the Certificate's history. Each revision represents + a single `CertificateRequest` created by this Certificate, either + when it was created, renewed, or Spec was changed. Revisions will + be removed by oldest first if the number of revisions exceeds this + number. \n If set, revisionHistoryLimit must be a value of `1` or + greater. If unset (`nil`), revisions will not be garbage collected. + Default value is `nil`." format: int32 type: integer secretName: - description: SecretName is the name of the secret resource that will - be automatically created and managed by this Certificate resource. - It will be populated with a private key and certificate, signed - by the denoted issuer. 
+ description: Name of the Secret resource that will be automatically + created and managed by this Certificate resource. It will be populated + with a private key and certificate, signed by the denoted issuer. + The Secret resource lives in the same namespace as the Certificate + resource. type: string secretTemplate: - description: SecretTemplate defines annotations and labels to be copied - to the Certificate's Secret. Labels and annotations on the Secret - will be changed as they appear on the SecretTemplate when added - or removed. SecretTemplate annotations are added in conjunction - with, and cannot overwrite, the base set of annotations cert-manager - sets on the Certificate's Secret. + description: Defines annotations and labels to be copied to the Certificate's + Secret. Labels and annotations on the Secret will be changed as + they appear on the SecretTemplate when added or removed. SecretTemplate + annotations are added in conjunction with, and cannot overwrite, + the base set of annotations cert-manager sets on the Certificate's + Secret. properties: annotations: additionalProperties: @@ -333,7 +348,10 @@ spec: type: object type: object subject: - description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + description: "Requested set of X509 certificate subject attributes. + More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 + \n The common name attribute is specified separately in the `commonName` + field. Cannot be set if the `literalSubject` field is set." properties: countries: description: Countries to be used on the Certificate. 
@@ -375,15 +393,17 @@ spec: type: array type: object uris: - description: URIs is a list of URI subjectAltNames to be set on the - Certificate. + description: Requested URI subject alternative names. items: type: string type: array usages: - description: Usages is the set of x509 usages that are requested for - the certificate. Defaults to `digital signature` and `key encipherment` - if not specified. + description: "Requested key usages and extended key usages. These + usages are used to set the `usages` field on the created CertificateRequest + resources. If `encodeUsagesInRequest` is unset or set to `true`, + the usages will additionally be encoded in the `request` field which + contains the CSR blob. \n If unset, defaults to `digital signature` + and `key encipherment`." items: description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 @@ -425,7 +445,8 @@ spec: - secretName type: object status: - description: Status of the Certificate. This is set and managed automatically. + description: 'Status of the Certificate. This is set and managed automatically. + Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' properties: conditions: description: List of status conditions to indicate the status of certificates. @@ -504,7 +525,7 @@ spec: type: string notBefore: description: The time after which the certificate stored in the secret - named by this resource in spec.secretName is valid. + named by this resource in `spec.secretName` is valid. format: date-time type: string renewalTime: @@ -525,8 +546,6 @@ spec: greater than this field." type: integer type: object - required: - - spec type: object served: true storage: true diff --git a/bundle/manifests/cert-manager.io_clusterissuers.yaml b/bundle/manifests/cert-manager.io_clusterissuers.yaml index c1d864e..f088bf8 100644 
--- a/bundle/manifests/cert-manager.io_clusterissuers.yaml +++ b/bundle/manifests/cert-manager.io_clusterissuers.yaml @@ -6,7 +6,7 @@ metadata: app: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.12.2 + app.kubernetes.io/version: v1.13.1 name: clusterissuers.cert-manager.io spec: group: cert-manager.io @@ -650,10 +650,12 @@ spec: description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). - The only kind of parent resource with \"Core\" - support is Gateway. This API may be extended - in the future to support additional kinds of - parent resources, such as HTTPRoute. \n The + There are two kinds of parent resources with + \"Core\" support: \n * Gateway (Gateway conformance + profile) * Service (Mesh conformance profile, + experimental, ClusterIP Services only) \n This + API may be extended in the future to support + additional kinds of parent resources. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." @@ -672,8 +674,12 @@ spec: kind: default: Gateway description: "Kind is kind of the referent. - \n Support: Core (Gateway) \n Support: Implementation-specific - (Other Resources)" + \n There are two kinds of parent resources + with \"Core\" support: \n * Gateway (Gateway + conformance profile) * Service (Mesh conformance + profile, experimental, ClusterIP Services + only) \n Support for other resources is + Implementation-Specific." maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 
@@ -695,7 +701,18 @@ spec: are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other - kind of cross-namespace reference. \n Support: + kind of cross-namespace reference. \n ParentRefs + from a Route to a Service in the same namespace + are \"producer\" routes, which apply default + routing rules to inbound connections from + any namespace to the Service. \n ParentRefs + from a Route to a Service in a different + namespace are \"consumer\" routes, and these + routing rules are only applied to outbound + connections originating from the same namespace + as the Route, for which the intended destination + of the connections are a Service targeted + as a ParentRef of the Route. \n Support: Core" maxLength: 63 minLength: 1 
@@ -715,20 +732,25 @@ spec: may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified - values. \n Implementations MAY choose to - support other parent resources. Implementations - supporting other types of parent resources - MUST clearly document how/if Port is interpreted. - \n For the purpose of status, an attachment - is considered successful as long as the - parent resource accepts it partially. For - example, Gateway listeners can restrict - which Routes can attach to them by Route - kind, namespace, or hostname. If 1 of 2 - Gateway listeners accept attachment from - the referencing Route, the Route MUST be - considered successfully attached. If no - Gateway listeners accept attachment from + values. \n When the parent resource is a + Service, this targets a specific port in + the Service spec. When both Port (experimental) + and SectionName are specified, the name + and port of the selected port must match + both specified values. \n Implementations + MAY choose to support other parent resources. + Implementations supporting other types of + parent resources MUST clearly document how/if + Port is interpreted. \n For the purpose + of status, an attachment is considered successful + as long as the parent resource accepts it + partially. For example, Gateway listeners + can restrict which Routes can attach to + them by Route kind, namespace, or hostname. + If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST + be considered successfully attached. If + no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " 
@@ -744,15 +766,21 @@ spec: Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match - both specified values. \n Implementations - MAY choose to support attaching Routes to - other resources. If that is the case, they - MUST clearly document how SectionName is - interpreted. \n When unspecified (empty - string), this will reference the entire - resource. For the purpose of status, an - attachment is considered successful if at - least one section in the parent resource + both specified values. * Service: Port Name. + When both Port (experimental) and SectionName + are specified, the name and port of the + selected listener must match both specified + values. Note that attaching Routes to Services + as Parents is part of experimental Mesh + support and is not supported for any other + purpose. \n Implementations MAY choose to + support attaching Routes to other resources. + If that is the case, they MUST clearly document + how SectionName is interpreted. \n When + unspecified (empty string), this will reference + the entire resource. For the purpose of + status, an attachment is considered successful + if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. diff --git a/bundle/manifests/cert-manager.io_issuers.yaml b/bundle/manifests/cert-manager.io_issuers.yaml index a5ebde4..9f57e9c 100644 --- a/bundle/manifests/cert-manager.io_issuers.yaml +++ b/bundle/manifests/cert-manager.io_issuers.yaml @@ -6,7 +6,7 @@ metadata: app: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.12.2 + app.kubernetes.io/version: v1.13.1 name: issuers.cert-manager.io spec: group: cert-manager.io 
@@ -649,10 +649,12 @@ spec: description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). - The only kind of parent resource with \"Core\" - support is Gateway. This API may be extended - in the future to support additional kinds of - parent resources, such as HTTPRoute. \n The + There are two kinds of parent resources with + \"Core\" support: \n * Gateway (Gateway conformance + profile) * Service (Mesh conformance profile, + experimental, ClusterIP Services only) \n This + API may be extended in the future to support + additional kinds of parent resources. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." @@ -671,8 +673,12 @@ spec: kind: default: Gateway description: "Kind is kind of the referent. - \n Support: Core (Gateway) \n Support: Implementation-specific - (Other Resources)" + \n There are two kinds of parent resources + with \"Core\" support: \n * Gateway (Gateway + conformance profile) * Service (Mesh conformance + profile, experimental, ClusterIP Services + only) \n Support for other resources is + Implementation-Specific." maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 
@@ -694,7 +700,18 @@ spec: are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other - kind of cross-namespace reference. \n Support: + kind of cross-namespace reference. \n ParentRefs + from a Route to a Service in the same namespace + are \"producer\" routes, which apply default + routing rules to inbound connections from + any namespace to the Service. \n ParentRefs + from a Route to a Service in a different + namespace are \"consumer\" routes, and these + routing rules are only applied to outbound + connections originating from the same namespace + as the Route, for which the intended destination + of the connections are a Service targeted + as a ParentRef of the Route. \n Support: Core" maxLength: 63 minLength: 1 
@@ -714,20 +731,25 @@ spec: may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified - values. \n Implementations MAY choose to - support other parent resources. Implementations - supporting other types of parent resources - MUST clearly document how/if Port is interpreted. - \n For the purpose of status, an attachment - is considered successful as long as the - parent resource accepts it partially. For - example, Gateway listeners can restrict - which Routes can attach to them by Route - kind, namespace, or hostname. If 1 of 2 - Gateway listeners accept attachment from - the referencing Route, the Route MUST be - considered successfully attached. If no - Gateway listeners accept attachment from + values. \n When the parent resource is a + Service, this targets a specific port in + the Service spec. When both Port (experimental) + and SectionName are specified, the name + and port of the selected port must match + both specified values. \n Implementations + MAY choose to support other parent resources. + Implementations supporting other types of + parent resources MUST clearly document how/if + Port is interpreted. \n For the purpose + of status, an attachment is considered successful + as long as the parent resource accepts it + partially. For example, Gateway listeners + can restrict which Routes can attach to + them by Route kind, namespace, or hostname. + If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST + be considered successfully attached. If + no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " 
@@ -743,15 +765,21 @@ spec: Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match - both specified values. \n Implementations - MAY choose to support attaching Routes to - other resources. If that is the case, they - MUST clearly document how SectionName is - interpreted. \n When unspecified (empty - string), this will reference the entire - resource. For the purpose of status, an - attachment is considered successful if at - least one section in the parent resource + both specified values. * Service: Port Name. + When both Port (experimental) and SectionName + are specified, the name and port of the + selected listener must match both specified + values. Note that attaching Routes to Services + as Parents is part of experimental Mesh + support and is not supported for any other + purpose. \n Implementations MAY choose to + support attaching Routes to other resources. + If that is the case, they MUST clearly document + how SectionName is interpreted. \n When + unspecified (empty string), this will reference + the entire resource. For the purpose of + status, an attachment is considered successful + if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. diff --git a/bundle/manifests/cert-manager_v1_configmap.yaml b/bundle/manifests/cert-manager_v1_configmap.yaml new file mode 100644 index 0000000..0bc7293 --- /dev/null +++ b/bundle/manifests/cert-manager_v1_configmap.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app: cert-manager + app.kubernetes.io/component: controller + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/version: v1.13.1 + name: cert-manager 
diff --git a/bundle/manifests/cert-manager_v1_service.yaml b/bundle/manifests/cert-manager_v1_service.yaml
index ec25798..3a6b055 100644
--- a/bundle/manifests/cert-manager_v1_service.yaml
+++ b/bundle/manifests/cert-manager_v1_service.yaml
@@ -7,7 +7,7 @@ metadata: app.kubernetes.io/component: controller app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.12.2 + app.kubernetes.io/version: v1.13.1 name: cert-manager spec: ports:
From 5b550f63e1e13de95972979dacb00c15b1b2a486 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Tue, 3 Oct 2023 17:49:40 +0100
Subject: [PATCH 3/4] v1.13.1
Signed-off-by: Richard Wall
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 08ab2b8..d48c9df 100644
--- a/Makefile
+++ b/Makefile
@@ -10,7 +10,7 @@ CERT_MANAGER_VERSION ?= 1.13.1
 # Decoupled the BUNDLE_VERSION from the CERT_MANAGER_VERSION so that I can do a
 # patch release containing the fix for:
 # https://github.com/cert-manager/cert-manager/issues/5551
-export BUNDLE_VERSION ?= 1.13.1-rc1
+export BUNDLE_VERSION ?= 1.13.1
 # DO NOT PUBLISH PRE-RELEASES TO THE STABLE CHANNEL!
 # For stable releases use: `candidate stable`.
 # For pre-releases use: `candidate`.
From b249773b42751626be9daaf35f847daaaa2b0007 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Tue, 3 Oct 2023 17:50:22 +0100
Subject: [PATCH 4/4] make bundle-generate
Signed-off-by: Richard Wall
---
 bundle/manifests/cert-manager.clusterserviceversion.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/bundle/manifests/cert-manager.clusterserviceversion.yaml b/bundle/manifests/cert-manager.clusterserviceversion.yaml
index ca3277c..a8c1162 100644
--- a/bundle/manifests/cert-manager.clusterserviceversion.yaml
+++ b/bundle/manifests/cert-manager.clusterserviceversion.yaml
@@ -68,8 +68,8 @@ metadata: capabilities: Full Lifecycle categories: Security containerImage: quay.io/jetstack/cert-manager-controller:v1.13.1 - createdAt: '2023-10-03T13:33:26' - olm.skipRange: '>=1.13.0 <1.13.1-rc1' + createdAt: '2023-10-03T16:49:57' + olm.skipRange: '>=1.13.0 <1.13.1' operators.operatorframework.io/builder: operator-sdk-v1.25.0 operators.operatorframework.io/internal-objects: |- [ @@ -84,7 +84,7 @@ metadata: operatorframework.io/arch.arm64: supported operatorframework.io/arch.ppc64le: supported operatorframework.io/arch.s390x: supported - name: cert-manager.v1.13.1-rc1 + name: cert-manager.v1.13.1 namespace: placeholder spec: apiservicedefinitions: {} @@ -897,7 +897,7 @@ spec: provider: name: The cert-manager maintainers url: https://cert-manager.io/ - version: 1.13.1-rc1 + version: 1.13.1 webhookdefinitions: - admissionReviewVersions: - v1