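---
# Source: cert-manager-webhook-pdns/templates/serviceaccount.yaml
# Identity the webhook pod runs as; every RBAC binding in this file that names
# the ServiceAccount cert-manager-webhook-pdns refers to this object.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-webhook-pdns
  namespace: cert-manager
  labels:
    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
    app.kubernetes.io/name: cert-manager-webhook-pdns
    app.kubernetes.io/instance: cert-manager-webhook-pdns
    app.kubernetes.io/version: "v2.5.1"
    app.kubernetes.io/managed-by: Helm
---
# Source: cert-manager-webhook-pdns/templates/rbac.yaml
# Permissions for the webhook itself: `get` on Secrets and list/watch on the
# API priority-and-fairness objects.
# NOTE(review): this is a ClusterRole bound through a ClusterRoleBinding, so
# the webhook's ServiceAccount can read any Secret in any namespace whose name
# it knows. Presumably this is needed to fetch the DNS provider credentials
# referenced by issuers; confirm, and where the set of namespaces is known,
# prefer namespaced Role/RoleBinding objects (optionally with resourceNames).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-webhook-pdns
  labels:
    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
    app.kubernetes.io/name: cert-manager-webhook-pdns
    app.kubernetes.io/instance: cert-manager-webhook-pdns
    app.kubernetes.io/version: "v2.5.1"
    app.kubernetes.io/managed-by: Helm
rules:
  - apiGroups:
      - ''
    resources:
      - 'secrets'
    verbs:
      - 'get'
  - apiGroups:
      - 'flowcontrol.apiserver.k8s.io'
    resources:
      - 'flowschemas'
      - 'prioritylevelconfigurations'
    verbs:
      - 'watch'
      - 'list'
---
# Source: cert-manager-webhook-pdns/templates/rbac.yaml
# Grant cert-manager permission to validate using our apiserver: `create` on
# every resource in the webhook's API group (the same group the APIService
# below registers and GROUP_NAME passes to the container).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-webhook-pdns:domain-solver
  labels:
    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
    app.kubernetes.io/name: cert-manager-webhook-pdns
    app.kubernetes.io/instance: cert-manager-webhook-pdns
    app.kubernetes.io/version: "v2.5.1"
    app.kubernetes.io/managed-by: Helm
rules:
  - apiGroups:
      - acme.zacharyseguin.ca
    resources:
      - '*'
    verbs:
      - 'create'
---
# Source: cert-manager-webhook-pdns/templates/rbac.yaml
# Bind the cert-manager-webhook-pdns ClusterRole (Secrets `get`, flow-control
# list/watch) to the webhook's ServiceAccount, cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-webhook-pdns
  labels:
    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
    app.kubernetes.io/name: cert-manager-webhook-pdns
    app.kubernetes.io/instance: cert-manager-webhook-pdns
    app.kubernetes.io/version: "v2.5.1"
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-webhook-pdns
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager-webhook-pdns
    namespace: cert-manager
---
# Source: cert-manager-webhook-pdns/templates/rbac.yaml
# apiserver gets the auth-delegator role to delegate auth decisions to
# the core apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-webhook-pdns:auth-delegator
  labels:
    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
    app.kubernetes.io/name: cert-manager-webhook-pdns
    app.kubernetes.io/instance: cert-manager-webhook-pdns
    app.kubernetes.io/version: "v2.5.1"
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager-webhook-pdns
    namespace: cert-manager
---
# Source: cert-manager-webhook-pdns/templates/rbac.yaml
# Bind the domain-solver ClusterRole to cert-manager's own ServiceAccount.
# The subject is cert-manager/cert-manager, not the webhook's account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-webhook-pdns:domain-solver
  labels:
    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
    app.kubernetes.io/name: cert-manager-webhook-pdns
    app.kubernetes.io/instance: cert-manager-webhook-pdns
    app.kubernetes.io/version: "v2.5.1"
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-webhook-pdns:domain-solver
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: cert-manager-webhook-pdns/templates/rbac.yaml
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
# apiserver's requestheader-ca-certificate.
# This ConfigMap is automatically created by the Kubernetes apiserver.
# The binding lives in kube-system and is namespaced (RoleBinding), unlike the
# ClusterRoleBindings above.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-webhook-pdns:webhook-authentication-reader
  namespace: kube-system
  labels:
    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
    app.kubernetes.io/name: cert-manager-webhook-pdns
    app.kubernetes.io/instance: cert-manager-webhook-pdns
    app.kubernetes.io/version: "v2.5.1"
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager-webhook-pdns
    namespace: cert-manager
---
# Source: cert-manager-webhook-pdns/templates/service.yaml
# In-cluster endpoint for the webhook: port 443 forwards to the container port
# named `https` (8443 in the Deployment below).
apiVersion: v1
kind: Service
metadata:
  name: cert-manager-webhook-pdns
  namespace: cert-manager
  labels:
    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
    app.kubernetes.io/name: cert-manager-webhook-pdns
    app.kubernetes.io/instance: cert-manager-webhook-pdns
    app.kubernetes.io/version: "v2.5.1"
    app.kubernetes.io/managed-by: Helm
spec:
  type: ClusterIP
  ports:
    - port: 443
      targetPort: https
      protocol: TCP
      name: https
  selector:
    app.kubernetes.io/name: cert-manager-webhook-pdns
    app.kubernetes.io/instance: cert-manager-webhook-pdns
---
# Source: cert-manager-webhook-pdns/templates/deployment.yaml
# Single-replica webhook server, serving HTTPS on 8443 with the certificate
# issued by the pki.yaml objects at the end of this file.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-webhook-pdns
  namespace: cert-manager
  labels:
    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
    app.kubernetes.io/name: cert-manager-webhook-pdns
    app.kubernetes.io/instance: cert-manager-webhook-pdns
    app.kubernetes.io/version: "v2.5.1"
    app.kubernetes.io/managed-by: Helm
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: cert-manager-webhook-pdns
      app.kubernetes.io/instance: cert-manager-webhook-pdns
  template:
    metadata:
      labels:
        helm.sh/chart: cert-manager-webhook-pdns-3.1.3
        app.kubernetes.io/name: cert-manager-webhook-pdns
        app.kubernetes.io/instance: cert-manager-webhook-pdns
        app.kubernetes.io/version: "v2.5.1"
        app.kubernetes.io/managed-by: Helm
    spec:
      serviceAccountName: cert-manager-webhook-pdns
      containers:
        - name: cert-manager-webhook-pdns
          # NOTE(review): `latest` is a mutable tag and, combined with
          # IfNotPresent, each node keeps whichever image it pulled first, so
          # the running code need not match the v2.5.1 version label and
          # rollouts are not reproducible. Pin a release tag or, better, an
          # image digest (<image-digest-placeholder>) once verified.
          image: "docker.io/zachomedia/cert-manager-webhook-pdns:latest"
          imagePullPolicy: IfNotPresent
          args:
            - --tls-cert-file=/tls/tls.crt
            - --tls-private-key-file=/tls/tls.key
            - --secure-port=8443
          env:
            # Must match the APIService group and the domain-solver rule.
            - name: GROUP_NAME
              value: "acme.zacharyseguin.ca"
          ports:
            - name: https
              containerPort: 8443
              protocol: TCP
          securityContext:
            runAsGroup: 100
            runAsUser: 100
            # Hardening: the process already runs as uid/gid 100 and listens
            # on an unprivileged port, so it needs neither root, added
            # capabilities, nor the ability to gain privileges via setuid
            # binaries.
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz
              port: https
          readinessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz
              port: https
          volumeMounts:
            # Serving certificate and private key; mounted read-only.
            - name: certs
              mountPath: /tls
              readOnly: true
          # NOTE(review): no requests or limits are set, so the pod is
          # BestEffort and unbounded; set values from measured usage.
          resources: {}
      volumes:
        - name: certs
          secret:
            secretName: cert-manager-webhook-pdns-webhook-tls
---
# Source: cert-manager-webhook-pdns/templates/apiservice.yaml
# Register the webhook as an aggregated API for group acme.zacharyseguin.ca.
# The inject-ca-from annotation names the serving Certificate defined below as
# the source of the CA used to verify the Service's TLS certificate.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.acme.zacharyseguin.ca
  namespace: cert-manager
  labels:
    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
    app.kubernetes.io/name: cert-manager-webhook-pdns
    app.kubernetes.io/instance: cert-manager-webhook-pdns
    app.kubernetes.io/version: "v2.5.1"
    app.kubernetes.io/managed-by: Helm
  annotations:
    cert-manager.io/inject-ca-from: "cert-manager/cert-manager-webhook-pdns-webhook-tls"
spec:
  group: acme.zacharyseguin.ca
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: cert-manager-webhook-pdns
    namespace: cert-manager
  version: v1alpha1
---
# Source: cert-manager-webhook-pdns/templates/pki.yaml
# Generate a CA Certificate used to sign certificates for the webhook
# It is issued by the self-signed Issuer below and stored, private key
# included, in the Secret cert-manager-webhook-pdns-ca.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-manager-webhook-pdns-ca
  namespace: "cert-manager"
  labels:
    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
    app.kubernetes.io/name: cert-manager-webhook-pdns
    app.kubernetes.io/instance: cert-manager-webhook-pdns
    app.kubernetes.io/version: "v2.5.1"
    app.kubernetes.io/managed-by: Helm
spec:
  secretName: cert-manager-webhook-pdns-ca
  duration: 43800h0m0s  # 5y
  issuerRef:
    name: cert-manager-webhook-pdns-selfsign
  commonName: "ca.cert-manager-webhook-pdns.cert-manager"
  isCA: true
---
# Source: cert-manager-webhook-pdns/templates/pki.yaml
# Finally, generate a serving certificate for the webhook to use
# The dnsNames are the Service's in-cluster names; the resulting Secret is the
# one the Deployment mounts at /tls.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-manager-webhook-pdns-webhook-tls
  namespace: "cert-manager"
  labels:
    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
    app.kubernetes.io/name: cert-manager-webhook-pdns
    app.kubernetes.io/instance: cert-manager-webhook-pdns
    app.kubernetes.io/version: "v2.5.1"
    app.kubernetes.io/managed-by: Helm
spec:
  secretName: cert-manager-webhook-pdns-webhook-tls
  duration: 8760h0m0s  # 1y
  issuerRef:
    name: cert-manager-webhook-pdns-ca
  dnsNames:
    - cert-manager-webhook-pdns
    - cert-manager-webhook-pdns.cert-manager
    - cert-manager-webhook-pdns.cert-manager.svc
---
# Source: cert-manager-webhook-pdns/templates/pki.yaml
# Create a selfsigned Issuer, in order to create a root CA certificate for
# signing webhook serving certificates
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: cert-manager-webhook-pdns-selfsign
  namespace: "cert-manager"
  labels:
    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
    app.kubernetes.io/name: cert-manager-webhook-pdns
    app.kubernetes.io/instance: cert-manager-webhook-pdns
    app.kubernetes.io/version: "v2.5.1"
    app.kubernetes.io/managed-by: Helm
spec:
  selfSigned: {}
---
# Source: cert-manager-webhook-pdns/templates/pki.yaml
# Create an Issuer that uses the above generated CA certificate to issue certs
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: cert-manager-webhook-pdns-ca
  namespace: "cert-manager"
  labels:
    helm.sh/chart: cert-manager-webhook-pdns-3.1.3
    app.kubernetes.io/name: cert-manager-webhook-pdns
    app.kubernetes.io/instance: cert-manager-webhook-pdns
    app.kubernetes.io/version: "v2.5.1"
    app.kubernetes.io/managed-by: Helm
spec:
  ca:
    secretName: cert-manager-webhook-pdns-ca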