cluster-api-operator
✨ Add deployment overrides to templates
What this PR does / why we need it:

Adding an option to override certain configuration in the following resources:

- addon
- bootstrap
- control-plane
- core-conditions
- core
- infra-conditions
- infra
Example of values.yaml snippet:
```yaml
---
# ---
# Cluster API provider options
core: override-test-core
bootstrap: override-test-core
controlPlane: override-test-core
infrastructure: override-test-core
addon: override-test-core
manager.featureGates: {}
# ---
# Common configuration secret options
configSecret: {}
# ---
# CAPI operator deployment options
logLevel: 2
replicaCount: 1
leaderElection:
  enabled: true
image:
  manager:
    repository: gcr.io/k8s-staging-capi-operator/cluster-api-operator
    tag: dev
    pullPolicy: IfNotPresent
env:
  manager: []
healthAddr: ":8081"
metricsBindAddr: "127.0.0.1:8080"
diagnosticsAddress: "8443"
insecureDiagnostics: false
imagePullSecrets: {}
resources:
  manager:
    limits:
      cpu: 100m
      memory: 150Mi
    requests:
      cpu: 100m
      memory: 100Mi
containerSecurityContext: {}
affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/arch
              operator: In
              values:
                - amd64
                - arm64
                - ppc64le
            - key: kubernetes.io/os
              operator: In
              values:
                - linux
tolerations:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
  - effect: NoSchedule
    key: node-role.kubernetes.io/control-plane
volumes:
  - name: cert
    secret:
      defaultMode: 420
      secretName: capi-operator-webhook-service-cert
volumeMounts:
  manager:
    - mountPath: /tmp/k8s-webhook-server/serving-certs
      name: cert
      readOnly: true
deploymentOverride:
  addon:
    containers:
      - name: manager
        imageUrl: "test.org/cluster-api-provider-aws/cluster-api-provider-aws-controller:v0.6.0"
  core:
    containers:
      - name: manager
        imageUrl: "test.org/cluster-api/cluster-api-controller:v1.7.1"
  infrastructure:
    deployment:
      containers:
        - name: manager
          imageUrl: "test.org/cluster-api-vsphere/cluster-api-vsphere-controller:v1.10.0"
  bootstrap:
    deployment:
      containers:
        - name: manager
          imageUrl: "test.org/cluster-api-bootstrap-provider-kubeadm/cluster-api-kubeadm-controller:v0.4.0"
  controlPlane:
    deployment:
      containers:
        - name: manager
          imageUrl: "test.org/cluster-api-control-plane/cluster-api-control-plane-controller:v0.4.0"
  coreConditions:
    containers:
      - name: manager
        imageUrl: "test.org/cluster-api/cluster-api-controller:v1.7.1"
  infraConditions:
    containers:
      - name: manager
        imageUrl: "test.org/cluster-api/cluster-api-controller:v1.7.1"
```
Output looks like:
```yaml
---
# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
  name: release-name-cert-manager-cainjector
  namespace: default
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
---
# Source: cluster-api-operator/charts/cert-manager/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
  name: release-name-cert-manager
  namespace: default
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
---
# Source: cluster-api-operator/charts/cert-manager/templates/webhook-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
  name: release-name-cert-manager-webhook
  namespace: default
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
---
# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "create", "update", "patch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "update", "patch"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
# Issuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "issuers/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
# ClusterIssuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "clusterissuers/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
# Certificates controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders"]
    verbs: ["create", "delete", "get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
# Orders controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "orders/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "challenges"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["create", "delete"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
# Challenges controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  # Use to update challenge resource status
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "challenges/status"]
    verbs: ["update", "patch"]
  # Used to watch challenge resources
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["get", "list", "watch"]
  # Used to watch challenges, issuer and clusterissuer resources
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Need to be able to retrieve ACME account private key to complete challenges
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # Used to create events
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  # HTTP01 rules
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  - apiGroups: [ "gateway.networking.k8s.io" ]
    resources: [ "httproutes" ]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  # We require the ability to specify a custom hostname when we are creating
  # new ingress resources.
  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
  - apiGroups: ["route.openshift.io"]
    resources: ["routes/custom-host"]
    verbs: ["create"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges/finalizers"]
    verbs: ["update"]
  # DNS01 rules (duplicated above)
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
# ingress-shim controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests"]
    verbs: ["create", "update", "delete"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/finalizers"]
    verbs: ["update"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["gateways", "httproutes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["gateways/finalizers", "httproutes/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-cluster-view
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers"]
    verbs: ["get", "list", "watch"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-view
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "orders"]
    verbs: ["get", "list", "watch"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-edit
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/status"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "orders"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-controller-approve:cert-manager-io
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "cert-manager"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["signers"]
    verbs: ["approve"]
    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
# Permission to:
# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-controller-certificatesigningrequests
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "cert-manager"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["signers"]
    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
    verbs: ["sign"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/webhook-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-webhook:subjectaccessreviews
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-cert-manager-cainjector
subjects:
  - name: release-name-cert-manager-cainjector
    namespace: default
    kind: ServiceAccount
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-cert-manager-controller-issuers
subjects:
  - name: release-name-cert-manager
    namespace: default
    kind: ServiceAccount
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-cert-manager-controller-clusterissuers
subjects:
  - name: release-name-cert-manager
    namespace: default
    kind: ServiceAccount
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-cert-manager-controller-certificates
subjects:
  - name: release-name-cert-manager
    namespace: default
    kind: ServiceAccount
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-cert-manager-controller-orders
subjects:
  - name: release-name-cert-manager
    namespace: default
    kind: ServiceAccount
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-cert-manager-controller-challenges
subjects:
  - name: release-name-cert-manager
    namespace: default
    kind: ServiceAccount
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-cert-manager-controller-ingress-shim
subjects:
  - name: release-name-cert-manager
    namespace: default
    kind: ServiceAccount
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-cert-manager-controller-approve:cert-manager-io
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "cert-manager"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-cert-manager-controller-approve:cert-manager-io
subjects:
  - name: release-name-cert-manager
    namespace: default
    kind: ServiceAccount
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-cert-manager-controller-certificatesigningrequests
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "cert-manager"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-cert-manager-controller-certificatesigningrequests
subjects:
  - name: release-name-cert-manager
    namespace: default
    kind: ServiceAccount
---
# Source: cluster-api-operator/charts/cert-manager/templates/webhook-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-cert-manager-webhook:subjectaccessreviews
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-cert-manager-webhook:subjectaccessreviews
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: release-name-cert-manager-webhook
    namespace: default
---
# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-rbac.yaml
# leader election rules
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: release-name-cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  # Used for leader election by the controller
  # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
  # see cmd/cainjector/start.go#L113
  # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
  # see cmd/cainjector/start.go#L137
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
    verbs: ["get", "update", "patch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: release-name-cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    resourceNames: ["cert-manager-controller"]
    verbs: ["get", "update", "patch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/webhook-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: release-name-cert-manager-webhook:dynamic-serving
  namespace: default
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames:
      - 'release-name-cert-manager-webhook-ca'
    verbs: ["get", "list", "watch", "update"]
  # It's not possible to grant CREATE permission on a single resourceName.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-rbac.yaml
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: release-name-cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: release-name-cert-manager-cainjector:leaderelection
subjects:
  - kind: ServiceAccount
    name: release-name-cert-manager-cainjector
    namespace: default
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: release-name-cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: release-name-cert-manager:leaderelection
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: release-name-cert-manager
    namespace: default
---
# Source: cluster-api-operator/charts/cert-manager/templates/webhook-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: release-name-cert-manager-webhook:dynamic-serving
  namespace: default
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: release-name-cert-manager-webhook:dynamic-serving
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: release-name-cert-manager-webhook
    namespace: default
---
# Source: cluster-api-operator/charts/cert-manager/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: release-name-cert-manager
  namespace: default
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
spec:
  type: ClusterIP
  ports:
    - protocol: TCP
      port: 9402
      name: tcp-prometheus-servicemonitor
      targetPort: 9402
  selector:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
---
# Source: cluster-api-operator/charts/cert-manager/templates/webhook-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: release-name-cert-manager-webhook
  namespace: default
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
spec:
  type: ClusterIP
  ports:
    - name: https
      port: 443
      protocol: TCP
      targetPort: "https"
  selector:
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "webhook"
---
# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: release-name-cert-manager-cainjector
  namespace: default
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: cainjector
      app.kubernetes.io/instance: release-name
      app.kubernetes.io/component: "cainjector"
  template:
    metadata:
      labels:
        app: cainjector
        app.kubernetes.io/name: cainjector
        app.kubernetes.io/instance: release-name
        app.kubernetes.io/component: "cainjector"
        app.kubernetes.io/version: "v1.14.5"
        app.kubernetes.io/managed-by: Helm
        helm.sh/chart: cert-manager-v1.14.5
    spec:
      serviceAccountName: release-name-cert-manager-cainjector
      enableServiceLinks: false
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: cert-manager-cainjector
          image: "quay.io/jetstack/cert-manager-cainjector:v1.14.5"
          imagePullPolicy: IfNotPresent
          args:
            - --v=2
            - --leader-election-namespace=kube-system
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
      nodeSelector:
        kubernetes.io/os: linux
---
# Source: cluster-api-operator/charts/cert-manager/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: release-name-cert-manager
  namespace: default
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: cert-manager
      app.kubernetes.io/instance: release-name
      app.kubernetes.io/component: "controller"
  template:
    metadata:
      labels:
        app: cert-manager
        app.kubernetes.io/name: cert-manager
        app.kubernetes.io/instance: release-name
        app.kubernetes.io/component: "controller"
        app.kubernetes.io/version: "v1.14.5"
        app.kubernetes.io/managed-by: Helm
        helm.sh/chart: cert-manager-v1.14.5
      annotations:
        prometheus.io/path: "/metrics"
        prometheus.io/scrape: 'true'
        prometheus.io/port: '9402'
    spec:
      serviceAccountName: release-name-cert-manager
      enableServiceLinks: false
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: cert-manager-controller
          image: "quay.io/jetstack/cert-manager-controller:v1.14.5"
          imagePullPolicy: IfNotPresent
          args:
            - --v=2
            - --cluster-resource-namespace=$(POD_NAMESPACE)
            - --leader-election-namespace=kube-system
            - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.14.5
            - --max-concurrent-challenges=60
          ports:
            - containerPort: 9402
```
name: http-metrics
protocol: TCP
- containerPort: 9403
name: http-healthz
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# LivenessProbe settings are based on those used for the Kubernetes
# controller-manager. See:
# https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
livenessProbe:
httpGet:
port: http-healthz
path: /livez
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 15
successThreshold: 1
failureThreshold: 8
nodeSelector:
kubernetes.io/os: linux
---
# Source: cluster-api-operator/charts/cert-manager/templates/webhook-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: release-name-cert-manager-webhook
namespace: default
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: "webhook"
app.kubernetes.io/version: "v1.14.5"
app.kubernetes.io/managed-by: Helm
helm.sh/chart: cert-manager-v1.14.5
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: "webhook"
template:
metadata:
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: "webhook"
app.kubernetes.io/version: "v1.14.5"
app.kubernetes.io/managed-by: Helm
helm.sh/chart: cert-manager-v1.14.5
spec:
serviceAccountName: release-name-cert-manager-webhook
enableServiceLinks: false
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: cert-manager-webhook
image: "quay.io/jetstack/cert-manager-webhook:v1.14.5"
imagePullPolicy: IfNotPresent
args:
- --v=2
- --secure-port=10250
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
- --dynamic-serving-ca-secret-name=release-name-cert-manager-webhook-ca
- --dynamic-serving-dns-names=release-name-cert-manager-webhook
- --dynamic-serving-dns-names=release-name-cert-manager-webhook.$(POD_NAMESPACE)
- --dynamic-serving-dns-names=release-name-cert-manager-webhook.$(POD_NAMESPACE).svc
ports:
- name: https
protocol: TCP
containerPort: 10250
- name: healthcheck
protocol: TCP
containerPort: 6080
livenessProbe:
httpGet:
path: /livez
port: 6080
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: /healthz
port: 6080
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
nodeSelector:
kubernetes.io/os: linux
---
# Source: cluster-api-operator/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: release-name-cluster-api-operator
namespace: 'default'
labels:
app: cluster-api-operator
app.kubernetes.io/name: cluster-api-operator
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: "controller"
control-plane: controller-manager
clusterctl.cluster.x-k8s.io/core: capi-operator
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: cluster-api-operator
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: "controller"
control-plane: controller-manager
clusterctl.cluster.x-k8s.io/core: capi-operator
template:
metadata:
labels:
app: cluster-api-operator
app.kubernetes.io/name: cluster-api-operator
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: "controller"
control-plane: controller-manager
clusterctl.cluster.x-k8s.io/core: capi-operator
spec:
containers:
- args:
- --v=2
- --health-addr=:8081
- --metrics-bind-addr=127.0.0.1:8080
- --diagnostics-address=8443
- --leader-elect=true
command:
- /manager
image: "gcr.io/k8s-staging-capi-operator/cluster-api-operator:dev"
imagePullPolicy: IfNotPresent
name: manager
ports:
- containerPort: 9443
name: webhook-server
protocol: TCP
- containerPort: 8080
name: metrics
protocol: TCP
resources:
limits:
cpu: 100m
memory: 150Mi
requests:
cpu: 100m
memory: 100Mi
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
terminationGracePeriodSeconds: 10
volumes:
- name: cert
secret:
defaultMode: 420
secretName: capi-operator-webhook-service-cert
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
- arm64
- ppc64le
- key: kubernetes.io/os
operator: In
values:
- linux
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
---
# Source: cluster-api-operator/templates/addon.yaml
# Addon provider
---
# Source: cluster-api-operator/templates/bootstrap.yaml
# Bootstrap provider
---
# Source: cluster-api-operator/templates/control-plane.yaml
# Control plane provider
---
# Source: cluster-api-operator/templates/core-conditions.yaml
# Deploy core components if not specified
---
# Source: cluster-api-operator/templates/core.yaml
# Core provider
---
# Source: cluster-api-operator/templates/infra-conditions.yaml
# Deploy bootstrap, and infrastructure components if not specified
---
# Source: cluster-api-operator/templates/infra.yaml
# Infrastructure providers
---
# Source: cluster-api-operator/charts/cert-manager/templates/webhook-mutating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: release-name-cert-manager-webhook
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: "webhook"
app.kubernetes.io/version: "v1.14.5"
app.kubernetes.io/managed-by: Helm
helm.sh/chart: cert-manager-v1.14.5
annotations:
cert-manager.io/inject-ca-from-secret: "default/release-name-cert-manager-webhook-ca"
webhooks:
- name: webhook.cert-manager.io
rules:
- apiGroups:
- "cert-manager.io"
apiVersions:
- "v1"
operations:
- CREATE
resources:
- "certificaterequests"
admissionReviewVersions: ["v1"]
# This webhook only accepts v1 cert-manager resources.
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
# this webhook (after the resources have been converted to v1).
matchPolicy: Equivalent
timeoutSeconds: 30
failurePolicy: Fail
# Only include 'sideEffects' field in Kubernetes 1.12+
sideEffects: None
clientConfig:
service:
name: release-name-cert-manager-webhook
namespace: default
path: /mutate
---
# Source: cluster-api-operator/charts/cert-manager/templates/webhook-validating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: release-name-cert-manager-webhook
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: "webhook"
app.kubernetes.io/version: "v1.14.5"
app.kubernetes.io/managed-by: Helm
helm.sh/chart: cert-manager-v1.14.5
annotations:
cert-manager.io/inject-ca-from-secret: "default/release-name-cert-manager-webhook-ca"
webhooks:
- name: webhook.cert-manager.io
namespaceSelector:
matchExpressions:
- key: cert-manager.io/disable-validation
operator: NotIn
values:
- "true"
rules:
- apiGroups:
- "cert-manager.io"
- "acme.cert-manager.io"
apiVersions:
- "v1"
operations:
- CREATE
- UPDATE
resources:
- "*/*"
admissionReviewVersions: ["v1"]
# This webhook only accepts v1 cert-manager resources.
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
# this webhook (after the resources have been converted to v1).
matchPolicy: Equivalent
timeoutSeconds: 30
failurePolicy: Fail
sideEffects: None
clientConfig:
service:
name: release-name-cert-manager-webhook
namespace: default
path: /validate
---
# Source: cluster-api-operator/templates/addon.yaml
apiVersion: v1
kind: Namespace
metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-weight": "1"
name: override-test-core-addon-system
---
# Source: cluster-api-operator/templates/bootstrap.yaml
apiVersion: v1
kind: Namespace
metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-weight": "1"
name: override-test-core-bootstrap-system
---
# Source: cluster-api-operator/templates/control-plane.yaml
apiVersion: v1
kind: Namespace
metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-weight": "1"
name: override-test-core-control-plane-system
---
# Source: cluster-api-operator/templates/core.yaml
apiVersion: v1
kind: Namespace
metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-weight": "1"
name: capi-system
---
# Source: cluster-api-operator/templates/infra.yaml
apiVersion: v1
kind: Namespace
metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-weight": "1"
name: override-test-core-infrastructure-system
---
# Source: cluster-api-operator/charts/cert-manager/templates/startupapicheck-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
name: release-name-cert-manager-startupapicheck
namespace: default
annotations:
helm.sh/hook: post-install
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "-5"
labels:
app: startupapicheck
app.kubernetes.io/name: startupapicheck
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: "startupapicheck"
app.kubernetes.io/version: "v1.14.5"
app.kubernetes.io/managed-by: Helm
helm.sh/chart: cert-manager-v1.14.5
---
# Source: cluster-api-operator/charts/cert-manager/templates/startupapicheck-rbac.yaml
# create certificate role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: release-name-cert-manager-startupapicheck:create-cert
namespace: default
labels:
app: startupapicheck
app.kubernetes.io/name: startupapicheck
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: "startupapicheck"
app.kubernetes.io/version: "v1.14.5"
app.kubernetes.io/managed-by: Helm
helm.sh/chart: cert-manager-v1.14.5
annotations:
helm.sh/hook: post-install
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "-5"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates"]
verbs: ["create"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/startupapicheck-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: release-name-cert-manager-startupapicheck:create-cert
namespace: default
labels:
app: startupapicheck
app.kubernetes.io/name: startupapicheck
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: "startupapicheck"
app.kubernetes.io/version: "v1.14.5"
app.kubernetes.io/managed-by: Helm
helm.sh/chart: cert-manager-v1.14.5
annotations:
helm.sh/hook: post-install
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "-5"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: release-name-cert-manager-startupapicheck:create-cert
subjects:
- kind: ServiceAccount
name: release-name-cert-manager-startupapicheck
namespace: default
---
# Source: cluster-api-operator/charts/cert-manager/templates/startupapicheck-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: release-name-cert-manager-startupapicheck
namespace: default
labels:
app: startupapicheck
app.kubernetes.io/name: startupapicheck
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: "startupapicheck"
app.kubernetes.io/version: "v1.14.5"
app.kubernetes.io/managed-by: Helm
helm.sh/chart: cert-manager-v1.14.5
annotations:
helm.sh/hook: post-install
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "1"
spec:
backoffLimit: 4
template:
metadata:
labels:
app: startupapicheck
app.kubernetes.io/name: startupapicheck
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: "startupapicheck"
app.kubernetes.io/version: "v1.14.5"
app.kubernetes.io/managed-by: Helm
helm.sh/chart: cert-manager-v1.14.5
spec:
restartPolicy: OnFailure
serviceAccountName: release-name-cert-manager-startupapicheck
enableServiceLinks: false
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: cert-manager-startupapicheck
image: "quay.io/jetstack/cert-manager-startupapicheck:v1.14.5"
imagePullPolicy: IfNotPresent
args:
- check
- api
- --wait=1m
- -v
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
nodeSelector:
kubernetes.io/os: linux
---
# Source: cluster-api-operator/templates/addon.yaml
apiVersion: operator.cluster.x-k8s.io/v1alpha2
kind: AddonProvider
metadata:
name: override-test-core
namespace: override-test-core-addon-system
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-weight": "2"
containers:
- imageUrl: test.org/cluster-api-provider-aws/cluster-api-provider-aws-controller:v0.6.0
name: manager
---
# Source: cluster-api-operator/templates/bootstrap.yaml
apiVersion: operator.cluster.x-k8s.io/v1alpha2
kind: BootstrapProvider
metadata:
name: override-test-core
namespace: override-test-core-bootstrap-system
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-weight": "2"
deployment:
containers:
- imageUrl: test.org/cluster-api-bootstrap-provider-kubeadm/cluster-api-kubeadm-controller:v0.4.0
name: manager
---
# Source: cluster-api-operator/templates/control-plane.yaml
apiVersion: operator.cluster.x-k8s.io/v1alpha2
kind: ControlPlaneProvider
metadata:
name: override-test-core
namespace: override-test-core-control-plane-system
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-weight": "2"
deployment:
containers:
- imageUrl: test.org/cluster-api-control-plane/cluster-api-control-plane-controller:v0.4.0
name: manager
---
# Source: cluster-api-operator/templates/core.yaml
apiVersion: operator.cluster.x-k8s.io/v1alpha2
kind: CoreProvider
metadata:
name: override-test-core
namespace: capi-system
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-weight": "2"
containers:
- imageUrl: test.org/cluster-api/cluster-api-controller:v1.7.1
name: manager
---
# Source: cluster-api-operator/templates/infra.yaml
apiVersion: operator.cluster.x-k8s.io/v1alpha2
kind: InfrastructureProvider
metadata:
name: override-test-core
namespace: override-test-core-infrastructure-system
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-weight": "2"
deployment:
containers:
- imageUrl: test.org/cluster-api-vsphere/cluster-api-vsphere-controller:v1.10.0
name: manager
Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #516
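Because the override lets values.yaml repoint each provider's manager image, a reviewer may want to list every image reference in the `helm template` output before installing. The script below is an added example, not code from this PR or from cluster-api-operator: it line-scans rendered output for `image:` and `imageUrl:` fields and reports references that are tag-only or come from a registry outside an allowlist. The allowlist, the function names, and the last sample document are assumptions made for illustration.

```python
import re

# Assumption: registries this cluster may pull from (hypothetical policy,
# not something the PR defines).
ALLOWED_REGISTRIES = {"quay.io", "gcr.io"}

# Pod-spec `image:` and the provider override field `imageUrl:`.
IMAGE_RE = re.compile(r"^\s*(?:-\s+)?(image|imageUrl):\s*[\"']?([^\"'\s]+)")
KIND_RE = re.compile(r"^kind:\s*(\S+)")
SOURCE_RE = re.compile(r"^# Source:\s*(\S+)")

# First three documents: lines copied from the rendered output on this page.
# Last document: constructed, to show a digest-pinned override.
SAMPLE = """\
---
# Source: cluster-api-operator/charts/cert-manager/templates/webhook-deployment.yaml
kind: Deployment
containers:
- name: cert-manager-webhook
image: "quay.io/jetstack/cert-manager-webhook:v1.14.5"
---
# Source: cluster-api-operator/templates/core.yaml
kind: CoreProvider
containers:
- imageUrl: test.org/cluster-api/cluster-api-controller:v1.7.1
name: manager
---
# Source: cluster-api-operator/templates/infra.yaml
kind: InfrastructureProvider
deployment:
containers:
- imageUrl: test.org/cluster-api-vsphere/cluster-api-vsphere-controller:v1.10.0
name: manager
---
# Source: constructed/example.yaml
kind: BootstrapProvider
deployment:
containers:
- imageUrl: quay.io/example/bootstrap-controller@sha256:""" + "0" * 64 + "\n"


def registry_of(ref):
    """Return the registry host of an image reference (docker.io if implicit)."""
    first, sep, _ = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def audit(rendered):
    """Return one finding per image reference, tagged with its document's kind."""
    findings = []
    for doc in re.split(r"^---[ \t]*$", rendered, flags=re.M):
        kind = source = None
        for line in doc.splitlines():
            if source is None and (m := SOURCE_RE.match(line)):
                source = m.group(1)
            elif kind is None and (m := KIND_RE.match(line)):
                kind = m.group(1)  # first `kind:` in the document wins
            elif m := IMAGE_RE.match(line):
                field, ref = m.groups()
                registry = registry_of(ref)
                findings.append({
                    "source": source, "kind": kind, "field": field, "ref": ref,
                    "registry": registry,
                    "allowed": registry in ALLOWED_REGISTRIES,
                    "pinned": "@sha256:" in ref,  # digest, not a mutable tag
                })
    return findings


def violations(findings):
    """Findings that break the policy: unlisted registry or tag-only reference."""
    return [f for f in findings if not f["allowed"] or not f["pinned"]]


if __name__ == "__main__":
    for f in violations(audit(SAMPLE)):
        print(f["kind"], f["field"], f["ref"],
              "allowed-registry" if f["allowed"] else "UNLISTED-REGISTRY",
              "pinned" if f["pinned"] else "TAG-ONLY")
```

The scan is line-based, so it does not validate YAML structure and does not look inside container arguments such as `--acme-http01-solver-image=`.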
The committers listed above are authorized under a signed CLA.
- :white_check_mark: login: omerap12 / name: Omer Aplatony (a51d44e2c37e00b301371aad198417f554723e25, b1be4947778d3e360476ec5ba10a911c96314ef2, 1a4e7fd84a1882957776adbaee56d125696f91cb, 81527ae2f69c0fd263950a9f011c8c8c8237f288, 45d8d6b5a28528859dafc417c1e30ab2d8784378)
Welcome @omerap12!
It looks like this is your first PR to kubernetes-sigs/cluster-api-operator 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.
You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.
You can also check if kubernetes-sigs/cluster-api-operator has its own contribution guidelines.
You may want to refer to our testing guide if you run into trouble with your tests not passing.
If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!
Thank you, and welcome to Kubernetes. :smiley:
Hi @omerap12. Thanks for your PR.
I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Deploy Preview for kubernetes-sigs-cluster-api-operator ready!
| Name | Link |
|---|---|
| Latest commit | b1be4947778d3e360476ec5ba10a911c96314ef2 |
| Latest deploy log | https://app.netlify.com/sites/kubernetes-sigs-cluster-api-operator/deploys/675c7b6449f19700086d6278 |
| Deploy Preview | https://deploy-preview-525--kubernetes-sigs-cluster-api-operator.netlify.app |
/ok-to-test
Of course, I'll try to do it this weekend @alexander-demicev
Hey @alexander-demicev, any update on this? Should I close the PR?
/retest
@omerap12 hey, thanks for the PR. Can you please rebase it first, so we can then take a closer look? Thanks
Done
/retest
Looks like something went wrong with rebase, I see your branch is still behind by 32 commits. I was suspecting the rebase being the initial root cause of CI failure
Merged master
By checking the CI logs, e2e tests are not compiling properly
When I first submitted the PR they seemed to work lol. I'll take a look later and get this fixed
@furkatgofurov7 Fixed :)
btw, can I set deploymentOverride in the values file to a default of empty dict?
deploymentOverride: {}
Hey, thanks. Can we also add tests for other provider types (currently, only infra provider is being added)?
Added another test.
Please, let me rebase my changes when approved.
Looking forward to this 🥳 Thanks everyone for your contributions!
@furkatgofurov7 could you or someone else have another look at it? Almost three months since the last reply.
LGTM label has been added.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: alexander-demicev
The full list of commands accepted by this bot can be found here.
The pull request process is described here
- ~~OWNERS~~ [alexander-demicev]
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
@omerap12 can you rebase the PR on top of the main?
Sure. I'll do it soon
New changes are detected. LGTM label has been removed.
/retest
/retest
@omerap12: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| pull-cluster-api-operator-e2e-main | b1be4947778d3e360476ec5ba10a911c96314ef2 | link | true | /test pull-cluster-api-operator-e2e-main |
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.
PR needs rebase.