cert-manager.yaml

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: certificates.certmanager.k8s.io
spec:
  additionalPrinterColumns:
  - JSONPath: .status.conditions[?(@.type=="Ready")].status
    name: Ready
    type: string
  - JSONPath: .spec.secretName
    name: Secret
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.conditions[?(@.type=="Ready")].message
    name: Status
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: certmanager.k8s.io
  names:
    kind: Certificate
    plural: certificates
    shortNames:
    - cert
    - certs
  scope: Namespaced
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            acme:
              description: ACME contains configuration specific to ACME Certificates.
                Notably, this contains details on how the domain names listed on this
                Certificate resource should be 'solved', i.e. mapping HTTP01 and DNS01
                providers to DNS names.
              properties:
                config:
                  items:
                    properties:
                      domains:
                        description: Domains is the list of domains that this SolverConfig
                          applies to.
                        items:
                          type: string
                        type: array
                    required:
                    - domains
                    type: object
                  type: array
              required:
              - config
              type: object
            commonName:
              description: CommonName is a common name to be used on the Certificate.
                If no CommonName is given, then the first entry in DNSNames is used
                as the CommonName. The CommonName should have a length of 64 characters
                or fewer to avoid generating invalid CSRs; in order to have longer
                domain names, set the CommonName (or first DNSNames entry) to have
                64 characters or fewer, and then add the longer domain name to DNSNames.
              type: string
            dnsNames:
              description: DNSNames is a list of subject alt names to be used on the
                Certificate. If no CommonName is given, then the first entry in DNSNames
                is used as the CommonName and must have a length of 64 characters
                or fewer.
              items:
                type: string
              type: array
            duration:
              description: Certificate default Duration
              type: string
            ipAddresses:
              description: IPAddresses is a list of IP addresses to be used on the
                Certificate
              items:
                type: string
              type: array
            isCA:
              description: IsCA will mark this Certificate as valid for signing. This
                implies that the 'signing' usage is set
              type: boolean
            issuerRef:
              description: IssuerRef is a reference to the issuer for this certificate.
                If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                with the given name in the same namespace as the Certificate will
                be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
                with the provided name will be used. The 'name' field in this stanza
                is required at all times.
              properties:
                group:
                  type: string
                kind:
                  type: string
                name:
                  type: string
              required:
              - name
              type: object
            keyAlgorithm:
              description: KeyAlgorithm is the private key algorithm of the corresponding
                private key for this certificate. If provided, allowed values are
                either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is
                not provided, key size of 256 will be used for "ecdsa" key algorithm
                and key size of 2048 will be used for "rsa" key algorithm.
              enum:
              - rsa
              - ecdsa
              type: string
            keyEncoding:
              description: KeyEncoding is the private key cryptography standards (PKCS)
                for this certificate's private key to be encoded in. If provided,
                allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
                respectively. If KeyEncoding is not specified, then PKCS#1 will be
                used by default.
              type: string
            keySize:
              description: KeySize is the key bit size of the corresponding private
                key for this certificate. If provided, value must be between 2048
                and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",
                and value must be one of (256, 384, 521) when KeyAlgorithm is set
                to "ecdsa".
              format: int64
              type: integer
            organization:
              description: Organization is the organization to be used on the Certificate
              items:
                type: string
              type: array
            renewBefore:
              description: Certificate renew before expiration duration
              type: string
            secretName:
              description: SecretName is the name of the secret resource to store
                this secret in
              type: string
          required:
          - secretName
          - issuerRef
          type: object
        status:
          properties:
            conditions:
              items:
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding
                      to the last status change of this condition.
                    format: date-time
                    type: string
                  message:
                    description: Message is a human readable description of the details
                      of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for
                      the condition's last transition.
                    type: string
                  status:
                    description: Status of the condition, one of ('True', 'False',
                      'Unknown').
                    enum:
                    - "True"
                    - "False"
                    - Unknown
                    type: string
                  type:
                    description: Type of the condition, currently ('Ready').
                    type: string
                required:
                - type
                - status
                type: object
              type: array
            lastFailureTime:
              format: date-time
              type: string
            notAfter:
              description: The expiration time of the certificate stored in the secret
                named by this resource in spec.secretName.
              format: date-time
              type: string
          type: object
  version: v1alpha1
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: certificaterequests.certmanager.k8s.io
spec:
  additionalPrinterColumns:
  - JSONPath: .status.conditions[?(@.type=="Ready")].status
    name: Ready
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.conditions[?(@.type=="Ready")].message
    name: Status
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: certmanager.k8s.io
  names:
    kind: CertificateRequest
    plural: certificaterequests
    shortNames:
    - cr
    - crs
  scope: Namespaced
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            csr:
              description: Byte slice containing the PEM encoded CertificateSigningRequest
              format: byte
              type: string
            duration:
              description: Requested certificate default Duration
              type: string
            isCA:
              description: IsCA will mark the resulting certificate as valid for signing.
                This implies that the 'signing' usage is set
              type: boolean
            issuerRef:
              description: IssuerRef is a reference to the issuer for this CertificateRequest.  If
                the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                with the given name in the same namespace as the CertificateRequest
                will be used.  If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
                with the provided name will be used. The 'name' field in this stanza
                is required at all times. The group field refers to the API group
                of the issuer which defaults to 'certmanager.k8s.io' if empty.
              properties:
                group:
                  type: string
                kind:
                  type: string
                name:
                  type: string
              required:
              - name
              type: object
          required:
          - issuerRef
          type: object
        status:
          properties:
            ca:
              description: Byte slice containing the PEM encoded certificate authority
                of the signed certificate.
              format: byte
              type: string
            certificate:
              description: Byte slice containing a PEM encoded signed certificate
                resulting from the given certificate signing request.
              format: byte
              type: string
            conditions:
              items:
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding
                      to the last status change of this condition.
                    format: date-time
                    type: string
                  message:
                    description: Message is a human readable description of the details
                      of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for
                      the condition's last transition.
                    type: string
                  status:
                    description: Status of the condition, one of ('True', 'False',
                      'Unknown').
                    enum:
                    - "True"
                    - "False"
                    - Unknown
                    type: string
                  type:
                    description: Type of the condition, currently ('Ready').
                    type: string
                required:
                - type
                - status
                type: object
              type: array
          type: object
  version: v1alpha1
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: challenges.certmanager.k8s.io
spec:
  additionalPrinterColumns:
  - JSONPath: .status.state
    name: State
    type: string
  - JSONPath: .spec.dnsName
    name: Domain
    type: string
  - JSONPath: .status.reason
    name: Reason
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: certmanager.k8s.io
  names:
    kind: Challenge
    plural: challenges
  scope: Namespaced
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            authzURL:
              description: AuthzURL is the URL to the ACME Authorization resource
                that this challenge is a part of.
              type: string
            config:
              description: 'Config specifies the solver configuration for this challenge.
                Only **one** of ''config'' or ''solver'' may be specified, and if
                both are specified then no action will be performed on the Challenge
                resource. DEPRECATED: the ''solver'' field should be specified instead'
              type: object
            dnsName:
              description: DNSName is the identifier that this challenge is for, e.g.
                example.com.
              type: string
            issuerRef:
              description: IssuerRef references a properly configured ACME-type Issuer
                which should be used to create this Challenge. If the Issuer does
                not exist, processing will be retried. If the Issuer is not an 'ACME'
                Issuer, an error will be returned and the Challenge will be marked
                as failed.
              properties:
                group:
                  type: string
                kind:
                  type: string
                name:
                  type: string
              required:
              - name
              type: object
            key:
              description: Key is the ACME challenge key for this challenge
              type: string
            solver:
              description: Solver contains the domain solving configuration that should
                be used to solve this challenge resource. Only **one** of 'config'
                or 'solver' may be specified, and if both are specified then no action
                will be performed on the Challenge resource.
              properties:
                selector:
                  description: Selector selects a set of DNSNames on the Certificate
                    resource that should be solved using this challenge solver.
                  properties:
                    dnsNames:
                      description: List of DNSNames that this solver will be used
                        to solve. If specified and a match is found, a dnsNames selector
                        will take precedence over a dnsZones selector. If multiple
                        solvers match with the same dnsNames value, the solver with
                        the most matching labels in matchLabels will be selected.
                        If neither has more matches, the solver defined earlier in
                        the list will be selected.
                      items:
                        type: string
                      type: array
                    dnsZones:
                      description: List of DNSZones that this solver will be used
                        to solve. The most specific DNS zone match specified here
                        will take precedence over other DNS zone matches, so a solver
                        specifying sys.example.com will be selected over one specifying
                        example.com for the domain www.sys.example.com. If multiple
                        solvers match with the same dnsZones value, the solver with
                        the most matching labels in matchLabels will be selected.
                        If neither has more matches, the solver defined earlier in
                        the list will be selected.
                      items:
                        type: string
                      type: array
                    matchLabels:
                      description: A label selector that is used to refine the set
                        of certificate's that this challenge solver will apply to.
                      type: object
                  type: object
              type: object
            token:
              description: Token is the ACME challenge token for this challenge.
              type: string
            type:
              description: Type is the type of ACME challenge this resource represents,
                e.g. "dns01" or "http01"
              type: string
            url:
              description: URL is the URL of the ACME Challenge resource for this
                challenge. This can be used to lookup details about the status of
                this challenge.
              type: string
            wildcard:
              description: Wildcard will be true if this challenge is for a wildcard
                identifier, for example '*.example.com'
              type: boolean
          required:
          - authzURL
          - type
          - url
          - dnsName
          - token
          - key
          - wildcard
          - issuerRef
          type: object
        status:
          properties:
            presented:
              description: Presented will be set to true if the challenge values for
                this challenge are currently 'presented'. This *does not* imply the
                self check is passing. Only that the values have been 'submitted'
                for the appropriate challenge mechanism (i.e. the DNS01 TXT record
                has been presented, or the HTTP01 configuration has been configured).
              type: boolean
            processing:
              description: Processing is used to denote whether this challenge should
                be processed or not. This field will only be set to true by the 'scheduling'
                component. It will only be set to false by the 'challenges' controller,
                after the challenge has reached a final state or timed out. If this
                field is set to false, the challenge controller will not take any
                more action.
              type: boolean
            reason:
              description: Reason contains human readable information on why the Challenge
                is in the current state.
              type: string
            state:
              description: State contains the current 'state' of the challenge. If
                not set, the state of the challenge is unknown.
              enum:
              - ""
              - valid
              - ready
              - pending
              - processing
              - invalid
              - expired
              - errored
              type: string
          required:
          - processing
          - presented
          - reason
          type: object
      required:
      - metadata
      - spec
      - status
  version: v1alpha1
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: clusterissuers.certmanager.k8s.io
spec:
  group: certmanager.k8s.io
  names:
    kind: ClusterIssuer
    plural: clusterissuers
  scope: Cluster
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            acme:
              properties:
                email:
                  description: Email is the email for this account
                  type: string
                privateKeySecretRef:
                  description: PrivateKey is the name of a secret containing the private
                    key for this user account.
                  properties:
                    key:
                      description: The key of the secret to select from. Must be a
                        valid secret key.
                      type: string
                    name:
                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                        TODO: Add other useful fields. apiVersion, kind, uid?'
                      type: string
                  required:
                  - name
                  type: object
                server:
                  description: Server is the ACME server URL
                  type: string
                skipTLSVerify:
                  description: If true, skip verifying the ACME server TLS certificate
                  type: boolean
                solvers:
                  description: Solvers is a list of challenge solvers that will be
                    used to solve ACME challenges for the matching domains.
                  items:
                    properties:
                      selector:
                        description: Selector selects a set of DNSNames on the Certificate
                          resource that should be solved using this challenge solver.
                        properties:
                          dnsNames:
                            description: List of DNSNames that this solver will be
                              used to solve. If specified and a match is found, a
                              dnsNames selector will take precedence over a dnsZones
                              selector. If multiple solvers match with the same dnsNames
                              value, the solver with the most matching labels in matchLabels
                              will be selected. If neither has more matches, the solver
                              defined earlier in the list will be selected.
                            items:
                              type: string
                            type: array
                          dnsZones:
                            description: List of DNSZones that this solver will be
                              used to solve. The most specific DNS zone match specified
                              here will take precedence over other DNS zone matches,
                              so a solver specifying sys.example.com will be selected
                              over one specifying example.com for the domain www.sys.example.com.
                              If multiple solvers match with the same dnsZones value,
                              the solver with the most matching labels in matchLabels
                              will be selected. If neither has more matches, the solver
                              defined earlier in the list will be selected.
                            items:
                              type: string
                            type: array
                          matchLabels:
                            description: A label selector that is used to refine the
                              set of certificate's that this challenge solver will
                              apply to.
                            type: object
                        type: object
                    type: object
                  type: array
              required:
              - server
              - privateKeySecretRef
              type: object
            ca:
              properties:
                secretName:
                  description: SecretName is the name of the secret used to sign Certificates
                    issued by this Issuer.
                  type: string
              required:
              - secretName
              type: object
            selfSigned:
              type: object
            vault:
              properties:
                auth:
                  description: Vault authentication
                  properties:
                    appRole:
                      description: This Secret contains a AppRole and Secret
                      properties:
                        path:
                          description: Where the authentication path is mounted in
                            Vault.
                          type: string
                        roleId:
                          type: string
                        secretRef:
                          properties:
                            key:
                              description: The key of the secret to select from. Must
                                be a valid secret key.
                              type: string
                            name:
                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                TODO: Add other useful fields. apiVersion, kind, uid?'
                              type: string
                          required:
                          - name
                          type: object
                      required:
                      - path
                      - roleId
                      - secretRef
                      type: object
                    tokenSecretRef:
                      description: This Secret contains the Vault token key
                      properties:
                        key:
                          description: The key of the secret to select from. Must
                            be a valid secret key.
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                  type: object
                caBundle:
                  description: Base64 encoded CA bundle to validate Vault server certificate.
                    Only used if the Server URL is using HTTPS protocol. This parameter
                    is ignored for plain HTTP protocol connection. If not set the
                    system root certificates are used to validate the TLS connection.
                  format: byte
                  type: string
                path:
                  description: Vault URL path to the certificate role
                  type: string
                server:
                  description: Server is the vault connection address
                  type: string
              required:
              - auth
              - server
              - path
              type: object
            venafi:
              properties:
                cloud:
                  description: Cloud specifies the Venafi cloud configuration settings.
                    Only one of TPP or Cloud may be specified.
                  properties:
                    apiTokenSecretRef:
                      description: APITokenSecretRef is a secret key selector for
                        the Venafi Cloud API token.
                      properties:
                        key:
                          description: The key of the secret to select from. Must
                            be a valid secret key.
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                    url:
                      description: URL is the base URL for Venafi Cloud
                      type: string
                  required:
                  - url
                  - apiTokenSecretRef
                  type: object
                tpp:
                  description: TPP specifies Trust Protection Platform configuration
                    settings. Only one of TPP or Cloud may be specified.
                  properties:
                    caBundle:
                      description: CABundle is a PEM encoded TLS certifiate to use
                        to verify connections to the TPP instance. If specified, system
                        roots will not be used and the issuing CA for the TPP instance
                        must be verifiable using the provided root. If not specified,
                        the connection will be verified using the cert-manager system
                        root certificates.
                      format: byte
                      type: string
                    credentialsRef:
                      description: CredentialsRef is a reference to a Secret containing
                        the username and password for the TPP server. The secret must
                        contain two keys, 'username' and 'password'.
                      properties:
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                    url:
                      description: URL is the base URL for the Venafi TPP instance
                      type: string
                  required:
                  - url
                  - credentialsRef
                  type: object
                zone:
                  description: Zone is the Venafi Policy Zone to use for this issuer.
                    All requests made to the Venafi platform will be restricted by
                    the named zone policy. This field is required.
                  type: string
              required:
              - zone
              type: object
          type: object
        status:
          properties:
            acme:
              properties:
                lastRegisteredEmail:
                  description: LastRegisteredEmail is the email associated with the
                    latest registered ACME account, in order to track changes made
                    to registered account associated with the  Issuer
                  type: string
                uri:
                  description: URI is the unique account identifier, which can also
                    be used to retrieve account details from the CA
                  type: string
              type: object
            conditions:
              items:
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding
                      to the last status change of this condition.
                    format: date-time
                    type: string
                  message:
                    description: Message is a human readable description of the details
                      of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for
                      the condition's last transition.
                    type: string
                  status:
                    description: Status of the condition, one of ('True', 'False',
                      'Unknown').
                    enum:
                    - "True"
                    - "False"
                    - Unknown
                    type: string
                  type:
                    description: Type of the condition, currently ('Ready').
                    type: string
                required:
                - type
                - status
                type: object
              type: array
          type: object
  version: v1alpha1
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: issuers.certmanager.k8s.io
spec:
  group: certmanager.k8s.io
  names:
    kind: Issuer
    plural: issuers
  scope: Namespaced
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            acme:
              properties:
                email:
                  description: Email is the email for this account
                  type: string
                privateKeySecretRef:
                  description: PrivateKey is the name of a secret containing the private
                    key for this user account.
                  properties:
                    key:
                      description: The key of the secret to select from. Must be a
                        valid secret key.
                      type: string
                    name:
                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                        TODO: Add other useful fields. apiVersion, kind, uid?'
                      type: string
                  required:
                  - name
                  type: object
                server:
                  description: Server is the ACME server URL
                  type: string
                skipTLSVerify:
                  description: If true, skip verifying the ACME server TLS certificate
                  type: boolean
                solvers:
                  description: Solvers is a list of challenge solvers that will be
                    used to solve ACME challenges for the matching domains.
                  items:
                    properties:
                      selector:
                        description: Selector selects a set of DNSNames on the Certificate
                          resource that should be solved using this challenge solver.
                        properties:
                          dnsNames:
                            description: List of DNSNames that this solver will be
                              used to solve. If specified and a match is found, a
                              dnsNames selector will take precedence over a dnsZones
                              selector. If multiple solvers match with the same dnsNames
                              value, the solver with the most matching labels in matchLabels
                              will be selected. If neither has more matches, the solver
                              defined earlier in the list will be selected.
                            items:
                              type: string
                            type: array
                          dnsZones:
                            description: List of DNSZones that this solver will be
                              used to solve. The most specific DNS zone match specified
                              here will take precedence over other DNS zone matches,
                              so a solver specifying sys.example.com will be selected
                              over one specifying example.com for the domain www.sys.example.com.
                              If multiple solvers match with the same dnsZones value,
                              the solver with the most matching labels in matchLabels
                              will be selected. If neither has more matches, the solver
                              defined earlier in the list will be selected.
                            items:
                              type: string
                            type: array
                          matchLabels:
                            description: A label selector that is used to refine the
                              set of certificate's that this challenge solver will
                              apply to.
                            type: object
                        type: object
                    type: object
                  type: array
              required:
              - server
              - privateKeySecretRef
              type: object
            ca:
              properties:
                secretName:
                  description: SecretName is the name of the secret used to sign Certificates
                    issued by this Issuer.
                  type: string
              required:
              - secretName
              type: object
            selfSigned:
              type: object
            vault:
              properties:
                auth:
                  description: Vault authentication
                  properties:
                    appRole:
                      description: This Secret contains a AppRole and Secret
                      properties:
                        path:
                          description: Where the authentication path is mounted in
                            Vault.
                          type: string
                        roleId:
                          type: string
                        secretRef:
                          properties:
                            key:
                              description: The key of the secret to select from. Must
                                be a valid secret key.
                              type: string
                            name:
                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                TODO: Add other useful fields. apiVersion, kind, uid?'
                              type: string
                          required:
                          - name
                          type: object
                      required:
                      - path
                      - roleId
                      - secretRef
                      type: object
                    tokenSecretRef:
                      description: This Secret contains the Vault token key
                      properties:
                        key:
                          description: The key of the secret to select from. Must
                            be a valid secret key.
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                  type: object
                caBundle:
                  description: Base64 encoded CA bundle to validate Vault server certificate.
                    Only used if the Server URL is using HTTPS protocol. This parameter
                    is ignored for plain HTTP protocol connection. If not set the
                    system root certificates are used to validate the TLS connection.
                  format: byte
                  type: string
                path:
                  description: Vault URL path to the certificate role
                  type: string
                server:
                  description: Server is the vault connection address
                  type: string
              required:
              - auth
              - server
              - path
              type: object
            venafi:
              properties:
                cloud:
                  description: Cloud specifies the Venafi cloud configuration settings.
                    Only one of TPP or Cloud may be specified.
                  properties:
                    apiTokenSecretRef:
                      description: APITokenSecretRef is a secret key selector for
                        the Venafi Cloud API token.
                      properties:
                        key:
                          description: The key of the secret to select from. Must
                            be a valid secret key.
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                    url:
                      description: URL is the base URL for Venafi Cloud
                      type: string
                  required:
                  - url
                  - apiTokenSecretRef
                  type: object
                tpp:
                  description: TPP specifies Trust Protection Platform configuration
                    settings. Only one of TPP or Cloud may be specified.
                  properties:
                    caBundle:
                      description: CABundle is a PEM encoded TLS certifiate to use
                        to verify connections to the TPP instance. If specified, system
                        roots will not be used and the issuing CA for the TPP instance
                        must be verifiable using the provided root. If not specified,
                        the connection will be verified using the cert-manager system
                        root certificates.
                      format: byte
                      type: string
                    credentialsRef:
                      description: CredentialsRef is a reference to a Secret containing
                        the username and password for the TPP server. The secret must
                        contain two keys, 'username' and 'password'.
                      properties:
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      required:
                      - name
                      type: object
                    url:
                      description: URL is the base URL for the Venafi TPP instance
                      type: string
                  required:
                  - url
                  - credentialsRef
                  type: object
                zone:
                  description: Zone is the Venafi Policy Zone to use for this issuer.
                    All requests made to the Venafi platform will be restricted by
                    the named zone policy. This field is required.
                  type: string
              required:
              - zone
              type: object
          type: object
        status:
          properties:
            acme:
              properties:
                lastRegisteredEmail:
                  description: LastRegisteredEmail is the email associated with the
                    latest registered ACME account, in order to track changes made
                    to registered account associated with the  Issuer
                  type: string
                uri:
                  description: URI is the unique account identifier, which can also
                    be used to retrieve account details from the CA
                  type: string
              type: object
            conditions:
              items:
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding
                      to the last status change of this condition.
                    format: date-time
                    type: string
                  message:
                    description: Message is a human readable description of the details
                      of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for
                      the condition's last transition.
                    type: string
                  status:
                    description: Status of the condition, one of ('True', 'False',
                      'Unknown').
                    enum:
                    - "True"
                    - "False"
                    - Unknown
                    type: string
                  type:
                    description: Type of the condition, currently ('Ready').
                    type: string
                required:
                - type
                - status
                type: object
              type: array
          type: object
  version: v1alpha1
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: orders.certmanager.k8s.io
spec:
  additionalPrinterColumns:
  - JSONPath: .status.state
    name: State
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.reason
    name: Reason
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: certmanager.k8s.io
  names:
    kind: Order
    plural: orders
  scope: Namespaced
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            commonName:
              description: CommonName is the common name as specified on the DER encoded
                CSR. If CommonName is not specified, the first DNSName specified will
                be used as the CommonName. At least one of CommonName or a DNSNames
                must be set. This field must match the corresponding field on the
                DER encoded CSR.
              type: string
            config:
              description: 'Config specifies a mapping from DNS identifiers to how
                those identifiers should be solved when performing ACME challenges.
                A config entry must exist for each domain listed in DNSNames and CommonName.
                Only **one** of ''config'' or ''solvers'' may be specified, and if
                both are specified then no action will be performed on the Order resource.  This
                field will be removed when support for solver config specified on
                the Certificate under certificate.spec.acme has been removed. DEPRECATED:
                this field will be removed in future. Solver configuration must instead
                be provided on ACME Issuer resources.'
              items:
                properties:
                  domains:
                    description: Domains is the list of domains that this SolverConfig
                      applies to.
                    items:
                      type: string
                    type: array
                required:
                - domains
                type: object
              type: array
            csr:
              description: Certificate signing request bytes in DER encoding. This
                will be used when finalizing the order. This field must be set on
                the order.
              format: byte
              type: string
            dnsNames:
              description: DNSNames is a list of DNS names that should be included
                as part of the Order validation process. If CommonName is not specified,
                the first DNSName specified will be used as the CommonName. At least
                one of CommonName or a DNSNames must be set. This field must match
                the corresponding field on the DER encoded CSR.
              items:
                type: string
              type: array
            issuerRef:
              description: IssuerRef references a properly configured ACME-type Issuer
                which should be used to create this Order. If the Issuer does not
                exist, processing will be retried. If the Issuer is not an 'ACME'
                Issuer, an error will be returned and the Order will be marked as
                failed.
              properties:
                group:
                  type: string
                kind:
                  type: string
                name:
                  type: string
              required:
              - name
              type: object
          required:
          - csr
          - issuerRef
          type: object
        status:
          properties:
            certificate:
              description: Certificate is a copy of the PEM encoded certificate for
                this Order. This field will be populated after the order has been
                successfully finalized with the ACME server, and the order has transitioned
                to the 'valid' state.
              format: byte
              type: string
            challenges:
              description: Challenges is a list of ChallengeSpecs for Challenges that
                must be created in order to complete this Order.
              items:
                properties:
                  authzURL:
                    description: AuthzURL is the URL to the ACME Authorization resource
                      that this challenge is a part of.
                    type: string
                  config:
                    description: 'Config specifies the solver configuration for this
                      challenge. Only **one** of ''config'' or ''solver'' may be specified,
                      and if both are specified then no action will be performed on
                      the Challenge resource. DEPRECATED: the ''solver'' field should
                      be specified instead'
                    type: object
                  dnsName:
                    description: DNSName is the identifier that this challenge is
                      for, e.g. example.com.
                    type: string
                  issuerRef:
                    description: IssuerRef references a properly configured ACME-type
                      Issuer which should be used to create this Challenge. If the
                      Issuer does not exist, processing will be retried. If the Issuer
                      is not an 'ACME' Issuer, an error will be returned and the Challenge
                      will be marked as failed.
                    properties:
                      group:
                        type: string
                      kind:
                        type: string
                      name:
                        type: string
                    required:
                    - name
                    type: object
                  key:
                    description: Key is the ACME challenge key for this challenge
                    type: string
                  solver:
                    description: Solver contains the domain solving configuration
                      that should be used to solve this challenge resource. Only **one**
                      of 'config' or 'solver' may be specified, and if both are specified
                      then no action will be performed on the Challenge resource.
                    properties:
                      selector:
                        description: Selector selects a set of DNSNames on the Certificate
                          resource that should be solved using this challenge solver.
                        properties:
                          dnsNames:
                            description: List of DNSNames that this solver will be
                              used to solve. If specified and a match is found, a
                              dnsNames selector will take precedence over a dnsZones
                              selector. If multiple solvers match with the same dnsNames
                              value, the solver with the most matching labels in matchLabels
                              will be selected. If neither has more matches, the solver
                              defined earlier in the list will be selected.
                            items:
                              type: string
                            type: array
                          dnsZones:
                            description: List of DNSZones that this solver will be
                              used to solve. The most specific DNS zone match specified
                              here will take precedence over other DNS zone matches,
                              so a solver specifying sys.example.com will be selected
                              over one specifying example.com for the domain www.sys.example.com.
                              If multiple solvers match with the same dnsZones value,
                              the solver with the most matching labels in matchLabels
                              will be selected. If neither has more matches, the solver
                              defined earlier in the list will be selected.
                            items:
                              type: string
                            type: array
                          matchLabels:
                            description: A label selector that is used to refine the
                              set of certificate's that this challenge solver will
                              apply to.
                            type: object
                        type: object
                    type: object
                  token:
                    description: Token is the ACME challenge token for this challenge.
                    type: string
                  type:
                    description: Type is the type of ACME challenge this resource
                      represents, e.g. "dns01" or "http01"
                    type: string
                  url:
                    description: URL is the URL of the ACME Challenge resource for
                      this challenge. This can be used to lookup details about the
                      status of this challenge.
                    type: string
                  wildcard:
                    description: Wildcard will be true if this challenge is for a
                      wildcard identifier, for example '*.example.com'
                    type: boolean
                required:
                - authzURL
                - type
                - url
                - dnsName
                - token
                - key
                - wildcard
                - issuerRef
                type: object
              type: array
            failureTime:
              description: FailureTime stores the time that this order failed. This
                is used to influence garbage collection and back-off.
              format: date-time
              type: string
            finalizeURL:
              description: FinalizeURL of the Order. This is used to obtain certificates
                for this order once it has been completed.
              type: string
            reason:
              description: Reason optionally provides more information about a why
                the order is in the current state.
              type: string
            state:
              description: State contains the current state of this Order resource.
                States 'success' and 'expired' are 'final'
              enum:
              - ""
              - valid
              - ready
              - pending
              - processing
              - invalid
              - expired
              - errored
              type: string
            url:
              description: URL of the Order. This will initially be empty when the
                resource is first created. The Order controller will populate this
                field when the Order is first processed. This field will be immutable
                after it is initially set.
              type: string
          type: object
      required:
      - metadata
      - spec
      - status
  version: v1alpha1
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
  labels:
    certmanager.k8s.io/disable-validation: "true"

---
---
# Source: cert-manager/charts/cainjector/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-cainjector
  namespace: "cert-manager"
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cainjector-v0.9.0

---
# Source: cert-manager/charts/webhook/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-webhook
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.0

---
# Source: cert-manager/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager
  namespace: "cert-manager"
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.0

---
# Source: cert-manager/charts/cainjector/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cainjector-v0.9.0
rules:
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["configmaps", "events"]
    verbs: ["get", "create", "update", "patch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cainjector-v0.9.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-cainjector
subjects:
  - name: cert-manager-cainjector
    namespace: "cert-manager"
    kind: ServiceAccount
---
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: cert-manager-leaderelection
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.0
rules:
  # Used for leader election by the controller
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "update", "patch"]

---

# Issuer controller role
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.0
rules:
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["issuers", "issuers/status"]
    verbs: ["update"]
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]

---

# ClusterIssuer controller role
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.0
rules:
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["clusterissuers", "clusterissuers/status"]
    verbs: ["update"]
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]

---

# Certificates controller role
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.0
rules:
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
    verbs: ["update"]
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers", "orders"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["certificates/finalizers"]
    verbs: ["update"]
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["orders"]
    verbs: ["create", "delete"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]

---

# Orders controller role
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.0
rules:
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["orders", "orders/status"]
    verbs: ["update"]
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["orders", "clusterissuers", "issuers", "challenges"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["challenges"]
    verbs: ["create", "delete"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["orders/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]

---

# Challenges controller role
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.0
rules:
  # Use to update challenge resource status
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["challenges", "challenges/status"]
    verbs: ["update"]
  # Used to watch challenges, issuer and clusterissuer resources
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["challenges", "issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Need to be able to retrieve ACME account private key to complete challenges
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # Used to create events
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  # HTTP01 rules
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["challenges/finalizers"]
    verbs: ["update"]
  # DNS01 rules (duplicated above)
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]

---

# ingress-shim controller role
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.0
rules:
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["certificates", "certificaterequests"]
    verbs: ["create", "update", "delete"]
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["extensions"]
    resources: ["ingresses/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-leaderelection
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-leaderelection
subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-issuers
subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-clusterissuers
subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-certificates
subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-orders
subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-challenges
subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-ingress-shim
subjects:
  - name: cert-manager
    namespace: "cert-manager"
    kind: ServiceAccount

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-view
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.0
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-edit
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.0
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]

---
# Source: cert-manager/charts/webhook/templates/rbac.yaml
### Webhook ###
---
# apiserver gets the auth-delegator role to delegate auth decisions to
# the core apiserver
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-webhook:auth-delegator
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- apiGroup: ""
  kind: ServiceAccount
  name: cert-manager-webhook
  namespace: cert-manager

---

# apiserver gets the ability to read authentication. This allows it to
# read the specific configmap that has the requestheader-* entries to
# api agg
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: cert-manager-webhook:webhook-authentication-reader
  namespace: kube-system
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- apiGroup: ""
  kind: ServiceAccount
  name: cert-manager-webhook
  namespace: cert-manager

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-webhook:webhook-requester
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.0
rules:
- apiGroups:
  - admission.certmanager.k8s.io
  resources:
  - certificates
  - certificaterequests
  - issuers
  - clusterissuers
  verbs:
  - create

---
# Source: cert-manager/charts/webhook/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: cert-manager-webhook
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.0
spec:
  type: ClusterIP
  ports:
  - name: https
    port: 443
    targetPort: 6443
  selector:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller

---
# Source: cert-manager/charts/cainjector/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-cainjector
  namespace: "cert-manager"
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cainjector-v0.9.0
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cainjector
      app.kubernetes.io/name: cainjector
      app.kubernetes.io/instance:  cert-manager
      app.kubernetes.io/managed-by: Tiller
  template:
    metadata:
      labels:
        app: cainjector
        app.kubernetes.io/name: cainjector
        app.kubernetes.io/instance:  cert-manager
        app.kubernetes.io/managed-by: Tiller
        helm.sh/chart: cainjector-v0.9.0
      annotations:
    spec:
      serviceAccountName: cert-manager-cainjector
      containers:
        - name: cainjector
          image: "quay.io/jetstack/cert-manager-cainjector:v0.9.0"
          imagePullPolicy: IfNotPresent
          args:
          - --v=2
          - --leader-election-namespace=$(POD_NAMESPACE)
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          resources:
            {}
            

---
# Source: cert-manager/charts/webhook/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-webhook
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.0
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webhook
      app.kubernetes.io/name: webhook
      app.kubernetes.io/instance:  cert-manager
      app.kubernetes.io/managed-by: Tiller
  template:
    metadata:
      labels:
        app: webhook
        app.kubernetes.io/name: webhook
        app.kubernetes.io/instance:  cert-manager
        app.kubernetes.io/managed-by: Tiller
        helm.sh/chart: webhook-v0.9.0
      annotations:
    spec:
      serviceAccountName: cert-manager-webhook
      containers:
        - name: webhook
          image: "quay.io/jetstack/cert-manager-webhook:v0.9.0"
          imagePullPolicy: IfNotPresent
          args:
          - --v=2
          - --secure-port=6443
          - --tls-cert-file=/certs/tls.crt
          - --tls-private-key-file=/certs/tls.key
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          resources:
            {}
            
          volumeMounts:
          - name: certs
            mountPath: /certs
      volumes:
      - name: certs
        secret:
          secretName: cert-manager-webhook-webhook-tls

---
# Source: cert-manager/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager
  namespace: "cert-manager"
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: cert-manager-v0.9.0
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cert-manager
      app.kubernetes.io/name: cert-manager
      app.kubernetes.io/instance:  cert-manager
      app.kubernetes.io/managed-by: Tiller
  template:
    metadata:
      labels:
        app: cert-manager
        app.kubernetes.io/name: cert-manager
        app.kubernetes.io/instance:  cert-manager
        app.kubernetes.io/managed-by: Tiller
        helm.sh/chart: cert-manager-v0.9.0
      annotations:
        prometheus.io/path: "/metrics"
        prometheus.io/scrape: 'true'
        prometheus.io/port: '9402'
    spec:
      serviceAccountName: cert-manager
      containers:
        - name: cert-manager
          image: "quay.io/jetstack/cert-manager-controller:v0.9.0"
          imagePullPolicy: IfNotPresent
          args:
          - --v=2
          - --cluster-resource-namespace=$(POD_NAMESPACE)
          - --leader-election-namespace=$(POD_NAMESPACE)
          ports:
          - containerPort: 9402
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          resources:
            requests:
              cpu: 10m
              memory: 32Mi
            

---
# Source: cert-manager/charts/webhook/templates/apiservice.yaml
apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
  name: v1beta1.admission.certmanager.k8s.io
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.0
  annotations:
    certmanager.k8s.io/inject-ca-from: "cert-manager/cert-manager-webhook-webhook-tls"
spec:
  group: admission.certmanager.k8s.io
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: cert-manager-webhook
    namespace: "cert-manager"
  version: v1beta1

---
# Source: cert-manager/charts/webhook/templates/pki.yaml
---
# Create a selfsigned Issuer, in order to create a root CA certificate for
# signing webhook serving certificates
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: cert-manager-webhook-selfsign
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.0
spec:
  selfSigned: {}

---

# Generate a CA Certificate used to sign certificates for the webhook
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-manager-webhook-ca
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.0
spec:
  secretName: cert-manager-webhook-ca
  duration: 43800h # 5y
  issuerRef:
    name: cert-manager-webhook-selfsign
  commonName: "ca.webhook.cert-manager"
  isCA: true

---

# Create an Issuer that uses the above generated CA certificate to issue certs
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: cert-manager-webhook-ca
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.0
spec:
  ca:
    secretName: cert-manager-webhook-ca

---

# Finally, generate a serving certificate for the webhook to use
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cert-manager-webhook-webhook-tls
  namespace: "cert-manager"
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.0
spec:
  secretName: cert-manager-webhook-webhook-tls
  duration: 8760h # 1y
  issuerRef:
    name: cert-manager-webhook-ca
  dnsNames:
  - cert-manager-webhook
  - cert-manager-webhook.cert-manager
  - cert-manager-webhook.cert-manager.svc

---
# Source: cert-manager/templates/servicemonitor.yaml


---
# Source: cert-manager/charts/webhook/templates/validating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance:  cert-manager
    app.kubernetes.io/managed-by: Tiller
    helm.sh/chart: webhook-v0.9.0
  annotations:
    certmanager.k8s.io/inject-apiserver-ca: "true"
webhooks:
  - name: certificates.admission.certmanager.k8s.io
    namespaceSelector:
      matchExpressions:
      - key: "certmanager.k8s.io/disable-validation"
        operator: "NotIn"
        values:
        - "true"
      - key: "name"
        operator: "NotIn"
        values:
        - cert-manager
    rules:
      - apiGroups:
          - "certmanager.k8s.io"
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - certificates
    failurePolicy: Fail
    clientConfig:
      service:
        name: kubernetes
        namespace: default
        path: /apis/admission.certmanager.k8s.io/v1beta1/certificates
  - name: issuers.admission.certmanager.k8s.io
    namespaceSelector:
      matchExpressions:
      - key: "certmanager.k8s.io/disable-validation"
        operator: "NotIn"
        values:
        - "true"
      - key: "name"
        operator: "NotIn"
        values:
        - cert-manager
    rules:
      - apiGroups:
          - "certmanager.k8s.io"
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - issuers
    failurePolicy: Fail
    clientConfig:
      service:
        name: kubernetes
        namespace: default
        path: /apis/admission.certmanager.k8s.io/v1beta1/issuers
  - name: clusterissuers.admission.certmanager.k8s.io
    namespaceSelector:
      matchExpressions:
      - key: "certmanager.k8s.io/disable-validation"
        operator: "NotIn"
        values:
        - "true"
      - key: "name"
        operator: "NotIn"
        values:
        - cert-manager
    rules:
      - apiGroups:
          - "certmanager.k8s.io"
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - clusterissuers
    failurePolicy: Fail
    clientConfig:
      service:
        name: kubernetes
        namespace: default
        path: /apis/admission.certmanager.k8s.io/v1beta1/clusterissuers