Commit 2973cce2 authored by Thomas Schneider's avatar Thomas Schneider

Add manifests

parent 1901c414
Branches main
Pipeline #4185 passed
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
name: v1alpha1.cert-manager-webhook-rwth.thomas.fsmpi.eu
annotations:
cert-manager.io/inject-ca-from: >-
cert-manager/cert-manager-webhook-rwth-webhook-tls
spec:
group: cert-manager-webhook-rwth.thomas.fsmpi.eu
groupPriorityMinimum: 1000
versionPriority: 15
service:
name: cert-manager-webhook-rwth
namespace: cert-manager
version: v1alpha1
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cert-manager-webhook-rwth
namespace: cert-manager
spec:
selector:
matchLabels:
app: cert-manager-webhook-rwth
template:
metadata: {}
spec:
serviceAccountName: cert-manager-webhook-rwth
containers:
- name: cert-manager-webhook-rwth
image: >-
registry.git.fsmpi.rwth-aachen.de/thomas/cert-manager-webhook-rwth:latest
args:
- --tls-cert-file=/tls/tls.crt
- --tls-private-key-file=/tls/tls.key
- --secure-port=8443
- --v=2 # log level
securityContext:
runAsUser: 65534
ports:
- name: https
containerPort: 8443
livenessProbe:
httpGet:
scheme: HTTPS
path: /healthz
port: https
readinessProbe:
httpGet:
scheme: HTTPS
path: /healthz
port: https
volumeMounts:
- name: certs
mountPath: /tls
readOnly: true
volumes:
- name: certs
secret:
secretName: cert-manager-webhook-rwth-webhook-tls
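Review bot: The container image is referenced by the mutable `:latest` tag, so the code that runs under the `cert-manager-webhook-rwth` ServiceAccount (which can read the `rwthdns-apikey` secret and holds `system:auth-delegator`) can change without any change to this manifest; pin a release tag or, better, an `@sha256:` digest. The container `securityContext` sets only `runAsUser: 65534`, leaving privilege escalation, capabilities, the seccomp profile and root-filesystem writes at their defaults. The pod also declares no resource requests or limits. The hardened context below assumes the webhook binary writes nothing to its root filesystem, which should be confirmed before enabling `readOnlyRootFilesystem`.

```yaml
          # placeholder digest: substitute the digest of the build you reviewed
          image: registry.git.fsmpi.rwth-aachen.de/thomas/cert-manager-webhook-rwth@sha256:<DIGEST>
          # … unchanged: args …
          securityContext:
            runAsUser: 65534
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: ports, probes, volumeMounts …
```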
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
app: cert-manager-webhook-rwth
resources:
- apiservice.yaml
- deployment.yaml
- pki.yaml
- rbac.yaml
- service.yaml
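Review bot: `commonLabels` is deprecated in current kustomize releases in favour of `labels`, and the Deployment depends on it. Its pod template has `metadata: {}`, so the `app: cert-manager-webhook-rwth` label that the Deployment selector and the Service selector match on exists only after kustomize has run. Either set the label in the pod template directly, or switch to `labels` with `includeSelectors: true` and add a comment such as `# manifests rely on this label; do not apply the files individually`.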
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: cert-manager-webhook-rwth-selfsign
namespace: cert-manager
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: cert-manager-webhook-rwth-ca
namespace: cert-manager
spec:
secretName: cert-manager-webhook-rwth-ca
duration: 8760h # 1y
issuerRef:
name: cert-manager-webhook-rwth-selfsign
commonName: ca.cert-manager-webhook-rwth.cert-manager
isCA: true
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: cert-manager-webhook-rwth-ca
namespace: cert-manager
spec:
ca:
secretName: cert-manager-webhook-rwth-ca
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: cert-manager-webhook-rwth-webhook-tls
namespace: cert-manager
spec:
secretName: cert-manager-webhook-rwth-webhook-tls
duration: 720h # 30d
issuerRef:
name: cert-manager-webhook-rwth-ca
dnsNames:
- cert-manager-webhook-rwth
- cert-manager-webhook-rwth.cert-manager
- cert-manager-webhook-rwth.cert-manager.svc
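Review bot: The `cert-manager-webhook-rwth-webhook-tls` Certificate sets neither `usages` nor `privateKey`, so the serving certificate gets cert-manager's default key usages and, depending on the cert-manager version in use, may keep the same private key across its 30-day renewals. Adding `usages: [server auth]` and `privateKey: {rotationPolicy: Always}` makes both explicit. The APIService trusts whatever this CA signs through `inject-ca-from`, so a comment on the `cert-manager-webhook-rwth-ca` Certificate noting that read access to its secret must stay restricted would help the next maintainer.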
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: cert-manager-webhook-rwth
namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cert-manager-webhook-rwth:webhook-authentication-reader
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager-webhook-rwth
namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-webhook-rwth:auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager-webhook-rwth
namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-webhook-rwth:domain-solver
rules:
- apiGroups:
- cert-manager-webhook-rwth.thomas.fsmpi.eu
resources:
- '*'
verbs:
- 'create'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-webhook-rwth:domain-solver
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-webhook-rwth:domain-solver
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager
namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-manager-webhook-rwth:secret-reader
namespace: cert-manager
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- rwthdns-apikey
verbs:
- get
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cert-manager-webhook-rwth:secret-reader
namespace: cert-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager-webhook-rwth:secret-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager-webhook-rwth
namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-webhook-rwth:flowcontrol-solver
rules:
- apiGroups:
- flowcontrol.apiserver.k8s.io
resources:
- prioritylevelconfigurations
- flowschemas
verbs:
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-webhook-rwth:flowcontrol-solver
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-webhook-rwth:flowcontrol-solver
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager-webhook-rwth
namespace: cert-manager
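Review bot: The `cert-manager-webhook-rwth:domain-solver` ClusterRole grants `create` on `resources: ['*']` in the webhook's API group; naming only the solver resource would keep the grant to what cert-manager actually submits, e.g. `resources: ['<solver-name>']` (placeholder, the solver name is not visible on this page). Its ClusterRoleBinding names the ServiceAccount `cert-manager` in namespace `cert-manager`, which presumably matches the controller's account in this cluster but differs on installs that use another release name; a comment saying so would prevent a silent mismatch. The `system:auth-delegator` binding is cluster-wide and deserves a one-line comment explaining that it is needed for delegated authentication of the extension API server. The `secret-reader` Role is already limited with `resourceNames`, which is the right shape.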
---
apiVersion: v1
kind: Service
metadata:
name: cert-manager-webhook-rwth
namespace: cert-manager
spec:
type: ClusterIP
ports:
- port: 443
targetPort: https
name: https
selector:
app: cert-manager-webhook-rwth