# Namespace that holds the step-issuer controller-manager and its
# namespaced RBAC (leader-election Role/RoleBinding) and metrics Service.
apiVersion: v1
kind: Namespace
metadata:
  name: step-issuer-system
  labels:
    control-plane: controller-manager
---
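# CustomResourceDefinition for StepIssuer, the cert-manager external issuer
# backed by a step certificates (step-ca) JWK provisioner.
#
# Served through apiextensions.k8s.io/v1: the v1beta1 CRD API is deprecated
# and is no longer served by Kubernetes 1.22+, so the v1beta1 form of this
# manifest cannot be applied on current clusters. The v1 form keeps the
# schema byte-for-byte in meaning but moves it, together with the status
# subresource, under the served version. Because preserveUnknownFields
# defaults to false in v1, the API server prunes any field the schema does
# not declare instead of silently storing it.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.2.5
  name: stepissuers.certmanager.step.sm
spec:
  group: certmanager.step.sm
  names:
    kind: StepIssuer
    listKind: StepIssuerList
    plural: stepissuers
    singular: stepissuer
  scope: Namespaced
  versions:
    - name: v1beta1
      served: true
      storage: true
      subresources:
        status: {}
      schema:
        openAPIV3Schema:
          description: StepIssuer is the Schema for the stepissuers API
          type: object
          properties:
            apiVersion:
              description: >-
                APIVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the latest
                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
              type: string
            kind:
              description: >-
                Kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint the client
                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
              type: string
            metadata:
              type: object
            spec:
              description: StepIssuerSpec defines the desired state of StepIssuer
              type: object
              required:
                - provisioner
                - url
              properties:
                # Optional trust anchor for the connection to step-ca. Without it the
                # controller falls back to the system roots, which cannot verify a
                # CA that serves its own internally-issued TLS certificate, so this
                # should normally be set (and pinned) rather than left empty.
                caBundle:
                  description: >-
                    CABundle is a base64 encoded TLS certificate used to verify
                    connections to the step certificates server. If not set the system
                    root certificates are used to validate the TLS connection.
                  format: byte
                  type: string
                provisioner:
                  description: >-
                    Provisioner contains the step certificates provisioner
                    configuration.
                  type: object
                  required:
                    - kid
                    - name
                    - passwordRef
                  properties:
                    kid:
                      description: KeyID is the kid property of the JWK provisioner.
                      type: string
                    name:
                      description: Names is the name of the JWK provisioner.
                      type: string
                    # The provisioner password is never inlined in the StepIssuer;
                    # it is read from a Secret, which is why the controller needs
                    # read access to Secrets (see the manager ClusterRole).
                    passwordRef:
                      description: >-
                        PasswordRef is a reference to a Secret containing the
                        provisioner password used to decrypt the provisioner private key.
                      type: object
                      required:
                        - name
                      properties:
                        key:
                          description: >-
                            The key of the secret to select from. Must be a
                            valid secret key.
                          type: string
                        name:
                          description: >-
                            The name of the secret in the pod's namespace to
                            select from.
                          type: string
                # NOTE(review): the schema does not constrain the scheme; an http://
                # URL would send the provisioner-signed token in the clear. Consider
                # a `pattern` requiring https:// if the controller does not enforce it.
                url:
                  description: URL is the base URL for the step certificates instance.
                  type: string
            status:
              description: StepIssuerStatus defines the observed state of StepIssuer
              type: object
              properties:
                conditions:
                  type: array
                  items:
                    description: >-
                      StepIssuerCondition contains condition information for
                      the step issuer.
                    type: object
                    required:
                      - status
                      - type
                    properties:
                      lastTransitionTime:
                        description: >-
                          LastTransitionTime is the timestamp corresponding
                          to the last status change of this condition.
                        format: date-time
                        type: string
                      message:
                        description: >-
                          Message is a human readable description of the details
                          of the last transition, complementing reason.
                        type: string
                      reason:
                        description: >-
                          Reason is a brief machine readable explanation for
                          the condition's last transition.
                        type: string
                      # The generated schema repeated this enum twice under allOf;
                      # a single enum is the same constraint.
                      status:
                        description: >-
                          Status of the condition, one of ('True', 'False',
                          'Unknown').
                        type: string
                        enum:
                          - "True"
                          - "False"
                          - Unknown
                      type:
                        description: Type of the condition, currently ('Ready').
                        type: string
                        enum:
                          - Ready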
---
# Namespaced permissions for controller-manager leader election
# (the manager runs with --enable-leader-election; controller-runtime of
# this vintage presumably keeps the leader lease in a ConfigMap, which is
# why full ConfigMap CRUD is granted here and nowhere else).
# ConfigMaps have no real status subresource, so the second rule is inert;
# it is kept only to match the generated manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: step-issuer-leader-election-role
  namespace: step-issuer-system
rules:
  - apiGroups: [""]
    resources: [configmaps]
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [""]
    resources: [configmaps/status]
    verbs: [get, update, patch]
  # Events are emitted for leader changes and reconcile errors.
  - apiGroups: [""]
    resources: [events]
    verbs: [create]
---
# Cluster-wide permissions for the step-issuer controller.
#
# Secrets: the controller reads the provisioner password referenced by
# StepIssuer.spec.provisioner.passwordRef. Because StepIssuer is namespaced
# and may live in any namespace, the grant is cluster-scoped. Note that
# list/watch (not just get) lets the controller observe every Secret in the
# cluster; if it backs these verbs with an informer, every Secret is cached
# in the manager's memory. Keep this ServiceAccount tightly bound (see the
# Deployment) and prefer a dedicated one over the namespace default.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: step-issuer-manager-role
rules:
  - apiGroups: [""]
    resources: [secrets]
    verbs: [get, list, watch]
  # cert-manager hands CertificateRequests to this issuer; the controller
  # reads them and writes the signed certificate back via the status
  # subresource.
  - apiGroups: [cert-manager.io]
    resources: [certificaterequests]
    verbs: [get, list, update, watch]
  - apiGroups: [cert-manager.io]
    resources: [certificaterequests/status]
    verbs: [get, patch, update]
  # Full CRUD on its own CRD. create/delete look broader than a reconciler
  # needs (it normally only reads issuers and updates their status); confirm
  # against the controller before narrowing.
  - apiGroups: [certmanager.step.sm]
    resources: [stepissuers]
    verbs: [create, delete, get, list, patch, update, watch]
  - apiGroups: [certmanager.step.sm]
    resources: [stepissuers/status]
    verbs: [get, patch, update]
---
# Permissions needed by kube-rbac-proxy, which fronts the /metrics endpoint:
# it validates a scraper's bearer token with a TokenReview and checks the
# scraper's access with a SubjectAccessReview before forwarding upstream.
# These are the only two API calls the proxy makes.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: step-issuer-proxy-role
rules:
  - apiGroups: [authentication.k8s.io]
    resources: [tokenreviews]
    verbs: [create]
  - apiGroups: [authorization.k8s.io]
    resources: [subjectaccessreviews]
    verbs: [create]
---
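# Identity the controller-manager runs as.
#
# The original manifest bound every role — including the cluster-wide
# Secret read and CertificateRequest write permissions — to the `default`
# ServiceAccount of step-issuer-system and let the Deployment fall through to
# that account. Any other pod scheduled into the namespace (debug shells,
# cron jobs, a compromised sidecar) would inherit those permissions through
# its automounted token. A dedicated ServiceAccount scopes them to this
# Deployment only.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: step-issuer-controller-manager
  namespace: step-issuer-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: step-issuer-leader-election-rolebinding
  namespace: step-issuer-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: step-issuer-leader-election-role
subjects:
  - kind: ServiceAccount
    name: step-issuer-controller-manager
    namespace: step-issuer-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: step-issuer-manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: step-issuer-manager-role
subjects:
  - kind: ServiceAccount
    name: step-issuer-controller-manager
    namespace: step-issuer-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: step-issuer-proxy-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: step-issuer-proxy-role
subjects:
  - kind: ServiceAccount
    name: step-issuer-controller-manager
    namespace: step-issuer-system
---
# Metrics Service. Only the kube-rbac-proxy port (8443, TLS) is exposed; the
# manager's plain-HTTP metrics listener is bound to 127.0.0.1 inside the pod
# and is reachable solely through the proxy.
apiVersion: v1
kind: Service
metadata:
  annotations:
    prometheus.io/port: "8443"
    prometheus.io/scheme: https
    prometheus.io/scrape: "true"
  labels:
    control-plane: controller-manager
  name: step-issuer-controller-manager-metrics-service
  namespace: step-issuer-system
spec:
  ports:
    - name: https
      port: 8443
      targetPort: https
  selector:
    control-plane: controller-manager
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    control-plane: controller-manager
  name: step-issuer-controller-manager
  namespace: step-issuer-system
spec:
  replicas: 1
  selector:
    matchLabels:
      control-plane: controller-manager
  template:
    metadata:
      labels:
        control-plane: controller-manager
    spec:
      # Dedicated identity; see the ServiceAccount above.
      serviceAccountName: step-issuer-controller-manager
      # Both containers are static Go binaries listening on unprivileged
      # ports, so nothing here needs root. 65532 is the distroless `nonroot`
      # uid used by kubebuilder-scaffolded images; set explicitly so the
      # runAsNonRoot check does not depend on the image declaring a numeric
      # USER. TODO(review): confirm both images start cleanly as this uid.
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532
      containers:
        # Authenticating/authorizing TLS front for the manager's metrics.
        - name: kube-rbac-proxy
          image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0
          args:
            - --secure-listen-address=0.0.0.0:8443
            - --upstream=http://127.0.0.1:8080/
            - --logtostderr=true
            # Was --v=10. At that verbosity client-go logs full request and
            # response bodies, and the proxy's TokenReview requests carry the
            # scraper's bearer token in the body, so every Prometheus
            # credential that hit /metrics could end up in the pod log.
            - --v=0
          ports:
            - containerPort: 8443
              name: https
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
        # The reconciler. Metrics are served on loopback only; the proxy
        # container above is the only way in.
        - name: manager
          image: smallstep/step-issuer:0.1.0
          command:
            - /manager
          args:
            - --metrics-addr=127.0.0.1:8080
            - --enable-leader-election
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            limits:
              cpu: 100m
              memory: 50Mi
            requests:
              cpu: 100m
              memory: 30Mi
      terminationGracePeriodSeconds: 10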