feat(helm): update chart cert-manager ( v1.15.3 → v1.16.0 ) #4073

Merged
merged 3 commits into from
Oct 4, 2024

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Oct 3, 2024

This PR contains the following updates:

| Package               | Update | Change             |
| --------------------- | ------ | ------------------ |
| cert-manager (source) | minor  | v1.15.3 -> v1.16.0 |

Release Notes

cert-manager/cert-manager (cert-manager)

v1.16.0

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

| datasource | package      | from    | to      |
| ---------- | ------------ | ------- | ------- |
| helm       | cert-manager | v1.15.3 | v1.16.0 |


Signed-off-by: Jeff Billimek <billimek@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/cert-manager-1.x branch from f1fe165 to c82687c Compare October 4, 2024 17:58
Enable the installation of CRDs by setting the `crds` field to `enabled: true` in the values configuration. This change ensures that CRDs are installed as part of the chart deployment process, allowing for proper functioning of cert-manager.
Removing the webhook section from the cert-manager chart configuration file as it is no longer needed.

github-actions bot commented Oct 4, 2024

Helm Release Diff: cert-manager/chart/cert-manager-chart.yaml

--- /tmp/tmp.2HaIXm1qRx	2024-10-04 18:05:51.326112933 +0000
+++ /tmp/tmp.aomxYOkFtk	2024-10-04 18:05:52.792111734 +0000
@@ -310,7 +310,7 @@
 ---
 # Source: cert-manager/templates/rbac.yaml
 # Permission to:
-# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
+# - Update and sign CertificateSigningRequests referencing cert-manager.io Issuers and ClusterIssuers
 # - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -488,8 +488,7 @@
   kind: ClusterRole
   name: cert-manager-webhook:subjectaccessreviews
 subjects:
-  - apiGroup: ""
-    kind: ServiceAccount
+  - kind: ServiceAccount
     name: cert-manager-webhook
     namespace: default
 
@@ -536,6 +535,19 @@
     verbs: [ "create" ]
 
 ---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-manager-tokenrequest
+  namespace: default
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "serviceaccounts/token" ]
+    resourceNames: [ "cert-manager" ]
+    verbs: [ "create" ]
+
+---
 # Source: cert-manager/templates/webhook-rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
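Review bot: The new `cert-manager-tokenrequest` Role grants `create` on `serviceaccounts/token` without any comment saying why the `cert-manager` ServiceAccount needs to mint tokens; the matching RoleBinding later in this diff has a one-line comment, the Role does not. The `resourceNames: [ "cert-manager" ]` restriction is the right scope, since it limits token creation to that one ServiceAccount, but RBAC cannot constrain the audience or lifetime of the tokens requested. A short comment on the Role stating the intended use would help anyone auditing this namespace's permissions later.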
@@ -585,8 +597,24 @@
   kind: Role
   name: cert-manager:leaderelection
 subjects:
-  - apiGroup: ""
-    kind: ServiceAccount
+  - kind: ServiceAccount
+    name: cert-manager
+    namespace: default
+
+---
+# Source: cert-manager/templates/rbac.yaml
+# grant cert-manager permission to create tokens for the serviceaccount
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-manager-cert-manager-tokenrequest
+  namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-tokenrequest
+subjects:
+  - kind: ServiceAccount
     name: cert-manager
     namespace: default
 
@@ -602,12 +630,29 @@
   kind: Role
   name: cert-manager-webhook:dynamic-serving
 subjects:
-  - apiGroup: ""
-    kind: ServiceAccount
+  - kind: ServiceAccount
     name: cert-manager-webhook
     namespace: default
 
 ---
+# Source: cert-manager/templates/cainjector-service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: cert-manager-cainjector
+  namespace: default
+spec:
+  type: ClusterIP
+  ports:
+    - protocol: TCP
+      port: 9402
+      name: http-metrics
+  selector:
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: "cainjector"
+
+---
 # Source: cert-manager/templates/service.yaml
 apiVersion: v1
 kind: Service
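Review bot: The `http-metrics` port in the new `cert-manager-cainjector` Service sets `port: 9402` with no `targetPort`, so it falls back to the numeric port, while the webhook Service change in this same diff targets the container port by name with `targetPort: "http-metrics"`. Adding `targetPort: http-metrics` here would keep the two Services consistent and tie this Service to the named container port added to the cainjector container. The Service also makes cainjector metrics reachable at a ClusterIP for the first time; if only Prometheus should scrape 9402, a NetworkPolicy for that port belongs alongside this change.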
@@ -640,6 +685,10 @@
       port: 443
       protocol: TCP
       targetPort: "https"
+    - name: metrics
+      port: 9402
+      protocol: TCP
+      targetPort: "http-metrics"
   selector:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/instance: cert-manager
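Review bot: The port added to the webhook Service is named `metrics`, but the cainjector Service and both container ports added in this diff use `http-metrics` for the same 9402 endpoint. The ServiceMonitor scrapes by `targetPort: 9402`, so nothing breaks today, but anything that selects the port by name would have to handle two spellings; renaming this entry to `http-metrics` avoids that. Note also that the Service fronting the webhook's 443 port now exposes metrics to the same set of clients, so any network restriction written for the webhook should be checked for whether it should admit 9402.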
@@ -670,11 +719,15 @@
           type: RuntimeDefault
       containers:
         - name: cert-manager-cainjector
-          image: "quay.io/jetstack/cert-manager-cainjector:v1.15.3"
+          image: "quay.io/jetstack/cert-manager-cainjector:v1.16.0"
           imagePullPolicy: IfNotPresent
           args:
             - --v=2
             - --leader-election-namespace=kube-system
+          ports:
+            - containerPort: 9402
+              name: http-metrics
+              protocol: TCP
           env:
             - name: POD_NAMESPACE
               valueFrom:
@@ -714,13 +767,13 @@
           type: RuntimeDefault
       containers:
         - name: cert-manager-controller
-          image: "quay.io/jetstack/cert-manager-controller:v1.15.3"
+          image: "quay.io/jetstack/cert-manager-controller:v1.16.0"
           imagePullPolicy: IfNotPresent
           args:
             - --v=2
             - --cluster-resource-namespace=$(POD_NAMESPACE)
             - --leader-election-namespace=kube-system
-            - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.15.3
+            - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.16.0
             - --dns01-recursive-nameservers=1.1.1.1:53
             - --dns01-recursive-nameservers-only
             - --max-concurrent-challenges=60
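Review bot: The bumped `image: "quay.io/jetstack/cert-manager-controller:v1.16.0"` and the `--acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.16.0` argument are still mutable tag references, and with `imagePullPolicy: IfNotPresent` each node keeps whatever it first pulled under that tag. Pinning both by digest (`image@sha256:<digest>`, taken from a verified pull of the release) would make the rendered manifest reproducible and make a re-tagged image visible as a diff in a PR like this one. The same applies to the cainjector, webhook and startupapicheck image lines elsewhere in this diff.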
@@ -783,7 +836,7 @@
           type: RuntimeDefault
       containers:
         - name: cert-manager-webhook
-          image: "quay.io/jetstack/cert-manager-webhook:v1.15.3"
+          image: "quay.io/jetstack/cert-manager-webhook:v1.16.0"
           imagePullPolicy: IfNotPresent
           args:
             - --v=2
@@ -801,6 +854,9 @@
             - name: healthcheck
               protocol: TCP
               containerPort: 6080
+            - containerPort: 9402
+              name: http-metrics
+              protocol: TCP
           livenessProbe:
             httpGet:
               path: /livez
@@ -879,10 +935,23 @@
 spec:
   jobLabel: cert-manager
   selector:
-    matchLabels:
-      app.kubernetes.io/name: cert-manager
-      app.kubernetes.io/instance: cert-manager
-      app.kubernetes.io/component: "controller"
+    matchExpressions:
+      - key: app.kubernetes.io/name
+        operator: In
+        values:
+          - cainjector
+          - cert-manager
+          - webhook
+      - key: app.kubernetes.io/instance
+        operator: In
+        values:
+          - cert-manager
+      - key: app.kubernetes.io/component
+        operator: In
+        values:
+          - cainjector
+          - controller
+          - webhook
   endpoints:
     - targetPort: 9402
       path: /metrics
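Review bot: The new `matchExpressions` selector evaluates each `In` list independently, so it matches any Service whose labels fall anywhere in the cross product of the three lists (for example `name: webhook` with `component: cainjector`), not just the three intended label sets that the old `matchLabels` style would pin exactly. The `app.kubernetes.io/instance` expression keeps this limited to the `cert-manager` instance, so the practical exposure is small, but it is worth confirming that no other Service in scope of this ServiceMonitor carries a mixed combination. Since the endpoint is still `targetPort: 9402`, every selected Service must also route to a pod listening on 9402, which this diff adds for cainjector and webhook.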
@@ -958,7 +1027,7 @@
     helm.sh/hook-weight: "-5"
 rules:
   - apiGroups: [ "cert-manager.io" ]
-    resources: [ "certificates" ]
+    resources: [ "certificaterequests" ]
     verbs: [ "create" ]
 
 ---
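Review bot: The swap from `certificates` to `certificaterequests` on the `resources` line is an RBAC change, not just a version string, and nothing in the PR description mentions it: the Release Notes section above lists v1.16.0 with no content. The verb stays `create`, so the permission is moved rather than widened, but it should be checked against the upstream v1.16.0 notes and recorded in the merge description so the permission history of this hook rule stays auditable.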
@@ -1006,7 +1075,7 @@
           type: RuntimeDefault
       containers:
         - name: cert-manager-startupapicheck
-          image: "quay.io/jetstack/cert-manager-startupapicheck:v1.15.3"
+          image: "quay.io/jetstack/cert-manager-startupapicheck:v1.16.0"
           imagePullPolicy: IfNotPresent
           args:
             - check
@@ -1019,5 +1088,10 @@
               drop:
                 - ALL
             readOnlyRootFilesystem: true
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
       nodeSelector:
         kubernetes.io/os: linux

@billimek billimek merged commit b1e3bd3 into master Oct 4, 2024
2 checks passed
@billimek billimek deleted the renovate/cert-manager-1.x branch October 4, 2024 18:07