diff --git a/test/e2e/helm_test.go b/test/e2e/helm_test.go
index 9f109ab8e..aaccbfc4e 100644
--- a/test/e2e/helm_test.go
+++ b/test/e2e/helm_test.go
@@ -229,4 +229,33 @@ var _ = Describe("Create a proper set of manifests when using helm charts", func
 Expect(err).ToNot(HaveOccurred())
 Expect(manifests).To(Equal(string(expectedManifests)))
 })
+
+ It("should include deplpoymentoverrides when specified - all", func() {
+ manifest, err := helmChart.Run(map[string]string{
+ "core": "override-test-core",
+ "bootstrap": "override-test-core",
+ "controlPlane": "override-test-core",
+ "infrastructure": "override-test-core",
+ "addon": "override-test-core",
+ "deploymentOverride.addon.containers[0].name": "manager",
+ "deploymentOverride.addon.containers[0].imageUrl": "test.org/cluster-api-provider-aws/cluster-api-provider-aws-controller:v0.6.0",
+ "deploymentOverride.core.containers[0].name": "manager",
+ "deploymentOverride.core.containers[0].imageUrl": "test.org/cluster-api/cluster-api-controller:v1.7.1",
+ "deploymentOverride.infrastructure.deployment.containers[0].name": "manager",
+ "deploymentOverride.infrastructure.deployment.containers[0].imageUrl": "test.org/cluster-api-vsphere/cluster-api-vsphere-controller:v1.10.0",
+ "deploymentOverride.bootstrap.deployment.containers[0].name": "manager",
+ "deploymentOverride.bootstrap.deployment.containers[0].imageUrl": "test.org/cluster-api-bootstrap-provider-kubeadm/cluster-api-kubeadm-controller:v0.4.0",
+ "deploymentOverride.controlPlane.deployment.containers[0].name": "manager",
+ "deploymentOverride.controlPlane.deployment.containers[0].imageUrl": "test.org/cluster-api-control-plane/cluster-api-control-plane-controller:v0.4.0",
+ "deploymentOverride.coreConditions.containers[0].name": "manager",
+ "deploymentOverride.coreConditions.containers[0].imageUrl": "test.org/cluster-api/cluster-api-controller:v1.7.1",
+ "deploymentOverride.infraConditions.containers[0].name": "manager",
+ "deploymentOverride.infraConditions.containers[0].imageUrl": "test.org/cluster-api/cluster-api-controller:v1.7.1",
+ })
+ Except(err).ToNot(HaveOccurred())
+ Except(manifest).ToNot(BeEmpty())
+ expectedManifests, err := os.ReadFile(filepath.Join(customManifestsFolder, "deployment-overrides-all.yaml"))
+ Except(err).ToNot(HaveOccurred())
+ Except(manifest).To(Equal(string(expectedManifests)))
+ })
 })
diff --git a/test/e2e/resources/deployment-overrides-all.yaml b/test/e2e/resources/deployment-overrides-all.yaml
new file mode 100644
index 000000000..381e15990
--- /dev/null
+++ b/test/e2e/resources/deployment-overrides-all.yaml
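Review bot: All four assertions in the added `It` block in test/e2e/helm_test.go call `Except(...)`, while the context lines just above use Gomega's `Expect(...)`. Unless an `Except` helper is declared elsewhere in this package, the spec will not compile, so the image-override rendering would never actually be checked against `deployment-overrides-all.yaml`. Each call should read like the existing ones, e.g. `Expect(err).ToNot(HaveOccurred())` and `Expect(manifest).To(Equal(string(expectedManifests)))`. The spec title also misspells the feature as `deplpoymentoverrides`, which makes the case harder to select with a focus filter; `"should include deploymentOverrides when specified - all"` would fix that. The enclosing `Describe` starts outside this hunk.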
@@ -0,0 +1,1561 @@ +--- +# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: true +metadata: + name: release-name-cert-manager-cainjector + namespace: default + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +--- +# Source: cluster-api-operator/charts/cert-manager/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: true +metadata: + name: release-name-cert-manager + namespace: default + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +--- +# Source: cluster-api-operator/charts/cert-manager/templates/webhook-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: true +metadata: + name: release-name-cert-manager-webhook + namespace: default + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +--- +# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: release-name-cert-manager-cainjector + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: 
cert-manager-v1.14.5 +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "create", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["apiregistration.k8s.io"] + resources: ["apiservices"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch", "update", "patch"] +--- +# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml +# Issuer controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: release-name-cert-manager-controller-issuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +rules: + - apiGroups: ["cert-manager.io"] + resources: ["issuers", "issuers/status"] + verbs: ["update", "patch"] + - apiGroups: ["cert-manager.io"] + resources: ["issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml +# ClusterIssuer controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: release-name-cert-manager-controller-clusterissuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + 
app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +rules: + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers", "clusterissuers/status"] + verbs: ["update", "patch"] + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml +# Certificates controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: release-name-cert-manager-controller-certificates + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] + verbs: ["update", "patch"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["cert-manager.io"] + resources: ["certificates/finalizers", "certificaterequests/finalizers"] + verbs: ["update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders"] + verbs: ["create", "delete", "get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", 
"delete", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml +# Orders controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: release-name-cert-manager-controller-orders + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +rules: + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "orders/status"] + verbs: ["update", "patch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "challenges"] + verbs: ["get", "list", "watch"] + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers", "issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges"] + verbs: ["create", "delete"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml +# Challenges controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: release-name-cert-manager-controller-challenges + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + 
helm.sh/chart: cert-manager-v1.14.5 +rules: + # Use to update challenge resource status + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "challenges/status"] + verbs: ["update", "patch"] + # Used to watch challenge resources + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges"] + verbs: ["get", "list", "watch"] + # Used to watch challenges, issuer and clusterissuer resources + - apiGroups: ["cert-manager.io"] + resources: ["issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + # Need to be able to retrieve ACME account private key to complete challenges + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + # Used to create events + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + # HTTP01 rules + - apiGroups: [""] + resources: ["pods", "services"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch", "create", "delete", "update"] + - apiGroups: [ "gateway.networking.k8s.io" ] + resources: [ "httproutes" ] + verbs: ["get", "list", "watch", "create", "delete", "update"] + # We require the ability to specify a custom hostname when we are creating + # new ingress resources. 
+ # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148 + - apiGroups: ["route.openshift.io"] + resources: ["routes/custom-host"] + verbs: ["create"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges/finalizers"] + verbs: ["update"] + # DNS01 rules (duplicated above) + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] +--- +# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml +# ingress-shim controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: release-name-cert-manager-controller-ingress-shim + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests"] + verbs: ["create", "update", "delete"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/finalizers"] + verbs: ["update"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: 
["gateways", "httproutes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gateways/finalizers", "httproutes/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: release-name-cert-manager-cluster-view + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers"] + verbs: ["get", "list", "watch"] +--- +# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: release-name-cert-manager-view + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "orders"] + verbs: ["get", "list", "watch"] +--- +# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: 
release-name-cert-manager-edit + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates/status"] + verbs: ["update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "orders"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] +--- +# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml +# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: release-name-cert-manager-controller-approve:cert-manager-io + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "cert-manager" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +rules: + - apiGroups: ["cert-manager.io"] + resources: ["signers"] + verbs: ["approve"] + resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] +--- +# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml +# Permission to: +# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers +# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: 
release-name-cert-manager-controller-certificatesigningrequests + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "cert-manager" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +rules: + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests/status"] + verbs: ["update", "patch"] + - apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] + verbs: ["sign"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +--- +# Source: cluster-api-operator/charts/cert-manager/templates/webhook-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: release-name-cert-manager-webhook:subjectaccessreviews + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +rules: +- apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +--- +# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: release-name-cert-manager-cainjector + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 
release-name-cert-manager-cainjector +subjects: + - name: release-name-cert-manager-cainjector + namespace: default + kind: ServiceAccount +--- +# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: release-name-cert-manager-controller-issuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: release-name-cert-manager-controller-issuers +subjects: + - name: release-name-cert-manager + namespace: default + kind: ServiceAccount +--- +# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: release-name-cert-manager-controller-clusterissuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: release-name-cert-manager-controller-clusterissuers +subjects: + - name: release-name-cert-manager + namespace: default + kind: ServiceAccount +--- +# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: release-name-cert-manager-controller-certificates + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: 
cert-manager-v1.14.5 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: release-name-cert-manager-controller-certificates +subjects: + - name: release-name-cert-manager + namespace: default + kind: ServiceAccount +--- +# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: release-name-cert-manager-controller-orders + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: release-name-cert-manager-controller-orders +subjects: + - name: release-name-cert-manager + namespace: default + kind: ServiceAccount +--- +# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: release-name-cert-manager-controller-challenges + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: release-name-cert-manager-controller-challenges +subjects: + - name: release-name-cert-manager + namespace: default + kind: ServiceAccount +--- +# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: release-name-cert-manager-controller-ingress-shim + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + 
app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: release-name-cert-manager-controller-ingress-shim +subjects: + - name: release-name-cert-manager + namespace: default + kind: ServiceAccount +--- +# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: release-name-cert-manager-controller-approve:cert-manager-io + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "cert-manager" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: release-name-cert-manager-controller-approve:cert-manager-io +subjects: + - name: release-name-cert-manager + namespace: default + kind: ServiceAccount +--- +# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: release-name-cert-manager-controller-certificatesigningrequests + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "cert-manager" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: release-name-cert-manager-controller-certificatesigningrequests +subjects: + - name: release-name-cert-manager + namespace: default + kind: ServiceAccount +--- +# Source: cluster-api-operator/charts/cert-manager/templates/webhook-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: 
release-name-cert-manager-webhook:subjectaccessreviews + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: release-name-cert-manager-webhook:subjectaccessreviews +subjects: +- apiGroup: "" + kind: ServiceAccount + name: release-name-cert-manager-webhook + namespace: default +--- +# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-rbac.yaml +# leader election rules +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-cert-manager-cainjector:leaderelection + namespace: kube-system + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +rules: + # Used for leader election by the controller + # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller + # see cmd/cainjector/start.go#L113 + # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller + # see cmd/cainjector/start.go#L137 + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"] + verbs: ["get", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create"] +--- +# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-cert-manager:leaderelection + namespace: kube-system + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + 
app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + resourceNames: ["cert-manager-controller"] + verbs: ["get", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create"] +--- +# Source: cluster-api-operator/charts/cert-manager/templates/webhook-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-cert-manager-webhook:dynamic-serving + namespace: default + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +rules: +- apiGroups: [""] + resources: ["secrets"] + resourceNames: + - 'release-name-cert-manager-webhook-ca' + verbs: ["get", "list", "watch", "update"] +# It's not possible to grant CREATE permission on a single resourceName. 
+- apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] +--- +# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-rbac.yaml +# grant cert-manager permission to manage the leaderelection configmap in the +# leader election namespace +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-cert-manager-cainjector:leaderelection + namespace: kube-system + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: release-name-cert-manager-cainjector:leaderelection +subjects: + - kind: ServiceAccount + name: release-name-cert-manager-cainjector + namespace: default +--- +# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml +# grant cert-manager permission to manage the leaderelection configmap in the +# leader election namespace +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-cert-manager:leaderelection + namespace: kube-system + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: release-name-cert-manager:leaderelection +subjects: + - apiGroup: "" + kind: ServiceAccount + name: release-name-cert-manager + namespace: default +--- +# Source: cluster-api-operator/charts/cert-manager/templates/webhook-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-cert-manager-webhook:dynamic-serving + namespace: default + labels: + app: webhook + 
app.kubernetes.io/name: webhook + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: release-name-cert-manager-webhook:dynamic-serving +subjects: +- apiGroup: "" + kind: ServiceAccount + name: release-name-cert-manager-webhook + namespace: default +--- +# Source: cluster-api-operator/charts/cert-manager/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: release-name-cert-manager + namespace: default + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +spec: + type: ClusterIP + ports: + - protocol: TCP + port: 9402 + name: tcp-prometheus-servicemonitor + targetPort: 9402 + selector: + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" +--- +# Source: cluster-api-operator/charts/cert-manager/templates/webhook-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: release-name-cert-manager-webhook + namespace: default + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +spec: + type: ClusterIP + ports: + - name: https + port: 443 + protocol: TCP + targetPort: "https" + selector: + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "webhook" +--- +# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + 
name: release-name-cert-manager-cainjector + namespace: default + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "cainjector" + template: + metadata: + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 + spec: + serviceAccountName: release-name-cert-manager-cainjector + enableServiceLinks: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: cert-manager-cainjector + image: "quay.io/jetstack/cert-manager-cainjector:v1.14.5" + imagePullPolicy: IfNotPresent + args: + - --v=2 + - --leader-election-namespace=kube-system + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + nodeSelector: + kubernetes.io/os: linux +--- +# Source: cluster-api-operator/charts/cert-manager/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: release-name-cert-manager + namespace: default + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: 
release-name + app.kubernetes.io/component: "controller" + template: + metadata: + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 + annotations: + prometheus.io/path: "/metrics" + prometheus.io/scrape: 'true' + prometheus.io/port: '9402' + spec: + serviceAccountName: release-name-cert-manager + enableServiceLinks: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: cert-manager-controller + image: "quay.io/jetstack/cert-manager-controller:v1.14.5" + imagePullPolicy: IfNotPresent + args: + - --v=2 + - --cluster-resource-namespace=$(POD_NAMESPACE) + - --leader-election-namespace=kube-system + - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.14.5 + - --max-concurrent-challenges=60 + ports: + - containerPort: 9402 + name: http-metrics + protocol: TCP + - containerPort: 9403 + name: http-healthz + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + # LivenessProbe settings are based on those used for the Kubernetes + # controller-manager. 
See: + # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245 + livenessProbe: + httpGet: + port: http-healthz + path: /livez + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 8 + nodeSelector: + kubernetes.io/os: linux +--- +# Source: cluster-api-operator/charts/cert-manager/templates/webhook-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: release-name-cert-manager-webhook + namespace: default + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "webhook" + template: + metadata: + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 + spec: + serviceAccountName: release-name-cert-manager-webhook + enableServiceLinks: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: cert-manager-webhook + image: "quay.io/jetstack/cert-manager-webhook:v1.14.5" + imagePullPolicy: IfNotPresent + args: + - --v=2 + - --secure-port=10250 + - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE) + - --dynamic-serving-ca-secret-name=release-name-cert-manager-webhook-ca + - --dynamic-serving-dns-names=release-name-cert-manager-webhook + - --dynamic-serving-dns-names=release-name-cert-manager-webhook.$(POD_NAMESPACE) + - 
--dynamic-serving-dns-names=release-name-cert-manager-webhook.$(POD_NAMESPACE).svc + + ports: + - name: https + protocol: TCP + containerPort: 10250 + - name: healthcheck + protocol: TCP + containerPort: 6080 + livenessProbe: + httpGet: + path: /livez + port: 6080 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /healthz + port: 6080 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + nodeSelector: + kubernetes.io/os: linux +--- +# Source: cluster-api-operator/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: release-name-cluster-api-operator + namespace: 'default' + labels: + app: cluster-api-operator + app.kubernetes.io/name: cluster-api-operator + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + control-plane: controller-manager + clusterctl.cluster.x-k8s.io/core: capi-operator +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: cluster-api-operator + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + control-plane: controller-manager + clusterctl.cluster.x-k8s.io/core: capi-operator + template: + metadata: + labels: + app: cluster-api-operator + app.kubernetes.io/name: cluster-api-operator + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "controller" + control-plane: controller-manager + clusterctl.cluster.x-k8s.io/core: capi-operator + spec: + containers: + - args: + - --v=2 + - --health-addr=:8081 + - --metrics-bind-addr=127.0.0.1:8080 + - --diagnostics-address=8443 + - --leader-elect=true + command: + - /manager + image: 
"gcr.io/k8s-staging-capi-operator/cluster-api-operator:dev" + imagePullPolicy: IfNotPresent + name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP + resources: + limits: + cpu: 100m + memory: 150Mi + requests: + cpu: 100m + memory: 100Mi + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: capi-operator-webhook-service-cert + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - key: kubernetes.io/os + operator: In + values: + - linux + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane +--- +# Source: cluster-api-operator/templates/addon.yaml +# Addon provider +--- +# Source: cluster-api-operator/templates/bootstrap.yaml +# Bootstrap provider +--- +# Source: cluster-api-operator/templates/control-plane.yaml +# Control plane provider +--- +# Source: cluster-api-operator/templates/core-conditions.yaml +# Deploy core components if not specified +--- +# Source: cluster-api-operator/templates/core.yaml +# Core provider +--- +# Source: cluster-api-operator/templates/infra-conditions.yaml +# Deploy bootstrap, and infrastructure components if not specified +--- +# Source: cluster-api-operator/templates/infra.yaml +# Infrastructure providers +--- +# Source: cluster-api-operator/charts/cert-manager/templates/webhook-mutating-webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: release-name-cert-manager-webhook + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: release-name + 
app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 + annotations: + cert-manager.io/inject-ca-from-secret: "default/release-name-cert-manager-webhook-ca" +webhooks: + - name: webhook.cert-manager.io + rules: + - apiGroups: + - "cert-manager.io" + apiVersions: + - "v1" + operations: + - CREATE + resources: + - "certificaterequests" + admissionReviewVersions: ["v1"] + # This webhook only accepts v1 cert-manager resources. + # Equivalent matchPolicy ensures that non-v1 resource requests are sent to + # this webhook (after the resources have been converted to v1). + matchPolicy: Equivalent + timeoutSeconds: 30 + failurePolicy: Fail + # Only include 'sideEffects' field in Kubernetes 1.12+ + sideEffects: None + clientConfig: + service: + name: release-name-cert-manager-webhook + namespace: default + path: /mutate +--- +# Source: cluster-api-operator/charts/cert-manager/templates/webhook-validating-webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: release-name-cert-manager-webhook + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 + annotations: + cert-manager.io/inject-ca-from-secret: "default/release-name-cert-manager-webhook-ca" +webhooks: + - name: webhook.cert-manager.io + namespaceSelector: + matchExpressions: + - key: cert-manager.io/disable-validation + operator: NotIn + values: + - "true" + rules: + - apiGroups: + - "cert-manager.io" + - "acme.cert-manager.io" + apiVersions: + - "v1" + operations: + - CREATE + - UPDATE + resources: + - "*/*" + admissionReviewVersions: ["v1"] + # This webhook only accepts v1 cert-manager resources. 
+ # Equivalent matchPolicy ensures that non-v1 resource requests are sent to + # this webhook (after the resources have been converted to v1). + matchPolicy: Equivalent + timeoutSeconds: 30 + failurePolicy: Fail + sideEffects: None + clientConfig: + service: + name: release-name-cert-manager-webhook + namespace: default + path: /validate +--- +# Source: cluster-api-operator/templates/addon.yaml +apiVersion: v1 +kind: Namespace +metadata: + annotations: + "helm.sh/hook": "post-install" + "helm.sh/hook-weight": "1" + name: override-test-core-addon-system +--- +# Source: cluster-api-operator/templates/bootstrap.yaml +apiVersion: v1 +kind: Namespace +metadata: + annotations: + "helm.sh/hook": "post-install" + "helm.sh/hook-weight": "1" + name: override-test-core-bootstrap-system +--- +# Source: cluster-api-operator/templates/control-plane.yaml +apiVersion: v1 +kind: Namespace +metadata: + annotations: + "helm.sh/hook": "post-install" + "helm.sh/hook-weight": "1" + name: override-test-core-control-plane-system +--- +# Source: cluster-api-operator/templates/core.yaml +apiVersion: v1 +kind: Namespace +metadata: + annotations: + "helm.sh/hook": "post-install" + "helm.sh/hook-weight": "1" + name: capi-system +--- +# Source: cluster-api-operator/templates/infra.yaml +apiVersion: v1 +kind: Namespace +metadata: + annotations: + "helm.sh/hook": "post-install" + "helm.sh/hook-weight": "1" + name: override-test-core-infrastructure-system +--- +# Source: cluster-api-operator/charts/cert-manager/templates/startupapicheck-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: true +metadata: + name: release-name-cert-manager-startupapicheck + namespace: default + annotations: + helm.sh/hook: post-install + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "-5" + labels: + app: startupapicheck + app.kubernetes.io/name: startupapicheck + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: 
"startupapicheck" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 +--- +# Source: cluster-api-operator/charts/cert-manager/templates/startupapicheck-rbac.yaml +# create certificate role +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-cert-manager-startupapicheck:create-cert + namespace: default + labels: + app: startupapicheck + app.kubernetes.io/name: startupapicheck + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "startupapicheck" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 + annotations: + helm.sh/hook: post-install + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "-5" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates"] + verbs: ["create"] +--- +# Source: cluster-api-operator/charts/cert-manager/templates/startupapicheck-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-cert-manager-startupapicheck:create-cert + namespace: default + labels: + app: startupapicheck + app.kubernetes.io/name: startupapicheck + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "startupapicheck" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 + annotations: + helm.sh/hook: post-install + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "-5" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: release-name-cert-manager-startupapicheck:create-cert +subjects: + - kind: ServiceAccount + name: release-name-cert-manager-startupapicheck + namespace: default +--- +# Source: cluster-api-operator/charts/cert-manager/templates/startupapicheck-job.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: release-name-cert-manager-startupapicheck + 
namespace: default + labels: + app: startupapicheck + app.kubernetes.io/name: startupapicheck + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "startupapicheck" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 + annotations: + helm.sh/hook: post-install + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "1" +spec: + backoffLimit: 4 + template: + metadata: + labels: + app: startupapicheck + app.kubernetes.io/name: startupapicheck + app.kubernetes.io/instance: release-name + app.kubernetes.io/component: "startupapicheck" + app.kubernetes.io/version: "v1.14.5" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.14.5 + spec: + restartPolicy: OnFailure + serviceAccountName: release-name-cert-manager-startupapicheck + enableServiceLinks: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: cert-manager-startupapicheck + image: "quay.io/jetstack/cert-manager-startupapicheck:v1.14.5" + imagePullPolicy: IfNotPresent + args: + - check + - api + - --wait=1m + - -v + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + nodeSelector: + kubernetes.io/os: linux +--- +# Source: cluster-api-operator/templates/addon.yaml +apiVersion: operator.cluster.x-k8s.io/v1alpha2 +kind: AddonProvider +metadata: + name: override-test-core + namespace: override-test-core-addon-system + annotations: + "helm.sh/hook": "post-install" + "helm.sh/hook-weight": "2" + + containers: + - imageUrl: test.org/cluster-api-provider-aws/cluster-api-provider-aws-controller:v0.6.0 + name: manager +--- +# Source: cluster-api-operator/templates/bootstrap.yaml +apiVersion: operator.cluster.x-k8s.io/v1alpha2 +kind: BootstrapProvider +metadata: + name: override-test-core + namespace: override-test-core-bootstrap-system + annotations: + "helm.sh/hook": 
"post-install" + "helm.sh/hook-weight": "2" + + deployment: + containers: + - imageUrl: test.org/cluster-api-bootstrap-provider-kubeadm/cluster-api-kubeadm-controller:v0.4.0 + name: manager +--- +# Source: cluster-api-operator/templates/control-plane.yaml +apiVersion: operator.cluster.x-k8s.io/v1alpha2 +kind: ControlPlaneProvider +metadata: + name: override-test-core + namespace: override-test-core-control-plane-system + annotations: + "helm.sh/hook": "post-install" + "helm.sh/hook-weight": "2" + + deployment: + containers: + - imageUrl: test.org/cluster-api-control-plane/cluster-api-control-plane-controller:v0.4.0 + name: manager +--- +# Source: cluster-api-operator/templates/core.yaml +apiVersion: operator.cluster.x-k8s.io/v1alpha2 +kind: CoreProvider +metadata: + name: override-test-core + namespace: capi-system + annotations: + "helm.sh/hook": "post-install" + "helm.sh/hook-weight": "2" + + containers: + - imageUrl: test.org/cluster-api/cluster-api-controller:v1.7.1 + name: manager +--- +# Source: cluster-api-operator/templates/infra.yaml +apiVersion: operator.cluster.x-k8s.io/v1alpha2 +kind: InfrastructureProvider +metadata: + name: override-test-core + namespace: override-test-core-infrastructure-system + annotations: + "helm.sh/hook": "post-install" + "helm.sh/hook-weight": "2" + + deployment: + containers: + - imageUrl: test.org/cluster-api-vsphere/cluster-api-vsphere-controller:v1.10.0 + name: manager