From 52b050b98a15ebba66ea6c5782f105b59b216548 Mon Sep 17 00:00:00 2001 From: Abhay Krishna Arunachalam Date: Fri, 23 Feb 2024 08:57:30 -0800 Subject: [PATCH] Revert "[release-0.19] Bump cert-manager/cert-manager to latest release (#2951)" This reverts commit bca79d0dd956e43b3c869953c3ffda06b4ff50f4. --- UPSTREAM_PROJECTS.yaml | 4 +- .../CERT_MANAGER_ACMESOLVER_ATTRIBUTION.txt | 173 ++-- .../CERT_MANAGER_CAINJECTOR_ATTRIBUTION.txt | 170 ++-- .../CERT_MANAGER_CONTROLLER_ATTRIBUTION.txt | 754 ++++------------ .../CERT_MANAGER_CTL_ATTRIBUTION.txt | 298 +++---- .../CERT_MANAGER_WEBHOOK_ATTRIBUTION.txt | 237 +++-- projects/cert-manager/cert-manager/CHECKSUMS | 20 +- projects/cert-manager/cert-manager/GIT_TAG | 2 +- .../cert-manager/cert-manager/GOLANG_VERSION | 2 +- projects/cert-manager/cert-manager/README.md | 2 +- ...e-sourceRegistry-and-digest-in-chart.patch | 124 +-- .../patches/0002-Add-cert-manager-CRDs.patch | 844 ++++-------------- .../0003-Remove-namespace-from-chart.patch | 4 +- ...Update-cert-manager-namespace-config.patch | 37 +- .../cert-manager/manifests/cert-manager.yaml | 454 +++------- 15 files changed, 1019 insertions(+), 2106 deletions(-) diff --git a/UPSTREAM_PROJECTS.yaml b/UPSTREAM_PROJECTS.yaml index 727bf98e42..7b5cfba60a 100644 --- a/UPSTREAM_PROJECTS.yaml +++ b/UPSTREAM_PROJECTS.yaml @@ -61,8 +61,8 @@ projects: repos: - name: cert-manager versions: - - tag: v1.14.2 - go_version: "1.21" + - tag: v1.13.2 + go_version: "1.20" - org: cilium repos: - name: cilium diff --git a/projects/cert-manager/cert-manager/CERT_MANAGER_ACMESOLVER_ATTRIBUTION.txt b/projects/cert-manager/cert-manager/CERT_MANAGER_ACMESOLVER_ATTRIBUTION.txt index d3ff4ba8be..0a81d5e5af 100644 --- a/projects/cert-manager/cert-manager/CERT_MANAGER_ACMESOLVER_ATTRIBUTION.txt +++ b/projects/cert-manager/cert-manager/CERT_MANAGER_ACMESOLVER_ATTRIBUTION.txt 
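Review bot: The `UPSTREAM_PROJECTS.yaml` hunk pins cert-manager back to `tag: v1.13.2` with `go_version: "1.20"`, but neither the file nor the commit message records why the bump was reverted or when it will be re-applied. The regenerated attribution files in this patch show that the downgrade also rolls back transitive dependencies, for example `github.com/go-jose/go-jose/v3` from v3.0.1 to v3.0.0, `golang.org/x/net` from v0.19.0 to v0.17.0, `google.golang.org/grpc` from v1.60.1 to v1.58.3, and the toolchain from go1.21.6 to go1.20.13. It is worth confirming that none of these drops a security fix the release branch needs, and that the Go 1.20 line still receives upstream security releases. If the file is hand-maintained, I would add a comment above the entry such as `# held at v1.13.2 (revert of #2951); re-bump tracked in <ISSUE-PLACEHOLDER>`.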
@@ -2,20 +2,20 @@ ** github.com/cert-manager/cert-manager; version v0.0.0-00010101000000-000000000000 -- https://github.com/cert-manager/cert-manager -** github.com/cert-manager/cert-manager/acmesolver-binary; version v1.14.2 -- +** github.com/cert-manager/cert-manager/acmesolver-binary; version v1.13.2 -- https://github.com/cert-manager/cert-manager/acmesolver-binary -** github.com/go-logr/logr; version v1.4.1 -- +** github.com/go-logr/logr; version v1.2.4 -- https://github.com/go-logr/logr -** github.com/go-logr/zapr; version v1.3.0 -- +** github.com/go-logr/zapr; version v1.2.4 -- https://github.com/go-logr/zapr ** github.com/google/gofuzz; version v1.2.0 -- https://github.com/google/gofuzz -** github.com/matttproud/golang_protobuf_extensions/v2/pbutil; version v2.0.0 -- -https://github.com/matttproud/golang_protobuf_extensions/v2 +** github.com/matttproud/golang_protobuf_extensions/pbutil; version v1.0.4 -- +https://github.com/matttproud/golang_protobuf_extensions ** github.com/modern-go/concurrent; version v0.0.0-20180306012644-bacd9c7ef1dd -- https://github.com/modern-go/concurrent 
@@ -23,57 +23,57 @@ https://github.com/modern-go/concurrent ** github.com/modern-go/reflect2; version v1.0.2 -- https://github.com/modern-go/reflect2 -** github.com/prometheus/client_golang/prometheus; version v1.18.0 -- +** github.com/prometheus/client_golang/prometheus; version v1.16.0 -- https://github.com/prometheus/client_golang -** github.com/prometheus/client_model/go; version v0.5.0 -- +** github.com/prometheus/client_model/go; version v0.4.0 -- https://github.com/prometheus/client_model -** github.com/prometheus/common; version v0.45.0 -- +** github.com/prometheus/common; version v0.44.0 -- https://github.com/prometheus/common -** github.com/prometheus/procfs; version v0.12.0 -- +** github.com/prometheus/procfs; version v0.10.1 -- https://github.com/prometheus/procfs -** github.com/spf13/cobra; version v1.8.0 -- +** github.com/spf13/cobra; version v1.7.0 -- https://github.com/spf13/cobra ** gopkg.in/yaml.v2; version v2.4.0 -- https://gopkg.in/yaml.v2 -** k8s.io/api/core/v1; version v0.29.0 -- +** k8s.io/api; version v0.28.1 -- https://github.com/kubernetes/api -** k8s.io/apiextensions-apiserver/pkg/apis/apiextensions; version v0.29.0 -- +** k8s.io/apiextensions-apiserver/pkg/apis/apiextensions; version v0.28.1 -- https://github.com/kubernetes/apiextensions-apiserver -** k8s.io/apimachinery/pkg; version v0.29.0 -- +** k8s.io/apimachinery/pkg; version v0.28.1 -- https://github.com/kubernetes/apimachinery -** k8s.io/component-base; version v0.29.0 -- +** k8s.io/client-go/kubernetes/scheme; version v0.28.1 -- +https://github.com/kubernetes/client-go + +** k8s.io/component-base; version v0.28.1 -- https://github.com/kubernetes/component-base -** k8s.io/klog/v2; version v2.110.1 -- +** k8s.io/klog/v2; version v2.100.1 -- https://github.com/kubernetes/klog -** k8s.io/utils; version v0.0.0-20240102154912-e7106e64919e -- +** k8s.io/kube-aggregator/pkg/apis/apiregistration; version v0.28.1 -- +https://github.com/kubernetes/kube-aggregator + +** k8s.io/utils; version 
v0.0.0-20230726121419-3b25d923346b -- https://github.com/kubernetes/utils -** sigs.k8s.io/gateway-api/apis/v1; version v1.0.0 -- +** sigs.k8s.io/gateway-api/apis/v1beta1; version v0.8.0 -- https://github.com/kubernetes-sigs/gateway-api ** sigs.k8s.io/json; version v0.0.0-20221116044647-bc3834ca7abd -- https://github.com/kubernetes-sigs/json -** sigs.k8s.io/structured-merge-diff/v4/value; version v4.4.1 -- +** sigs.k8s.io/structured-merge-diff/v4/value; version v4.3.0 -- https://github.com/kubernetes-sigs/structured-merge-diff -** sigs.k8s.io/yaml; version v1.4.0 -- -https://github.com/kubernetes-sigs/yaml - -** sigs.k8s.io/yaml/goyaml.v2; version v1.4.0 -- -https://github.com/kubernetes-sigs/yaml - Apache License Version 2.0, January 2004 @@ -278,7 +278,7 @@ https://github.com/kubernetes-sigs/yaml limitations under the License. -* For github.com/matttproud/golang_protobuf_extensions/v2/pbutil see also this required NOTICE: +* For github.com/matttproud/golang_protobuf_extensions/pbutil see also this required NOTICE: Copyright 2012 Matt T. Proud (matt.proud@gmail.com) @@ -349,22 +349,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. - -* For sigs.k8s.io/yaml/goyaml.v2 see also this required NOTICE: -Copyright 2011-2016 Canonical Ltd. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. - ------ ** github.com/gogo/protobuf; version v1.3.2 -- 
@@ -408,7 +392,41 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/google/go-cmp/cmp; version v0.6.0 -- +** github.com/golang/protobuf/proto; version v1.5.3 -- +https://github.com/golang/protobuf + +Copyright 2010 The Go Authors. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + + * Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. + * Neither the name of Google Inc. nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +------ + +** github.com/google/go-cmp/cmp; version v0.5.9 -- https://github.com/google/go-cmp Copyright (c) 2017 The Go Authors. All rights reserved. 
@@ -441,7 +459,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg; version v0.45.0 -- +** github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg; version v0.44.0 -- https://github.com/prometheus/common Copyright (c) 2011, Open Knowledge Foundation Ltd. @@ -511,19 +529,19 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** golang.org/go; version go1.21.6 -- +** golang.org/go; version go1.20.13 -- https://github.com/golang/go -** golang.org/x/net; version v0.19.0 -- +** golang.org/x/net; version v0.17.0 -- https://golang.org/x/net -** golang.org/x/sys/unix; version v0.15.0 -- +** golang.org/x/sys/unix; version v0.13.0 -- https://golang.org/x/sys -** golang.org/x/text; version v0.14.0 -- +** golang.org/x/text; version v0.13.0 -- https://golang.org/x/text -** k8s.io/apimachinery/third_party/forked/golang/reflect; version v0.29.0 -- +** k8s.io/apimachinery/third_party/forked/golang/reflect; version v0.28.1 -- https://github.com/kubernetes/apimachinery Copyright (c) 2009 The Go Authors. All rights reserved. @@ -556,7 +574,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** google.golang.org/protobuf; version v1.32.0 -- +** google.golang.org/protobuf; version v1.31.0 -- https://go.googlesource.com/protobuf Copyright (c) 2018 The Go Authors. All rights reserved. @@ -623,7 +641,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** k8s.io/utils/internal/third_party/forked/golang/net; version v0.0.0-20240102154912-e7106e64919e -- +** k8s.io/utils/internal/third_party/forked/golang/net; version v0.0.0-20230726121419-3b25d923346b -- https://github.com/kubernetes/utils Copyright (c) 2012 The Go Authors. All rights reserved. 
@@ -676,7 +694,7 @@ Copyright (c) 2016 json-iterator https://github.com/uber-go/multierr Copyright (c) 2017-2021 Uber Technologies, Inc. -** go.uber.org/zap; version v1.26.0 -- +** go.uber.org/zap; version v1.25.0 -- https://github.com/uber-go/zap Copyright (c) 2016-2017 Uber Technologies, Inc. 
@@ -699,3 +717,56 @@ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ------ + +** sigs.k8s.io/yaml; version v1.3.0 -- +https://github.com/kubernetes-sigs/yaml +Copyright (c) 2014 Sam Ghods +Copyright (c) 2012 The Go Authors. All rights reserved. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + + + + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + +* Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. +* Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. +* Neither the name of Google Inc. 
nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +------ diff --git a/projects/cert-manager/cert-manager/CERT_MANAGER_CAINJECTOR_ATTRIBUTION.txt b/projects/cert-manager/cert-manager/CERT_MANAGER_CAINJECTOR_ATTRIBUTION.txt index cf5e51058d..9927846daa 100644 --- a/projects/cert-manager/cert-manager/CERT_MANAGER_CAINJECTOR_ATTRIBUTION.txt +++ b/projects/cert-manager/cert-manager/CERT_MANAGER_CAINJECTOR_ATTRIBUTION.txt 
@@ -2,22 +2,22 @@ ** github.com/cert-manager/cert-manager; version v0.0.0-00010101000000-000000000000 -- https://github.com/cert-manager/cert-manager -** github.com/cert-manager/cert-manager/cainjector-binary; version v1.14.2 -- +** github.com/cert-manager/cert-manager/cainjector-binary; version v1.13.2 -- https://github.com/cert-manager/cert-manager/cainjector-binary -** github.com/go-logr/logr; version v1.4.1 -- +** github.com/go-logr/logr; version v1.2.4 -- https://github.com/go-logr/logr -** github.com/go-logr/zapr; version v1.3.0 -- +** github.com/go-logr/zapr; version v1.2.4 -- https://github.com/go-logr/zapr -** github.com/go-openapi/jsonpointer; version v0.20.2 -- +** github.com/go-openapi/jsonpointer; version v0.19.6 -- https://github.com/go-openapi/jsonpointer -** github.com/go-openapi/jsonreference; version v0.20.4 -- +** github.com/go-openapi/jsonreference; version v0.20.2 -- https://github.com/go-openapi/jsonreference -** github.com/go-openapi/swag; version v0.22.7 -- +** github.com/go-openapi/swag; version v0.22.3 -- https://github.com/go-openapi/swag ** github.com/golang/groupcache/lru; version v0.0.0-20210331224755-41bb18bfe9da -- @@ -29,8 +29,8 @@ https://github.com/google/gnostic-models ** github.com/google/gofuzz; version v1.2.0 -- https://github.com/google/gofuzz -** github.com/matttproud/golang_protobuf_extensions/v2/pbutil; version v2.0.0 -- -https://github.com/matttproud/golang_protobuf_extensions/v2 +** github.com/matttproud/golang_protobuf_extensions/pbutil; version v1.0.4 -- +https://github.com/matttproud/golang_protobuf_extensions ** github.com/modern-go/concurrent; version v0.0.0-20180306012644-bacd9c7ef1dd -- https://github.com/modern-go/concurrent 
@@ -38,19 +38,19 @@ https://github.com/modern-go/concurrent ** github.com/modern-go/reflect2; version v1.0.2 -- https://github.com/modern-go/reflect2 -** github.com/prometheus/client_golang/prometheus; version v1.18.0 -- +** github.com/prometheus/client_golang/prometheus; version v1.16.0 -- https://github.com/prometheus/client_golang -** github.com/prometheus/client_model/go; version v0.5.0 -- +** github.com/prometheus/client_model/go; version v0.4.0 -- https://github.com/prometheus/client_model -** github.com/prometheus/common; version v0.45.0 -- +** github.com/prometheus/common; version v0.44.0 -- https://github.com/prometheus/common -** github.com/prometheus/procfs; version v0.12.0 -- +** github.com/prometheus/procfs; version v0.10.1 -- https://github.com/prometheus/procfs -** github.com/spf13/cobra; version v1.8.0 -- +** github.com/spf13/cobra; version v1.7.0 -- https://github.com/spf13/cobra ** gomodules.xyz/jsonpatch/v2; version v2.4.0 -- 
@@ -59,54 +59,48 @@ https://github.com/gomodules/jsonpatch ** gopkg.in/yaml.v2; version v2.4.0 -- https://gopkg.in/yaml.v2 -** k8s.io/api; version v0.29.0 -- +** k8s.io/api; version v0.28.1 -- https://github.com/kubernetes/api -** k8s.io/apiextensions-apiserver/pkg/apis/apiextensions; version v0.29.0 -- +** k8s.io/apiextensions-apiserver/pkg/apis/apiextensions; version v0.28.1 -- https://github.com/kubernetes/apiextensions-apiserver -** k8s.io/apimachinery/pkg; version v0.29.0 -- +** k8s.io/apimachinery/pkg; version v0.28.1 -- https://github.com/kubernetes/apimachinery -** k8s.io/client-go; version v0.29.0 -- +** k8s.io/client-go; version v0.28.1 -- https://github.com/kubernetes/client-go -** k8s.io/component-base; version v0.29.0 -- +** k8s.io/component-base; version v0.28.1 -- https://github.com/kubernetes/component-base -** k8s.io/klog/v2; version v2.110.1 -- +** k8s.io/klog/v2; version v2.100.1 -- https://github.com/kubernetes/klog -** k8s.io/kube-aggregator/pkg/apis/apiregistration; version v0.29.0 -- +** k8s.io/kube-aggregator/pkg/apis/apiregistration; version v0.28.1 -- https://github.com/kubernetes/kube-aggregator -** k8s.io/kube-openapi/pkg; version v0.0.0-20240103051144-eec4567ac022 -- +** k8s.io/kube-openapi/pkg; version v0.0.0-20230905202853-d090da108d2f -- https://github.com/kubernetes/kube-openapi -** k8s.io/kube-openapi/pkg/validation/spec; version v0.0.0-20240103051144-eec4567ac022 -- +** k8s.io/kube-openapi/pkg/validation/spec; version v0.0.0-20230905202853-d090da108d2f -- https://github.com/kubernetes/kube-openapi -** k8s.io/utils; version v0.0.0-20240102154912-e7106e64919e -- +** k8s.io/utils; version v0.0.0-20230726121419-3b25d923346b -- https://github.com/kubernetes/utils -** sigs.k8s.io/controller-runtime; version v0.16.3 -- +** sigs.k8s.io/controller-runtime; version v0.16.1 -- https://github.com/kubernetes-sigs/controller-runtime -** sigs.k8s.io/gateway-api/apis/v1; version v1.0.0 -- +** sigs.k8s.io/gateway-api/apis/v1beta1; version v0.8.0 
-- https://github.com/kubernetes-sigs/gateway-api ** sigs.k8s.io/json; version v0.0.0-20221116044647-bc3834ca7abd -- https://github.com/kubernetes-sigs/json -** sigs.k8s.io/structured-merge-diff/v4; version v4.4.1 -- +** sigs.k8s.io/structured-merge-diff/v4; version v4.3.0 -- https://github.com/kubernetes-sigs/structured-merge-diff -** sigs.k8s.io/yaml; version v1.4.0 -- -https://github.com/kubernetes-sigs/yaml - -** sigs.k8s.io/yaml/goyaml.v2; version v1.4.0 -- -https://github.com/kubernetes-sigs/yaml - Apache License Version 2.0, January 2004 @@ -311,7 +305,7 @@ https://github.com/kubernetes-sigs/yaml limitations under the License. -* For github.com/matttproud/golang_protobuf_extensions/v2/pbutil see also this required NOTICE: +* For github.com/matttproud/golang_protobuf_extensions/pbutil see also this required NOTICE: Copyright 2012 Matt T. Proud (matt.proud@gmail.com) @@ -382,22 +376,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. - -* For sigs.k8s.io/yaml/goyaml.v2 see also this required NOTICE: -Copyright 2011-2016 Canonical Ltd. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. - ------ ** github.com/pkg/errors; version v0.9.1 -- 
@@ -429,7 +407,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/evanphx/json-patch/v5; version v5.7.0 -- +** github.com/evanphx/json-patch/v5; version v5.6.0 -- https://github.com/evanphx/json-patch/v5 Copyright (c) 2014, Evan Phoenix @@ -460,7 +438,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/fsnotify/fsnotify; version v1.7.0 -- +** github.com/fsnotify/fsnotify; version v1.6.0 -- https://github.com/fsnotify/fsnotify Copyright © 2012 The Go Authors. All rights reserved. @@ -566,7 +544,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/google/go-cmp/cmp; version v0.6.0 -- +** github.com/google/go-cmp/cmp; version v0.5.9 -- https://github.com/google/go-cmp Copyright (c) 2017 The Go Authors. All rights reserved. @@ -599,7 +577,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/google/uuid; version v1.5.0 -- +** github.com/google/uuid; version v1.3.1 -- https://github.com/google/uuid Copyright (c) 2009,2014 Google Inc. All rights reserved. @@ -632,7 +610,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/imdario/mergo; version v0.3.16 -- +** github.com/imdario/mergo; version v0.3.13 -- https://github.com/darccio/mergo Copyright (c) 2013 Dario Castañé. All rights reserved. @@ -703,7 +681,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg; version v0.45.0 -- +** github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg; version v0.44.0 -- https://github.com/prometheus/common Copyright (c) 2011, Open Knowledge Foundation Ltd. 
@@ -773,31 +751,34 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** golang.org/go; version go1.21.6 -- +** golang.org/go; version go1.20.13 -- https://github.com/golang/go -** golang.org/x/exp/maps; version v0.0.0-20231226003508-02704c960a9b -- +** golang.org/x/exp; version v0.0.0-20230905200255-921286631fa9 -- https://golang.org/x/exp -** golang.org/x/net; version v0.19.0 -- +** golang.org/x/net; version v0.17.0 -- https://golang.org/x/net -** golang.org/x/oauth2; version v0.15.0 -- +** golang.org/x/oauth2; version v0.12.0 -- https://golang.org/x/oauth2 -** golang.org/x/sys/unix; version v0.15.0 -- +** golang.org/x/sync/errgroup; version v0.3.0 -- +https://golang.org/x/sync + +** golang.org/x/sys/unix; version v0.13.0 -- https://golang.org/x/sys -** golang.org/x/term; version v0.15.0 -- +** golang.org/x/term; version v0.13.0 -- https://golang.org/x/term -** golang.org/x/text; version v0.14.0 -- +** golang.org/x/text; version v0.13.0 -- https://golang.org/x/text -** golang.org/x/time/rate; version v0.5.0 -- +** golang.org/x/time/rate; version v0.3.0 -- https://golang.org/x/time -** k8s.io/apimachinery/third_party/forked/golang; version v0.29.0 -- +** k8s.io/apimachinery/third_party/forked/golang; version v0.28.1 -- https://github.com/kubernetes/apimachinery Copyright (c) 2009 The Go Authors. All rights reserved. @@ -830,7 +811,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** google.golang.org/protobuf; version v1.32.0 -- +** google.golang.org/protobuf; version v1.31.0 -- https://go.googlesource.com/protobuf Copyright (c) 2018 The Go Authors. All rights reserved. 
@@ -897,7 +878,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json; version v0.0.0-20240103051144-eec4567ac022 -- +** k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json; version v0.0.0-20230905202853-d090da108d2f -- https://github.com/kubernetes/kube-openapi Copyright (c) 2020 The Go Authors. All rights reserved. @@ -930,7 +911,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** k8s.io/utils/internal/third_party/forked/golang/net; version v0.0.0-20240102154912-e7106e64919e -- +** k8s.io/utils/internal/third_party/forked/golang/net; version v0.0.0-20230726121419-3b25d923346b -- https://github.com/kubernetes/utils Copyright (c) 2012 The Go Authors. All rights reserved. @@ -1016,7 +997,7 @@ Copyright (c) 2016 Mail.Ru Group https://github.com/uber-go/multierr Copyright (c) 2017-2021 Uber Technologies, Inc. -** go.uber.org/zap; version v1.26.0 -- +** go.uber.org/zap; version v1.25.0 -- https://github.com/uber-go/zap Copyright (c) 2016-2017 Uber Technologies, Inc. 
@@ -1112,3 +1093,56 @@ See the License for the specific language governing permissions and limitations under the License. ------ + +** sigs.k8s.io/yaml; version v1.3.0 -- +https://github.com/kubernetes-sigs/yaml +Copyright (c) 2014 Sam Ghods +Copyright (c) 2012 The Go Authors. All rights reserved. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + + + + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + +* Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. +* Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. +* Neither the name of Google Inc. 
nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +------ diff --git a/projects/cert-manager/cert-manager/CERT_MANAGER_CONTROLLER_ATTRIBUTION.txt b/projects/cert-manager/cert-manager/CERT_MANAGER_CONTROLLER_ATTRIBUTION.txt index 8dc0f64808..ce08fb5f06 100644 --- a/projects/cert-manager/cert-manager/CERT_MANAGER_CONTROLLER_ATTRIBUTION.txt +++ b/projects/cert-manager/cert-manager/CERT_MANAGER_CONTROLLER_ATTRIBUTION.txt 
@@ -5,13 +5,34 @@ https://github.com/googleapis/google-cloud-go ** github.com/akamai/AkamaiOPEN-edgegrid-golang; version v1.2.2 -- https://github.com/akamai/AkamaiOPEN-edgegrid-golang -** github.com/aws/aws-sdk-go; version v1.49.13 -- +** github.com/aws/aws-sdk-go; version v1.45.7 -- https://github.com/aws/aws-sdk-go +** github.com/Azure/go-autorest/autorest; version v0.11.29 -- +https://github.com/Azure/go-autorest/autorest + +** github.com/Azure/go-autorest/autorest/adal; version v0.9.23 -- +https://github.com/Azure/go-autorest/autorest/adal + +** github.com/Azure/go-autorest/autorest/date; version v0.3.0 -- +https://github.com/Azure/go-autorest/autorest/date + +** github.com/Azure/go-autorest/autorest/to; version v0.4.0 -- +https://github.com/Azure/go-autorest/autorest/to + +** github.com/Azure/go-autorest/autorest/validation; version v0.3.1 -- +https://github.com/Azure/go-autorest/autorest/validation + +** github.com/Azure/go-autorest/logger; version v0.2.1 -- +https://github.com/Azure/go-autorest/logger + +** github.com/Azure/go-autorest/tracing; version v0.6.0 -- +https://github.com/Azure/go-autorest/tracing + ** github.com/cert-manager/cert-manager; version v0.0.0-00010101000000-000000000000 -- https://github.com/cert-manager/cert-manager -** github.com/cert-manager/cert-manager/controller-binary; version v1.14.2 -- +** github.com/cert-manager/cert-manager/controller-binary; version v1.13.2 -- https://github.com/cert-manager/cert-manager/controller-binary ** github.com/coreos/go-semver/semver; version v0.3.1 -- 
@@ -20,25 +41,25 @@ https://github.com/coreos/go-semver ** github.com/coreos/go-systemd/v22/journal; version v22.5.0 -- https://github.com/coreos/go-systemd/v22 -** github.com/go-jose/go-jose/v3; version v3.0.1 -- +** github.com/go-jose/go-jose/v3; version v3.0.0 -- https://github.com/go-jose/go-jose/v3 -** github.com/go-logr/logr; version v1.4.1 -- +** github.com/go-logr/logr; version v1.2.4 -- https://github.com/go-logr/logr ** github.com/go-logr/stdr; version v1.2.2 -- https://github.com/go-logr/stdr -** github.com/go-logr/zapr; version v1.3.0 -- +** github.com/go-logr/zapr; version v1.2.4 -- https://github.com/go-logr/zapr -** github.com/go-openapi/jsonpointer; version v0.20.2 -- +** github.com/go-openapi/jsonpointer; version v0.19.6 -- https://github.com/go-openapi/jsonpointer -** github.com/go-openapi/jsonreference; version v0.20.4 -- +** github.com/go-openapi/jsonreference; version v0.20.2 -- https://github.com/go-openapi/jsonreference -** github.com/go-openapi/swag; version v0.22.7 -- +** github.com/go-openapi/swag; version v0.22.3 -- https://github.com/go-openapi/swag ** github.com/golang/groupcache/lru; version v0.0.0-20210331224755-41bb18bfe9da -- @@ -53,7 +74,7 @@ https://github.com/google/gofuzz ** github.com/google/s2a-go; version v0.1.7 -- https://github.com/google/s2a-go -** github.com/googleapis/enterprise-certificate-proxy/client; version v0.3.2 -- +** github.com/googleapis/enterprise-certificate-proxy/client; version v0.2.5 -- https://github.com/googleapis/enterprise-certificate-proxy ** github.com/grpc-ecosystem/go-grpc-prometheus; version v1.2.0 -- 
@@ -62,11 +83,8 @@ https://github.com/grpc-ecosystem/go-grpc-prometheus ** github.com/jmespath/go-jmespath; version v0.4.1-0.20220621161143-b0104c826a24 -- https://github.com/jmespath/go-jmespath -** github.com/kylelemons/godebug; version v1.1.0 -- -https://github.com/kylelemons/godebug - -** github.com/matttproud/golang_protobuf_extensions/v2/pbutil; version v2.0.0 -- -https://github.com/matttproud/golang_protobuf_extensions/v2 +** github.com/matttproud/golang_protobuf_extensions/pbutil; version v1.0.4 -- +https://github.com/matttproud/golang_protobuf_extensions ** github.com/modern-go/concurrent; version v0.0.0-20180306012644-bacd9c7ef1dd -- https://github.com/modern-go/concurrent 
@@ -74,126 +92,123 @@ https://github.com/modern-go/concurrent ** github.com/modern-go/reflect2; version v1.0.2 -- https://github.com/modern-go/reflect2 -** github.com/prometheus/client_golang/prometheus; version v1.18.0 -- +** github.com/prometheus/client_golang/prometheus; version v1.16.0 -- https://github.com/prometheus/client_golang -** github.com/prometheus/client_model/go; version v0.5.0 -- +** github.com/prometheus/client_model/go; version v0.4.0 -- https://github.com/prometheus/client_model -** github.com/prometheus/common; version v0.45.0 -- +** github.com/prometheus/common; version v0.44.0 -- https://github.com/prometheus/common -** github.com/prometheus/procfs; version v0.12.0 -- +** github.com/prometheus/procfs; version v0.10.1 -- https://github.com/prometheus/procfs -** github.com/spf13/cobra; version v1.8.0 -- +** github.com/spf13/cobra; version v1.7.0 -- https://github.com/spf13/cobra -** github.com/Venafi/vcert/v5; version v5.3.0 -- -https://github.com/Venafi/vcert/v5 +** github.com/Venafi/vcert/v4; version v4.24.1-0.20230703183014-69f417ae176d -- +https://github.com/Venafi/vcert/v4 -** go.etcd.io/etcd/api/v3; version v3.5.11 -- +** go.etcd.io/etcd/api/v3; version v3.5.9 -- https://github.com/etcd-io/etcd -** go.etcd.io/etcd/client/pkg/v3; version v3.5.11 -- +** go.etcd.io/etcd/client/pkg/v3; version v3.5.9 -- https://github.com/etcd-io/etcd -** go.etcd.io/etcd/client/v3; version v3.5.11 -- +** go.etcd.io/etcd/client/v3; version v3.5.9 -- https://github.com/etcd-io/etcd ** go.opencensus.io; version v0.24.0 -- https://github.com/census-instrumentation/opencensus-go -** go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc; version v0.46.1 -- +** go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc; version v0.45.0 -- https://github.com/open-telemetry/opentelemetry-go-contrib -** go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp; version v0.46.1 -- +** 
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp; version v0.44.0 -- https://github.com/open-telemetry/opentelemetry-go-contrib -** go.opentelemetry.io/otel; version v1.21.0 -- +** go.opentelemetry.io/otel; version v1.19.0 -- https://github.com/open-telemetry/opentelemetry-go -** go.opentelemetry.io/otel/exporters/otlp/otlptrace; version v1.21.0 -- +** go.opentelemetry.io/otel/exporters/otlp/otlptrace; version v1.19.0 -- https://github.com/open-telemetry/opentelemetry-go -** go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc; version v1.21.0 -- +** go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc; version v1.19.0 -- https://github.com/open-telemetry/opentelemetry-go -** go.opentelemetry.io/otel/metric; version v1.21.0 -- +** go.opentelemetry.io/otel/metric; version v1.19.0 -- https://github.com/open-telemetry/opentelemetry-go -** go.opentelemetry.io/otel/sdk; version v1.21.0 -- +** go.opentelemetry.io/otel/sdk; version v1.19.0 -- https://github.com/open-telemetry/opentelemetry-go -** go.opentelemetry.io/otel/trace; version v1.21.0 -- +** go.opentelemetry.io/otel/trace; version v1.19.0 -- https://github.com/open-telemetry/opentelemetry-go ** go.opentelemetry.io/proto/otlp; version v1.0.0 -- https://github.com/open-telemetry/opentelemetry-proto-go -** google.golang.org/genproto/googleapis/api; version v0.0.0-20240102182953-50ed04b92917 -- +** google.golang.org/genproto/googleapis/api; version v0.0.0-20230803162519-f966b187b2e5 -- https://github.com/googleapis/go-genproto -** google.golang.org/genproto/googleapis/rpc; version v0.0.0-20240102182953-50ed04b92917 -- +** google.golang.org/genproto/googleapis/rpc; version v0.0.0-20230911183012-2d3300fd4832 -- https://github.com/googleapis/go-genproto -** google.golang.org/grpc; version v1.60.1 -- +** google.golang.org/grpc; version v1.58.3 -- https://github.com/grpc/grpc-go -** gopkg.in/ini.v1; version v1.67.0 -- +** gopkg.in/ini.v1; version v1.62.0 -- https://gopkg.in/ini.v1 ** 
gopkg.in/yaml.v2; version v2.4.0 -- https://gopkg.in/yaml.v2 -** k8s.io/api; version v0.29.0 -- +** k8s.io/api; version v0.28.1 -- https://github.com/kubernetes/api -** k8s.io/apiextensions-apiserver/pkg/apis/apiextensions; version v0.29.0 -- +** k8s.io/apiextensions-apiserver/pkg/apis/apiextensions; version v0.28.1 -- https://github.com/kubernetes/apiextensions-apiserver -** k8s.io/apimachinery/pkg; version v0.29.0 -- +** k8s.io/apimachinery/pkg; version v0.28.1 -- https://github.com/kubernetes/apimachinery -** k8s.io/apiserver/pkg; version v0.29.0 -- +** k8s.io/apiserver/pkg; version v0.28.1 -- https://github.com/kubernetes/apiserver -** k8s.io/client-go; version v0.29.0 -- +** k8s.io/client-go; version v0.28.1 -- https://github.com/kubernetes/client-go -** k8s.io/component-base; version v0.29.0 -- +** k8s.io/component-base; version v0.28.1 -- https://github.com/kubernetes/component-base -** k8s.io/klog/v2; version v2.110.1 -- +** k8s.io/klog/v2; version v2.100.1 -- https://github.com/kubernetes/klog -** k8s.io/kube-openapi/pkg; version v0.0.0-20240103051144-eec4567ac022 -- +** k8s.io/kube-aggregator/pkg/apis/apiregistration; version v0.28.1 -- +https://github.com/kubernetes/kube-aggregator + +** k8s.io/kube-openapi/pkg; version v0.0.0-20230905202853-d090da108d2f -- https://github.com/kubernetes/kube-openapi -** k8s.io/kube-openapi/pkg/validation/spec; version v0.0.0-20240103051144-eec4567ac022 -- +** k8s.io/kube-openapi/pkg/validation/spec; version v0.0.0-20230905202853-d090da108d2f -- https://github.com/kubernetes/kube-openapi -** k8s.io/utils; version v0.0.0-20240102154912-e7106e64919e -- +** k8s.io/utils; version v0.0.0-20230726121419-3b25d923346b -- https://github.com/kubernetes/utils -** sigs.k8s.io/apiserver-network-proxy/konnectivity-client; version v0.29.0 -- +** sigs.k8s.io/apiserver-network-proxy/konnectivity-client; version v0.1.2 -- https://github.com/kubernetes-sigs/apiserver-network-proxy -** sigs.k8s.io/gateway-api; version v1.0.0 -- +** 
sigs.k8s.io/gateway-api; version v0.8.0 -- https://github.com/kubernetes-sigs/gateway-api ** sigs.k8s.io/json; version v0.0.0-20221116044647-bc3834ca7abd -- https://github.com/kubernetes-sigs/json -** sigs.k8s.io/structured-merge-diff/v4; version v4.4.1 -- +** sigs.k8s.io/structured-merge-diff/v4; version v4.3.0 -- https://github.com/kubernetes-sigs/structured-merge-diff -** sigs.k8s.io/yaml; version v1.4.0 -- -https://github.com/kubernetes-sigs/yaml - -** sigs.k8s.io/yaml/goyaml.v2; version v1.4.0 -- -https://github.com/kubernetes-sigs/yaml - Apache License Version 2.0, January 2004 @@ -419,7 +434,7 @@ go-jmespath Copyright 2015 James Saryerwinnie -* For github.com/matttproud/golang_protobuf_extensions/v2/pbutil see also this required NOTICE: +* For github.com/matttproud/golang_protobuf_extensions/pbutil see also this required NOTICE: Copyright 2012 Matt T. Proud (matt.proud@gmail.com) 
@@ -490,51 +505,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. - -* For sigs.k8s.io/yaml/goyaml.v2 see also this required NOTICE: -Copyright 2011-2016 Canonical Ltd. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. - ------- - -** github.com/pkg/browser; version v0.0.0-20210911075715-681adbf594b8 -- -https://github.com/pkg/browser - -Copyright (c) 2014, Dave Cheney -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - -* Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - -* Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - ------ ** github.com/pkg/errors; version v0.9.1 -- 
@@ -566,37 +536,40 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/aws/aws-sdk-go/internal/sync/singleflight; version v1.49.13 -- +** github.com/aws/aws-sdk-go/internal/sync/singleflight; version v1.45.7 -- https://github.com/aws/aws-sdk-go -** golang.org/go; version go1.21.6 -- +** golang.org/go; version go1.20.13 -- https://github.com/golang/go -** golang.org/x/crypto; version v0.17.0 -- +** golang.org/x/crypto; version v0.14.0 -- https://golang.org/x/crypto -** golang.org/x/net; version v0.19.0 -- +** golang.org/x/exp; version v0.0.0-20230905200255-921286631fa9 -- +https://golang.org/x/exp + +** golang.org/x/net; version v0.17.0 -- https://golang.org/x/net -** golang.org/x/oauth2; version v0.15.0 -- +** golang.org/x/oauth2; version v0.12.0 -- https://golang.org/x/oauth2 -** golang.org/x/sync/errgroup; version v0.5.0 -- +** golang.org/x/sync/errgroup; version v0.3.0 -- https://golang.org/x/sync -** golang.org/x/sys; version v0.15.0 -- +** golang.org/x/sys; version v0.13.0 -- https://golang.org/x/sys -** golang.org/x/term; version v0.15.0 -- +** golang.org/x/term; version v0.13.0 -- https://golang.org/x/term -** golang.org/x/text; version v0.14.0 -- +** golang.org/x/text; version v0.13.0 -- https://golang.org/x/text -** golang.org/x/time/rate; version v0.5.0 -- +** golang.org/x/time/rate; version v0.3.0 -- https://golang.org/x/time -** k8s.io/apimachinery/third_party/forked/golang; version v0.29.0 -- +** k8s.io/apimachinery/third_party/forked/golang; version v0.28.1 -- https://github.com/kubernetes/apimachinery Copyright (c) 2009 The Go Authors. All rights reserved. 
@@ -629,10 +602,10 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/go-jose/go-jose/v3/json; version v3.0.1 -- +** github.com/go-jose/go-jose/v3/json; version v3.0.0 -- https://github.com/go-jose/go-jose/v3 -** k8s.io/utils/internal/third_party/forked/golang/net; version v0.0.0-20240102154912-e7106e64919e -- +** k8s.io/utils/internal/third_party/forked/golang/net; version v0.0.0-20230726121419-3b25d923346b -- https://github.com/kubernetes/utils Copyright (c) 2012 The Go Authors. All rights reserved. @@ -773,7 +746,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/google/go-cmp/cmp; version v0.6.0 -- +** github.com/google/go-cmp/cmp; version v0.5.9 -- https://github.com/google/go-cmp Copyright (c) 2017 The Go Authors. All rights reserved. @@ -839,7 +812,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/google/uuid; version v1.5.0 -- +** github.com/google/uuid; version v1.3.1 -- https://github.com/google/uuid Copyright (c) 2009,2014 Google Inc. All rights reserved. @@ -905,7 +878,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/grpc-ecosystem/grpc-gateway/v2; version v2.18.1 -- +** github.com/grpc-ecosystem/grpc-gateway/v2; version v2.16.0 -- https://github.com/grpc-ecosystem/grpc-gateway/v2 Copyright (c) 2015, Gengo, Inc. @@ -938,7 +911,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/imdario/mergo; version v0.3.16 -- +** github.com/imdario/mergo; version v0.3.13 -- https://github.com/darccio/mergo Copyright (c) 2013 Dario Castañé. All rights reserved. @@ -972,7 +945,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/miekg/dns; version v1.1.57 -- +** github.com/miekg/dns; version v1.1.55 -- https://github.com/miekg/dns BSD 3-Clause License 
@@ -1078,7 +1051,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg; version v0.45.0 -- +** github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg; version v0.44.0 -- https://github.com/prometheus/common Copyright (c) 2011, Open Knowledge Foundation Ltd. @@ -1114,10 +1087,10 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/rogpeppe/go-internal/fmtsort; version v1.12.0 -- +** github.com/rogpeppe/go-internal/fmtsort; version v1.11.0 -- https://github.com/rogpeppe/go-internal -** google.golang.org/protobuf; version v1.32.0 -- +** google.golang.org/protobuf; version v1.31.0 -- https://go.googlesource.com/protobuf Copyright (c) 2018 The Go Authors. All rights reserved. @@ -1184,7 +1157,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** google.golang.org/api; version v0.154.0 -- +** google.golang.org/api; version v0.140.0 -- https://github.com/googleapis/google-api-go-client Copyright (c) 2011 Google Inc. All rights reserved. @@ -1217,7 +1190,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** google.golang.org/api/internal/third_party/uritemplates; version v0.154.0 -- +** google.golang.org/api/internal/third_party/uritemplates; version v0.140.0 -- https://github.com/googleapis/google-api-go-client Copyright (c) 2013 Joshua Tacoma. All rights reserved. @@ -1284,7 +1257,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json; version v0.0.0-20240103051144-eec4567ac022 -- +** k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json; version v0.0.0-20230905202853-d090da108d2f -- https://github.com/kubernetes/kube-openapi Copyright (c) 2020 The Go Authors. All rights reserved. 
@@ -1317,7 +1290,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** software.sslmate.com/src/go-pkcs12; version v0.4.0 -- +** software.sslmate.com/src/go-pkcs12; version v0.2.1 -- https://software.sslmate.com/src/go-pkcs12 Copyright (c) 2015, 2018, 2019 Opsmate, Inc. All rights reserved. 
@@ -1372,41 +1345,10 @@ OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ------ -** github.com/Azure/azure-sdk-for-go/sdk/azcore; version v1.9.1 -- -https://github.com/Azure/azure-sdk-for-go/sdk/azcore +** github.com/Azure/azure-sdk-for-go; version v68.0.0+incompatible -- +https://github.com/Azure/azure-sdk-for-go Copyright (c) Microsoft Corporation. -** github.com/Azure/azure-sdk-for-go/sdk/azidentity; version v1.4.0 -- -https://github.com/Azure/azure-sdk-for-go/sdk/azidentity -Copyright (c) Microsoft Corporation. - -** github.com/Azure/azure-sdk-for-go/sdk/internal; version v1.5.1 -- -https://github.com/Azure/azure-sdk-for-go/sdk/internal -Copyright (c) Microsoft Corporation. - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE ------- - -** github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns; version v1.2.0 -- -https://github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns -Copyright (c) Microsoft Corporation. All rights reserved. 
- ** github.com/Azure/go-ntlmssp; version v0.0.0-20221128193559-754e69321358 -- https://github.com/Azure/go-ntlmssp Copyright (c) 2016 Microsoft @@ -1459,12 +1401,12 @@ Copyright (c) 2018 Daniel McCarney https://github.com/emicklei/go-restful/v3 Copyright (c) 2012,2013 Ernest Micklei -** github.com/felixge/httpsnoop; version v1.0.4 -- +** github.com/felixge/httpsnoop; version v1.0.3 -- https://github.com/felixge/httpsnoop Copyright (c) 2016 Felix Geisendörfer (felix@debuggable.com) -** github.com/golang-jwt/jwt/v5; version v5.0.0 -- -https://github.com/golang-jwt/jwt/v5 +** github.com/golang-jwt/jwt/v4; version v4.5.0 -- +https://github.com/golang-jwt/jwt/v4 Copyright (c) 2012 Dave Grijalva Copyright (c) 2021 golang-jwt maintainers @@ -1504,10 +1446,6 @@ Copyright (c) 2014 Ryan Uber https://github.com/sirupsen/logrus Copyright (c) 2014 Simon Eskildsen -** github.com/sosodev/duration; version v1.2.0 -- -https://github.com/sosodev/duration -Copyright (c) 2022 Kyle McGough - ** github.com/youmark/pkcs8; version v0.0.0-20201027041543-1326539a0a0a -- https://github.com/youmark/pkcs8 Copyright (c) 2014 youmark @@ -1516,7 +1454,7 @@ Copyright (c) 2014 youmark https://github.com/uber-go/multierr Copyright (c) 2017-2021 Uber Technologies, Inc. -** go.uber.org/zap; version v1.26.0 -- +** go.uber.org/zap; version v1.25.0 -- https://github.com/uber-go/zap Copyright (c) 2016-2017 Uber Technologies, Inc. 
@@ -1539,34 +1477,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ------ -** github.com/AzureAD/microsoft-authentication-library-for-go/apps; version v1.1.1 -- -https://github.com/AzureAD/microsoft-authentication-library-for-go -Copyright (c) Microsoft Corporation. - -MIT License - - - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE ------- - -** github.com/digitalocean/godo; version v1.107.0 -- +** github.com/digitalocean/godo; version v1.102.1 -- https://github.com/digitalocean/godo Copyright (c) 2014-2016 The godo AUTHORS. All rights reserved. Copyright (c) 2013 The go-github AUTHORS. All rights reserved. 
@@ -1623,7 +1534,7 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/go-asn1-ber/asn1-ber; version v1.5.5 -- +** github.com/go-asn1-ber/asn1-ber; version v1.5.4 -- https://github.com/go-asn1-ber/asn1-ber Copyright (c) 2011-2015 Michael Mitton (mmitton@gmail.com) @@ -1648,7 +1559,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ------ -** github.com/go-ldap/ldap/v3; version v3.4.6 -- +** github.com/go-ldap/ldap/v3; version v3.4.5 -- https://github.com/go-ldap/ldap/v3 Copyright (c) 2011-2015 Michael Mitton (mmitton@gmail.com) 
@@ -1773,6 +1684,59 @@ limitations under the License. ------ +** sigs.k8s.io/yaml; version v1.3.0 -- +https://github.com/kubernetes-sigs/yaml +Copyright (c) 2014 Sam Ghods +Copyright (c) 2012 The Go Authors. All rights reserved. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + + + + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + +* Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. +* Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. +* Neither the name of Google Inc. nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. 
+ +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +------ + ** github.com/hashicorp/errwrap; version v1.1.0 -- https://github.com/hashicorp/errwrap @@ -2154,6 +2118,12 @@ https://github.com/hashicorp/go-rootcerts * Package github.com/hashicorp/go-rootcerts's source code may be found at: https://github.com/hashicorp/go-rootcerts/tree/v1.0.2 +** github.com/hashicorp/go-secure-stdlib/parseutil; version v0.1.7 -- +https://github.com/hashicorp/go-secure-stdlib/parseutil + + * Package github.com/hashicorp/go-secure-stdlib/parseutil's source code may be found at: + https://github.com/hashicorp/go-secure-stdlib/parseutil/tree/v0.1.7 + ** github.com/hashicorp/go-secure-stdlib/strutil; version v0.1.2 -- https://github.com/hashicorp/go-secure-stdlib/strutil 
@@ -2888,11 +2858,11 @@ Exhibit B - “Incompatible With Secondary Licenses” Notice ------ -** github.com/hashicorp/go-retryablehttp; version v0.7.5 -- +** github.com/hashicorp/go-retryablehttp; version v0.7.4 -- https://github.com/hashicorp/go-retryablehttp * Package github.com/hashicorp/go-retryablehttp's source code may be found at: - https://github.com/hashicorp/go-retryablehttp/tree/v0.7.5 + https://github.com/hashicorp/go-retryablehttp/tree/v0.7.4 ** github.com/hashicorp/vault/api; version v1.10.0 -- https://github.com/hashicorp/vault/api @@ -2900,11 +2870,11 @@ https://github.com/hashicorp/vault/api * Package github.com/hashicorp/vault/api's source code may be found at: https://github.com/hashicorp/vault/api/tree/v1.10.0 -** github.com/hashicorp/vault/sdk/helper; version v0.10.2 -- +** github.com/hashicorp/vault/sdk/helper; version v0.10.0 -- https://github.com/hashicorp/vault/sdk * Package github.com/hashicorp/vault/sdk/helper's source code may be found at: - https://github.com/hashicorp/vault/sdk/tree/v0.10.2 + https://github.com/hashicorp/vault/sdk/tree/v0.10.0 Copyright (c) 2015 HashiCorp, Inc. 
@@ -3274,387 +3244,11 @@ Exhibit B - "Incompatible With Secondary Licenses" Notice ------ -** github.com/hashicorp/go-secure-stdlib/parseutil; version v0.1.8 -- -https://github.com/hashicorp/go-secure-stdlib/parseutil - - * Package github.com/hashicorp/go-secure-stdlib/parseutil's source code may be found at: - https://github.com/hashicorp/go-secure-stdlib/parseutil/tree/v0.1.8 - -Copyright (c) 2020 HashiCorp, Inc. - -Mozilla Public License, version 2.0 - -1. Definitions - -1.1. "Contributor" - - means each individual or legal entity that creates, contributes to the - creation of, or owns Covered Software. - -1.2. "Contributor Version" - - means the combination of the Contributions of others (if any) used by a - Contributor and that particular Contributor's Contribution. - -1.3. "Contribution" - - means Covered Software of a particular Contributor. - -1.4. "Covered Software" - - means Source Code Form to which the initial Contributor has attached the - notice in Exhibit A, the Executable Form of such Source Code Form, and - Modifications of such Source Code Form, in each case including portions - thereof. - -1.5. "Incompatible With Secondary Licenses" - means - - a. that the initial Contributor has attached the notice described in - Exhibit B to the Covered Software; or - - b. that the Covered Software was made available under the terms of - version 1.1 or earlier of the License, but not also under the terms of - a Secondary License. - -1.6. "Executable Form" - - means any form of the work other than Source Code Form. - -1.7. "Larger Work" - - means a work that combines Covered Software with other material, in a - separate file or files, that is not Covered Software. - -1.8. "License" - - means this document. - -1.9. "Licensable" - - means having the right to grant, to the maximum extent possible, whether - at the time of the initial grant or subsequently, any and all of the - rights conveyed by this License. - -1.10. 
"Modifications" - - means any of the following: - - a. any file in Source Code Form that results from an addition to, - deletion from, or modification of the contents of Covered Software; or - - b. any new file in Source Code Form that contains any Covered Software. - -1.11. "Patent Claims" of a Contributor - - means any patent claim(s), including without limitation, method, - process, and apparatus claims, in any patent Licensable by such - Contributor that would be infringed, but for the grant of the License, - by the making, using, selling, offering for sale, having made, import, - or transfer of either its Contributions or its Contributor Version. - -1.12. "Secondary License" - - means either the GNU General Public License, Version 2.0, the GNU Lesser - General Public License, Version 2.1, the GNU Affero General Public - License, Version 3.0, or any later versions of those licenses. - -1.13. "Source Code Form" - - means the form of the work preferred for making modifications. - -1.14. "You" (or "Your") - - means an individual or a legal entity exercising rights under this - License. For legal entities, "You" includes any entity that controls, is - controlled by, or is under common control with You. For purposes of this - definition, "control" means (a) the power, direct or indirect, to cause - the direction or management of such entity, whether by contract or - otherwise, or (b) ownership of more than fifty percent (50%) of the - outstanding shares or beneficial ownership of such entity. - - -2. License Grants and Conditions - -2.1. Grants - - Each Contributor hereby grants You a world-wide, royalty-free, - non-exclusive license: - - a. under intellectual property rights (other than patent or trademark) - Licensable by such Contributor to use, reproduce, make available, - modify, display, perform, distribute, and otherwise exploit its - Contributions, either on an unmodified basis, with Modifications, or - as part of a Larger Work; and - - b. 
under Patent Claims of such Contributor to make, use, sell, offer for - sale, have made, import, and otherwise transfer either its - Contributions or its Contributor Version. - -2.2. Effective Date - - The licenses granted in Section 2.1 with respect to any Contribution - become effective for each Contribution on the date the Contributor first - distributes such Contribution. - -2.3. Limitations on Grant Scope - - The licenses granted in this Section 2 are the only rights granted under - this License. No additional rights or licenses will be implied from the - distribution or licensing of Covered Software under this License. - Notwithstanding Section 2.1(b) above, no patent license is granted by a - Contributor: - - a. for any code that a Contributor has removed from Covered Software; or - - b. for infringements caused by: (i) Your and any other third party's - modifications of Covered Software, or (ii) the combination of its - Contributions with other software (except as part of its Contributor - Version); or - - c. under Patent Claims infringed by Covered Software in the absence of - its Contributions. - - This License does not grant any rights in the trademarks, service marks, - or logos of any Contributor (except as may be necessary to comply with - the notice requirements in Section 3.4). - -2.4. Subsequent Licenses - - No Contributor makes additional grants as a result of Your choice to - distribute the Covered Software under a subsequent version of this - License (see Section 10.2) or under the terms of a Secondary License (if - permitted under the terms of Section 3.3). - -2.5. Representation - - Each Contributor represents that the Contributor believes its - Contributions are its original creation(s) or it has sufficient rights to - grant the rights to its Contributions conveyed by this License. - -2.6. 
Fair Use - - This License is not intended to limit any rights You have under - applicable copyright doctrines of fair use, fair dealing, or other - equivalents. - -2.7. Conditions - - Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in - Section 2.1. - - -3. Responsibilities - -3.1. Distribution of Source Form - - All distribution of Covered Software in Source Code Form, including any - Modifications that You create or to which You contribute, must be under - the terms of this License. You must inform recipients that the Source - Code Form of the Covered Software is governed by the terms of this - License, and how they can obtain a copy of this License. You may not - attempt to alter or restrict the recipients' rights in the Source Code - Form. - -3.2. Distribution of Executable Form - - If You distribute Covered Software in Executable Form then: - - a. such Covered Software must also be made available in Source Code Form, - as described in Section 3.1, and You must inform recipients of the - Executable Form how they can obtain a copy of such Source Code Form by - reasonable means in a timely manner, at a charge no more than the cost - of distribution to the recipient; and - - b. You may distribute such Executable Form under the terms of this - License, or sublicense it under different terms, provided that the - license for the Executable Form does not attempt to limit or alter the - recipients' rights in the Source Code Form under this License. - -3.3. Distribution of a Larger Work - - You may create and distribute a Larger Work under terms of Your choice, - provided that You also comply with the requirements of this License for - the Covered Software. 
If the Larger Work is a combination of Covered - Software with a work governed by one or more Secondary Licenses, and the - Covered Software is not Incompatible With Secondary Licenses, this - License permits You to additionally distribute such Covered Software - under the terms of such Secondary License(s), so that the recipient of - the Larger Work may, at their option, further distribute the Covered - Software under the terms of either this License or such Secondary - License(s). - -3.4. Notices - - You may not remove or alter the substance of any license notices - (including copyright notices, patent notices, disclaimers of warranty, or - limitations of liability) contained within the Source Code Form of the - Covered Software, except that You may alter any license notices to the - extent required to remedy known factual inaccuracies. - -3.5. Application of Additional Terms - - You may choose to offer, and to charge a fee for, warranty, support, - indemnity or liability obligations to one or more recipients of Covered - Software. However, You may do so only on Your own behalf, and not on - behalf of any Contributor. You must make it absolutely clear that any - such warranty, support, indemnity, or liability obligation is offered by - You alone, and You hereby agree to indemnify every Contributor for any - liability incurred by such Contributor as a result of warranty, support, - indemnity or liability terms You offer. You may include additional - disclaimers of warranty and limitations of liability specific to any - jurisdiction. - -4. Inability to Comply Due to Statute or Regulation - - If it is impossible for You to comply with any of the terms of this License - with respect to some or all of the Covered Software due to statute, - judicial order, or regulation then You must: (a) comply with the terms of - this License to the maximum extent possible; and (b) describe the - limitations and the code they affect. 
Such description must be placed in a - text file included with all distributions of the Covered Software under - this License. Except to the extent prohibited by statute or regulation, - such description must be sufficiently detailed for a recipient of ordinary - skill to be able to understand it. - -5. Termination - -5.1. The rights granted under this License will terminate automatically if You - fail to comply with any of its terms. However, if You become compliant, - then the rights granted under this License from a particular Contributor - are reinstated (a) provisionally, unless and until such Contributor - explicitly and finally terminates Your grants, and (b) on an ongoing - basis, if such Contributor fails to notify You of the non-compliance by - some reasonable means prior to 60 days after You have come back into - compliance. Moreover, Your grants from a particular Contributor are - reinstated on an ongoing basis if such Contributor notifies You of the - non-compliance by some reasonable means, this is the first time You have - received notice of non-compliance with this License from such - Contributor, and You become compliant prior to 30 days after Your receipt - of the notice. - -5.2. If You initiate litigation against any entity by asserting a patent - infringement claim (excluding declaratory judgment actions, - counter-claims, and cross-claims) alleging that a Contributor Version - directly or indirectly infringes any patent, then the rights granted to - You by any and all Contributors for the Covered Software under Section - 2.1 of this License shall terminate. - -5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user - license agreements (excluding distributors and resellers) which have been - validly granted by You or Your distributors under this License prior to - termination shall survive termination. - -6. 
Disclaimer of Warranty - - Covered Software is provided under this License on an "as is" basis, - without warranty of any kind, either expressed, implied, or statutory, - including, without limitation, warranties that the Covered Software is free - of defects, merchantable, fit for a particular purpose or non-infringing. - The entire risk as to the quality and performance of the Covered Software - is with You. Should any Covered Software prove defective in any respect, - You (not any Contributor) assume the cost of any necessary servicing, - repair, or correction. This disclaimer of warranty constitutes an essential - part of this License. No use of any Covered Software is authorized under - this License except under this disclaimer. - -7. Limitation of Liability - - Under no circumstances and under no legal theory, whether tort (including - negligence), contract, or otherwise, shall any Contributor, or anyone who - distributes Covered Software as permitted above, be liable to You for any - direct, indirect, special, incidental, or consequential damages of any - character including, without limitation, damages for lost profits, loss of - goodwill, work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses, even if such party shall have been - informed of the possibility of such damages. This limitation of liability - shall not apply to liability for death or personal injury resulting from - such party's negligence to the extent applicable law prohibits such - limitation. Some jurisdictions do not allow the exclusion or limitation of - incidental or consequential damages, so this exclusion and limitation may - not apply to You. - -8. Litigation - - Any litigation relating to this License may be brought only in the courts - of a jurisdiction where the defendant maintains its principal place of - business and such litigation shall be governed by laws of that - jurisdiction, without reference to its conflict-of-law provisions. 
Nothing - in this Section shall prevent a party's ability to bring cross-claims or - counter-claims. - -9. Miscellaneous - - This License represents the complete agreement concerning the subject - matter hereof. If any provision of this License is held to be - unenforceable, such provision shall be reformed only to the extent - necessary to make it enforceable. Any law or regulation which provides that - the language of a contract shall be construed against the drafter shall not - be used to construe this License against a Contributor. - - -10. Versions of the License - -10.1. New Versions - - Mozilla Foundation is the license steward. Except as provided in Section - 10.3, no one other than the license steward has the right to modify or - publish new versions of this License. Each version will be given a - distinguishing version number. - -10.2. Effect of New Versions - - You may distribute the Covered Software under the terms of the version - of the License under which You originally received the Covered Software, - or under the terms of any subsequent version published by the license - steward. - -10.3. Modified Versions - - If you create software not governed by this License, and you want to - create a new license for such software, you may create and use a - modified version of this License if you rename the license and remove - any references to the name of the license steward (except to note that - such modified license differs from this License). - -10.4. Distributing Source Code Form that is Incompatible With Secondary - Licenses If You choose to distribute Source Code Form that is - Incompatible With Secondary Licenses under the terms of this version of - the License, the notice described in Exhibit B of this License must be - attached. - -Exhibit A - Source Code Form License Notice - - This Source Code Form is subject to the - terms of the Mozilla Public License, v. - 2.0. 
If a copy of the MPL was not - distributed with this file, You can - obtain one at - http://mozilla.org/MPL/2.0/. - -If it is not possible or desirable to put the notice in a particular file, -then You may include the notice in a location (such as a LICENSE file in a -relevant directory) where a recipient would be likely to look for such a -notice. - -You may add additional accurate notices of copyright ownership. - -Exhibit B - "Incompatible With Secondary Licenses" Notice - - This Source Code Form is "Incompatible - With Secondary Licenses", as defined by - the Mozilla Public License, v. 2.0. - - ------- - -** github.com/hashicorp/go-sockaddr; version v1.0.6 -- -https://github.com/hashicorp/go-sockaddr +** github.com/hashicorp/go-sockaddr; version v1.0.2 -- +https://github.com/hashicorp/go-sockaddr * Package github.com/hashicorp/go-sockaddr's source code may be found at: - https://github.com/hashicorp/go-sockaddr/tree/v1.0.6 - -Copyright (c) 2016 HashiCorp, Inc. + https://github.com/hashicorp/go-sockaddr/tree/v1.0.2 Mozilla Public License Version 2.0 ================================== diff --git a/projects/cert-manager/cert-manager/CERT_MANAGER_CTL_ATTRIBUTION.txt b/projects/cert-manager/cert-manager/CERT_MANAGER_CTL_ATTRIBUTION.txt index 5f74ba3876..83be5c0360 100644 --- a/projects/cert-manager/cert-manager/CERT_MANAGER_CTL_ATTRIBUTION.txt +++ b/projects/cert-manager/cert-manager/CERT_MANAGER_CTL_ATTRIBUTION.txt 
@@ -1,23 +1,20 @@ -** github.com/cert-manager/cert-manager; version v1.14.1 -- +** github.com/cert-manager/cert-manager; version v1.13.2-0.20231026154503-eca879c9d5de -- https://github.com/cert-manager/cert-manager -** github.com/cert-manager/cert-manager/cmd/ctl; version v1.14.2 -- +** github.com/cert-manager/cert-manager/cmd/ctl; version v1.13.2 -- https://github.com/cert-manager/cert-manager/cmd/ctl -** github.com/containerd/containerd; version v1.7.11 -- +** github.com/containerd/containerd; version v1.7.1 -- https://github.com/containerd/containerd -** github.com/containerd/log; version v0.1.0 -- -https://github.com/containerd/log - -** github.com/docker/cli/cli/config; version v24.0.6+incompatible -- +** github.com/docker/cli/cli/config; version v23.0.3+incompatible -- https://github.com/docker/cli ** github.com/docker/distribution; version v2.8.2+incompatible -- https://github.com/distribution/distribution -** github.com/docker/docker; version v24.0.7+incompatible -- +** github.com/docker/docker; version v23.0.3+incompatible -- https://github.com/moby/moby ** github.com/docker/go-connections; version v0.4.0 -- 
@@ -29,22 +26,22 @@ https://github.com/docker/go-metrics ** github.com/docker/go-units; version v0.5.0 -- https://github.com/docker/go-units -** github.com/go-logr/logr; version v1.4.1 -- +** github.com/go-logr/logr; version v1.2.4 -- https://github.com/go-logr/logr ** github.com/go-logr/stdr; version v1.2.2 -- https://github.com/go-logr/stdr -** github.com/go-logr/zapr; version v1.3.0 -- +** github.com/go-logr/zapr; version v1.2.4 -- https://github.com/go-logr/zapr -** github.com/go-openapi/jsonpointer; version v0.20.2 -- +** github.com/go-openapi/jsonpointer; version v0.19.6 -- https://github.com/go-openapi/jsonpointer -** github.com/go-openapi/jsonreference; version v0.20.4 -- +** github.com/go-openapi/jsonreference; version v0.20.2 -- https://github.com/go-openapi/jsonreference -** github.com/go-openapi/swag; version v0.22.7 -- +** github.com/go-openapi/swag; version v0.22.3 -- https://github.com/go-openapi/swag ** github.com/google/btree; version v1.0.1 -- @@ -59,14 +56,14 @@ https://github.com/google/gofuzz ** github.com/google/shlex; version v0.0.0-20191202100458-e7afc7fbc510 -- https://github.com/google/shlex -** github.com/klauspost/compress; version v1.16.5 -- +** github.com/klauspost/compress; version v1.16.0 -- https://github.com/klauspost/compress ** github.com/Masterminds/goutils; version v1.1.1 -- https://github.com/Masterminds/goutils -** github.com/matttproud/golang_protobuf_extensions/v2/pbutil; version v2.0.0 -- -https://github.com/matttproud/golang_protobuf_extensions/v2 +** github.com/matttproud/golang_protobuf_extensions/pbutil; version v1.0.4 -- +https://github.com/matttproud/golang_protobuf_extensions ** github.com/moby/locker; version v1.0.1 -- https://github.com/moby/locker 
@@ -74,7 +71,7 @@ https://github.com/moby/locker ** github.com/moby/spdystream; version v0.2.0 -- https://github.com/moby/spdystream -** github.com/moby/term; version v0.5.0 -- +** github.com/moby/term; version v0.0.0-20221205130635-1aeaba878587 -- https://github.com/moby/term ** github.com/modern-go/concurrent; version v0.0.0-20180306012644-bacd9c7ef1dd -- @@ -86,22 +83,22 @@ https://github.com/modern-go/reflect2 ** github.com/opencontainers/go-digest; version v1.0.0 -- https://github.com/opencontainers/go-digest -** github.com/opencontainers/image-spec/specs-go; version v1.1.0-rc5 -- +** github.com/opencontainers/image-spec/specs-go; version v1.1.0-rc2.0.20221005185240-3a7f492d3f1b -- https://github.com/opencontainers/image-spec -** github.com/prometheus/client_golang/prometheus; version v1.18.0 -- +** github.com/prometheus/client_golang/prometheus; version v1.16.0 -- https://github.com/prometheus/client_golang -** github.com/prometheus/client_model/go; version v0.5.0 -- +** github.com/prometheus/client_model/go; version v0.4.0 -- https://github.com/prometheus/client_model -** github.com/prometheus/common; version v0.45.0 -- +** github.com/prometheus/common; version v0.44.0 -- https://github.com/prometheus/common -** github.com/prometheus/procfs; version v0.12.0 -- +** github.com/prometheus/procfs; version v0.10.1 -- https://github.com/prometheus/procfs -** github.com/spf13/cobra; version v1.8.0 -- +** github.com/spf13/cobra; version v1.7.0 -- https://github.com/spf13/cobra ** github.com/xeipuuv/gojsonpointer; version v0.0.0-20190905194746-02993c407bfb -- 
@@ -113,22 +110,19 @@ https://github.com/xeipuuv/gojsonreference ** github.com/xeipuuv/gojsonschema; version v1.2.0 -- https://github.com/xeipuuv/gojsonschema -** go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp; version v0.46.1 -- -https://github.com/open-telemetry/opentelemetry-go-contrib - -** go.opentelemetry.io/otel; version v1.21.0 -- +** go.opentelemetry.io/otel; version v1.19.0 -- https://github.com/open-telemetry/opentelemetry-go -** go.opentelemetry.io/otel/metric; version v1.21.0 -- +** go.opentelemetry.io/otel/metric; version v1.19.0 -- https://github.com/open-telemetry/opentelemetry-go -** go.opentelemetry.io/otel/trace; version v1.21.0 -- +** go.opentelemetry.io/otel/trace; version v1.19.0 -- https://github.com/open-telemetry/opentelemetry-go -** google.golang.org/genproto/googleapis/rpc/status; version v0.0.0-20240102182953-50ed04b92917 -- +** google.golang.org/genproto/googleapis/rpc/status; version v0.0.0-20230911183012-2d3300fd4832 -- https://github.com/googleapis/go-genproto -** google.golang.org/grpc; version v1.60.1 -- +** google.golang.org/grpc; version v1.58.3 -- https://github.com/grpc/grpc-go ** gopkg.in/yaml.v2; version v2.4.0 -- 
@@ -137,49 +131,52 @@ https://gopkg.in/yaml.v2 ** helm.sh/helm/v3; version v3.12.3 -- https://github.com/helm/helm -** k8s.io/api; version v0.29.0 -- +** k8s.io/api; version v0.28.1 -- https://github.com/kubernetes/api -** k8s.io/apiextensions-apiserver/pkg/apis/apiextensions; version v0.29.0 -- +** k8s.io/apiextensions-apiserver/pkg/apis/apiextensions; version v0.28.1 -- https://github.com/kubernetes/apiextensions-apiserver -** k8s.io/apimachinery/pkg; version v0.29.0 -- +** k8s.io/apimachinery/pkg; version v0.28.1 -- https://github.com/kubernetes/apimachinery -** k8s.io/apiserver/pkg/endpoints/deprecation; version v0.29.0 -- +** k8s.io/apiserver/pkg/endpoints/deprecation; version v0.28.1 -- https://github.com/kubernetes/apiserver -** k8s.io/cli-runtime/pkg; version v0.29.0 -- +** k8s.io/cli-runtime/pkg; version v0.28.1 -- https://github.com/kubernetes/cli-runtime -** k8s.io/client-go; version v0.29.0 -- +** k8s.io/client-go; version v0.28.1 -- https://github.com/kubernetes/client-go -** k8s.io/component-base; version v0.29.0 -- +** k8s.io/component-base; version v0.28.1 -- https://github.com/kubernetes/component-base -** k8s.io/klog/v2; version v2.110.1 -- +** k8s.io/klog/v2; version v2.100.1 -- https://github.com/kubernetes/klog -** k8s.io/kube-openapi/pkg; version v0.0.0-20240103051144-eec4567ac022 -- +** k8s.io/kube-aggregator/pkg/apis/apiregistration; version v0.28.1 -- +https://github.com/kubernetes/kube-aggregator + +** k8s.io/kube-openapi/pkg; version v0.0.0-20230905202853-d090da108d2f -- https://github.com/kubernetes/kube-openapi -** k8s.io/kube-openapi/pkg/validation/spec; version v0.0.0-20240103051144-eec4567ac022 -- +** k8s.io/kube-openapi/pkg/validation/spec; version v0.0.0-20230905202853-d090da108d2f -- https://github.com/kubernetes/kube-openapi -** k8s.io/kubectl/pkg; version v0.29.0 -- +** k8s.io/kubectl/pkg; version v0.28.1 -- https://github.com/kubernetes/kubectl -** k8s.io/utils; version v0.0.0-20240102154912-e7106e64919e -- +** k8s.io/utils; 
version v0.0.0-20230726121419-3b25d923346b -- https://github.com/kubernetes/utils -** oras.land/oras-go/pkg; version v1.2.4 -- +** oras.land/oras-go/pkg; version v1.2.3 -- https://github.com/oras-project/oras-go -** sigs.k8s.io/controller-runtime/pkg; version v0.16.3 -- +** sigs.k8s.io/controller-runtime/pkg; version v0.16.1 -- https://github.com/kubernetes-sigs/controller-runtime -** sigs.k8s.io/gateway-api/apis/v1; version v1.0.0 -- +** sigs.k8s.io/gateway-api/apis/v1beta1; version v0.8.0 -- https://github.com/kubernetes-sigs/gateway-api ** sigs.k8s.io/json; version v0.0.0-20221116044647-bc3834ca7abd -- @@ -191,15 +188,9 @@ https://github.com/kubernetes-sigs/kustomize ** sigs.k8s.io/kustomize/kyaml; version v0.14.3-0.20230601165947-6ce0bf390ce3 -- https://github.com/kubernetes-sigs/kustomize -** sigs.k8s.io/structured-merge-diff/v4; version v4.4.1 -- +** sigs.k8s.io/structured-merge-diff/v4; version v4.3.0 -- https://github.com/kubernetes-sigs/structured-merge-diff -** sigs.k8s.io/yaml; version v1.4.0 -- -https://github.com/kubernetes-sigs/yaml - -** sigs.k8s.io/yaml/goyaml.v2; version v1.4.0 -- -https://github.com/kubernetes-sigs/yaml - Apache License Version 2.0, January 2004 @@ -486,7 +477,7 @@ For more information, please see https://www.bis.doc.gov See also https://www.apache.org/dev/crypto.html and/or seek legal counsel. -* For github.com/matttproud/golang_protobuf_extensions/v2/pbutil see also this required NOTICE: +* For github.com/matttproud/golang_protobuf_extensions/pbutil see also this required NOTICE: Copyright 2012 Matt T. Proud (matt.proud@gmail.com) 
@@ -565,50 +556,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. - -* For sigs.k8s.io/yaml/goyaml.v2 see also this required NOTICE: -Copyright 2011-2016 Canonical Ltd. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. - ------- - -** github.com/gorilla/websocket; version v1.5.0 -- -https://github.com/gorilla/websocket - -Copyright (c) 2013 The Gorilla WebSocket Authors. All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - - Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - - Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - ------ ** github.com/pkg/errors; version v0.9.1 -- @@ -742,10 +689,10 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/evanphx/json-patch; version v5.7.0+incompatible -- +** github.com/evanphx/json-patch; version v5.6.0+incompatible -- https://github.com/evanphx/json-patch -** github.com/evanphx/json-patch/v5; version v5.7.0 -- +** github.com/evanphx/json-patch/v5; version v5.6.0 -- https://github.com/evanphx/json-patch/v5 Copyright (c) 2014, Evan Phoenix @@ -851,7 +798,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/google/go-cmp/cmp; version v0.6.0 -- +** github.com/google/go-cmp/cmp; version v0.5.9 -- https://github.com/google/go-cmp Copyright (c) 2017 The Go Authors. All rights reserved. @@ -884,7 +831,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/google/uuid; version v1.5.0 -- +** github.com/google/uuid; version v1.3.1 -- https://github.com/google/uuid Copyright (c) 2009,2014 Google Inc. All rights reserved. @@ -950,7 +897,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/imdario/mergo; version v0.3.16 -- +** github.com/imdario/mergo; version v0.3.13 -- https://github.com/darccio/mergo Copyright (c) 2013 Dario Castañé. All rights reserved. 
@@ -984,7 +931,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/klauspost/compress/internal/snapref; version v1.16.5 -- +** github.com/klauspost/compress/internal/snapref; version v1.16.0 -- https://github.com/klauspost/compress Copyright (c) 2011 The Snappy-Go Authors. All rights reserved. 
@@ -1020,37 +967,40 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ** github.com/liggitt/tabwriter; version v0.0.0-20181228230101-89fcab3d43de -- https://github.com/liggitt/tabwriter -** golang.org/go; version go1.21.6 -- +** golang.org/go; version go1.20.13 -- https://github.com/golang/go -** golang.org/x/crypto; version v0.17.0 -- +** golang.org/x/crypto; version v0.14.0 -- https://golang.org/x/crypto -** golang.org/x/net; version v0.19.0 -- +** golang.org/x/exp; version v0.0.0-20230905200255-921286631fa9 -- +https://golang.org/x/exp + +** golang.org/x/net; version v0.17.0 -- https://golang.org/x/net -** golang.org/x/oauth2; version v0.15.0 -- +** golang.org/x/oauth2; version v0.12.0 -- https://golang.org/x/oauth2 -** golang.org/x/sync; version v0.5.0 -- +** golang.org/x/sync; version v0.3.0 -- https://golang.org/x/sync -** golang.org/x/sys; version v0.15.0 -- +** golang.org/x/sys; version v0.13.0 -- https://golang.org/x/sys -** golang.org/x/term; version v0.15.0 -- +** golang.org/x/term; version v0.13.0 -- https://golang.org/x/term -** golang.org/x/text; version v0.14.0 -- +** golang.org/x/text; version v0.13.0 -- https://golang.org/x/text -** golang.org/x/time/rate; version v0.5.0 -- +** golang.org/x/time/rate; version v0.3.0 -- https://golang.org/x/time -** k8s.io/apimachinery/third_party/forked/golang; version v0.29.0 -- +** k8s.io/apimachinery/third_party/forked/golang; version v0.28.1 -- https://github.com/kubernetes/apimachinery -** k8s.io/client-go/third_party/forked/golang/template; version v0.29.0 -- +** k8s.io/client-go/third_party/forked/golang/template; version v0.28.1 -- https://github.com/kubernetes/client-go Copyright (c) 2009 The Go Authors. All rights reserved. 
@@ -1120,42 +1070,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/mxk/go-flowrate/flowrate; version v0.0.0-20140419014527-cca7078d478f -- -https://github.com/mxk/go-flowrate - -Copyright (c) 2014 The Go-FlowRate Authors. All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are -met: - - * Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the - distribution. - - * Neither the name of the go-flowrate project nor the names of its - contributors may be used to endorse or promote products derived - from this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- ------- - -** github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg; version v0.45.0 -- +** github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg; version v0.44.0 -- https://github.com/prometheus/common Copyright (c) 2011, Open Knowledge Foundation Ltd. @@ -1260,7 +1175,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** google.golang.org/protobuf; version v1.32.0 -- +** google.golang.org/protobuf; version v1.31.0 -- https://go.googlesource.com/protobuf Copyright (c) 2018 The Go Authors. All rights reserved. @@ -1327,7 +1242,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json; version v0.0.0-20240103051144-eec4567ac022 -- +** k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json; version v0.0.0-20230905202853-d090da108d2f -- https://github.com/kubernetes/kube-openapi Copyright (c) 2020 The Go Authors. All rights reserved. @@ -1360,7 +1275,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** k8s.io/utils/internal/third_party/forked/golang/net; version v0.0.0-20240102154912-e7106e64919e -- +** k8s.io/utils/internal/third_party/forked/golang/net; version v0.0.0-20230726121419-3b25d923346b -- https://github.com/kubernetes/utils Copyright (c) 2012 The Go Authors. All rights reserved. @@ -1414,9 +1329,9 @@ OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ------ -** github.com/asaskevich/govalidator; version v0.0.0-20230301143203-a9d515a09cc2 -- +** github.com/asaskevich/govalidator; version v0.0.0-20200428143746-21a406dcc535 -- https://github.com/asaskevich/govalidator -Copyright (c) 2014-2020 Alex Saskevich +Copyright (c) 2014 Alex Saskevich ** github.com/Azure/go-ntlmssp; version v0.0.0-20221128193559-754e69321358 -- https://github.com/Azure/go-ntlmssp 
@@ -1430,7 +1345,7 @@ Copyright (C) 2013 Blake Mizerany https://github.com/blang/semver/v4 Copyright (c) 2014 Benedikt Lang -** github.com/BurntSushi/toml; version v1.3.2 -- +** github.com/BurntSushi/toml; version v1.2.1 -- https://github.com/BurntSushi/toml Copyright (c) 2013 TOML authors @@ -1458,10 +1373,6 @@ Copyright (c) 2015 Fatih Arslan https://github.com/fatih/color Copyright (c) 2013 Fatih Arslan -** github.com/felixge/httpsnoop; version v1.0.4 -- -https://github.com/felixge/httpsnoop -Copyright (c) 2016 Felix Geisendörfer (felix@debuggable.com) - ** github.com/go-errors/errors; version v1.4.2 -- https://github.com/go-errors/errors Copyright (c) 2015 Conrad Irwin @@ -1490,7 +1401,7 @@ Copyright (c) 2019 Josh Bleecher Snyder https://github.com/json-iterator/go Copyright (c) 2016 json-iterator -** github.com/klauspost/compress/zstd/internal/xxhash; version v1.16.5 -- +** github.com/klauspost/compress/zstd/internal/xxhash; version v1.16.0 -- https://github.com/klauspost/compress Copyright (c) 2016 Caleb Spare @@ -1558,11 +1469,11 @@ Copyright (c) 2011-2012 Peter Bourgon https://github.com/rivo/uniseg Copyright (c) 2019 Oliver Kuederle -** github.com/rubenv/sql-migrate; version v1.5.2 -- +** github.com/rubenv/sql-migrate; version v1.3.1 -- https://github.com/rubenv/sql-migrate Copyright (C) 2014-2021 by Ruben Vermeersch -** github.com/rubenv/sql-migrate/sqlparse; version v1.5.2 -- +** github.com/rubenv/sql-migrate/sqlparse; version v1.3.1 -- https://github.com/rubenv/sql-migrate Copyright (C) 2014-2017 by Ruben Vermeersch Copyright (C) 2012-2014 by Liam Staskawicz @@ -1579,7 +1490,7 @@ Copyright (c) 2014 Steve Francia https://github.com/uber-go/multierr Copyright (c) 2017-2021 Uber Technologies, Inc. -** go.uber.org/zap; version v1.26.0 -- +** go.uber.org/zap; version v1.25.0 -- https://github.com/uber-go/zap Copyright (c) 2016-2017 Uber Technologies, Inc. 
@@ -1606,7 +1517,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ------ -** github.com/go-asn1-ber/asn1-ber; version v1.5.5 -- +** github.com/go-asn1-ber/asn1-ber; version v1.5.4 -- https://github.com/go-asn1-ber/asn1-ber Copyright (c) 2011-2015 Michael Mitton (mmitton@gmail.com) @@ -1659,7 +1570,7 @@ TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ------ -** github.com/go-ldap/ldap/v3; version v3.4.6 -- +** github.com/go-ldap/ldap/v3; version v3.4.5 -- https://github.com/go-ldap/ldap/v3 Copyright (c) 2011-2015 Michael Mitton (mmitton@gmail.com) 
@@ -1919,6 +1830,59 @@ limitations under the License. ------ +** sigs.k8s.io/yaml; version v1.3.0 -- +https://github.com/kubernetes-sigs/yaml +Copyright (c) 2014 Sam Ghods +Copyright (c) 2012 The Go Authors. All rights reserved. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + + + + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + +* Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. +* Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. +* Neither the name of Google Inc. nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. 
+ +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +------ + ** github.com/hashicorp/errwrap; version v1.1.0 -- https://github.com/hashicorp/errwrap diff --git a/projects/cert-manager/cert-manager/CERT_MANAGER_WEBHOOK_ATTRIBUTION.txt b/projects/cert-manager/cert-manager/CERT_MANAGER_WEBHOOK_ATTRIBUTION.txt index ba15de79b7..a02f8f2a17 100644 --- a/projects/cert-manager/cert-manager/CERT_MANAGER_WEBHOOK_ATTRIBUTION.txt +++ b/projects/cert-manager/cert-manager/CERT_MANAGER_WEBHOOK_ATTRIBUTION.txt 
@@ -2,38 +2,35 @@ ** github.com/cert-manager/cert-manager; version v0.0.0-00010101000000-000000000000 -- https://github.com/cert-manager/cert-manager -** github.com/cert-manager/cert-manager/webhook-binary; version v1.14.2 -- +** github.com/cert-manager/cert-manager/webhook-binary; version v1.13.2 -- https://github.com/cert-manager/cert-manager/webhook-binary -** github.com/go-logr/logr; version v1.4.1 -- +** github.com/go-logr/logr; version v1.2.4 -- https://github.com/go-logr/logr ** github.com/go-logr/stdr; version v1.2.2 -- https://github.com/go-logr/stdr -** github.com/go-logr/zapr; version v1.3.0 -- +** github.com/go-logr/zapr; version v1.2.4 -- https://github.com/go-logr/zapr -** github.com/go-openapi/jsonpointer; version v0.20.2 -- +** github.com/go-openapi/jsonpointer; version v0.19.6 -- https://github.com/go-openapi/jsonpointer -** github.com/go-openapi/jsonreference; version v0.20.4 -- +** github.com/go-openapi/jsonreference; version v0.20.2 -- https://github.com/go-openapi/jsonreference -** github.com/go-openapi/swag; version v0.22.7 -- +** github.com/go-openapi/swag; version v0.22.3 -- https://github.com/go-openapi/swag -** github.com/google/cel-go; version v0.17.7 -- -https://github.com/google/cel-go - ** github.com/google/gnostic-models; version v0.6.8 -- https://github.com/google/gnostic-models ** github.com/google/gofuzz; version v1.2.0 -- https://github.com/google/gofuzz -** github.com/matttproud/golang_protobuf_extensions/v2/pbutil; version v2.0.0 -- -https://github.com/matttproud/golang_protobuf_extensions/v2 +** github.com/matttproud/golang_protobuf_extensions/pbutil; version v1.0.4 -- +https://github.com/matttproud/golang_protobuf_extensions ** github.com/modern-go/concurrent; version v0.0.0-20180306012644-bacd9c7ef1dd -- https://github.com/modern-go/concurrent 
@@ -41,40 +38,40 @@ https://github.com/modern-go/concurrent ** github.com/modern-go/reflect2; version v1.0.2 -- https://github.com/modern-go/reflect2 -** github.com/prometheus/client_golang/prometheus; version v1.18.0 -- +** github.com/prometheus/client_golang/prometheus; version v1.16.0 -- https://github.com/prometheus/client_golang -** github.com/prometheus/client_model/go; version v0.5.0 -- +** github.com/prometheus/client_model/go; version v0.4.0 -- https://github.com/prometheus/client_model -** github.com/prometheus/common; version v0.45.0 -- +** github.com/prometheus/common; version v0.44.0 -- https://github.com/prometheus/common -** github.com/prometheus/procfs; version v0.12.0 -- +** github.com/prometheus/procfs; version v0.10.1 -- https://github.com/prometheus/procfs -** github.com/spf13/cobra; version v1.8.0 -- +** github.com/spf13/cobra; version v1.7.0 -- https://github.com/spf13/cobra -** go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp; version v0.46.1 -- +** go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp; version v0.44.0 -- https://github.com/open-telemetry/opentelemetry-go-contrib -** go.opentelemetry.io/otel; version v1.21.0 -- +** go.opentelemetry.io/otel; version v1.19.0 -- https://github.com/open-telemetry/opentelemetry-go -** go.opentelemetry.io/otel/exporters/otlp/otlptrace; version v1.21.0 -- +** go.opentelemetry.io/otel/exporters/otlp/otlptrace; version v1.19.0 -- https://github.com/open-telemetry/opentelemetry-go -** go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc; version v1.21.0 -- +** go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc; version v1.19.0 -- https://github.com/open-telemetry/opentelemetry-go -** go.opentelemetry.io/otel/metric; version v1.21.0 -- +** go.opentelemetry.io/otel/metric; version v1.19.0 -- https://github.com/open-telemetry/opentelemetry-go -** go.opentelemetry.io/otel/sdk; version v1.21.0 -- +** go.opentelemetry.io/otel/sdk; version v1.19.0 -- 
https://github.com/open-telemetry/opentelemetry-go -** go.opentelemetry.io/otel/trace; version v1.21.0 -- +** go.opentelemetry.io/otel/trace; version v1.19.0 -- https://github.com/open-telemetry/opentelemetry-go ** go.opentelemetry.io/proto/otlp; version v1.0.0 -- 
@@ -83,66 +80,63 @@ https://github.com/open-telemetry/opentelemetry-proto-go ** gomodules.xyz/jsonpatch/v2; version v2.4.0 -- https://github.com/gomodules/jsonpatch -** google.golang.org/genproto/googleapis/api; version v0.0.0-20240102182953-50ed04b92917 -- +** google.golang.org/genproto/googleapis/api/httpbody; version v0.0.0-20230803162519-f966b187b2e5 -- https://github.com/googleapis/go-genproto -** google.golang.org/genproto/googleapis/rpc; version v0.0.0-20240102182953-50ed04b92917 -- +** google.golang.org/genproto/googleapis/rpc; version v0.0.0-20230911183012-2d3300fd4832 -- https://github.com/googleapis/go-genproto -** google.golang.org/grpc; version v1.60.1 -- +** google.golang.org/grpc; version v1.58.3 -- https://github.com/grpc/grpc-go ** gopkg.in/yaml.v2; version v2.4.0 -- https://gopkg.in/yaml.v2 -** k8s.io/api; version v0.29.0 -- +** k8s.io/api; version v0.28.1 -- https://github.com/kubernetes/api -** k8s.io/apiextensions-apiserver/pkg/apis/apiextensions; version v0.29.0 -- +** k8s.io/apiextensions-apiserver/pkg/apis/apiextensions; version v0.28.1 -- https://github.com/kubernetes/apiextensions-apiserver -** k8s.io/apimachinery/pkg; version v0.29.0 -- +** k8s.io/apimachinery/pkg; version v0.28.1 -- https://github.com/kubernetes/apimachinery -** k8s.io/apiserver; version v0.29.0 -- +** k8s.io/apiserver; version v0.28.1 -- https://github.com/kubernetes/apiserver -** k8s.io/client-go; version v0.29.0 -- +** k8s.io/client-go; version v0.28.1 -- https://github.com/kubernetes/client-go -** k8s.io/component-base; version v0.29.0 -- +** k8s.io/component-base; version v0.28.1 -- https://github.com/kubernetes/component-base -** k8s.io/klog/v2; version v2.110.1 -- +** k8s.io/klog/v2; version v2.100.1 -- https://github.com/kubernetes/klog -** k8s.io/kube-openapi/pkg; version v0.0.0-20240103051144-eec4567ac022 -- +** k8s.io/kube-aggregator/pkg/apis/apiregistration; version v0.28.1 -- +https://github.com/kubernetes/kube-aggregator + +** k8s.io/kube-openapi/pkg; 
version v0.0.0-20230905202853-d090da108d2f -- https://github.com/kubernetes/kube-openapi -** k8s.io/kube-openapi/pkg/validation/spec; version v0.0.0-20240103051144-eec4567ac022 -- +** k8s.io/kube-openapi/pkg/validation/spec; version v0.0.0-20230905202853-d090da108d2f -- https://github.com/kubernetes/kube-openapi -** k8s.io/utils; version v0.0.0-20240102154912-e7106e64919e -- +** k8s.io/utils; version v0.0.0-20230726121419-3b25d923346b -- https://github.com/kubernetes/utils -** sigs.k8s.io/apiserver-network-proxy/konnectivity-client; version v0.29.0 -- +** sigs.k8s.io/apiserver-network-proxy/konnectivity-client; version v0.1.2 -- https://github.com/kubernetes-sigs/apiserver-network-proxy -** sigs.k8s.io/gateway-api/apis/v1; version v1.0.0 -- +** sigs.k8s.io/gateway-api/apis/v1beta1; version v0.8.0 -- https://github.com/kubernetes-sigs/gateway-api ** sigs.k8s.io/json; version v0.0.0-20221116044647-bc3834ca7abd -- https://github.com/kubernetes-sigs/json -** sigs.k8s.io/structured-merge-diff/v4; version v4.4.1 -- +** sigs.k8s.io/structured-merge-diff/v4; version v4.3.0 -- https://github.com/kubernetes-sigs/structured-merge-diff -** sigs.k8s.io/yaml; version v1.4.0 -- -https://github.com/kubernetes-sigs/yaml - -** sigs.k8s.io/yaml/goyaml.v2; version v1.4.0 -- -https://github.com/kubernetes-sigs/yaml - Apache License Version 2.0, January 2004 @@ -347,7 +341,7 @@ https://github.com/kubernetes-sigs/yaml limitations under the License. -* For github.com/matttproud/golang_protobuf_extensions/v2/pbutil see also this required NOTICE: +* For github.com/matttproud/golang_protobuf_extensions/pbutil see also this required NOTICE: Copyright 2012 Matt T. Proud (matt.proud@gmail.com) 
@@ -418,54 +412,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. - -* For sigs.k8s.io/yaml/goyaml.v2 see also this required NOTICE: -Copyright 2011-2016 Canonical Ltd. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. - ------- - -** github.com/antlr/antlr4/runtime/Go/antlr/v4; version v4.0.0-20230305170008-8188dc5388df -- -https://github.com/antlr/antlr4/runtime/Go/antlr/v4 - -Copyright 2021 The ANTLR Project - -Redistribution and use in source and binary forms, with or without modification, -are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - - 3. Neither the name of the copyright holder nor the names of its - contributors may be used to endorse or promote products derived from this - software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - ------ ** github.com/gogo/protobuf; version v1.3.2 -- @@ -543,7 +489,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/google/go-cmp/cmp; version v0.6.0 -- +** github.com/google/go-cmp/cmp; version v0.5.9 -- https://github.com/google/go-cmp Copyright (c) 2017 The Go Authors. All rights reserved. @@ -576,7 +522,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/google/uuid; version v1.5.0 -- +** github.com/google/uuid; version v1.3.1 -- https://github.com/google/uuid Copyright (c) 2009,2014 Google Inc. All rights reserved. @@ -609,7 +555,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/grpc-ecosystem/grpc-gateway/v2; version v2.18.1 -- +** github.com/grpc-ecosystem/grpc-gateway/v2; version v2.16.0 -- https://github.com/grpc-ecosystem/grpc-gateway/v2 Copyright (c) 2015, Gengo, Inc. @@ -642,7 +588,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/imdario/mergo; version v0.3.16 -- +** github.com/imdario/mergo; version v0.3.13 -- https://github.com/darccio/mergo Copyright (c) 2013 Dario Castañé. All rights reserved. 
@@ -713,7 +659,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg; version v0.45.0 -- +** github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg; version v0.44.0 -- https://github.com/prometheus/common Copyright (c) 2011, Open Knowledge Foundation Ltd. @@ -783,37 +729,37 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** golang.org/go; version go1.21.6 -- +** golang.org/go; version go1.20.13 -- https://github.com/golang/go -** golang.org/x/crypto; version v0.17.0 -- +** golang.org/x/crypto/md4; version v0.14.0 -- https://golang.org/x/crypto -** golang.org/x/exp; version v0.0.0-20231226003508-02704c960a9b -- +** golang.org/x/exp; version v0.0.0-20230905200255-921286631fa9 -- https://golang.org/x/exp -** golang.org/x/net; version v0.19.0 -- +** golang.org/x/net; version v0.17.0 -- https://golang.org/x/net -** golang.org/x/oauth2; version v0.15.0 -- +** golang.org/x/oauth2; version v0.12.0 -- https://golang.org/x/oauth2 -** golang.org/x/sync; version v0.5.0 -- +** golang.org/x/sync/errgroup; version v0.3.0 -- https://golang.org/x/sync -** golang.org/x/sys/unix; version v0.15.0 -- +** golang.org/x/sys/unix; version v0.13.0 -- https://golang.org/x/sys -** golang.org/x/term; version v0.15.0 -- +** golang.org/x/term; version v0.13.0 -- https://golang.org/x/term -** golang.org/x/text; version v0.14.0 -- +** golang.org/x/text; version v0.13.0 -- https://golang.org/x/text -** golang.org/x/time/rate; version v0.5.0 -- +** golang.org/x/time/rate; version v0.3.0 -- https://golang.org/x/time -** k8s.io/apimachinery/third_party/forked/golang/reflect; version v0.29.0 -- +** k8s.io/apimachinery/third_party/forked/golang/reflect; version v0.28.1 -- https://github.com/kubernetes/apimachinery Copyright (c) 2009 The Go Authors. All rights reserved. 
@@ -846,7 +792,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** google.golang.org/protobuf; version v1.32.0 -- +** google.golang.org/protobuf; version v1.31.0 -- https://go.googlesource.com/protobuf Copyright (c) 2018 The Go Authors. All rights reserved. @@ -913,7 +859,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json; version v0.0.0-20240103051144-eec4567ac022 -- +** k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json; version v0.0.0-20230905202853-d090da108d2f -- https://github.com/kubernetes/kube-openapi Copyright (c) 2020 The Go Authors. All rights reserved. @@ -946,7 +892,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -** k8s.io/utils/internal/third_party/forked/golang; version v0.0.0-20240102154912-e7106e64919e -- +** k8s.io/utils/internal/third_party/forked/golang; version v0.0.0-20230726121419-3b25d923346b -- https://github.com/kubernetes/utils Copyright (c) 2012 The Go Authors. All rights reserved. @@ -1024,7 +970,7 @@ Copyright (c) 2016 Caleb Spare https://github.com/emicklei/go-restful/v3 Copyright (c) 2012,2013 Ernest Micklei -** github.com/felixge/httpsnoop; version v1.0.4 -- +** github.com/felixge/httpsnoop; version v1.0.3 -- https://github.com/felixge/httpsnoop Copyright (c) 2016 Felix Geisendörfer (felix@debuggable.com) @@ -1040,15 +986,11 @@ Copyright (c) 2016 json-iterator https://github.com/mailru/easyjson Copyright (c) 2016 Mail.Ru Group -** github.com/stoewer/go-strcase; version v1.3.0 -- -https://github.com/stoewer/go-strcase -Copyright (c) 2017, Adrian Stoewer - ** go.uber.org/multierr; version v1.11.0 -- https://github.com/uber-go/multierr Copyright (c) 2017-2021 Uber Technologies, Inc. -** go.uber.org/zap; version v1.26.0 -- +** go.uber.org/zap; version v1.25.0 -- https://github.com/uber-go/zap Copyright (c) 2016-2017 Uber Technologies, Inc. 
@@ -1071,7 +1013,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ------ -** github.com/go-asn1-ber/asn1-ber; version v1.5.5 -- +** github.com/go-asn1-ber/asn1-ber; version v1.5.4 -- https://github.com/go-asn1-ber/asn1-ber Copyright (c) 2011-2015 Michael Mitton (mmitton@gmail.com) @@ -1096,7 +1038,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ------ -** github.com/go-ldap/ldap/v3; version v3.4.6 -- +** github.com/go-ldap/ldap/v3; version v3.4.5 -- https://github.com/go-ldap/ldap/v3 Copyright (c) 2011-2015 Michael Mitton (mmitton@gmail.com) 
@@ -1193,3 +1135,56 @@ See the License for the specific language governing permissions and limitations under the License. ------ + +** sigs.k8s.io/yaml; version v1.3.0 -- +https://github.com/kubernetes-sigs/yaml +Copyright (c) 2014 Sam Ghods +Copyright (c) 2012 The Go Authors. All rights reserved. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + + + + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + +* Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. +* Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. +* Neither the name of Google Inc. 
nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +------ diff --git a/projects/cert-manager/cert-manager/CHECKSUMS b/projects/cert-manager/cert-manager/CHECKSUMS index 87270cb19b..23660077d9 100644 --- a/projects/cert-manager/cert-manager/CHECKSUMS +++ b/projects/cert-manager/cert-manager/CHECKSUMS 
@@ -1,10 +1,10 @@
-274ad2273cee9f4dfeaf4a02311236221b4d3b84fd8623aab577bd3263007e6f _output/bin/cert-manager/linux-amd64/cert-manager-acmesolver
-36d053b0050482cd3b84c7cbbac2771af8ea01b600b246f143cf0c93c31812ca _output/bin/cert-manager/linux-amd64/cert-manager-cainjector
-e01db7692d3ebfc5c353401251fd1e982a257e0ac3e10a33210304ba99ad272c _output/bin/cert-manager/linux-amd64/cert-manager-controller
-7e17f410af89f21c4dd09b3f9cfc6af0bc0d9df4359cff29287d0040af7d163a _output/bin/cert-manager/linux-amd64/cert-manager-ctl
-4e730ffa950d75eb04b2b09f5e295d95eb571f15a3eef0c2c9a82d18b092b69a _output/bin/cert-manager/linux-amd64/cert-manager-webhook
-7a0b606ebb44463f616b382b84eb3cf7df9e91f96dff2fd0a83ffab1a8320112 _output/bin/cert-manager/linux-arm64/cert-manager-acmesolver
-01dce540d1f1760f8e84ea1ea9bfd3d06cd66cd68e7418423b3237f2460a0f20 _output/bin/cert-manager/linux-arm64/cert-manager-cainjector
-c4ac310ffdf8d33e84a6b5d97defb1e4ec6c6d3778c2e4dbd9828d790e6447b8 _output/bin/cert-manager/linux-arm64/cert-manager-controller
-1dc59af9c5494966dfd828620d120966b56ecb93f3961a978fdd98a2ce3ae967 _output/bin/cert-manager/linux-arm64/cert-manager-ctl
-2a072a17dd79b42851a602c9b0e389f15808210c3c8734569a06c8c1e3dd5c0a _output/bin/cert-manager/linux-arm64/cert-manager-webhook
+2b72bd4e11997bb5480ede6c783d79ae011a0930f9ed815c26dfc713bd4c628b _output/bin/cert-manager/linux-amd64/cert-manager-acmesolver
+c90f38b1d374a3da5733abd13cbe9ab8e6834b319e0c5e2ef6c426c8a4144bbe _output/bin/cert-manager/linux-amd64/cert-manager-cainjector
+02facec218c79c2405f37d43a877533bfc554d143642103eedc2350522197422 _output/bin/cert-manager/linux-amd64/cert-manager-controller
+035b2e3674e0bb0aa5357624ce855806f0bcdf4c1bd2ff8822b1ca8372fbc01d _output/bin/cert-manager/linux-amd64/cert-manager-ctl
+dcc564729c4d9152854b5161fe100ea60a70165ed087b609367243e281a4bdc2 _output/bin/cert-manager/linux-amd64/cert-manager-webhook
+b3b40afb6791b6754edf1a6a819436bc628c1a9a7b9ee41e22da6a3b555d4025 _output/bin/cert-manager/linux-arm64/cert-manager-acmesolver
+0bd20caa6bc769b39f2bc0040aaaabb6a166f22b35e515b76be70ec8037021c2 _output/bin/cert-manager/linux-arm64/cert-manager-cainjector
+cb392cfc39118119a623e2adb5ba204a744015d21a4a71a0d3130e10dd0aec74 _output/bin/cert-manager/linux-arm64/cert-manager-controller
+9f6d6fed349c14c7b4e3a1ac6bffe63377fc3d81e2b0c5a273c783b3429d4e70 _output/bin/cert-manager/linux-arm64/cert-manager-ctl
+17ce76b8850e967e83c839061793289aed6cd13b3422d36ed016bbb227ca6aec _output/bin/cert-manager/linux-arm64/cert-manager-webhook
diff --git a/projects/cert-manager/cert-manager/GIT_TAG b/projects/cert-manager/cert-manager/GIT_TAG
index 471578389b..fb844899c1 100644
--- a/projects/cert-manager/cert-manager/GIT_TAG
+++ b/projects/cert-manager/cert-manager/GIT_TAG
@@ -1 +1 @@
-v1.14.2
+v1.13.2
diff --git a/projects/cert-manager/cert-manager/GOLANG_VERSION b/projects/cert-manager/cert-manager/GOLANG_VERSION
index d2ab029d32..5fb5a6b4f5 100644
--- a/projects/cert-manager/cert-manager/GOLANG_VERSION
+++ b/projects/cert-manager/cert-manager/GOLANG_VERSION
@@ -1 +1 @@
-1.21
+1.20
diff --git a/projects/cert-manager/cert-manager/README.md b/projects/cert-manager/cert-manager/README.md
index 0f5200c1a2..9766a4d661 100644
--- a/projects/cert-manager/cert-manager/README.md
+++ b/projects/cert-manager/cert-manager/README.md
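Review bot: The `GOLANG_VERSION` hunk moves the build toolchain back from `1.21` to `1.20` and the `GIT_TAG` hunk before it restores v1.13.2, yet neither the commit message nor any changed file records why the bump is being reverted. The regenerated attribution hunks show what the rebuilt binaries give up: golang.org/x/crypto v0.17.0 → v0.14.0, golang.org/x/net v0.19.0 → v0.17.0, google.golang.org/grpc v1.60.1 → v1.58.3 and google.golang.org/protobuf v1.32.0 → v1.31.0. Whether any fix released between those versions is needed on this release branch cannot be told from the diff, so it should be checked before merging. I would record the reason next to the pin in `UPSTREAM_PROJECTS.yaml`, for example `# held at v1.13.2 / Go 1.20 on release-0.19: <reason>; review dependency advisories before re-bumping`.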
@@ -1,5 +1,5 @@ ## **cert-manager** -![Version](https://img.shields.io/badge/version-v1.14.2-blue) +![Version](https://img.shields.io/badge/version-v1.13.2-blue) ![Build Status](https://codebuild.us-west-2.amazonaws.com/badges?uuid=eyJlbmNyeXB0ZWREYXRhIjoiUkphQkhWTUpOOVE1OFVLU0dHQmVFUXZJV0dJaGVLYmtEZHp0aGtDRnJBQUxtaHVqOWp3S0l6d0NlTytqNWpwc2tNTmF6RnNhMTZ3d1J1RXErR0lWcldZPSIsIml2UGFyYW1ldGVyU3BlYyI6IlQyU2lIcVVtU3ozZVZSVTgiLCJtYXRlcmlhbFNldFNlcmlhbCI6MX0%3D&branch=main) [cert-manager](https://github.com/cert-manager/cert-manager) is a Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources, such as [Let’s Encrypt](https://letsencrypt.org), [HashiCorp Vault](https://www.vaultproject.io), [Venafi](https://www.venafi.com/), a simple signing key pair, or self signed. It periodically ensures that certificates are valid and up-to-date, and attempts to renew certificates at an appropriate time before expiry. diff --git a/projects/cert-manager/cert-manager/helm/patches/0001-Use-sourceRegistry-and-digest-in-chart.patch b/projects/cert-manager/cert-manager/helm/patches/0001-Use-sourceRegistry-and-digest-in-chart.patch index 9c9a217c30..2701c3d05d 100644 --- a/projects/cert-manager/cert-manager/helm/patches/0001-Use-sourceRegistry-and-digest-in-chart.patch +++ b/projects/cert-manager/cert-manager/helm/patches/0001-Use-sourceRegistry-and-digest-in-chart.patch @@ -1,4 +1,4 @@ -From fbd880ad90933d2913684686800ac91b0da56696 Mon Sep 17 00:00:00 2001 +From 61be93062447ad6eebd654f37e8f178f3bd4cbee Mon Sep 17 00:00:00 2001 From: Abdullahi Abdinur Date: Thu, 6 Oct 2022 12:55:27 -0700 Subject: [PATCH 1/4] Use-sourceRegistry-and-digest-in-chart 
@@ -6,13 +6,13 @@ Subject: [PATCH 1/4] Use-sourceRegistry-and-digest-in-chart --- deploy/charts/cert-manager/Chart.yaml | 20 ++ deploy/charts/cert-manager/README.md | 248 ++++++++++++++++++ - .../templates/cainjector-deployment.yaml | 2 +- - .../cert-manager/templates/deployment.yaml | 2 +- + .../templates/cainjector-deployment.yaml | 4 +- + .../cert-manager/templates/deployment.yaml | 4 +- .../cert-manager/templates/namespace.yaml | 7 + - .../templates/startupapicheck-job.yaml | 2 +- - .../templates/webhook-deployment.yaml | 2 +- + .../templates/startupapicheck-job.yaml | 4 +- + .../templates/webhook-deployment.yaml | 4 +- deploy/charts/cert-manager/values.yaml | 14 +- - 8 files changed, 289 insertions(+), 8 deletions(-) + 8 files changed, 289 insertions(+), 16 deletions(-) create mode 100644 deploy/charts/cert-manager/Chart.yaml create mode 100644 deploy/charts/cert-manager/README.md create mode 100644 deploy/charts/cert-manager/templates/namespace.yaml @@ -298,31 +298,35 @@ index 000000000..4fd1e752d + +This chart is maintained at [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager). diff --git a/deploy/charts/cert-manager/templates/cainjector-deployment.yaml b/deploy/charts/cert-manager/templates/cainjector-deployment.yaml -index a2f7243e8..8f181519e 100644 +index fbfed0fce..8d979bdd8 100644 --- a/deploy/charts/cert-manager/templates/cainjector-deployment.yaml 
+++ b/deploy/charts/cert-manager/templates/cainjector-deployment.yaml -@@ -59,7 +59,7 @@ spec: +@@ -54,9 +54,7 @@ spec: {{- end }} containers: - name: {{ .Chart.Name }}-cainjector -- image: "{{ template "image" (tuple .Values.cainjector.image $.Chart.AppVersion) }}" +- {{- with .Values.cainjector.image }} +- image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}" +- {{- end }} + image: "{{ .Values.sourceRegistry }}/{{ .Values.cainjector.image.repository }}@{{ .Values.cainjector.image.digest }}" imagePullPolicy: {{ .Values.cainjector.image.pullPolicy }} args: - {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}} + {{- if .Values.global.logLevel }} diff --git a/deploy/charts/cert-manager/templates/deployment.yaml b/deploy/charts/cert-manager/templates/deployment.yaml -index c984de03d..2cf730824 100644 +index 6e74f1e82..fdb95289d 100644 --- a/deploy/charts/cert-manager/templates/deployment.yaml +++ b/deploy/charts/cert-manager/templates/deployment.yaml -@@ -77,7 +77,7 @@ spec: +@@ -65,9 +65,7 @@ spec: {{- end }} containers: - name: {{ .Chart.Name }}-controller -- image: "{{ template "image" (tuple .Values.image $.Chart.AppVersion) }}" +- {{- with .Values.image }} +- image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}" +- {{- end }} + image: "{{ .Values.sourceRegistry }}/{{ .Values.image.repository }}@{{ .Values.image.digest }}" imagePullPolicy: {{ .Values.image.pullPolicy }} args: - {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}} + {{- if .Values.global.logLevel }} diff --git a/deploy/charts/cert-manager/templates/namespace.yaml b/deploy/charts/cert-manager/templates/namespace.yaml new file mode 100644 index 000000000..b49644d70 
@@ -337,36 +341,40 @@ index 000000000..b49644d70 +spec: {} +status: {} diff --git a/deploy/charts/cert-manager/templates/startupapicheck-job.yaml b/deploy/charts/cert-manager/templates/startupapicheck-job.yaml -index 311b4c48e..daf358d57 100644 +index f55b5fe15..6a7675e27 100644 --- a/deploy/charts/cert-manager/templates/startupapicheck-job.yaml +++ b/deploy/charts/cert-manager/templates/startupapicheck-job.yaml -@@ -47,7 +47,7 @@ spec: +@@ -43,9 +43,7 @@ spec: {{- end }} containers: - name: {{ .Chart.Name }}-startupapicheck -- image: "{{ template "image" (tuple .Values.startupapicheck.image $.Chart.AppVersion) }}" +- {{- with .Values.startupapicheck.image }} +- image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}" +- {{- end }} + image: "{{ .Values.sourceRegistry }}/{{ .Values.startupapicheck.image.repository }}@{{ .Values.startupapicheck.image.digest }}" imagePullPolicy: {{ .Values.startupapicheck.image.pullPolicy }} args: - check diff --git a/deploy/charts/cert-manager/templates/webhook-deployment.yaml b/deploy/charts/cert-manager/templates/webhook-deployment.yaml -index e55cd4361..ca7698384 100644 +index 259a96c79..efe5d692e 100644 --- a/deploy/charts/cert-manager/templates/webhook-deployment.yaml 
+++ b/deploy/charts/cert-manager/templates/webhook-deployment.yaml -@@ -64,7 +64,7 @@ spec: +@@ -56,9 +56,7 @@ spec: {{- end }} containers: - name: {{ .Chart.Name }}-webhook -- image: "{{ template "image" (tuple .Values.webhook.image $.Chart.AppVersion) }}" +- {{- with .Values.webhook.image }} +- image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}" +- {{- end }} + image: "{{ .Values.sourceRegistry }}/{{ .Values.webhook.image.repository }}@{{ .Values.webhook.image.digest }}" imagePullPolicy: {{ .Values.webhook.image.pullPolicy }} args: - {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}} + {{- if .Values.global.logLevel }} diff --git a/deploy/charts/cert-manager/values.yaml b/deploy/charts/cert-manager/values.yaml -index 885ae024b..2e2af002d 100644 +index 35ec9766a..fd30fc787 100644 --- a/deploy/charts/cert-manager/values.yaml +++ b/deploy/charts/cert-manager/values.yaml -@@ -3,6 +3,8 @@ +@@ -1,6 +1,8 @@ # Default values for cert-manager. # This is a YAML-formatted file. # Declare variables to be passed into your templates. 
@@ -375,74 +383,74 @@ index 885ae024b..2e2af002d 100644 global: # Reference to one or more secrets to be used when pulling images # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ -@@ -130,7 +132,7 @@ image: +@@ -68,7 +70,7 @@ featureGates: "" + maxConcurrentChallenges: 60 - # The container image for the cert-manager controller - # +docs:property + image: - repository: quay.io/jetstack/cert-manager-controller + repository: cert-manager/cert-manager-controller + # You can manage a registry with + # registry: quay.io + # repository: jetstack/cert-manager-controller +@@ -79,6 +81,7 @@ image: - # Override the image tag to deploy by setting this variable. - # If no value is set, the chart's appVersion will be used. -@@ -140,6 +142,7 @@ image: # Setting a digest will override any tag - # +docs:property # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + digest: {{cert-manager/cert-manager-controller}} - - # Kubernetes imagePullPolicy on Deployment. pullPolicy: IfNotPresent -@@ -753,7 +756,7 @@ webhook: - # The container image for the cert-manager webhook - # +docs:property + # Override the namespace used to store DNS provider credentials etc. for ClusterIssuer +@@ -333,7 +336,7 @@ webhook: + serviceLabels: {} + + image: - repository: quay.io/jetstack/cert-manager-webhook + repository: cert-manager/cert-manager-webhook + # You can manage a registry with + # registry: quay.io + # repository: jetstack/cert-manager-webhook +@@ -344,6 +347,7 @@ webhook: - # Override the image tag to deploy by setting this variable. - # If no value is set, the chart's appVersion will be used. -@@ -763,6 +766,7 @@ webhook: # Setting a digest will override any tag - # +docs:property # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + digest: {{cert-manager/cert-manager-webhook}} - # Kubernetes imagePullPolicy on Deployment. 
pullPolicy: IfNotPresent -@@ -1036,7 +1040,7 @@ cainjector: - # The container image for the cert-manager cainjector - # +docs:property +@@ -471,7 +475,7 @@ cainjector: + podLabels: {} + + image: - repository: quay.io/jetstack/cert-manager-cainjector + repository: cert-manager/cert-manager-cainjector + # You can manage a registry with + # registry: quay.io + # repository: jetstack/cert-manager-cainjector +@@ -482,6 +486,7 @@ cainjector: - # Override the image tag to deploy by setting this variable. - # If no value is set, the chart's appVersion will be used. -@@ -1046,6 +1050,7 @@ cainjector: # Setting a digest will override any tag - # +docs:property # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + digest: {{cert-manager/cert-manager-cainjector}} - # Kubernetes imagePullPolicy on Deployment. pullPolicy: IfNotPresent -@@ -1222,7 +1227,7 @@ startupapicheck: - # The container image for the cert-manager startupapicheck - # +docs:property -- repository: quay.io/jetstack/cert-manager-startupapicheck +@@ -577,7 +582,7 @@ startupapicheck: + podLabels: {} + + image: +- repository: quay.io/jetstack/cert-manager-ctl + repository: cert-manager/cert-manager-ctl + # You can manage a registry with + # registry: quay.io + # repository: jetstack/cert-manager-ctl +@@ -588,6 +593,7 @@ startupapicheck: - # Override the image tag to deploy by setting this variable. - # If no value is set, the chart's appVersion will be used. -@@ -1232,6 +1237,7 @@ startupapicheck: # Setting a digest will override any tag - # +docs:property # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + digest: {{cert-manager/cert-manager-ctl}} - # Kubernetes imagePullPolicy on Deployment. pullPolicy: IfNotPresent + -- -2.39.3 (Apple Git-145) +2.34.1 
diff --git a/projects/cert-manager/cert-manager/helm/patches/0002-Add-cert-manager-CRDs.patch b/projects/cert-manager/cert-manager/helm/patches/0002-Add-cert-manager-CRDs.patch index 0f0c83c0f2..8b1cf03c01 100644 --- a/projects/cert-manager/cert-manager/helm/patches/0002-Add-cert-manager-CRDs.patch +++ b/projects/cert-manager/cert-manager/helm/patches/0002-Add-cert-manager-CRDs.patch @@ -1,19 +1,19 @@ -From 3690088bad728c09f567f9537a2b35d6376139bd Mon Sep 17 00:00:00 2001 +From f54914de847ff0be543ed2c966905aac8920a22d Mon Sep 17 00:00:00 2001 From: Prow Bot Date: Thu, 23 Jun 2022 07:01:26 -0600 Subject: [PATCH 2/4] Add cert-manager CRDs --- - .../cert-manager/crds/cert-manager.crds.yaml | 4710 +++++++++++++++++ - 1 file changed, 4710 insertions(+) + .../cert-manager/crds/cert-manager.crds.yaml | 4178 +++++++++++++++++ + 1 file changed, 4178 insertions(+) create mode 100644 deploy/charts/cert-manager/crds/cert-manager.crds.yaml diff --git a/deploy/charts/cert-manager/crds/cert-manager.crds.yaml b/deploy/charts/cert-manager/crds/cert-manager.crds.yaml new file mode 100644 -index 000000000..edb28bb0a +index 000000000..af016f11e --- /dev/null +++ b/deploy/charts/cert-manager/crds/cert-manager.crds.yaml -@@ -0,0 +1,4710 @@ +@@ -0,0 +1,4178 @@ +# Copyright 2022 The cert-manager Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -28,17 +28,20 @@ index 000000000..edb28bb0a +# See the License for the specific language governing permissions and +# limitations under the License. + -+# Source: cert-manager/templates/crds.yaml ++--- ++# Source: cert-manager/templates/templates.out +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: certificaterequests.cert-manager.io ++ annotations: ++ cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels -+ app.kubernetes.io/version: "v1.14.2" ++ app.kubernetes.io/version: "v1.7.2" +spec: + group: cert-manager.io + names: 
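Review bot: The restored CRD patch labels the CustomResourceDefinition in this hunk with `app.kubernetes.io/version: "v1.7.2"` (the same label returns in the hunk at `@@ -226,17 +228,19 @@`), while this commit sets GIT_TAG to v1.13.2, so the CRD manifest appears to come from a much older release than the controller and webhook it ships with. A later hunk also drops `literalSubject` from the Certificate schema, which suggests the schema itself, not just the label, predates the binaries; an API server serving this CRD would likely prune or reject fields that the v1.13.2 components understand. If the revert is meant to land on v1.13.2, regenerate `0002-Add-cert-manager-CRDs.patch` from that tag so the label reads `app.kubernetes.io/version: "v1.13.2"` and the schema matches, or state in the commit message why the older CRDs are kept.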
@@ -82,8 +85,10 @@ index 000000000..edb28bb0a + type: date + schema: + openAPIV3Schema: -+ description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `Ready` status condition and its `status.failureTime` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used." ++ description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used." + type: object ++ required: ++ - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 
@@ -94,14 +99,14 @@ index 000000000..edb28bb0a + metadata: + type: object + spec: -+ description: Specification of the desired state of the CertificateRequest resource. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status ++ description: Desired state of the CertificateRequest resource. + type: object + required: + - issuerRef + - request + properties: + duration: -+ description: Requested 'duration' (i.e. lifetime) of the Certificate. Note that the issuer may choose to ignore the requested duration, just like any other requested attribute. ++ description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. + type: string + extra: + description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. 
@@ -117,10 +122,10 @@ index 000000000..edb28bb0a + type: string + x-kubernetes-list-type: atomic + isCA: -+ description: "Requested basic constraints isCA value. Note that the issuer may choose to ignore the requested isCA value, just like any other requested attribute. \n NOTE: If the CSR in the `Request` field has a BasicConstraints extension, it must have the same isCA value as specified here. \n If true, this will automatically add the `cert sign` usage to the list of requested `usages`." ++ description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`. + type: boolean + issuerRef: -+ description: "Reference to the issuer responsible for issuing the certificate. If the issuer is namespace-scoped, it must be in the same namespace as the Certificate. If the issuer is cluster-scoped, it can be used from any namespace. \n The `name` field of the reference must always be specified." ++ description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty. + type: object + required: + - name 
@@ -135,17 +140,17 @@ index 000000000..edb28bb0a + description: Name of the resource being referred to. + type: string + request: -+ description: "The PEM-encoded X.509 certificate signing request to be submitted to the issuer for signing. \n If the CSR has a BasicConstraints extension, its isCA attribute must match the `isCA` value of this CertificateRequest. If the CSR has a KeyUsage extension, its key usages must match the key usages in the `usages` field of this CertificateRequest. If the CSR has a ExtKeyUsage extension, its extended key usages must match the extended key usages in the `usages` field of this CertificateRequest." ++ description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing. + type: string + format: byte + uid: + description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. + type: string + usages: -+ description: "Requested key usages and extended key usages. \n NOTE: If the CSR in the `Request` field has uses the KeyUsage or ExtKeyUsage extension, these extensions must have the same values as specified here without any additional values. \n If unset, defaults to `digital signature` and `key encipherment`." ++ description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified. + type: array + items: -+ description: "KeyUsage specifies valid usage contexts for keys. 
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" ++ description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"' + type: string + enum: + - signing 
@@ -175,19 +180,19 @@ index 000000000..edb28bb0a + description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. + type: string + status: -+ description: 'Status of the CertificateRequest. This is set and managed automatically. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' ++ description: Status of the CertificateRequest. This is set and managed automatically. + type: object + properties: + ca: -+ description: The PEM encoded X.509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available. ++ description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available. + type: string + format: byte + certificate: -+ description: The PEM encoded X.509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field. ++ description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field. + type: string + format: byte + conditions: -+ description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`. ++ description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. 
+ type: array + items: + description: CertificateRequestCondition contains condition information for a CertificateRequest. @@ -216,9 +221,6 @@ index 000000000..edb28bb0a + type: + description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`). + type: string -+ x-kubernetes-list-map-keys: -+ - type -+ x-kubernetes-list-type: map + failureTime: + description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off. + type: string @@ -226,17 +228,19 @@ index 000000000..edb28bb0a + served: true + storage: true +--- -+# Source: cert-manager/templates/crds.yaml ++# Source: cert-manager/templates/templates.out +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: certificates.cert-manager.io ++ annotations: ++ cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels -+ app.kubernetes.io/version: "v1.14.2" ++ app.kubernetes.io/version: "v1.7.2" +spec: + group: cert-manager.io + names: 
@@ -275,8 +279,10 @@ index 000000000..edb28bb0a + type: date + schema: + openAPIV3Schema: -+ description: "A Certificate resource should be created to ensure an up to date and signed X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)." ++ description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)." + type: object ++ required: ++ - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 
@@ -287,14 +293,14 @@ index 000000000..edb28bb0a + metadata: + type: object + spec: -+ description: Specification of the desired state of the Certificate resource. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status ++ description: Desired state of the Certificate resource. + type: object + required: + - issuerRef + - secretName + properties: + additionalOutputFormats: -+ description: "Defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. \n This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option set on both the controller and webhook components." ++ description: AdditionalOutputFormats defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option on both the controller and webhook components. + type: array + items: + description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key. 
@@ -309,34 +315,34 @@ index 000000000..edb28bb0a + - DER + - CombinedPEM + commonName: -+ description: "Requested common name X509 certificate subject attribute. More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 NOTE: TLS clients will ignore this value when any subject alternative name is set (see https://tools.ietf.org/html/rfc6125#section-6.4.4). \n Should have a length of 64 characters or fewer to avoid generating invalid CSRs. Cannot be set if the `literalSubject` field is set." ++ description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + type: string + dnsNames: -+ description: Requested DNS subject alternative names. ++ description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate. + type: array + items: + type: string + duration: -+ description: "Requested 'duration' (i.e. lifetime) of the Certificate. Note that the issuer may choose to ignore the requested duration, just like any other requested attribute. \n If unset, this defaults to 90 days. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration." ++ description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + emailAddresses: -+ description: Requested email subject alternative names. 
++ description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate. + type: array + items: + type: string + encodeUsagesInRequest: -+ description: "Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR. \n This option defaults to true, and should only be disabled if the target issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions." ++ description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest + type: boolean + ipAddresses: -+ description: Requested IP address subject alternative names. ++ description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate. + type: array + items: + type: string + isCA: -+ description: "Requested basic constraints isCA value. The isCA value is used to set the `isCA` field on the created CertificateRequest resources. Note that the issuer may choose to ignore the requested isCA value, just like any other requested attribute. \n If true, this will automatically add the `cert sign` usage to the list of requested `usages`." ++ description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`. + type: boolean + issuerRef: -+ description: "Reference to the issuer responsible for issuing the certificate. If the issuer is namespace-scoped, it must be in the same namespace as the Certificate. If the issuer is cluster-scoped, it can be used from any namespace. \n The `name` field of the reference must always be specified." ++ description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. 
+ type: object + required: + - name @@ -351,7 +357,7 @@ index 000000000..edb28bb0a + description: Name of the resource being referred to. + type: string + keystores: -+ description: Additional keystore output formats to be stored in the Certificate's Secret. ++ description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource. + type: object + properties: + jks: @@ -362,7 +368,7 @@ index 000000000..edb28bb0a + - passwordSecretRef + properties: + create: -+ description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority ++ description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore. 
@@ -384,7 +390,7 @@ index 000000000..edb28bb0a + - passwordSecretRef + properties: + create: -+ description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority ++ description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore. 
@@ -398,121 +404,41 @@ index 000000000..edb28bb0a + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string -+ profile: -+ description: "Profile specifies the key and certificate encryption algorithms and the HMAC algorithm used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. \n If provided, allowed values are: `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms (eg. because of company policy). Please note that the security of the algorithm is not that important in reality, because the unencrypted certificate and private key are also stored in the Secret." -+ type: string -+ enum: -+ - LegacyRC2 -+ - LegacyDES -+ - Modern2023 -+ literalSubject: -+ description: "Requested X.509 certificate subject, represented using the LDAP \"String Representation of a Distinguished Name\" [1]. Important: the LDAP string format also specifies the order of the attributes in the subject, this is important when issuing certs for LDAP authentication. Example: `CN=foo,DC=corp,DC=example,DC=com` More info [1]: https://datatracker.ietf.org/doc/html/rfc4514 More info: https://github.com/cert-manager/cert-manager/issues/3203 More info: https://github.com/cert-manager/cert-manager/issues/4424 \n Cannot be set if the `subject` or `commonName` field is set. This is an Alpha Feature and is only enabled with the `--feature-gates=LiteralCertificateSubject=true` option set on both the controller and webhook components." -+ type: string -+ nameConstraints: -+ description: "x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. 
More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 \n This is an Alpha Feature and is only enabled with the `--feature-gates=NameConstraints=true` option set on both the controller and webhook components." -+ type: object -+ properties: -+ critical: -+ description: if true then the name constraints are marked critical. -+ type: boolean -+ excluded: -+ description: Excluded contains the constraints which must be disallowed. Any name matching a restriction in the excluded field is invalid regardless of information appearing in the permitted -+ type: object -+ properties: -+ dnsDomains: -+ description: DNSDomains is a list of DNS domains that are permitted or excluded. -+ type: array -+ items: -+ type: string -+ emailAddresses: -+ description: EmailAddresses is a list of Email Addresses that are permitted or excluded. -+ type: array -+ items: -+ type: string -+ ipRanges: -+ description: IPRanges is a list of IP Ranges that are permitted or excluded. This should be a valid CIDR notation. -+ type: array -+ items: -+ type: string -+ uriDomains: -+ description: URIDomains is a list of URI domains that are permitted or excluded. -+ type: array -+ items: -+ type: string -+ permitted: -+ description: Permitted contains the constraints in which the names must be located. -+ type: object -+ properties: -+ dnsDomains: -+ description: DNSDomains is a list of DNS domains that are permitted or excluded. -+ type: array -+ items: -+ type: string -+ emailAddresses: -+ description: EmailAddresses is a list of Email Addresses that are permitted or excluded. -+ type: array -+ items: -+ type: string -+ ipRanges: -+ description: IPRanges is a list of IP Ranges that are permitted or excluded. This should be a valid CIDR notation. -+ type: array -+ items: -+ type: string -+ uriDomains: -+ description: URIDomains is a list of URI domains that are permitted or excluded. 
-+ type: array -+ items: -+ type: string -+ otherNames: -+ description: '`otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37 Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`. Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3 You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.' -+ type: array -+ items: -+ type: object -+ properties: -+ oid: -+ description: OID is the object identifier for the otherName SAN. The object identifier must be expressed as a dotted string, for example, "1.2.840.113556.1.4.221". -+ type: string -+ utf8Value: -+ description: utf8Value is the string value of the otherName SAN. The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN. -+ type: string + privateKey: -+ description: Private key options. These include the key algorithm and size, the used encoding and the rotation policy. ++ description: Options to control private keys used for the Certificate. + type: object + properties: + algorithm: -+ description: "Algorithm is the private key algorithm of the corresponding private key for this certificate. \n If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`. If `algorithm` is specified and `size` is not provided, key size of 2048 will be used for `RSA` key algorithm and key size of 256 will be used for `ECDSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm." ++ description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. 
key size is ignored when using the `Ed25519` key algorithm. + type: string + enum: + - RSA + - ECDSA + - Ed25519 + encoding: -+ description: "The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. \n If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified." ++ description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified. + type: string + enum: + - PKCS1 + - PKCS8 + rotationPolicy: -+ description: "RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. \n If set to `Never`, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to `Always`, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is `Never` for backward compatibility." ++ description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility. + type: string -+ enum: -+ - Never -+ - Always + size: -+ description: "Size is the key bit size of the corresponding private key for this certificate. 
\n If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed." ++ description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed. + type: integer + renewBefore: -+ description: "How long before the currently issued certificate's expiry cert-manager should renew the certificate. For example, if a certificate is valid for 60 minutes, and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate 50 minutes after it was issued (i.e. when there are 10 minutes remaining until the certificate is no longer valid). \n NOTE: The actual lifetime of the issued certificate is used to determine the renewal time. If an issuer returns a certificate with a different lifetime than the one requested, cert-manager will use the lifetime of the issued certificate. \n If unset, this defaults to 1/3 of the issued certificate's lifetime. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration." ++ description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. 
Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + revisionHistoryLimit: -+ description: "The maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. \n If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`." ++ description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`. + type: integer + format: int32 + secretName: -+ description: Name of the Secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer. The Secret resource lives in the same namespace as the Certificate resource. ++ description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer. + type: string + secretTemplate: -+ description: Defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. 
SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret. ++ description: SecretTemplate defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret. + type: object + properties: + annotations: @@ -526,7 +452,7 @@ index 000000000..edb28bb0a + additionalProperties: + type: string + subject: -+ description: "Requested set of X509 certificate subject attributes. More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 \n The common name attribute is specified separately in the `commonName` field. Cannot be set if the `literalSubject` field is set." ++ description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + type: object + properties: + countries: 
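Review bot: On the new side of the `@@ -398,121 +404,41 @@` hunk, `privateKey.rotationPolicy` is left as a bare `type: string`, so the schema itself no longer rejects a misspelt policy. Whether the admission webhook still checks the value is not visible here; if the pinned controller accepts only the two values, keeping `enum:`, `- Never`, `- Always` under that field preserves the check at the API server. The same hunk drops `keystores.pkcs12.profile`, so a Certificate that had set `Modern2023` would presumably have the field pruned after the downgrade and fall back to the older controller's PKCS12 encryption. That is worth one line in the release notes for this revert. The hunks at `@@ -1002,20 +924,8 @@` (`accessKeyIDSecretRef`) and `@@ -1119,10 +984,7 @@` (`ingressClassName`) remove user-settable fields in the same way.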
@@ -568,15 +494,15 @@ index 000000000..edb28bb0a + items: + type: string + uris: -+ description: Requested URI subject alternative names. ++ description: URIs is a list of URI subjectAltNames to be set on the Certificate. + type: array + items: + type: string + usages: -+ description: "Requested key usages and extended key usages. These usages are used to set the `usages` field on the created CertificateRequest resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages will additionally be encoded in the `request` field which contains the CSR blob. \n If unset, defaults to `digital signature` and `key encipherment`." ++ description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified. + type: array + items: -+ description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" ++ description: 'KeyUsage specifies valid usage contexts for keys. 
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"' + type: string + enum: + - signing @@ -603,7 +529,7 @@ index 000000000..edb28bb0a + - microsoft sgc + - netscape sgc + status: -+ description: 'Status of the Certificate. This is set and managed automatically. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' ++ description: Status of the Certificate. This is set and managed automatically. + type: object + properties: + conditions: 
@@ -640,14 +566,8 @@ index 000000000..edb28bb0a + type: + description: Type of the condition, known values are (`Ready`, `Issuing`). + type: string -+ x-kubernetes-list-map-keys: -+ - type -+ x-kubernetes-list-type: map -+ failedIssuanceAttempts: -+ description: The number of continuous failed issuance attempts up till now. This field gets removed (if set) on a successful issuance and gets set to 1 if unset and an issuance has failed. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). -+ type: integer + lastFailureTime: -+ description: LastFailureTime is set only if the lastest issuance for this Certificate failed and contains the time of the failure. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). If the latest issuance has succeeded this field will be unset. ++ description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time. + type: string + format: date-time + nextPrivateKeySecretName: @@ -658,7 +578,7 @@ index 000000000..edb28bb0a + type: string + format: date-time + notBefore: -+ description: The time after which the certificate stored in the secret named by this resource in `spec.secretName` is valid. ++ description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid. + type: string + format: date-time + renewalTime: 
@@ -671,17 +591,19 @@ index 000000000..edb28bb0a + served: true + storage: true +--- -+# Source: cert-manager/templates/crds.yaml ++# Source: cert-manager/templates/templates.out +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: challenges.acme.cert-manager.io ++ annotations: ++ cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels -+ app.kubernetes.io/version: "v1.14.2" ++ app.kubernetes.io/version: "v1.7.2" +spec: + group: acme.cert-manager.io + names: @@ -846,10 +768,10 @@ index 000000000..edb28bb0a + - subscriptionID + properties: + clientID: -+ description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.' ++ description: if both this and ClientSecret are left unset MSI will be used + type: string + clientSecretSecretRef: -+ description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.' ++ description: if both this and ClientID are left unset MSI will be used + type: object + required: + - name 
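Review bot: The CRD restored by the `@@ -671,17 +591,19 @@` hunk labels itself `app.kubernetes.io/version: "v1.7.2"` and names `templates.out` as its source, while this commit pins cert-manager to `v1.13.2` in UPSTREAM_PROJECTS.yaml. The schema shipped by this patch therefore looks older than the controller it is installed with. If that is the case, spec fields the controller supports but the schema lacks would be pruned by the API server without an error, which is easy to miss for issuer and solver settings. Regenerating 0002 from the pinned tag would make the label read `app.kubernetes.io/version: "v1.13.2"`. If the older snapshot is intentional, a comment next to the label such as `# CRD schema intentionally kept at v1.7.2: <reason>` would record it. The CustomResourceDefinition continues beyond this hunk.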
@@ -872,14 +794,14 @@ index 000000000..edb28bb0a + description: name of the DNS zone that should be used + type: string + managedIdentity: -+ description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.' ++ description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: -+ description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity ++ description: resource ID of the managed identity, can not be used at the same time as clientID + type: string + resourceGroupName: + description: resource group the DNS zone is located in @@ -888,7 +810,7 @@ index 000000000..edb28bb0a + description: ID of the Azure subscription + type: string + tenantID: -+ description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.' ++ description: when specifying ClientID and ClientSecret then this field is also needed + type: string + cloudDNS: + description: Use the Google Cloud DNS API to manage DNS01 challenge records. 
@@ -1002,20 +924,8 @@ index 000000000..edb28bb0a + - region + properties: + accessKeyID: -+ description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' ++ description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string -+ accessKeyIDSecretRef: -+ description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' -+ type: object -+ required: -+ - name -+ properties: -+ key: -+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. -+ type: string -+ name: -+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' -+ type: string + hostedZoneID: + description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. + type: string 
@@ -1026,7 +936,7 @@ index 000000000..edb28bb0a + description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: -+ description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' ++ description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + type: object + required: + - name 
@@ -1062,55 +972,10 @@ index 000000000..edb28bb0a + type: object + properties: + labels: -+ description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. ++ description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway. + type: object + additionalProperties: + type: string -+ parentRefs: -+ description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' -+ type: array -+ items: -+ description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n This API may be extended in the future to support additional kinds of parent resources. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." -+ type: object -+ required: -+ - name -+ properties: -+ group: -+ description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" -+ type: string -+ default: gateway.networking.k8s.io -+ maxLength: 253 -+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ -+ kind: -+ description: "Kind is kind of the referent. 
\n There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n Support for other resources is Implementation-Specific." -+ type: string -+ default: Gateway -+ maxLength: 63 -+ minLength: 1 -+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ -+ name: -+ description: "Name is the name of the referent. \n Support: Core" -+ type: string -+ maxLength: 253 -+ minLength: 1 -+ namespace: -+ description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" -+ type: string -+ maxLength: 63 -+ minLength: 1 -+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ -+ port: -+ description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). 
It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " -+ type: integer -+ format: int32 -+ maximum: 65535 -+ minimum: 1 -+ sectionName: -+ description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. Note that attaching Routes to Services as Parents is part of experimental Mesh support and is not supported for any other purpose. \n Implementations MAY choose to support attaching Routes to other resources. 
If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" -+ type: string -+ maxLength: 253 -+ minLength: 1 -+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string @@ -1119,10 +984,7 @@ index 000000000..edb28bb0a + type: object + properties: + class: -+ description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified. -+ type: string -+ ingressClassName: -+ description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified. ++ description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. 
@@ -1143,7 +1005,7 @@ index 000000000..edb28bb0a + additionalProperties: + type: string + name: -+ description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified. ++ description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. @@ -1164,7 +1026,7 @@ index 000000000..edb28bb0a + additionalProperties: + type: string + spec: -+ description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored. ++ description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. + type: object + properties: + affinity: @@ -1231,7 +1093,6 @@ index 000000000..edb28bb0a + type: array + items: + type: string -+ x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + type: integer 
@@ -1291,8 +1152,6 @@ index 000000000..edb28bb0a + type: array + items: + type: string -+ x-kubernetes-map-type: atomic -+ x-kubernetes-map-type: atomic + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + type: object @@ -1314,7 +1173,7 @@ index 000000000..edb28bb0a + - topologyKey + properties: + labelSelector: -+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. ++ description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: 
@@ -1343,21 +1202,8 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic -+ matchLabelKeys: -+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic -+ mismatchLabelKeys: -+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic + namespaceSelector: -+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. 
null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. ++ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + type: object + properties: + matchExpressions: @@ -1386,9 +1232,8 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic + namespaces: -+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". ++ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" + type: array + items: + type: string @@ -1409,7 +1254,7 @@ index 000000000..edb28bb0a + - topologyKey + properties: + labelSelector: -+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. ++ description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: 
@@ -1438,21 +1283,8 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic -+ matchLabelKeys: -+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic -+ mismatchLabelKeys: -+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic + namespaceSelector: -+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. 
null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. ++ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + type: object + properties: + matchExpressions: @@ -1481,9 +1313,8 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic + namespaces: -+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". ++ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" + type: array + items: + type: string @@ -1511,7 +1342,7 @@ index 000000000..edb28bb0a + - topologyKey + properties: + labelSelector: -+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. ++ description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: 
@@ -1540,21 +1371,8 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic -+ matchLabelKeys: -+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic -+ mismatchLabelKeys: -+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic + namespaceSelector: -+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. 
null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. ++ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + type: object + properties: + matchExpressions: @@ -1583,9 +1401,8 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic + namespaces: -+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". ++ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" + type: array + items: + type: string @@ -1606,7 +1423,7 @@ index 000000000..edb28bb0a + - topologyKey + properties: + labelSelector: -+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. ++ description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: 
@@ -1635,21 +1452,8 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic -+ matchLabelKeys: -+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic -+ mismatchLabelKeys: -+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic + namespaceSelector: -+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. 
null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. ++ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + type: object + properties: + matchExpressions: 
@@ -1678,26 +1482,14 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic + namespaces: -+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". ++ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string -+ imagePullSecrets: -+ description: If specified, the pod's imagePullSecrets -+ type: array -+ items: -+ description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. -+ type: object -+ properties: -+ name: -+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' -+ type: string -+ x-kubernetes-map-type: atomic + nodeSelector: + description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object 
@@ -1797,17 +1589,19 @@ index 000000000..edb28bb0a + subresources: + status: {} +--- -+# Source: cert-manager/templates/crds.yaml ++# Source: cert-manager/templates/templates.out +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterissuers.cert-manager.io ++ annotations: ++ cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' -+ app.kubernetes.io/instance: "cert-manager" ++ app.kubernetes.io/instance: 'cert-manager' + # Generated labels -+ app.kubernetes.io/version: "v1.14.2" ++ app.kubernetes.io/version: "v1.7.2" +spec: + group: cert-manager.io + names: @@ -1860,10 +1654,6 @@ index 000000000..edb28bb0a + - privateKeySecretRef + - server + properties: -+ caBundle: -+ description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. -+ type: string -+ format: byte + disableAccountKeyGeneration: + description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. + type: boolean 
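Review bot: The restored ClusterIssuer CRD in this hunk labels itself `app.kubernetes.io/version: "v1.7.2"` (with `# Source: cert-manager/templates/templates.out`), while the same revert pins the project tag to v1.13.2 in UPSTREAM_PROJECTS.yaml, so the schema carried by this patch appears to be several minor releases older than the controller it ships with. The effect shows in the neighbouring hunks: `caBundle` disappears from the ACME issuer properties (next hunk on this line) and the `skipTLSVerify` description loses its `INSECURE:` marker (`@@ -1922,7 +1712,7 @@`), which, as far as the visible properties show, leaves disabling TLS verification as the only in-schema option for an ACME server behind a private CA. If the CRDs are meant to track the tag, regenerate this patch from the v1.13.2 chart so the label reads `app.kubernetes.io/version: "v1.13.2"`; if the older schema is intentional, state that in the patch's own commit message and direct operators to add the CA to the controller's trust store rather than set `skipTLSVerify: true`. The CRD document starts and ends outside this hunk, so the rest of the schema was not checked.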
@@ -1922,7 +1712,7 @@ index 000000000..edb28bb0a + description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + type: string + skipTLSVerify: -+ description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.' ++ description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false. + type: boolean + solvers: + description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' 
@@ -2011,10 +1801,10 @@ index 000000000..edb28bb0a + - subscriptionID + properties: + clientID: -+ description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.' ++ description: if both this and ClientSecret are left unset MSI will be used + type: string + clientSecretSecretRef: -+ description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.' ++ description: if both this and ClientID are left unset MSI will be used + type: object + required: + - name @@ -2037,14 +1827,14 @@ index 000000000..edb28bb0a + description: name of the DNS zone that should be used + type: string + managedIdentity: -+ description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.' ++ description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: -+ description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity ++ description: resource ID of the managed identity, can not be used at the same time as clientID + type: string + resourceGroupName: + description: resource group the DNS zone is located in 
@@ -2053,7 +1843,7 @@ index 000000000..edb28bb0a + description: ID of the Azure subscription + type: string + tenantID: -+ description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.' ++ description: when specifying ClientID and ClientSecret then this field is also needed + type: string + cloudDNS: + description: Use the Google Cloud DNS API to manage DNS01 challenge records. 
@@ -2167,20 +1957,8 @@ index 000000000..edb28bb0a + - region + properties: + accessKeyID: -+ description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' ++ description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string -+ accessKeyIDSecretRef: -+ description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' -+ type: object -+ required: -+ - name -+ properties: -+ key: -+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. -+ type: string -+ name: -+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' -+ type: string + hostedZoneID: + description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. + type: string 
@@ -2191,7 +1969,7 @@ index 000000000..edb28bb0a + description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: -+ description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' ++ description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + type: object + required: + - name 
@@ -2227,55 +2005,10 @@ index 000000000..edb28bb0a + type: object + properties: + labels: -+ description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. ++ description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway. + type: object + additionalProperties: + type: string -+ parentRefs: -+ description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' -+ type: array -+ items: -+ description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n This API may be extended in the future to support additional kinds of parent resources. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." -+ type: object -+ required: -+ - name -+ properties: -+ group: -+ description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" -+ type: string -+ default: gateway.networking.k8s.io -+ maxLength: 253 -+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ -+ kind: -+ description: "Kind is kind of the referent. 
\n There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n Support for other resources is Implementation-Specific." -+ type: string -+ default: Gateway -+ maxLength: 63 -+ minLength: 1 -+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ -+ name: -+ description: "Name is the name of the referent. \n Support: Core" -+ type: string -+ maxLength: 253 -+ minLength: 1 -+ namespace: -+ description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" -+ type: string -+ maxLength: 63 -+ minLength: 1 -+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ -+ port: -+ description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). 
It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " -+ type: integer -+ format: int32 -+ maximum: 65535 -+ minimum: 1 -+ sectionName: -+ description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. Note that attaching Routes to Services as Parents is part of experimental Mesh support and is not supported for any other purpose. \n Implementations MAY choose to support attaching Routes to other resources. 
If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" -+ type: string -+ maxLength: 253 -+ minLength: 1 -+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string @@ -2284,10 +2017,7 @@ index 000000000..edb28bb0a + type: object + properties: + class: -+ description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified. -+ type: string -+ ingressClassName: -+ description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified. ++ description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. 
@@ -2308,7 +2038,7 @@ index 000000000..edb28bb0a + additionalProperties: + type: string + name: -+ description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified. ++ description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. @@ -2329,7 +2059,7 @@ index 000000000..edb28bb0a + additionalProperties: + type: string + spec: -+ description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored. ++ description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. + type: object + properties: + affinity: @@ -2396,7 +2126,6 @@ index 000000000..edb28bb0a + type: array + items: + type: string -+ x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + type: integer 
@@ -2456,8 +2185,6 @@ index 000000000..edb28bb0a + type: array + items: + type: string -+ x-kubernetes-map-type: atomic -+ x-kubernetes-map-type: atomic + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + type: object @@ -2479,7 +2206,7 @@ index 000000000..edb28bb0a + - topologyKey + properties: + labelSelector: -+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. ++ description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: 
@@ -2508,21 +2235,8 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic -+ matchLabelKeys: -+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic -+ mismatchLabelKeys: -+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic + namespaceSelector: -+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. 
null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. ++ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + type: object + properties: + matchExpressions: @@ -2551,9 +2265,8 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic + namespaces: -+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". ++ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" + type: array + items: + type: string @@ -2574,7 +2287,7 @@ index 000000000..edb28bb0a + - topologyKey + properties: + labelSelector: -+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. ++ description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: 
@@ -2603,21 +2316,8 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic -+ matchLabelKeys: -+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic -+ mismatchLabelKeys: -+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic + namespaceSelector: -+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. 
null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. ++ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + type: object + properties: + matchExpressions: @@ -2646,9 +2346,8 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic + namespaces: -+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". ++ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" + type: array + items: + type: string @@ -2676,7 +2375,7 @@ index 000000000..edb28bb0a + - topologyKey + properties: + labelSelector: -+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. ++ description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: 
@@ -2705,21 +2404,8 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic -+ matchLabelKeys: -+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic -+ mismatchLabelKeys: -+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic + namespaceSelector: -+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. 
null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. ++ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + type: object + properties: + matchExpressions: @@ -2748,9 +2434,8 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic + namespaces: -+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". ++ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" + type: array + items: + type: string @@ -2771,7 +2456,7 @@ index 000000000..edb28bb0a + - topologyKey + properties: + labelSelector: -+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. ++ description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: 
@@ -2800,21 +2485,8 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic -+ matchLabelKeys: -+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic -+ mismatchLabelKeys: -+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic + namespaceSelector: -+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. 
null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. ++ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + type: object + properties: + matchExpressions: 
@@ -2843,26 +2515,14 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic + namespaces: -+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". ++ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string -+ imagePullSecrets: -+ description: If specified, the pod's imagePullSecrets -+ type: array -+ items: -+ description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. -+ type: object -+ properties: -+ name: -+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' -+ type: string -+ x-kubernetes-map-type: atomic + nodeSelector: + description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object 
@@ -2930,11 +2590,6 @@ index 000000000..edb28bb0a + type: array + items: + type: string -+ issuingCertificateURLs: -+ description: IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details. As an example, such a URL might be "http://ca.domain.com/ca.crt". -+ type: array -+ items: -+ type: string + ocspServers: + description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + type: array @@ -2995,6 +2650,7 @@ index 000000000..edb28bb0a + type: object + required: + - role ++ - secretRef + properties: + mountPath: + description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. 
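Review bot: A token stored in a Secret becomes the only accepted Vault Kubernetes auth path here: the `required` list in `@@ -2995,6 +2650,7 @@` gains `- secretRef`, and the next hunk (`@@ -3014,15 +2670,6 @@`) drops `serviceAccountRef`. An issuer already written against the newer schema with `serviceAccountRef` alone would presumably lose that field to schema pruning and then fail validation on its next update. I would add a rollback step to the project README, for example `Before applying the reverted CRDs, switch Vault issuers that use auth.kubernetes.serviceAccountRef back to secretRef`, and state that the referenced token Secret needs its own rotation. The enclosing `kubernetes` auth object starts before this hunk.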
@@ -3014,15 +2670,6 @@ index 000000000..edb28bb0a + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string -+ serviceAccountRef: -+ description: A reference to a service account that will be used to request a bound token (also known as "projected token"). Compared to using "secretRef", using this field means that you don't rely on statically bound tokens. To use this field, you must configure an RBAC rule to let cert-manager request a token. -+ type: object -+ required: -+ - name -+ properties: -+ name: -+ description: Name of the ServiceAccount used to request a token. -+ type: string + tokenSecretRef: + description: TokenSecretRef authenticates with Vault by presenting a token. + type: object 
@@ -3036,21 +2683,9 @@ index 000000000..edb28bb0a + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + caBundle: -+ description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. ++ description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + type: string + format: byte -+ caBundleSecretRef: -+ description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'. -+ type: object -+ required: -+ - name -+ properties: -+ key: -+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. -+ type: string -+ name: -+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' -+ type: string + namespace: + description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. 
e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + type: string @@ -3095,7 +2730,7 @@ index 000000000..edb28bb0a + - url + properties: + caBundle: -+ description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain. ++ description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. + type: string + format: byte + credentialsRef: @@ -3121,9 +2756,6 @@ index 000000000..edb28bb0a + description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. + type: object + properties: -+ lastPrivateKeyHash: -+ description: LastPrivateKeyHash is a hash of the private key associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer -+ type: string + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer + type: string 
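Review bot: Pinning a private CA for the Vault connection is only possible with an inline base64 `caBundle` after `@@ -3036,21 +2683,9 @@`, because `caBundleSecretRef` is removed and the restored text falls back to system roots when the bundle is unset. The same narrowing applies to ACME: `@@ -3233,10 +2864,6 @@` removes `caBundle`, and `@@ -3295,7 +2922,7 @@` restores a `skipTLSVerify` description without the `INSECURE:` prefix. Operators with a privately signed ACME server are then left with `skipTLSVerify: true` or a change to the controller's root store. I would record the safe choice next to the revert, e.g. in the README: `ACME servers with a private CA: add the CA to the controller's system roots; do not set skipTLSVerify`. Both schema objects extend beyond their hunks.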
@@ -3164,23 +2796,22 @@ index 000000000..edb28bb0a + type: + description: Type of the condition, known values are (`Ready`). + type: string -+ x-kubernetes-list-map-keys: -+ - type -+ x-kubernetes-list-type: map + served: true + storage: true +--- -+# Source: cert-manager/templates/crds.yaml ++# Source: cert-manager/templates/templates.out +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: issuers.cert-manager.io ++ annotations: ++ cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' -+ app.kubernetes.io/instance: "cert-manager" ++ app.kubernetes.io/instance: 'cert-manager' + # Generated labels -+ app.kubernetes.io/version: "v1.14.2" ++ app.kubernetes.io/version: "v1.7.2" +spec: + group: cert-manager.io + names: @@ -3233,10 +2864,6 @@ index 000000000..edb28bb0a + - privateKeySecretRef + - server + properties: -+ caBundle: -+ description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. -+ type: string -+ format: byte + disableAccountKeyGeneration: + description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. + type: boolean 
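Review bot: The restored label `app.kubernetes.io/version: "v1.7.2"` in `@@ -3164,23 +2796,22 @@` does not match the v1.13.2 tag this revert returns to, so the Issuer schema installed by this patch looks older than the controller built from that tag. If that is intentional for this branch it deserves a comment, because fields the controller supports but this schema omits cannot be set by users. The hunk also brings back `cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'`, which names the `cert-manager` namespace literally; confirm it still agrees with the namespace handling in the other patches of this series. Suggested comment above the label: `# CRD schema generated from <upstream release>; controller is built from GIT_TAG`.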
@@ -3295,7 +2922,7 @@ index 000000000..edb28bb0a + description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + type: string + skipTLSVerify: -+ description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.' ++ description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false. + type: boolean + solvers: + description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' 
@@ -3384,10 +3011,10 @@ index 000000000..edb28bb0a + - subscriptionID + properties: + clientID: -+ description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.' ++ description: if both this and ClientSecret are left unset MSI will be used + type: string + clientSecretSecretRef: -+ description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.' ++ description: if both this and ClientID are left unset MSI will be used + type: object + required: + - name @@ -3410,14 +3037,14 @@ index 000000000..edb28bb0a + description: name of the DNS zone that should be used + type: string + managedIdentity: -+ description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.' ++ description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: -+ description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity ++ description: resource ID of the managed identity, can not be used at the same time as clientID + type: string + resourceGroupName: + description: resource group the DNS zone is located in 
@@ -3426,7 +3053,7 @@ index 000000000..edb28bb0a + description: ID of the Azure subscription + type: string + tenantID: -+ description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.' ++ description: when specifying ClientID and ClientSecret then this field is also needed + type: string + cloudDNS: + description: Use the Google Cloud DNS API to manage DNS01 challenge records. 
@@ -3540,20 +3167,8 @@ index 000000000..edb28bb0a + - region + properties: + accessKeyID: -+ description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' ++ description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string -+ accessKeyIDSecretRef: -+ description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' -+ type: object -+ required: -+ - name -+ properties: -+ key: -+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. -+ type: string -+ name: -+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' -+ type: string + hostedZoneID: + description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. + type: string 
@@ -3564,7 +3179,7 @@ index 000000000..edb28bb0a + description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: -+ description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' ++ description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + type: object + required: + - name 
@@ -3600,55 +3215,10 @@ index 000000000..edb28bb0a + type: object + properties: + labels: -+ description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. ++ description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway. + type: object + additionalProperties: + type: string -+ parentRefs: -+ description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' -+ type: array -+ items: -+ description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n This API may be extended in the future to support additional kinds of parent resources. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." -+ type: object -+ required: -+ - name -+ properties: -+ group: -+ description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" -+ type: string -+ default: gateway.networking.k8s.io -+ maxLength: 253 -+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ -+ kind: -+ description: "Kind is kind of the referent. 
\n There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n Support for other resources is Implementation-Specific." -+ type: string -+ default: Gateway -+ maxLength: 63 -+ minLength: 1 -+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ -+ name: -+ description: "Name is the name of the referent. \n Support: Core" -+ type: string -+ maxLength: 253 -+ minLength: 1 -+ namespace: -+ description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" -+ type: string -+ maxLength: 63 -+ minLength: 1 -+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ -+ port: -+ description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). 
It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " -+ type: integer -+ format: int32 -+ maximum: 65535 -+ minimum: 1 -+ sectionName: -+ description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. Note that attaching Routes to Services as Parents is part of experimental Mesh support and is not supported for any other purpose. \n Implementations MAY choose to support attaching Routes to other resources. 
If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" -+ type: string -+ maxLength: 253 -+ minLength: 1 -+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string @@ -3657,10 +3227,7 @@ index 000000000..edb28bb0a + type: object + properties: + class: -+ description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified. -+ type: string -+ ingressClassName: -+ description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified. ++ description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. 
@@ -3681,7 +3248,7 @@ index 000000000..edb28bb0a + additionalProperties: + type: string + name: -+ description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified. ++ description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. @@ -3702,7 +3269,7 @@ index 000000000..edb28bb0a + additionalProperties: + type: string + spec: -+ description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored. ++ description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. + type: object + properties: + affinity: @@ -3769,7 +3336,6 @@ index 000000000..edb28bb0a + type: array + items: + type: string -+ x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + type: integer 
@@ -3829,8 +3395,6 @@ index 000000000..edb28bb0a + type: array + items: + type: string -+ x-kubernetes-map-type: atomic -+ x-kubernetes-map-type: atomic + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + type: object @@ -3852,7 +3416,7 @@ index 000000000..edb28bb0a + - topologyKey + properties: + labelSelector: -+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. ++ description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: 
@@ -3881,21 +3445,8 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic -+ matchLabelKeys: -+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic -+ mismatchLabelKeys: -+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic + namespaceSelector: -+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. 
null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. ++ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + type: object + properties: + matchExpressions: @@ -3924,9 +3475,8 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic + namespaces: -+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". ++ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" + type: array + items: + type: string @@ -3947,7 +3497,7 @@ index 000000000..edb28bb0a + - topologyKey + properties: + labelSelector: -+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. ++ description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: 
@@ -3976,21 +3526,8 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic -+ matchLabelKeys: -+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic -+ mismatchLabelKeys: -+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic + namespaceSelector: -+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. 
null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. ++ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + type: object + properties: + matchExpressions: @@ -4019,9 +3556,8 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic + namespaces: -+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". ++ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" + type: array + items: + type: string @@ -4049,7 +3585,7 @@ index 000000000..edb28bb0a + - topologyKey + properties: + labelSelector: -+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. ++ description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: 
@@ -4078,21 +3614,8 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic -+ matchLabelKeys: -+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic -+ mismatchLabelKeys: -+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic + namespaceSelector: -+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. 
null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. ++ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + type: object + properties: + matchExpressions: @@ -4121,9 +3644,8 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic + namespaces: -+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". ++ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" + type: array + items: + type: string @@ -4144,7 +3666,7 @@ index 000000000..edb28bb0a + - topologyKey + properties: + labelSelector: -+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. ++ description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: 
@@ -4173,21 +3695,8 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic -+ matchLabelKeys: -+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic -+ mismatchLabelKeys: -+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. -+ type: array -+ items: -+ type: string -+ x-kubernetes-list-type: atomic + namespaceSelector: -+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. 
null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. ++ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled. + type: object + properties: + matchExpressions: 
@@ -4216,26 +3725,14 @@ index 000000000..edb28bb0a + type: object + additionalProperties: + type: string -+ x-kubernetes-map-type: atomic + namespaces: -+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". ++ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string -+ imagePullSecrets: -+ description: If specified, the pod's imagePullSecrets -+ type: array -+ items: -+ description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. -+ type: object -+ properties: -+ name: -+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' -+ type: string -+ x-kubernetes-map-type: atomic + nodeSelector: + description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object 
@@ -4303,11 +3800,6 @@ index 000000000..edb28bb0a + type: array + items: + type: string -+ issuingCertificateURLs: -+ description: IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details. As an example, such a URL might be "http://ca.domain.com/ca.crt". -+ type: array -+ items: -+ type: string + ocspServers: + description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + type: array @@ -4368,6 +3860,7 @@ index 000000000..edb28bb0a + type: object + required: + - role ++ - secretRef + properties: + mountPath: + description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. 
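Review bot: The `- secretRef` entry restored under `required` for the Vault Kubernetes auth block (hunk `@@ -4368,6 +3860,7 @@`), together with the removal of `serviceAccountRef` in the following hunk, leaves a token stored in a Secret as the only way to authenticate to Vault through this CRD. The removed description itself says `serviceAccountRef` avoids relying on statically bound tokens, so the revert weakens credential hygiene. Any Issuer or ClusterIssuer already written with `serviceAccountRef` would presumably be rejected or have the field pruned once these CRDs are applied. Neither effect is mentioned in the commit message; I would record it where operators will look, for example a README line such as `Vault Kubernetes auth requires secretRef in this release; serviceAccountRef is not available`. The enclosing CRD definition starts and ends outside this hunk.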
@@ -4387,15 +3880,6 @@ index 000000000..edb28bb0a + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string -+ serviceAccountRef: -+ description: A reference to a service account that will be used to request a bound token (also known as "projected token"). Compared to using "secretRef", using this field means that you don't rely on statically bound tokens. To use this field, you must configure an RBAC rule to let cert-manager request a token. -+ type: object -+ required: -+ - name -+ properties: -+ name: -+ description: Name of the ServiceAccount used to request a token. -+ type: string + tokenSecretRef: + description: TokenSecretRef authenticates with Vault by presenting a token. + type: object 
@@ -4409,21 +3893,9 @@ index 000000000..edb28bb0a + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + caBundle: -+ description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. ++ description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + type: string + format: byte -+ caBundleSecretRef: -+ description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'. -+ type: object -+ required: -+ - name -+ properties: -+ key: -+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. -+ type: string -+ name: -+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' -+ type: string + namespace: + description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. 
e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + type: string @@ -4468,7 +3940,7 @@ index 000000000..edb28bb0a + - url + properties: + caBundle: -+ description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain. ++ description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. + type: string + format: byte + credentialsRef: @@ -4494,9 +3966,6 @@ index 000000000..edb28bb0a + description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. + type: object + properties: -+ lastPrivateKeyHash: -+ description: LastPrivateKeyHash is a hash of the private key associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer -+ type: string + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer + type: string 
@@ -4537,23 +4006,22 @@ index 000000000..edb28bb0a + type: + description: Type of the condition, known values are (`Ready`). + type: string -+ x-kubernetes-list-map-keys: -+ - type -+ x-kubernetes-list-type: map + served: true + storage: true +--- -+# Source: cert-manager/templates/crds.yaml ++# Source: cert-manager/templates/templates.out +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: orders.acme.cert-manager.io ++ annotations: ++ cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels -+ app.kubernetes.io/version: "v1.14.2" ++ app.kubernetes.io/version: "v1.7.2" +spec: + group: acme.cert-manager.io + names: @@ -4725,5 +4193,5 @@ index 000000000..edb28bb0a + served: true + storage: true -- -2.39.3 (Apple Git-145) +2.34.1 diff --git a/projects/cert-manager/cert-manager/helm/patches/0003-Remove-namespace-from-chart.patch b/projects/cert-manager/cert-manager/helm/patches/0003-Remove-namespace-from-chart.patch index 972fd5abd0..73c7249b4a 100644 --- a/projects/cert-manager/cert-manager/helm/patches/0003-Remove-namespace-from-chart.patch +++ b/projects/cert-manager/cert-manager/helm/patches/0003-Remove-namespace-from-chart.patch @@ -1,4 +1,4 @@ -From a8fa949e0d5b3eb6ddce2f03bdaea78ca6e71541 Mon Sep 17 00:00:00 2001 +From e733b0c7c345b91542537de3fee523897190a717 Mon Sep 17 00:00:00 2001 From: Abdullahi Abdinur Date: Thu, 6 Oct 2022 12:58:13 -0700 Subject: [PATCH 3/4] Remove namespace from chart @@ -22,5 +22,5 @@ index b49644d70..000000000 -spec: {} -status: {} -- -2.39.3 (Apple Git-145) +2.34.1 diff --git a/projects/cert-manager/cert-manager/helm/patches/0004-Update-cert-manager-namespace-config.patch b/projects/cert-manager/cert-manager/helm/patches/0004-Update-cert-manager-namespace-config.patch index 5ff40886b5..ffb81ae7f1 100644 
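Review bot: The CRD restored in this hunk (`orders.acme.cert-manager.io`, presumably inside 0002-Add-cert-manager-CRDs.patch, whose file header lies outside this view) is labelled `app.kubernetes.io/version: "v1.7.2"` and sourced from `cert-manager/templates/templates.out`, while the rendered manifest later in the same commit is labelled `"v1.13.2"`. If the label reflects the real origin of these chart CRDs, the Helm path and the manifest path install different validation schemas for the same controller version, so fields one path accepts may be rejected or pruned by the other. Since this is a revert it restores earlier state rather than introducing the gap, but it is worth confirming the lag is intended. Otherwise regenerate the patch from the v1.13.2 chart so the line reads `app.kubernetes.io/version: "v1.13.2"`.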
--- a/projects/cert-manager/cert-manager/helm/patches/0004-Update-cert-manager-namespace-config.patch +++ b/projects/cert-manager/cert-manager/helm/patches/0004-Update-cert-manager-namespace-config.patch @@ -1,30 +1,28 @@ -From 9171416e0b081004d5278ae66677e27d2c9b47fd Mon Sep 17 00:00:00 2001 +From 0b0c300c2ee6b8622bec6414d8d8706badaff458 Mon Sep 17 00:00:00 2001 From: Abdullahi Abdinur Date: Wed, 19 Oct 2022 10:58:28 -0700 Subject: [PATCH 4/4] Update cert manager namespace config --- - deploy/charts/cert-manager/templates/_helpers.tpl | 2 +- - .../templates/cainjector-serviceaccount.yaml | 4 ++-- - .../charts/cert-manager/templates/serviceaccount.yaml | 4 ++-- - .../templates/startupapicheck-serviceaccount.yaml | 4 ++-- - .../cert-manager/templates/webhook-serviceaccount.yaml | 4 ++-- - deploy/charts/cert-manager/values.yaml | 10 +++++----- - 6 files changed, 14 insertions(+), 14 deletions(-) + deploy/charts/cert-manager/templates/_helpers.tpl | 2 +- + .../cert-manager/templates/cainjector-serviceaccount.yaml | 4 ++-- + deploy/charts/cert-manager/templates/serviceaccount.yaml | 4 ++-- + .../templates/startupapicheck-serviceaccount.yaml | 4 ++-- + .../cert-manager/templates/webhook-serviceaccount.yaml | 4 ++-- + deploy/charts/cert-manager/values.yaml | 5 ++++- + 6 files changed, 13 insertions(+), 10 deletions(-) diff --git a/deploy/charts/cert-manager/templates/_helpers.tpl b/deploy/charts/cert-manager/templates/_helpers.tpl -index 067fe6a05..902142094 100644 +index 90db4af26..da4f1a14b 100644 --- a/deploy/charts/cert-manager/templates/_helpers.tpl 
+++ b/deploy/charts/cert-manager/templates/_helpers.tpl -@@ -170,7 +170,7 @@ This gets around an problem within helm discussed here +@@ -170,5 +170,5 @@ This gets around an problem within helm discussed here https://github.com/helm/helm/issues/5358 */}} {{- define "cert-manager.namespace" -}} - {{ .Values.namespace | default .Release.Namespace }} + {{ .Release.Namespace | default .Values.defaultNamespace}} {{- end -}} - - {{/* diff --git a/deploy/charts/cert-manager/templates/cainjector-serviceaccount.yaml b/deploy/charts/cert-manager/templates/cainjector-serviceaccount.yaml index fedc731f8..6f2723a80 100644 --- a/deploy/charts/cert-manager/templates/cainjector-serviceaccount.yaml @@ -42,7 +40,7 @@ index fedc731f8..6f2723a80 100644 {{- end }} {{- end }} diff --git a/deploy/charts/cert-manager/templates/serviceaccount.yaml b/deploy/charts/cert-manager/templates/serviceaccount.yaml -index 87fc00ea7..b90ec30c3 100644 +index 6026842ff..39209cfa5 100644 --- a/deploy/charts/cert-manager/templates/serviceaccount.yaml +++ b/deploy/charts/cert-manager/templates/serviceaccount.yaml @@ -1,9 +1,9 @@ @@ -89,10 +87,10 @@ index dff5c0672..eec438f38 100644 {{- end }} {{- end }} diff --git a/deploy/charts/cert-manager/values.yaml b/deploy/charts/cert-manager/values.yaml -index 2e2af002d..5d72cf4e2 100644 +index fd30fc787..3e5c9d004 100644 --- a/deploy/charts/cert-manager/values.yaml +++ b/deploy/charts/cert-manager/values.yaml -@@ -5,14 +5,14 @@ +@@ -3,10 +3,13 @@ # Declare variables to be passed into your templates. namespace: "cert-manager" sourceRegistry: "public.ecr.aws/eks-anywhere" 
@@ -102,16 +100,11 @@ index 2e2af002d..5d72cf4e2 100644 global: # Reference to one or more secrets to be used when pulling images # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ -- # -- # For example: -- # imagePullSecrets: -- # - name: "image-pull-secret" - imagePullSecrets: [] + #imagePullSecrets: [] -+ # - name: "image-pull-secret" + # - name: "image-pull-secret" # Labels to apply to all resources - # Please note that this does not add labels to the resources created dynamically by the controllers. -- -2.39.3 (Apple Git-145) +2.34.1 diff --git a/projects/cert-manager/cert-manager/manifests/cert-manager.yaml b/projects/cert-manager/cert-manager/manifests/cert-manager.yaml index 4f940cb126..15f67a138e 100644 --- a/projects/cert-manager/cert-manager/manifests/cert-manager.yaml +++ b/projects/cert-manager/cert-manager/manifests/cert-manager.yaml @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/name: 'cert-manager' app.kubernetes.io/instance: 'cert-manager' # Generated labels - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" spec: group: cert-manager.io names: @@ -225,7 +225,7 @@ metadata: app.kubernetes.io/name: 'cert-manager' app.kubernetes.io/instance: 'cert-manager' # Generated labels - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" spec: group: cert-manager.io names: 
@@ -387,83 +387,9 @@ spec: name: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string - profile: - description: "Profile specifies the key and certificate encryption algorithms and the HMAC algorithm used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. \n If provided, allowed values are: `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms (eg. because of company policy). Please note that the security of the algorithm is not that important in reality, because the unencrypted certificate and private key are also stored in the Secret." - type: string - enum: - - LegacyRC2 - - LegacyDES - - Modern2023 literalSubject: description: "Requested X.509 certificate subject, represented using the LDAP \"String Representation of a Distinguished Name\" [1]. Important: the LDAP string format also specifies the order of the attributes in the subject, this is important when issuing certs for LDAP authentication. Example: `CN=foo,DC=corp,DC=example,DC=com` More info [1]: https://datatracker.ietf.org/doc/html/rfc4514 More info: https://github.com/cert-manager/cert-manager/issues/3203 More info: https://github.com/cert-manager/cert-manager/issues/4424 \n Cannot be set if the `subject` or `commonName` field is set. This is an Alpha Feature and is only enabled with the `--feature-gates=LiteralCertificateSubject=true` option set on both the controller and webhook components." type: string - nameConstraints: - description: "x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. 
More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 \n This is an Alpha Feature and is only enabled with the `--feature-gates=NameConstraints=true` option set on both the controller and webhook components." - type: object - properties: - critical: - description: if true then the name constraints are marked critical. - type: boolean - excluded: - description: Excluded contains the constraints which must be disallowed. Any name matching a restriction in the excluded field is invalid regardless of information appearing in the permitted - type: object - properties: - dnsDomains: - description: DNSDomains is a list of DNS domains that are permitted or excluded. - type: array - items: - type: string - emailAddresses: - description: EmailAddresses is a list of Email Addresses that are permitted or excluded. - type: array - items: - type: string - ipRanges: - description: IPRanges is a list of IP Ranges that are permitted or excluded. This should be a valid CIDR notation. - type: array - items: - type: string - uriDomains: - description: URIDomains is a list of URI domains that are permitted or excluded. - type: array - items: - type: string - permitted: - description: Permitted contains the constraints in which the names must be located. - type: object - properties: - dnsDomains: - description: DNSDomains is a list of DNS domains that are permitted or excluded. - type: array - items: - type: string - emailAddresses: - description: EmailAddresses is a list of Email Addresses that are permitted or excluded. - type: array - items: - type: string - ipRanges: - description: IPRanges is a list of IP Ranges that are permitted or excluded. This should be a valid CIDR notation. - type: array - items: - type: string - uriDomains: - description: URIDomains is a list of URI domains that are permitted or excluded. - type: array - items: - type: string - otherNames: - description: '`otherNames` is an escape hatch for SAN that allows any type. 
We currently restrict the support to string like otherNames, cf RFC 5280 p 37 Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`. Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3 You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.' - type: array - items: - type: object - properties: - oid: - description: OID is the object identifier for the otherName SAN. The object identifier must be expressed as a dotted string, for example, "1.2.840.113556.1.4.221". - type: string - utf8Value: - description: utf8Value is the string value of the otherName SAN. The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN. - type: string privateKey: description: Private key options. These include the key algorithm and size, the used encoding and the rotation policy. type: object @@ -670,7 +596,7 @@ metadata: app.kubernetes.io/name: 'cert-manager' app.kubernetes.io/instance: 'cert-manager' # Generated labels - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" spec: group: acme.cert-manager.io names: @@ -835,10 +761,10 @@ spec: - subscriptionID properties: clientID: - description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.' + description: if both this and ClientSecret are left unset MSI will be used type: string clientSecretSecretRef: - description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.' + description: if both this and ClientID are left unset MSI will be used type: object required: - name 
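Review bot: This hunk removes the `nameConstraints`, `otherNames` and PKCS12 `profile` properties from the cert-manager.io CRD schema, and the revert description says nothing about clusters that already applied the v1.14.2 manifest. Assuming the CRD uses a structural `apiextensions.k8s.io/v1` schema with default pruning (not visible in this hunk), objects that set those fields will have them dropped on their next write, without an error. For `nameConstraints` on a CA certificate that would silently widen what the CA may sign on re-issuance. I would add a line to the commit description such as `Downgrade note: Certificates using nameConstraints, otherNames or the pkcs12 profile lose those fields under the v1.13.2 CRDs`, and check for such objects before rollout.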
@@ -861,14 +787,14 @@ spec: description: name of the DNS zone that should be used type: string managedIdentity: - description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.' + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID type: object properties: clientID: description: client ID of the managed identity, can not be used at the same time as resourceID type: string resourceID: - description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity + description: resource ID of the managed identity, can not be used at the same time as clientID type: string resourceGroupName: description: resource group the DNS zone is located in @@ -877,7 +803,7 @@ spec: description: ID of the Azure subscription type: string tenantID: - description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.' + description: when specifying ClientID and ClientSecret then this field is also needed type: string cloudDNS: description: Use the Google Cloud DNS API to manage DNS01 challenge records. 
@@ -1083,13 +1009,13 @@ spec: maxLength: 253 minLength: 1 namespace: - description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. 
\n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" type: string maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ port: - description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + description: "Port is the network port this Route targets. 
It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " type: integer format: int32 maximum: 65535 @@ -1303,7 +1229,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. + description: A label query over a set of resources, in this case pods. type: object properties: matchExpressions: 
@@ -1333,18 +1259,6 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic - matchLabelKeys: - description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -1398,7 +1312,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. + description: A label query over a set of resources, in this case pods. type: object properties: matchExpressions: 
@@ -1428,18 +1342,6 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic - matchLabelKeys: - description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -1500,7 +1402,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. + description: A label query over a set of resources, in this case pods. type: object properties: matchExpressions: 
@@ -1530,18 +1432,6 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic - matchLabelKeys: - description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -1595,7 +1485,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. + description: A label query over a set of resources, in this case pods. type: object properties: matchExpressions: 
@@ -1625,18 +1515,6 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic - matchLabelKeys: - description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -1796,7 +1674,7 @@ metadata: app.kubernetes.io/name: 'cert-manager' app.kubernetes.io/instance: "cert-manager" # Generated labels - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" spec: group: cert-manager.io names: @@ -2000,10 +1878,10 @@ spec: - subscriptionID properties: clientID: - description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.' + description: if both this and ClientSecret are left unset MSI will be used type: string clientSecretSecretRef: - description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.' + description: if both this and ClientID are left unset MSI will be used type: object required: - name @@ -2026,14 +1904,14 @@ spec: description: name of the DNS zone that should be used type: string managedIdentity: - description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.' + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID type: object properties: clientID: description: client ID of the managed identity, can not be used at the same time as resourceID type: string resourceID: - description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity + description: resource ID of the managed identity, can not be used at the same time as clientID type: string resourceGroupName: description: resource group the DNS zone is located in 
@@ -2042,7 +1920,7 @@ spec: description: ID of the Azure subscription type: string tenantID: - description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.' + description: when specifying ClientID and ClientSecret then this field is also needed type: string cloudDNS: description: Use the Google Cloud DNS API to manage DNS01 challenge records. 
@@ -2248,13 +2126,13 @@ spec: maxLength: 253 minLength: 1 namespace: - description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. 
\n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" type: string maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ port: - description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + description: "Port is the network port this Route targets. 
It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " type: integer format: int32 maximum: 65535 @@ -2468,7 +2346,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. + description: A label query over a set of resources, in this case pods. type: object properties: matchExpressions: 
@@ -2498,18 +2376,6 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic - matchLabelKeys: - description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -2563,7 +2429,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. + description: A label query over a set of resources, in this case pods. type: object properties: matchExpressions: 
@@ -2593,18 +2459,6 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic - matchLabelKeys: - description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -2665,7 +2519,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. + description: A label query over a set of resources, in this case pods. type: object properties: matchExpressions: 
@@ -2695,18 +2549,6 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic - matchLabelKeys: - description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -2760,7 +2602,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. + description: A label query over a set of resources, in this case pods. type: object properties: matchExpressions: 
@@ -2790,18 +2632,6 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic - matchLabelKeys: - description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -2919,11 +2749,6 @@ spec: type: array items: type: string - issuingCertificateURLs: - description: IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details. As an example, such a URL might be "http://ca.domain.com/ca.crt". - type: array - items: - type: string ocspServers: description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". type: array @@ -3169,7 +2994,7 @@ metadata: app.kubernetes.io/name: 'cert-manager' app.kubernetes.io/instance: "cert-manager" # Generated labels - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" spec: group: cert-manager.io names: @@ -3373,10 +3198,10 @@ spec: - subscriptionID properties: clientID: - description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.' + description: if both this and ClientSecret are left unset MSI will be used type: string clientSecretSecretRef: - description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.' + description: if both this and ClientID are left unset MSI will be used type: object required: - name 
@@ -3399,14 +3224,14 @@ spec: description: name of the DNS zone that should be used type: string managedIdentity: - description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.' + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID type: object properties: clientID: description: client ID of the managed identity, can not be used at the same time as resourceID type: string resourceID: - description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity + description: resource ID of the managed identity, can not be used at the same time as clientID type: string resourceGroupName: description: resource group the DNS zone is located in @@ -3415,7 +3240,7 @@ spec: description: ID of the Azure subscription type: string tenantID: - description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.' + description: when specifying ClientID and ClientSecret then this field is also needed type: string cloudDNS: description: Use the Google Cloud DNS API to manage DNS01 challenge records. 
@@ -3621,13 +3446,13 @@ spec: maxLength: 253 minLength: 1 namespace: - description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. 
\n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" type: string maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ port: - description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + description: "Port is the network port this Route targets. 
It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " type: integer format: int32 maximum: 65535 @@ -3841,7 +3666,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. + description: A label query over a set of resources, in this case pods. type: object properties: matchExpressions: 
@@ -3871,18 +3696,6 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic - matchLabelKeys: - description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -3936,7 +3749,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. + description: A label query over a set of resources, in this case pods. type: object properties: matchExpressions: 
@@ -3966,18 +3779,6 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic - matchLabelKeys: - description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -4038,7 +3839,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. + description: A label query over a set of resources, in this case pods. type: object properties: matchExpressions: 
@@ -4068,18 +3869,6 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic - matchLabelKeys: - description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -4133,7 +3922,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. + description: A label query over a set of resources, in this case pods. type: object properties: matchExpressions: 
@@ -4163,18 +3952,6 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic - matchLabelKeys: - description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. - type: array - items: - type: string - x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -4292,11 +4069,6 @@ spec: type: array items: type: string - issuingCertificateURLs: - description: IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details. As an example, such a URL might be "http://ca.domain.com/ca.crt". - type: array - items: - type: string ocspServers: description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". type: array @@ -4542,7 +4314,7 @@ metadata: app.kubernetes.io/name: 'cert-manager' app.kubernetes.io/instance: 'cert-manager' # Generated labels - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" spec: group: acme.cert-manager.io names: @@ -4726,7 +4498,7 @@ metadata: app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" --- # Source: cert-manager/templates/serviceaccount.yaml apiVersion: v1 @@ -4740,7 +4512,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" --- # Source: cert-manager/templates/webhook-serviceaccount.yaml apiVersion: v1 
@@ -4754,7 +4526,35 @@ metadata: app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" +--- +# Source: cert-manager/templates/controller-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: cert-manager + namespace: cert-manager + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.13.2" +data: +--- +# Source: cert-manager/templates/webhook-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: cert-manager-webhook + namespace: cert-manager + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.13.2" +data: --- # Source: cert-manager/templates/cainjector-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -4766,7 +4566,7 @@ metadata: app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" rules: - apiGroups: ["cert-manager.io"] resources: ["certificates"] @@ -4798,7 +4598,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" rules: - apiGroups: ["cert-manager.io"] resources: ["issuers", "issuers/status"] @@ -4824,7 +4624,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" rules: - apiGroups: ["cert-manager.io"] resources: ["clusterissuers", "clusterissuers/status"] 
@@ -4850,7 +4650,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" rules: - apiGroups: ["cert-manager.io"] resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] @@ -4885,7 +4685,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" rules: - apiGroups: ["acme.cert-manager.io"] resources: ["orders", "orders/status"] @@ -4923,7 +4723,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" rules: # Use to update challenge resource status - apiGroups: ["acme.cert-manager.io"] @@ -4983,7 +4783,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" rules: - apiGroups: ["cert-manager.io"] resources: ["certificates", "certificaterequests"] @@ -5020,7 +4820,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" rules: - apiGroups: ["cert-manager.io"] 
@@ -5037,7 +4837,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -5060,7 +4860,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" rules: @@ -5085,7 +4885,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" rules: - apiGroups: ["cert-manager.io"] resources: ["signers"] @@ -5105,7 +4905,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" rules: - apiGroups: ["certificates.k8s.io"] resources: ["certificatesigningrequests"] @@ -5131,7 +4931,7 @@ metadata: app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" rules: - apiGroups: ["authorization.k8s.io"] resources: ["subjectaccessreviews"] @@ -5147,7 +4947,7 @@ metadata: app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole 
@@ -5167,7 +4967,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -5187,7 +4987,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -5207,7 +5007,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -5227,7 +5027,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -5247,7 +5047,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -5267,7 +5067,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole 
@@ -5287,7 +5087,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -5307,7 +5107,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -5327,7 +5127,7 @@ metadata: app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -5350,7 +5150,7 @@ metadata: app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" rules: # Used for leader election by the controller # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller @@ -5376,7 +5176,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" rules: - apiGroups: ["coordination.k8s.io"] resources: ["leases"] @@ -5397,7 +5197,7 @@ metadata: app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" rules: - apiGroups: [""] resources: ["secrets"] 
@@ -5422,7 +5222,7 @@ metadata: app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -5445,7 +5245,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -5467,7 +5267,7 @@ metadata: app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -5489,7 +5289,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" spec: type: ClusterIP ports: @@ -5513,7 +5313,7 @@ metadata: app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" spec: type: ClusterIP ports: @@ -5537,7 +5337,7 @@ metadata: app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" spec: replicas: 1 selector: @@ -5552,7 +5352,7 @@ spec: app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" spec: serviceAccountName: cert-manager-cainjector enableServiceLinks: false 
@@ -5562,7 +5362,7 @@ spec: type: RuntimeDefault containers: - name: cert-manager-cainjector - image: "quay.io/jetstack/cert-manager-cainjector:v1.14.2" + image: "quay.io/jetstack/cert-manager-cainjector:v1.13.2" imagePullPolicy: IfNotPresent args: - --v=2 @@ -5577,7 +5377,6 @@ spec: capabilities: drop: - ALL - readOnlyRootFilesystem: true nodeSelector: kubernetes.io/os: linux --- @@ -5592,7 +5391,7 @@ metadata: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" spec: replicas: 1 selector: @@ -5607,7 +5406,7 @@ spec: app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" annotations: prometheus.io/path: "/metrics" prometheus.io/scrape: 'true' @@ -5621,13 +5420,13 @@ spec: type: RuntimeDefault containers: - name: cert-manager-controller - image: "quay.io/jetstack/cert-manager-controller:v1.14.2" + image: "quay.io/jetstack/cert-manager-controller:v1.13.2" imagePullPolicy: IfNotPresent args: - --v=2 - --cluster-resource-namespace=$(POD_NAMESPACE) - --leader-election-namespace=kube-system - - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.14.2 + - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.13.2 - --max-concurrent-challenges=60 ports: - containerPort: 9402 
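Review bot: The cainjector container's `securityContext` loses `readOnlyRootFilesystem: true` at `@@ -5577,7 +5377,6`, and the controller (`@@ -5641,25 +5440,11`) and webhook (`@@ -5742,7 +5527,6`) hunks drop the same line, so all three pods return to a writable root filesystem. That is a side effect of regenerating the manifest for v1.13.2, not something the revert needs. If the v1.13.2 images start cleanly with a read-only root (not verifiable from this diff), keep `readOnlyRootFilesystem: true` beside the existing `capabilities` block in each container, carried as a patch under `patches/` so the next regeneration does not drop it. The enclosing Deployment specs start outside these hunks.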
@@ -5641,25 +5440,11 @@ spec: capabilities: drop: - ALL - readOnlyRootFilesystem: true env: - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - # LivenessProbe settings are based on those used for the Kubernetes - # controller-manager. See: - # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245 - livenessProbe: - httpGet: - port: http-healthz - path: /livez - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 15 - successThreshold: 1 - failureThreshold: 8 nodeSelector: kubernetes.io/os: linux --- @@ -5674,7 +5459,7 @@ metadata: app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" spec: replicas: 1 selector: @@ -5689,7 +5474,7 @@ spec: app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" spec: serviceAccountName: cert-manager-webhook enableServiceLinks: false @@ -5699,7 +5484,7 @@ spec: type: RuntimeDefault containers: - name: cert-manager-webhook - image: "quay.io/jetstack/cert-manager-webhook:v1.14.2" + image: "quay.io/jetstack/cert-manager-webhook:v1.13.2" imagePullPolicy: IfNotPresent args: - --v=2 @@ -5742,7 +5527,6 @@ spec: capabilities: drop: - ALL - readOnlyRootFilesystem: true env: - name: POD_NAMESPACE valueFrom: @@ -5761,7 +5545,7 @@ metadata: app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" annotations: cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca" webhooks: 
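Review bot: The controller container loses its whole `livenessProbe` block (`path: /livez`, `port: http-healthz`) at `@@ -5641,25 +5440,11`, so the kubelet no longer restarts a controller that is running but wedged, and certificate renewals could stall without any pod-level signal. Whether v1.13.2 exposes a named `http-healthz` port is not visible here, because the `ports:` list continues outside the hunk. If it does, keep the probe as it was. If it does not, alert on the metrics the controller already exposes (the pod template is annotated `prometheus.io/scrape: 'true'`) to cover the gap while this branch stays on v1.13.2.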
@@ -5769,18 +5553,20 @@ webhooks: rules: - apiGroups: - "cert-manager.io" + - "acme.cert-manager.io" apiVersions: - "v1" operations: - CREATE + - UPDATE resources: - - "certificaterequests" + - "*/*" admissionReviewVersions: ["v1"] # This webhook only accepts v1 cert-manager resources. # Equivalent matchPolicy ensures that non-v1 resource requests are sent to # this webhook (after the resources have been converted to v1). matchPolicy: Equivalent - timeoutSeconds: 30 + timeoutSeconds: 10 failurePolicy: Fail # Only include 'sideEffects' field in Kubernetes 1.12+ sideEffects: None @@ -5800,15 +5586,15 @@ metadata: app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.14.2" + app.kubernetes.io/version: "v1.13.2" annotations: cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca" webhooks: - name: webhook.cert-manager.io namespaceSelector: matchExpressions: - - key: cert-manager.io/disable-validation - operator: NotIn + - key: "cert-manager.io/disable-validation" + operator: "NotIn" values: - "true" rules: @@ -5827,7 +5613,7 @@ webhooks: # Equivalent matchPolicy ensures that non-v1 resource requests are sent to # this webhook (after the resources have been converted to v1). matchPolicy: Equivalent - timeoutSeconds: 30 + timeoutSeconds: 10 failurePolicy: Fail sideEffects: None clientConfig:
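Review bot: The webhook rule at `@@ -5769,18 +5553,20` widens from `CREATE` on `certificaterequests` to `CREATE` and `UPDATE` on `"*/*"` across `cert-manager.io` and `acme.cert-manager.io`, while `failurePolicy: Fail` stays and `timeoutSeconds` drops from 30 to 10 (also at `@@ -5827,7 +5613,7`). This looks like the mutating configuration, though its `kind` is outside the hunk. With the webhook Deployment at `replicas: 1`, an unavailable or slow webhook now rejects every write to those groups, subresource updates included, so issuance and renewal depend on that single pod. I would record this above `failurePolicy: Fail` with a comment such as `# "*/*" + Fail: webhook downtime blocks all cert-manager writes` and confirm that webhook availability is monitored before rolling out.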