✨ Add deployment overrides to templates #525

Open: wants to merge 5 commits into base: main

omerap12 (Member) commented May 10, 2024

What this PR does / why we need it:
Adding an option to override certain configuration in the following resources:
addon
bootstrap
control-plane
core-conditions
core
infra-conditions
infra

Example of values.yaml snippet:

---
# ---
# Cluster API provider options
core: override-test-core
bootstrap: override-test-core
controlPlane: override-test-core
infrastructure: override-test-core
addon: override-test-core
manager.featureGates: {}
# ---
# Common configuration secret options
configSecret: {}
# ---
# CAPI operator deployment options
logLevel: 2
replicaCount: 1
leaderElection:
  enabled: true
image:
  manager:
    repository: gcr.io/k8s-staging-capi-operator/cluster-api-operator
    tag: dev
    pullPolicy: IfNotPresent
env:
  manager: []
healthAddr: ":8081"
metricsBindAddr: "127.0.0.1:8080"
diagnosticsAddress: "8443"
insecureDiagnostics: false
imagePullSecrets: {}
resources:
  manager:
    limits:
      cpu: 100m
      memory: 150Mi
    requests:
      cpu: 100m
      memory: 100Mi
containerSecurityContext: {}
affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/arch
              operator: In
              values:
                - amd64
                - arm64
                - ppc64le
            - key: kubernetes.io/os
              operator: In
              values:
                - linux
tolerations:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
  - effect: NoSchedule
    key: node-role.kubernetes.io/control-plane
volumes:
  - name: cert
    secret:
      defaultMode: 420
      secretName: capi-operator-webhook-service-cert
volumeMounts:
  manager:
    - mountPath: /tmp/k8s-webhook-server/serving-certs
      name: cert
      readOnly: true

deploymentOverride:
  addon:
    containers:
    - name: manager
      imageUrl: "test.org/cluster-api-provider-aws/cluster-api-provider-aws-controller:v0.6.0"
  core:
    containers:
    - name: manager
      imageUrl: "test.org/cluster-api/cluster-api-controller:v1.7.1"
  infrastructure:
    deployment:
      containers:
      - name: manager
        imageUrl: "test.org/cluster-api-vsphere/cluster-api-vsphere-controller:v1.10.0"
  bootstrap:
    deployment:
      containers:
      - name: manager
        imageUrl: "test.org/cluster-api-bootstrap-provider-kubeadm/cluster-api-kubeadm-controller:v0.4.0"
  controlPlane:
    deployment:
      containers:
      - name: manager
        imageUrl: "test.org/cluster-api-control-plane/cluster-api-control-plane-controller:v0.4.0"
  coreConditions:
    containers:
    - name: manager
      imageUrl: "test.org/cluster-api/cluster-api-controller:v1.7.1"
  infraConditions:
    containers:
    - name: manager
      imageUrl: "test.org/cluster-api/cluster-api-controller:v1.7.1"

The output looks like:

---
# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
  name: release-name-cert-manager-cainjector
  namespace: default
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
---
# Source: cluster-api-operator/charts/cert-manager/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
  name: release-name-cert-manager
  namespace: default
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
---
# Source: cluster-api-operator/charts/cert-manager/templates/webhook-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
  name: release-name-cert-manager-webhook
  namespace: default
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
---
# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "create", "update", "patch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "update", "patch"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
# Issuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "issuers/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
# ClusterIssuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "clusterissuers/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
# Certificates controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders"]
    verbs: ["create", "delete", "get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
# Orders controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "orders/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "challenges"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["create", "delete"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
# Challenges controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  # Use to update challenge resource status
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "challenges/status"]
    verbs: ["update", "patch"]
  # Used to watch challenge resources
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["get", "list", "watch"]
  # Used to watch challenges, issuer and clusterissuer resources
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Need to be able to retrieve ACME account private key to complete challenges
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # Used to create events
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  # HTTP01 rules
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  - apiGroups: [ "gateway.networking.k8s.io" ]
    resources: [ "httproutes" ]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  # We require the ability to specify a custom hostname when we are creating
  # new ingress resources.
  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
  - apiGroups: ["route.openshift.io"]
    resources: ["routes/custom-host"]
    verbs: ["create"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges/finalizers"]
    verbs: ["update"]
  # DNS01 rules (duplicated above)
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
# ingress-shim controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests"]
    verbs: ["create", "update", "delete"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/finalizers"]
    verbs: ["update"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["gateways", "httproutes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["gateways/finalizers", "httproutes/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-cluster-view
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers"]
    verbs: ["get", "list", "watch"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-view
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "orders"]
    verbs: ["get", "list", "watch"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-edit
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/status"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "orders"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-controller-approve:cert-manager-io
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "cert-manager"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["signers"]
    verbs: ["approve"]
    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
# Permission to:
# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-controller-certificatesigningrequests
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "cert-manager"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["signers"]
    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
    verbs: ["sign"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/webhook-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-cert-manager-webhook:subjectaccessreviews
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
- apiGroups: ["authorization.k8s.io"]
  resources: ["subjectaccessreviews"]
  verbs: ["create"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-cert-manager-cainjector
subjects:
  - name: release-name-cert-manager-cainjector
    namespace: default
    kind: ServiceAccount
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-cert-manager-controller-issuers
subjects:
  - name: release-name-cert-manager
    namespace: default
    kind: ServiceAccount
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-cert-manager-controller-clusterissuers
subjects:
  - name: release-name-cert-manager
    namespace: default
    kind: ServiceAccount
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-cert-manager-controller-certificates
subjects:
  - name: release-name-cert-manager
    namespace: default
    kind: ServiceAccount
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-cert-manager-controller-orders
subjects:
  - name: release-name-cert-manager
    namespace: default
    kind: ServiceAccount
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-cert-manager-controller-challenges
subjects:
  - name: release-name-cert-manager
    namespace: default
    kind: ServiceAccount
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-cert-manager-controller-ingress-shim
subjects:
  - name: release-name-cert-manager
    namespace: default
    kind: ServiceAccount
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-cert-manager-controller-approve:cert-manager-io
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "cert-manager"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-cert-manager-controller-approve:cert-manager-io
subjects:
  - name: release-name-cert-manager
    namespace: default
    kind: ServiceAccount
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-cert-manager-controller-certificatesigningrequests
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "cert-manager"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-cert-manager-controller-certificatesigningrequests
subjects:
  - name: release-name-cert-manager
    namespace: default
    kind: ServiceAccount
---
# Source: cluster-api-operator/charts/cert-manager/templates/webhook-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-cert-manager-webhook:subjectaccessreviews
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-cert-manager-webhook:subjectaccessreviews
subjects:
- apiGroup: ""
  kind: ServiceAccount
  name: release-name-cert-manager-webhook
  namespace: default
---
# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-rbac.yaml
# leader election rules
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: release-name-cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  # Used for leader election by the controller
  # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
  #   see cmd/cainjector/start.go#L113
  # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
  #   see cmd/cainjector/start.go#L137
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
    verbs: ["get", "update", "patch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: release-name-cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    resourceNames: ["cert-manager-controller"]
    verbs: ["get", "update", "patch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/webhook-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: release-name-cert-manager-webhook:dynamic-serving
  namespace: default
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames:
  - 'release-name-cert-manager-webhook-ca'
  verbs: ["get", "list", "watch", "update"]
# It's not possible to grant CREATE permission on a single resourceName.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-rbac.yaml
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: release-name-cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: release-name-cert-manager-cainjector:leaderelection
subjects:
  - kind: ServiceAccount
    name: release-name-cert-manager-cainjector
    namespace: default
---
# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: release-name-cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: release-name-cert-manager:leaderelection
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: release-name-cert-manager
    namespace: default
---
# Source: cluster-api-operator/charts/cert-manager/templates/webhook-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: release-name-cert-manager-webhook:dynamic-serving
  namespace: default
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: release-name-cert-manager-webhook:dynamic-serving
subjects:
- apiGroup: ""
  kind: ServiceAccount
  name: release-name-cert-manager-webhook
  namespace: default
---
# Source: cluster-api-operator/charts/cert-manager/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: release-name-cert-manager
  namespace: default
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
spec:
  type: ClusterIP
  ports:
  - protocol: TCP
    port: 9402
    name: tcp-prometheus-servicemonitor
    targetPort: 9402
  selector:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
---
# Source: cluster-api-operator/charts/cert-manager/templates/webhook-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: release-name-cert-manager-webhook
  namespace: default
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
spec:
  type: ClusterIP
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: "https"
  selector:
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "webhook"
---
# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: release-name-cert-manager-cainjector
  namespace: default
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: cainjector
      app.kubernetes.io/instance: release-name
      app.kubernetes.io/component: "cainjector"
  template:
    metadata:
      labels:
        app: cainjector
        app.kubernetes.io/name: cainjector
        app.kubernetes.io/instance: release-name
        app.kubernetes.io/component: "cainjector"
        app.kubernetes.io/version: "v1.14.5"
        app.kubernetes.io/managed-by: Helm
        helm.sh/chart: cert-manager-v1.14.5
    spec:
      serviceAccountName: release-name-cert-manager-cainjector
      enableServiceLinks: false
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: cert-manager-cainjector
          image: "quay.io/jetstack/cert-manager-cainjector:v1.14.5"
          imagePullPolicy: IfNotPresent
          args:
          - --v=2
          - --leader-election-namespace=kube-system
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            readOnlyRootFilesystem: true
      nodeSelector:
        kubernetes.io/os: linux
---
# Source: cluster-api-operator/charts/cert-manager/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: release-name-cert-manager
  namespace: default
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: cert-manager
      app.kubernetes.io/instance: release-name
      app.kubernetes.io/component: "controller"
  template:
    metadata:
      labels:
        app: cert-manager
        app.kubernetes.io/name: cert-manager
        app.kubernetes.io/instance: release-name
        app.kubernetes.io/component: "controller"
        app.kubernetes.io/version: "v1.14.5"
        app.kubernetes.io/managed-by: Helm
        helm.sh/chart: cert-manager-v1.14.5
      annotations:
        prometheus.io/path: "/metrics"
        prometheus.io/scrape: 'true'
        prometheus.io/port: '9402'
    spec:
      serviceAccountName: release-name-cert-manager
      enableServiceLinks: false
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: cert-manager-controller
          image: "quay.io/jetstack/cert-manager-controller:v1.14.5"
          imagePullPolicy: IfNotPresent
          args:
          - --v=2
          - --cluster-resource-namespace=$(POD_NAMESPACE)
          - --leader-election-namespace=kube-system
          - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.14.5
          - --max-concurrent-challenges=60
          ports:
          - containerPort: 9402
            name: http-metrics
            protocol: TCP
          - containerPort: 9403
            name: http-healthz
            protocol: TCP
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            readOnlyRootFilesystem: true
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          # LivenessProbe settings are based on those used for the Kubernetes
          # controller-manager. See:
          # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
          livenessProbe:
            httpGet:
              port: http-healthz
              path: /livez
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 15
            successThreshold: 1
            failureThreshold: 8
      nodeSelector:
        kubernetes.io/os: linux
---
# Source: cluster-api-operator/charts/cert-manager/templates/webhook-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: release-name-cert-manager-webhook
  namespace: default
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: webhook
      app.kubernetes.io/instance: release-name
      app.kubernetes.io/component: "webhook"
  template:
    metadata:
      labels:
        app: webhook
        app.kubernetes.io/name: webhook
        app.kubernetes.io/instance: release-name
        app.kubernetes.io/component: "webhook"
        app.kubernetes.io/version: "v1.14.5"
        app.kubernetes.io/managed-by: Helm
        helm.sh/chart: cert-manager-v1.14.5
    spec:
      serviceAccountName: release-name-cert-manager-webhook
      enableServiceLinks: false
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: cert-manager-webhook
          image: "quay.io/jetstack/cert-manager-webhook:v1.14.5"
          imagePullPolicy: IfNotPresent
          args:
          - --v=2
          - --secure-port=10250
          - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
          - --dynamic-serving-ca-secret-name=release-name-cert-manager-webhook-ca
          - --dynamic-serving-dns-names=release-name-cert-manager-webhook
          - --dynamic-serving-dns-names=release-name-cert-manager-webhook.$(POD_NAMESPACE)
          - --dynamic-serving-dns-names=release-name-cert-manager-webhook.$(POD_NAMESPACE).svc
          
          ports:
          - name: https
            protocol: TCP
            containerPort: 10250
          - name: healthcheck
            protocol: TCP
            containerPort: 6080
          livenessProbe:
            httpGet:
              path: /livez
              port: 6080
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /healthz
              port: 6080
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            readOnlyRootFilesystem: true
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
      nodeSelector:
        kubernetes.io/os: linux
---
# Source: cluster-api-operator/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: release-name-cluster-api-operator
  namespace: 'default'
  labels:
    app: cluster-api-operator
    app.kubernetes.io/name: cluster-api-operator
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "controller"
    control-plane: controller-manager
    clusterctl.cluster.x-k8s.io/core: capi-operator
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: cluster-api-operator
      app.kubernetes.io/instance: release-name
      app.kubernetes.io/component: "controller"
      control-plane: controller-manager
      clusterctl.cluster.x-k8s.io/core: capi-operator
  template:
    metadata:
      labels:
        app: cluster-api-operator
        app.kubernetes.io/name: cluster-api-operator
        app.kubernetes.io/instance: release-name
        app.kubernetes.io/component: "controller"
        control-plane: controller-manager
        clusterctl.cluster.x-k8s.io/core: capi-operator
    spec:
      containers:
      - args:
        - --v=2
        - --health-addr=:8081
        - --metrics-bind-addr=127.0.0.1:8080
        - --diagnostics-address=8443
        - --leader-elect=true
        command:
        - /manager
        image: "gcr.io/k8s-staging-capi-operator/cluster-api-operator:dev"
        imagePullPolicy: IfNotPresent
        name: manager
        ports:
        - containerPort: 9443
          name: webhook-server
          protocol: TCP
        - containerPort: 8080
          name: metrics
          protocol: TCP
        resources:
            limits:
              cpu: 100m
              memory: 150Mi
            requests:
              cpu: 100m
              memory: 100Mi
        volumeMounts:
            - mountPath: /tmp/k8s-webhook-server/serving-certs
              name: cert
              readOnly: true
      terminationGracePeriodSeconds: 10
      volumes:
        - name: cert
          secret:
            defaultMode: 420
            secretName: capi-operator-webhook-service-cert
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                - amd64
                - arm64
                - ppc64le
              - key: kubernetes.io/os
                operator: In
                values:
                - linux
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
---
# Source: cluster-api-operator/templates/addon.yaml
# Addon provider
---
# Source: cluster-api-operator/templates/bootstrap.yaml
# Bootstrap provider
---
# Source: cluster-api-operator/templates/control-plane.yaml
# Control plane provider
---
# Source: cluster-api-operator/templates/core-conditions.yaml
# Deploy core components if not specified
---
# Source: cluster-api-operator/templates/core.yaml
# Core provider
---
# Source: cluster-api-operator/templates/infra-conditions.yaml
# Deploy bootstrap, and infrastructure components if not specified
---
# Source: cluster-api-operator/templates/infra.yaml
# Infrastructure providers
---
# Source: cluster-api-operator/charts/cert-manager/templates/webhook-mutating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: release-name-cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
  annotations:
    cert-manager.io/inject-ca-from-secret: "default/release-name-cert-manager-webhook-ca"
webhooks:
  - name: webhook.cert-manager.io
    rules:
      - apiGroups:
          - "cert-manager.io"
        apiVersions:
          - "v1"
        operations:
          - CREATE
        resources:
          - "certificaterequests"
    admissionReviewVersions: ["v1"]
    # This webhook only accepts v1 cert-manager resources.
    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
    # this webhook (after the resources have been converted to v1).
    matchPolicy: Equivalent
    timeoutSeconds: 30
    failurePolicy: Fail
    # Only include 'sideEffects' field in Kubernetes 1.12+
    sideEffects: None
    clientConfig:
      service:
        name: release-name-cert-manager-webhook
        namespace: default
        path: /mutate
---
# Source: cluster-api-operator/charts/cert-manager/templates/webhook-validating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: release-name-cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
  annotations:
    cert-manager.io/inject-ca-from-secret: "default/release-name-cert-manager-webhook-ca"
webhooks:
  - name: webhook.cert-manager.io
    namespaceSelector:
      matchExpressions:
      - key: cert-manager.io/disable-validation
        operator: NotIn
        values:
        - "true"
    rules:
      - apiGroups:
          - "cert-manager.io"
          - "acme.cert-manager.io"
        apiVersions:
          - "v1"
        operations:
          - CREATE
          - UPDATE
        resources:
          - "*/*"
    admissionReviewVersions: ["v1"]
    # This webhook only accepts v1 cert-manager resources.
    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
    # this webhook (after the resources have been converted to v1).
    matchPolicy: Equivalent
    timeoutSeconds: 30
    failurePolicy: Fail
    sideEffects: None
    clientConfig:
      service:
        name: release-name-cert-manager-webhook
        namespace: default
        path: /validate
---
# Source: cluster-api-operator/templates/addon.yaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    "helm.sh/hook": "post-install"
    "helm.sh/hook-weight": "1"
  name: override-test-core-addon-system
---
# Source: cluster-api-operator/templates/bootstrap.yaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    "helm.sh/hook": "post-install"
    "helm.sh/hook-weight": "1"
  name: override-test-core-bootstrap-system
---
# Source: cluster-api-operator/templates/control-plane.yaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    "helm.sh/hook": "post-install"
    "helm.sh/hook-weight": "1"
  name: override-test-core-control-plane-system
---
# Source: cluster-api-operator/templates/core.yaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    "helm.sh/hook": "post-install"
    "helm.sh/hook-weight": "1"
  name: capi-system
---
# Source: cluster-api-operator/templates/infra.yaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    "helm.sh/hook": "post-install"
    "helm.sh/hook-weight": "1"
  name: override-test-core-infrastructure-system
---
# Source: cluster-api-operator/charts/cert-manager/templates/startupapicheck-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
  name: release-name-cert-manager-startupapicheck
  namespace: default
  annotations:
    helm.sh/hook: post-install
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
    helm.sh/hook-weight: "-5"
  labels:
    app: startupapicheck
    app.kubernetes.io/name: startupapicheck
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "startupapicheck"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
---
# Source: cluster-api-operator/charts/cert-manager/templates/startupapicheck-rbac.yaml
# create certificate role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: release-name-cert-manager-startupapicheck:create-cert
  namespace: default
  labels:
    app: startupapicheck
    app.kubernetes.io/name: startupapicheck
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "startupapicheck"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
  annotations:
    helm.sh/hook: post-install
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
    helm.sh/hook-weight: "-5"
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["create"]
---
# Source: cluster-api-operator/charts/cert-manager/templates/startupapicheck-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: release-name-cert-manager-startupapicheck:create-cert
  namespace: default
  labels:
    app: startupapicheck
    app.kubernetes.io/name: startupapicheck
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "startupapicheck"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
  annotations:
    helm.sh/hook: post-install
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
    helm.sh/hook-weight: "-5"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: release-name-cert-manager-startupapicheck:create-cert
subjects:
  - kind: ServiceAccount
    name: release-name-cert-manager-startupapicheck
    namespace: default
---
# Source: cluster-api-operator/charts/cert-manager/templates/startupapicheck-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: release-name-cert-manager-startupapicheck
  namespace: default
  labels:
    app: startupapicheck
    app.kubernetes.io/name: startupapicheck
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: "startupapicheck"
    app.kubernetes.io/version: "v1.14.5"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.14.5
  annotations:
    helm.sh/hook: post-install
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
    helm.sh/hook-weight: "1"
spec:
  backoffLimit: 4
  template:
    metadata:
      labels:
        app: startupapicheck
        app.kubernetes.io/name: startupapicheck
        app.kubernetes.io/instance: release-name
        app.kubernetes.io/component: "startupapicheck"
        app.kubernetes.io/version: "v1.14.5"
        app.kubernetes.io/managed-by: Helm
        helm.sh/chart: cert-manager-v1.14.5
    spec:
      restartPolicy: OnFailure
      serviceAccountName: release-name-cert-manager-startupapicheck
      enableServiceLinks: false
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: cert-manager-startupapicheck
          image: "quay.io/jetstack/cert-manager-startupapicheck:v1.14.5"
          imagePullPolicy: IfNotPresent
          args:
          - check
          - api
          - --wait=1m
          - -v
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            readOnlyRootFilesystem: true
      nodeSelector:
        kubernetes.io/os: linux
---
# Source: cluster-api-operator/templates/addon.yaml
apiVersion: operator.cluster.x-k8s.io/v1alpha2
kind: AddonProvider
metadata:
  name: override-test-core
  namespace: override-test-core-addon-system
  annotations:
    "helm.sh/hook": "post-install"
    "helm.sh/hook-weight": "2"
  
  containers:
  - imageUrl: test.org/cluster-api-provider-aws/cluster-api-provider-aws-controller:v0.6.0
    name: manager
---
# Source: cluster-api-operator/templates/bootstrap.yaml
apiVersion: operator.cluster.x-k8s.io/v1alpha2
kind: BootstrapProvider
metadata:
  name: override-test-core
  namespace: override-test-core-bootstrap-system
  annotations:
    "helm.sh/hook": "post-install"
    "helm.sh/hook-weight": "2"
  
  deployment:
    containers:
    - imageUrl: test.org/cluster-api-bootstrap-provider-kubeadm/cluster-api-kubeadm-controller:v0.4.0
      name: manager
---
# Source: cluster-api-operator/templates/control-plane.yaml
apiVersion: operator.cluster.x-k8s.io/v1alpha2
kind: ControlPlaneProvider
metadata:
  name: override-test-core
  namespace: override-test-core-control-plane-system
  annotations:
    "helm.sh/hook": "post-install"
    "helm.sh/hook-weight": "2"
  
  deployment:
    containers:
    - imageUrl: test.org/cluster-api-control-plane/cluster-api-control-plane-controller:v0.4.0
      name: manager
---
# Source: cluster-api-operator/templates/core.yaml
apiVersion: operator.cluster.x-k8s.io/v1alpha2
kind: CoreProvider
metadata:
  name: override-test-core
  namespace: capi-system
  annotations:
    "helm.sh/hook": "post-install"
    "helm.sh/hook-weight": "2"
  
  containers:
  - imageUrl: test.org/cluster-api/cluster-api-controller:v1.7.1
    name: manager
---
# Source: cluster-api-operator/templates/infra.yaml
apiVersion: operator.cluster.x-k8s.io/v1alpha2
kind: InfrastructureProvider
metadata:
  name: override-test-core
  namespace: override-test-core-infrastructure-system
  annotations:
    "helm.sh/hook": "post-install"
    "helm.sh/hook-weight": "2"
  
  deployment:
    containers:
    - imageUrl: test.org/cluster-api-vsphere/cluster-api-vsphere-controller:v1.10.0
      name: manager

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #516
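
A check a reviewer could run over the rendered chart output to confirm where the override block lands: in the provider manifests above, `deployment:` and `containers:` sit at the same indentation as `annotations:`, under `metadata`, and no `spec:` key is emitted. This is an added example, not code from the PR or the project; the function names, the metadata allow-list and the fourth sample document are assumptions made for illustration, and the scanner is indentation-based rather than a full YAML parser.

```python
import re

# Assumed allow-list: the only metadata fields used by manifests on this page.
ALLOWED_METADATA_KEYS = {"name", "namespace", "labels", "annotations"}
PROVIDER_KINDS = {
    "AddonProvider", "BootstrapProvider", "ControlPlaneProvider",
    "CoreProvider", "InfrastructureProvider",
}

# Sample input. Documents 1-3 are copied from the rendered output above;
# document 4 is constructed to show the override nested under spec.
RENDERED = """\
---
# Source: cluster-api-operator/templates/bootstrap.yaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    "helm.sh/hook": "post-install"
    "helm.sh/hook-weight": "1"
  name: override-test-core-bootstrap-system
---
# Source: cluster-api-operator/templates/bootstrap.yaml
apiVersion: operator.cluster.x-k8s.io/v1alpha2
kind: BootstrapProvider
metadata:
  name: override-test-core
  namespace: override-test-core-bootstrap-system
  annotations:
    "helm.sh/hook": "post-install"
    "helm.sh/hook-weight": "2"

  deployment:
    containers:
    - imageUrl: test.org/cluster-api-bootstrap-provider-kubeadm/cluster-api-kubeadm-controller:v0.4.0
      name: manager
---
# Source: cluster-api-operator/templates/core.yaml
apiVersion: operator.cluster.x-k8s.io/v1alpha2
kind: CoreProvider
metadata:
  name: override-test-core
  namespace: capi-system

  containers:
  - imageUrl: test.org/cluster-api/cluster-api-controller:v1.7.1
    name: manager
---
# Constructed: the same kind of override, nested under spec
apiVersion: operator.cluster.x-k8s.io/v1alpha2
kind: InfrastructureProvider
metadata:
  name: override-test-core
  namespace: override-test-core-infrastructure-system
spec:
  deployment:
    containers:
    - imageUrl: test.org/cluster-api-vsphere/cluster-api-vsphere-controller:v1.10.0
      name: manager
"""

# "key:" or "key: value" at some indentation; list items ("- x: y") do not match.
KEY_RE = re.compile(r'^( *)"?([A-Za-z0-9_./-]+)"?:(?: +(.*))?$')


def split_documents(rendered):
    """Split multi-document YAML text on '---' separator lines."""
    docs, current = [], []
    for line in rendered.splitlines():
        if line.strip() == "---":
            if current:
                docs.append(current)
            current = []
        else:
            current.append(line)
    if current:
        docs.append(current)
    return docs


def inspect(doc_lines):
    """Return kind, whether a top-level spec exists, and metadata's direct keys."""
    info = {"kind": None, "has_spec": False, "metadata": {}}
    section, child_indent = None, None
    for line in doc_lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        value = (m.group(3) or "").strip().strip("'\"")
        if indent == 0:
            section, child_indent = key, None
            if key == "kind":
                info["kind"] = value
            elif key == "spec":
                info["has_spec"] = True
        elif section == "metadata":
            if child_indent is None:
                child_indent = indent  # indentation of metadata's direct children
            if indent == child_indent:
                info["metadata"][key] = value
    return info


def misplaced_overrides(rendered):
    """List provider CRs whose metadata carries keys outside the allow-list."""
    findings = []
    for doc in split_documents(rendered):
        info = inspect(doc)
        if info["kind"] not in PROVIDER_KINDS:
            continue
        stray = [k for k in info["metadata"] if k not in ALLOWED_METADATA_KEYS]
        if stray:
            findings.append((info["kind"], info["metadata"].get("name"),
                             stray, info["has_spec"]))
    return findings
```

Each finding is `(kind, name, stray metadata keys, has_spec)`; a provider document with its override under `spec` produces none.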

linux-foundation-easycla bot commented May 10, 2024

CLA Signed

The committers listed above are authorized under a signed CLA.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label May 10, 2024
@k8s-ci-robot k8s-ci-robot requested review from Fedosin and neolit123 May 10, 2024 12:00
@k8s-ci-robot
Contributor

Welcome @omerap12!

It looks like this is your first PR to kubernetes-sigs/cluster-api-operator 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/cluster-api-operator has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot
Contributor

Hi @omerap12. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label May 10, 2024

netlify bot commented May 10, 2024

Deploy Preview for kubernetes-sigs-cluster-api-operator ready!

Name Link
🔨 Latest commit b1be494
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-sigs-cluster-api-operator/deploys/675c7b6449f19700086d6278
😎 Deploy Preview https://deploy-preview-525--kubernetes-sigs-cluster-api-operator.netlify.app

@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label May 10, 2024
@omerap12 omerap12 force-pushed the override_deployment_provider_helm branch 2 times, most recently from 4610c00 to 1df9146 Compare May 10, 2024 12:04
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels May 10, 2024
@omerap12 omerap12 changed the title Add deployment overrides to templates Non-breaking feature: ✨ (:sparkles:) Add deployment overrides to templates May 10, 2024
@omerap12 omerap12 changed the title Non-breaking feature: ✨ (:sparkles:) Add deployment overrides to templates Non-breaking feature: ✨: Add deployment overrides to templates May 10, 2024
@omerap12 omerap12 changed the title Non-breaking feature: ✨: Add deployment overrides to templates Non-breaking feature: ✨ Add deployment overrides to templates May 10, 2024
@omerap12 omerap12 changed the title Non-breaking feature: ✨ Add deployment overrides to templates ✨ Add deployment overrides to templates May 10, 2024
@alexander-demicev
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 4, 2024
Contributor

@alexander-demicev alexander-demicev left a comment

Thanks for the contribution, can I ask you to add tests for this change https://github.com/kubernetes-sigs/cluster-api-operator/blob/main/test/e2e/helm_test.go#L31?

@omerap12
Member Author

omerap12 commented Jun 4, 2024

Of course, I'll try to do it this weekend @alexander-demicev

@k8s-ci-robot k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jun 5, 2024
@omerap12
Member Author

omerap12 commented Jul 4, 2024

Hey @alexander-demicev, any update on this? Should I close the PR?

@furkatgofurov7
Member

/retest

@furkatgofurov7
Member

@omerap12 hey, thanks for the PR. Can you please rebase it first, so we can then take a closer look? Thanks

@omerap12 omerap12 force-pushed the override_deployment_provider_helm branch from 5c0194a to a51d44e Compare July 30, 2024 11:36
@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jul 30, 2024
Signed-off-by: Omer Aplatony <[email protected]>
@omerap12 omerap12 force-pushed the override_deployment_provider_helm branch from 665fe48 to 81527ae Compare July 30, 2024 19:17
@omerap12
Member Author

@furkatgofurov7 Fixed :)

@omerap12
Member Author

btw, can I set deploymentOverride in the values file to a default of empty dict?

deploymentOverride: {}

@furkatgofurov7
Member

furkatgofurov7 commented Aug 20, 2024

Hey, thanks. Can we also add tests for other provider types (currently, only infra provider is being added)?

@@ -27,5 +27,7 @@ spec:
{{- end }}
{{- end }}
{{- end }}
{{- if hasKey (default (dict) $.Values.deploymentOverride ) "coreCondition" }}
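
Review bot: `hasKey` on the added `if` line only tests that the `coreCondition` key exists, so a values file that sets `coreCondition:` to an empty or null value still passes the guard. A `with` on the value itself, for example `{{- with (default (dict) $.Values.deploymentOverride).coreCondition }}`, would skip empty overrides. The space before the closing parenthesis in `$.Values.deploymentOverride )` also differs from the same expression in the bootstrap template.
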
Member

Can you add a test case for this manifest? Also, isn’t this a duplicate of templates/core.yaml?

Member Author

what do you mean by duplicate? templates/core.yaml has the following:
https://github.com/kubernetes-sigs/cluster-api-operator/pull/525/files#diff-c73589d6ec69abbc84b0231a82d1fa536f3955e38026e4440db0b8e351295621R63

and I think we should avoid this default by just adding default values to the values.yaml file.

@omerap12
Member Author

> Hey, thanks. Can we also add tests for other provider types (currently, only infra provider is being added)?

Added another test.

@omerap12
Member Author

Please, let me rebase my changes when approved.

@@ -52,4 +52,7 @@ spec:
{{- end }}
{{- end }}
{{- end }}
{{- if hasKey (default (dict) $.Values.deploymentOverride) "bootstrap" }}
{{ .Values.deploymentOverride.bootstrap | toYaml | nindent 2 }}
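
Review bot: the `toYaml | nindent 2` line renders the override at two-space indentation whether or not a `spec:` key was emitted above it; in the rendered BootstrapProvider in the PR description, `deployment:` ends up as a sibling of `annotations:` under `metadata`, and there is no `spec:` at all. Emit `spec:` whenever an override is present so the block always nests under it. The action also opens with `{{` rather than `{{-`, which leaves the blank line seen before the block in the rendered output.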

This isn't necessarily a deployment override, or? It allows adding custom stuff to the provider CR, which could be anything? Maybe the word 'deployment' is confusing here.
(I came here when looking for a way to add a manifestPatches key to the provider to set resource requests for the provider's deployment resource).

@skuethe

skuethe commented Nov 20, 2024

Looking forward to this 🥳 Thanks everyone for your contributions!
@furkatgofurov7 could you or someone else have another look at it? Almost three months since the last reply.

Member

@furkatgofurov7 furkatgofurov7 left a comment

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 25, 2024
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: 388d65d75f4f952c11ed622cc96a26bac4c1c986

Contributor

@alexander-demicev alexander-demicev left a comment

/approve

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexander-demicev

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 27, 2024
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 12, 2024
@furkatgofurov7
Member

@omerap12 can you rebase the PR on top of main?

@omerap12
Member Author

@omerap12 can you rebase the PR on top of main?

Sure. I'll do it soon.

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 13, 2024
@k8s-ci-robot
Contributor

New changes are detected. LGTM label has been removed.

@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 13, 2024
@furkatgofurov7
Member

/retest

@furkatgofurov7
Member

/retest

@k8s-ci-robot
Contributor

@omerap12: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| pull-cluster-api-operator-e2e-main | b1be494 | link | true | /test pull-cluster-api-operator-e2e-main |

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Development

Successfully merging this pull request may close these issues.

Helm chart to support to override deployment for all providers
7 participants