fix: vendor critical bootstrap charts

2026-04-26 21:01:01 +00:00
parent 14462dd870
commit a2ed9555c0
175 changed files with 64772 additions and 57 deletions
@@ -948,6 +948,7 @@ jobs:
          B2_ACCOUNT_ID: ${{ secrets.B2_ACCOUNT_ID }}
          B2_APPLICATION_KEY: ${{ secrets.B2_APPLICATION_KEY }}
        run: |
          set -euo pipefail
          echo "Finding latest backup in B2..."
          CREDS=$(echo -n "${B2_ACCOUNT_ID}:${B2_APPLICATION_KEY}" | base64)
@@ -985,14 +986,15 @@ jobs:
          ")
          if [ "$LATEST" = "NONE" ]; then
-            echo "No backups found in B2. Skipping restore."
+            echo "No Rancher backups found in B2; refusing to continue without restored Rancher state." >&2
-            exit 0
+            exit 1
          fi
          BACKUP_FILE=$(basename "$LATEST")
          echo "Latest backup: ${BACKUP_FILE}"
          echo "Creating Restore CR..."
          kubectl -n cattle-resources-system delete restore restore-from-b2 --ignore-not-found
          kubectl apply -f - <<EOF
          apiVersion: resources.cattle.io/v1
          kind: Restore
@@ -1022,7 +1024,9 @@ jobs:
            fi
            sleep 10
          done
-          echo "Restore did not complete within timeout. Continuing anyway."
+          echo "Restore did not complete within timeout." >&2
          kubectl -n cattle-resources-system describe restore restore-from-b2 || true
          exit 1
      - name: Seed observability runtime images
        run: |
@@ -23,6 +23,8 @@ env:
  TF_VAR_proxmox_api_token_id: ${{ secrets.PROXMOX_API_TOKEN_ID }}
  TF_VAR_proxmox_api_token_secret: ${{ secrets.PROXMOX_API_TOKEN_SECRET }}
  TF_VAR_proxmox_insecure: "true"
  B2_ACCOUNT_ID: ${{ secrets.B2_ACCOUNT_ID }}
  B2_APPLICATION_KEY: ${{ secrets.B2_APPLICATION_KEY }}
 jobs:
  destroy:
@@ -58,6 +60,34 @@ jobs:
            -backend-config="secret_key=${{ secrets.S3_SECRET_KEY }}" \
            -backend-config="skip_requesting_account_id=true"
      - name: Verify Rancher backup exists
        run: |
          set -euo pipefail
          CREDS=$(printf '%s:%s' "${B2_ACCOUNT_ID}" "${B2_APPLICATION_KEY}" | base64 -w0)
          AUTH_RESP=$(curl -fsS -H "Authorization: Basic ${CREDS}" https://api.backblazeb2.com/b2api/v2/b2_authorize_account)
          API_URL=$(printf '%s' "${AUTH_RESP}" | python3 -c "import json,sys; print(json.load(sys.stdin)['apiUrl'])")
          AUTH_TOKEN=$(printf '%s' "${AUTH_RESP}" | python3 -c "import json,sys; print(json.load(sys.stdin)['authorizationToken'])")
          BUCKET_ID=$(printf '%s' "${AUTH_RESP}" | python3 -c "import json,sys; print(json.load(sys.stdin).get('allowed', {}).get('bucketId') or '')")
          if [ -z "${BUCKET_ID}" ]; then
            BUCKET_ID=$(curl -fsS -H "Authorization: Bearer ${AUTH_TOKEN}" \
              "${API_URL}/b2api/v2/b2_list_buckets?accountId=${B2_ACCOUNT_ID}&bucketName=HetznerTerra" \
              | python3 -c "import json,sys; buckets=json.load(sys.stdin).get('buckets',[]); print(buckets[0]['bucketId'] if buckets else '')")
          fi
          LATEST=$(curl -fsS -H "Authorization: Bearer ${AUTH_TOKEN}" \
            -H "Content-Type: application/json" \
            -d "{\"bucketId\":\"${BUCKET_ID}\",\"prefix\":\"rancher-backups/\",\"maxFileCount\":100}" \
            "${API_URL}/b2api/v2/b2_list_file_names" \
            | python3 -c "import json,sys; files=json.load(sys.stdin).get('files', []); tars=sorted(f['fileName'] for f in files if f['fileName'].endswith('.tar.gz')); print(tars[-1] if tars else '')")
          if [ -z "${LATEST}" ]; then
            echo "No Rancher backup found in B2; refusing to destroy cluster." >&2
            exit 1
          fi
          echo "Verified Rancher backup exists: ${LATEST}"
      - name: Terraform Destroy
        id: destroy
        working-directory: terraform
@@ -8,11 +8,10 @@ spec:
  targetNamespace: cert-manager
  chart:
    spec:
-      chart: cert-manager
+      chart: ./infrastructure/charts/cert-manager
      version: "v1.17.2"
      sourceRef:
-        kind: HelmRepository
+        kind: GitRepository
-        name: jetstack
+        name: platform
        namespace: flux-system
  install:
    createNamespace: true
@@ -1,8 +0,0 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: jetstack
  namespace: flux-system
 spec:
  interval: 1h
  url: https://charts.jetstack.io
@@ -2,5 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - helmrepository-cert-manager.yaml
  - helmrelease-cert-manager.yaml
@@ -8,11 +8,10 @@ spec:
  targetNamespace: cattle-resources-system
  chart:
    spec:
-      chart: rancher-backup-crd
+      chart: ./infrastructure/charts/rancher-backup-crd
      version: "106.0.2+up8.1.0"
      sourceRef:
-        kind: HelmRepository
+        kind: GitRepository
-        name: rancher-charts
+        name: platform
        namespace: flux-system
  install:
    createNamespace: true
@@ -10,11 +10,10 @@ spec:
    - name: rancher-backup-crd
  chart:
    spec:
-      chart: rancher-backup
+      chart: ./infrastructure/charts/rancher-backup
      version: "106.0.2+up8.1.0"
      sourceRef:
-        kind: HelmRepository
+        kind: GitRepository
-        name: rancher-charts
+        name: platform
        namespace: flux-system
  install:
    createNamespace: true
@@ -1,8 +0,0 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: rancher-charts
  namespace: flux-system
 spec:
  interval: 1h
  url: https://charts.rancher.io
@@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - helmrepository-rancher-backup.yaml
  - helmrelease-rancher-backup-crd.yaml
  - helmrelease-rancher-backup.yaml
  - b2-credentials-externalsecret.yaml
@@ -1,8 +0,0 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: rancher-stable
  namespace: flux-system
 spec:
  interval: 1h
  url: https://releases.rancher.com/server-charts/stable
@@ -8,11 +8,10 @@ spec:
  targetNamespace: kube-system
  chart:
    spec:
-      chart: traefik
+      chart: ./infrastructure/charts/traefik
      version: "39.0.0"
      sourceRef:
-        kind: HelmRepository
+        kind: GitRepository
-        name: traefik
+        name: platform
        namespace: flux-system
  install:
    createNamespace: true
@@ -35,4 +34,4 @@ spec:
      rancher:
        port: 9442
        exposedPort: 9442
-        protocol: TCP
+        protocol: TCP
@@ -1,9 +0,0 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: traefik
  namespace: flux-system
 spec:
  interval: 10m
  url: https://traefik.github.io/charts
  provider: generic
@@ -1,5 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - helmrepository-traefik.yaml
+  - helmrelease-traefik.yaml
  - helmrelease-traefik.yaml
@@ -0,0 +1,26 @@
 annotations:
  artifacthub.io/category: security
  artifacthub.io/license: Apache-2.0
  artifacthub.io/prerelease: "false"
  artifacthub.io/signKey: |
    fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
    url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
 apiVersion: v2
 appVersion: v1.17.2
 description: A Helm chart for cert-manager
 home: https://cert-manager.io
 icon: https://raw.githubusercontent.com/cert-manager/community/4d35a69437d21b76322157e6284be4cd64e6d2b7/logo/logo-small.png
 keywords:
 - cert-manager
 - kube-lego
 - letsencrypt
 - tls
 kubeVersion: '>= 1.22.0-0'
 maintainers:
 - email: cert-manager-maintainers@googlegroups.com
  name: cert-manager-maintainers
  url: https://cert-manager.io
 name: cert-manager
 sources:
 - https://github.com/cert-manager/cert-manager
 version: v1.17.2
@@ -0,0 +1,18 @@
 {{- if .Values.installCRDs }}
 ⚠️  WARNING: `installCRDs` is deprecated, use `crds.enabled` instead.
 {{- end }}
 cert-manager {{ .Chart.AppVersion }} has been deployed successfully!
 In order to begin issuing certificates, you will need to set up a ClusterIssuer
 or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
 More information on the different types of issuers and how to configure them
 can be found in our documentation:
 https://cert-manager.io/docs/configuration/
 For information on how to configure cert-manager to automatically provision
 Certificates for Ingress resources, take a look at the `ingress-shim`
 documentation:
 https://cert-manager.io/docs/usage/ingress/
@@ -0,0 +1,202 @@
 {{/* vim: set filetype=mustache: */}}
 {{/*
 Expand the name of the chart.
 */}}
 {{- define "cert-manager.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 */}}
 {{- define "cert-manager.fullname" -}}
 {{- if .Values.fullnameOverride -}}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
 {{- $name := default .Chart.Name .Values.nameOverride -}}
 {{- if contains $name .Release.Name -}}
 {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
 {{/*
 Create the name of the service account to use
 */}}
 {{- define "cert-manager.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create -}}
    {{ default (include "cert-manager.fullname" .) .Values.serviceAccount.name }}
 {{- else -}}
    {{ default "default" .Values.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
 {{/*
 Webhook templates
 */}}
 {{/*
 Expand the name of the chart.
 Manually fix the 'app' and 'name' labels to 'webhook' to maintain
 compatibility with the v0.9 deployment selector.
 */}}
 {{- define "webhook.name" -}}
 {{- printf "webhook" -}}
 {{- end -}}
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "webhook.fullname" -}}
 {{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 55 | trimSuffix "-" -}}
 {{- printf "%s-webhook" $trimmedName | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{- define "webhook.caRef" -}}
 {{- template "cert-manager.namespace" }}/{{ template "webhook.fullname" . }}-ca
 {{- end -}}
 {{/*
 Create the name of the service account to use
 */}}
 {{- define "webhook.serviceAccountName" -}}
 {{- if .Values.webhook.serviceAccount.create -}}
    {{ default (include "webhook.fullname" .) .Values.webhook.serviceAccount.name }}
 {{- else -}}
    {{ default "default" .Values.webhook.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
 {{/*
 cainjector templates
 */}}
 {{/*
 Expand the name of the chart.
 Manually fix the 'app' and 'name' labels to 'cainjector' to maintain
 compatibility with the v0.9 deployment selector.
 */}}
 {{- define "cainjector.name" -}}
 {{- printf "cainjector" -}}
 {{- end -}}
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "cainjector.fullname" -}}
 {{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}}
 {{- printf "%s-cainjector" $trimmedName | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{/*
 Create the name of the service account to use
 */}}
 {{- define "cainjector.serviceAccountName" -}}
 {{- if .Values.cainjector.serviceAccount.create -}}
    {{ default (include "cainjector.fullname" .) .Values.cainjector.serviceAccount.name }}
 {{- else -}}
    {{ default "default" .Values.cainjector.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
 {{/*
 startupapicheck templates
 */}}
 {{/*
 Expand the name of the chart.
 Manually fix the 'app' and 'name' labels to 'startupapicheck' to maintain
 compatibility with the v0.9 deployment selector.
 */}}
 {{- define "startupapicheck.name" -}}
 {{- printf "startupapicheck" -}}
 {{- end -}}
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "startupapicheck.fullname" -}}
 {{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}}
 {{- printf "%s-startupapicheck" $trimmedName | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{/*
 Create the name of the service account to use
 */}}
 {{- define "startupapicheck.serviceAccountName" -}}
 {{- if .Values.startupapicheck.serviceAccount.create -}}
    {{ default (include "startupapicheck.fullname" .) .Values.startupapicheck.serviceAccount.name }}
 {{- else -}}
    {{ default "default" .Values.startupapicheck.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
 {{/*
 Create chart name and version as used by the chart label.
 */}}
 {{- define "chartName" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{/*
 Labels that should be added on each resource
 */}}
 {{- define "labels" -}}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- if eq .Values.creator "helm" }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 helm.sh/chart: {{ include "chartName" . }}
 {{- end -}}
 {{- if .Values.global.commonLabels}}
 {{ toYaml .Values.global.commonLabels }}
 {{- end }}
 {{- end -}}
 {{/*
 Namespace for all resources to be installed into
 If not defined in values file then the helm release namespace is used
 By default this is not set so the helm release namespace will be used
 This gets around an problem within helm discussed here
 https://github.com/helm/helm/issues/5358
 */}}
 {{- define "cert-manager.namespace" -}}
    {{ .Values.namespace | default .Release.Namespace }}
 {{- end -}}
 {{/*
 Util function for generating the image URL based on the provided options.
 IMPORTANT: This function is standardized across all charts in the cert-manager GH organization.
 Any changes to this function should also be made in cert-manager, trust-manager, approver-policy, ...
 See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linked PRs.
 */}}
 {{- define "image" -}}
 {{- $defaultTag := index . 1 -}}
 {{- with index . 0 -}}
 {{- if .registry -}}{{ printf "%s/%s" .registry .repository }}{{- else -}}{{- .repository -}}{{- end -}}
 {{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}}
 {{- end }}
 {{- end }}
 {{/*
 Check that the user has not set both .installCRDs and .crds.enabled or
 set .installCRDs and disabled .crds.keep.
 .installCRDs is deprecated and users should use .crds.enabled and .crds.keep instead.
 */}}
 {{- define "cert-manager.crd-check" -}}
  {{- if and (.Values.installCRDs) (.Values.crds.enabled) }}
    {{- fail "ERROR: the deprecated .installCRDs option cannot be enabled at the same time as its replacement .crds.enabled" }}
  {{- end }}
  {{- if and (.Values.installCRDs) (not .Values.crds.keep) }}
    {{- fail "ERROR: .crds.keep is not compatible with .installCRDs, please use .crds.enabled and .crds.keep instead" }}
  {{- end }}
 {{- end -}}
@@ -0,0 +1,19 @@
 {{- if .Values.cainjector.config -}}
 {{- $config := .Values.cainjector.config -}}
 {{- $_ := set $config "apiVersion" (default "cainjector.config.cert-manager.io/v1alpha1" $config.apiVersion) -}}
 {{- $_ := set $config "kind" (default "CAInjectorConfiguration" $config.kind) -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ include "cainjector.fullname" . }}
  namespace: {{ include "cert-manager.namespace" . }}
  labels:
    app: {{ include "cainjector.name" . }}
    app.kubernetes.io/name: {{ include "cainjector.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cainjector"
    {{- include "labels" . | nindent 4 }}
 data:
  config.yaml: |
    {{- $config | toYaml | nindent 4 }}
 {{- end -}}
@@ -0,0 +1,166 @@
 {{- if .Values.cainjector.enabled }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "cainjector.fullname" . }}
  namespace: {{ include "cert-manager.namespace" . }}
  labels:
    app: {{ include "cainjector.name" . }}
    app.kubernetes.io/name: {{ include "cainjector.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cainjector"
    {{- include "labels" . | nindent 4 }}
  {{- with .Values.cainjector.deploymentAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
  replicas: {{ .Values.cainjector.replicaCount }}
  {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
  {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
  {{- end }}
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "cainjector.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
      app.kubernetes.io/component: "cainjector"
  {{- with .Values.cainjector.strategy }}
  strategy:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  template:
    metadata:
      labels:
        app: {{ include "cainjector.name" . }}
        app.kubernetes.io/name: {{ include "cainjector.name" . }}
        app.kubernetes.io/instance: {{ .Release.Name }}
        app.kubernetes.io/component: "cainjector"
        {{- include "labels" . | nindent 8 }}
        {{- with .Values.cainjector.podLabels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- with .Values.cainjector.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- if and .Values.prometheus.enabled (not (or .Values.prometheus.servicemonitor.enabled .Values.prometheus.podmonitor.enabled)) }}
      {{- if not .Values.cainjector.podAnnotations }}
      annotations:
      {{- end }}
        prometheus.io/path: "/metrics"
        prometheus.io/scrape: 'true'
        prometheus.io/port: '9402'
      {{- end }}
    spec:
      {{- if not .Values.cainjector.serviceAccount.create }}
      {{- with .Values.global.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- end }}
      serviceAccountName: {{ template "cainjector.serviceAccountName" . }}
      {{- if hasKey .Values.cainjector "automountServiceAccountToken" }}
      automountServiceAccountToken: {{ .Values.cainjector.automountServiceAccountToken }}
      {{- end }}
      enableServiceLinks: {{ .Values.cainjector.enableServiceLinks }}
      {{- with .Values.global.priorityClassName }}
      priorityClassName: {{ . | quote }}
      {{- end }}
      {{- with .Values.cainjector.securityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
        - name: {{ .Chart.Name }}-cainjector
          image: "{{ template "image" (tuple .Values.cainjector.image $.Chart.AppVersion) }}"
          imagePullPolicy: {{ .Values.cainjector.image.pullPolicy }}
          args:
          {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
          {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
          - --v={{ .Values.global.logLevel }}
          {{- end }}
          {{- if .Values.cainjector.config }}
          - --config=/var/cert-manager/config/config.yaml
          {{- end }}
          {{- with .Values.global.leaderElection }}
          - --leader-election-namespace={{ .namespace }}
          {{- if .leaseDuration }}
          - --leader-election-lease-duration={{ .leaseDuration }}
          {{- end }}
          {{- if .renewDeadline }}
          - --leader-election-renew-deadline={{ .renewDeadline }}
          {{- end }}
          {{- if .retryPeriod }}
          - --leader-election-retry-period={{ .retryPeriod }}
          {{- end }}
          {{- end }}
          {{- with .Values.cainjector.featureGates}}
          - --feature-gates={{ . }}
          {{- end}}
          {{- with .Values.cainjector.extraArgs }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
          {{- if not .Values.prometheus.enabled }}
          - --metrics-listen-address=0
          {{- end }}
          {{- if .Values.prometheus.enabled }}
          ports:
          - containerPort: 9402
            name: http-metrics
            protocol: TCP
          {{- end }}
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          {{- with .Values.cainjector.extraEnv }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
          {{- with .Values.cainjector.containerSecurityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- with .Values.cainjector.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- if or .Values.cainjector.config .Values.cainjector.volumeMounts }}
          volumeMounts:
            {{- if .Values.cainjector.config }}
            - name: config
              mountPath: /var/cert-manager/config
            {{- end }}
            {{- with .Values.cainjector.volumeMounts }}
            {{- toYaml . | nindent 12 }}
            {{- end }}
          {{- end }}
      {{- with .Values.cainjector.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.cainjector.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.cainjector.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with  .Values.cainjector.topologySpreadConstraints }}
      topologySpreadConstraints:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- if or .Values.cainjector.volumes .Values.cainjector.config }}
      volumes:
        {{- if .Values.cainjector.config }}
        - name: config
          configMap:
            name: {{ include "cainjector.fullname" . }}
        {{- end }}
        {{ with .Values.cainjector.volumes }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- end }}
 {{- end }}
@@ -0,0 +1,29 @@
 {{- if .Values.cainjector.podDisruptionBudget.enabled }}
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
  name: {{ include "cainjector.fullname" . }}
  namespace: {{ include "cert-manager.namespace" . }}
  labels:
    app: {{ include "cainjector.name" . }}
    app.kubernetes.io/name: {{ include "cainjector.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cainjector"
    {{- include "labels" . | nindent 4 }}
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "cainjector.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
      app.kubernetes.io/component: "cainjector"
  {{- if not (or (hasKey .Values.cainjector.podDisruptionBudget "minAvailable") (hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable")) }}
  minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
  {{- end }}
  {{- if hasKey .Values.cainjector.podDisruptionBudget "minAvailable" }}
  minAvailable: {{ .Values.cainjector.podDisruptionBudget.minAvailable }}
  {{- end }}
  {{- if hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable" }}
  maxUnavailable: {{ .Values.cainjector.podDisruptionBudget.maxUnavailable }}
  {{- end }}
 {{- end }}
@@ -0,0 +1,20 @@
 {{- if .Values.cainjector.enabled }}
 {{- if .Values.global.podSecurityPolicy.enabled }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ template "cainjector.fullname" . }}-psp
  labels:
    app: {{ include "cainjector.name" . }}
    app.kubernetes.io/name: {{ include "cainjector.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cainjector"
    {{- include "labels" . | nindent 4 }}
 rules:
 - apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
  - {{ template "cainjector.fullname" . }}
 {{- end }}
 {{- end }}
@@ -0,0 +1,22 @@
 {{- if .Values.cainjector.enabled }}
 {{- if .Values.global.podSecurityPolicy.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ template "cainjector.fullname" . }}-psp
  labels:
    app: {{ include "cainjector.name" . }}
    app.kubernetes.io/name: {{ include "cainjector.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cainjector"
    {{- include "labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "cainjector.fullname" . }}-psp
 subjects:
  - kind: ServiceAccount
    name: {{ template "cainjector.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
 {{- end }}
 {{- end }}
@@ -0,0 +1,51 @@
 {{- if .Values.cainjector.enabled }}
 {{- if .Values.global.podSecurityPolicy.enabled }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
  name: {{ template "cainjector.fullname" . }}
  labels:
    app: {{ include "cainjector.name" . }}
    app.kubernetes.io/name: {{ include "cainjector.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cainjector"
    {{- include "labels" . | nindent 4 }}
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
    {{- if .Values.global.podSecurityPolicy.useAppArmor }}
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
    {{- end }}
 spec:
  privileged: false
  allowPrivilegeEscalation: false
  allowedCapabilities: []  # default set of capabilities are implicitly allowed
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAs'
    ranges:
    - min: 1000
      max: 1000
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    - min: 1000
      max: 1000
  fsGroup:
    rule: 'MustRunAs'
    ranges:
    - min: 1000
      max: 1000
 {{- end }}
 {{- end }}
@@ -0,0 +1,156 @@
 {{- if .Values.cainjector.enabled }}
 {{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ template "cainjector.fullname" . }}
  labels:
    app: {{ include "cainjector.name" . }}
    app.kubernetes.io/name: {{ include "cainjector.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cainjector"
    {{- include "labels" . | nindent 4 }}
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "create", "update", "patch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "update", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ template "cainjector.fullname" . }}
  labels:
    app: {{ include "cainjector.name" . }}
    app.kubernetes.io/name: {{ include "cainjector.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cainjector"
    {{- include "labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "cainjector.fullname" . }}
 subjects:
  - name: {{ template "cainjector.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
    kind: ServiceAccount
 ---
 # leader election rules
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ template "cainjector.fullname" . }}:leaderelection
  namespace: {{ .Values.global.leaderElection.namespace }}
  labels:
    app: {{ include "cainjector.name" . }}
    app.kubernetes.io/name: {{ include "cainjector.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cainjector"
    {{- include "labels" . | nindent 4 }}
 rules:
  # Used for leader election by the controller
  # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
  #   see cmd/cainjector/start.go#L113
  # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
  #   see cmd/cainjector/start.go#L137
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
    verbs: ["get", "update", "patch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create"]
 ---
 # grant cert-manager permission to manage the leaderelection configmap in the
 # leader election namespace
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "cainjector.fullname" . }}:leaderelection
  namespace: {{ .Values.global.leaderElection.namespace }}
  labels:
    app: {{ include "cainjector.name" . }}
    app.kubernetes.io/name: {{ include "cainjector.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cainjector"
    {{- include "labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ template "cainjector.fullname" . }}:leaderelection
 subjects:
  - kind: ServiceAccount
    name: {{ template "cainjector.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
 {{- end }}
 {{- end }}
 {{- $certmanagerNamespace := include "cert-manager.namespace" . }}
 {{- if (.Values.cainjector.config.metricsTLSConfig).dynamic }}
 {{- if $certmanagerNamespace | eq .Values.cainjector.config.metricsTLSConfig.dynamic.secretNamespace }}
 ---
 # Metrics server dynamic TLS serving certificate rules
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ template "cainjector.fullname" . }}:dynamic-serving
  namespace: {{ include "cert-manager.namespace" . }}
  labels:
    app: {{ include "cainjector.name" . }}
    app.kubernetes.io/name: {{ include "cainjector.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cainjector"
    {{- include "labels" . | nindent 4 }}
 rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames:
    # Allow cainjector to read and update the metrics CA Secret when dynamic TLS is
    # enabled for the metrics server and if the Secret is configured to be in the
    # same namespace as cert-manager.
    - {{ .Values.cainjector.config.metricsTLSConfig.dynamic.secretName | quote }}
    verbs: ["get", "list", "watch", "update"]
  # It's not possible to grant CREATE permission on a single resourceName.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "cainjector.fullname" . }}:dynamic-serving
  namespace: {{ include "cert-manager.namespace" . }}
  labels:
    app: {{ include "cainjector.name" . }}
    app.kubernetes.io/name: {{ include "cainjector.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cainjector"
    {{- include "labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ template "cainjector.fullname" . }}:dynamic-serving
 subjects:
  - kind: ServiceAccount
    name: {{ template "cainjector.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
 {{- end }}
 {{- end }}
@@ -0,0 +1,32 @@
 {{- if .Values.cainjector.enabled }}
 {{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ template "cainjector.fullname" . }}
  namespace: {{ include "cert-manager.namespace" . }}
 {{- with .Values.cainjector.serviceAnnotations }}
  annotations:
 {{ toYaml . | indent 4 }}
 {{- end }}
  labels:
    app: {{ include "cainjector.name" . }}
    app.kubernetes.io/name: {{ include "cainjector.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cainjector"
    {{- include "labels" . | nindent 4 }}
    {{- with .Values.cainjector.serviceLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
 spec:
  type: ClusterIP
  ports:
  - protocol: TCP
    port: 9402
    name: http-metrics
  selector:
    app.kubernetes.io/name: {{ include "cainjector.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cainjector"
 {{- end }}
 {{- end }}
@@ -0,0 +1,27 @@
 {{- if .Values.cainjector.enabled }}
 {{- if .Values.cainjector.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 automountServiceAccountToken: {{ .Values.cainjector.serviceAccount.automountServiceAccountToken }}
 metadata:
  name: {{ template "cainjector.serviceAccountName" . }}
  namespace: {{ include "cert-manager.namespace" . }}
  {{- with .Values.cainjector.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
    app: {{ include "cainjector.name" . }}
    app.kubernetes.io/name: {{ include "cainjector.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cainjector"
    {{- include "labels" . | nindent 4 }}
    {{- with .Values.cainjector.serviceAccount.labels }}
      {{ toYaml . | nindent 4 }}
    {{- end }}
 {{- with .Values.global.imagePullSecrets }}
 imagePullSecrets:
  {{- toYaml . | nindent 2 }}
 {{- end }}
 {{- end }}
 {{- end }}
@@ -0,0 +1,19 @@
 {{- if .Values.config -}}
 {{- $config := .Values.config -}}
 {{- $_ := set $config "apiVersion" (default "controller.config.cert-manager.io/v1alpha1" $config.apiVersion) -}}
 {{- $_ := set $config "kind" (default "ControllerConfiguration" $config.kind) -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ include "cert-manager.fullname" . }}
  namespace: {{ include "cert-manager.namespace" . }}
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
 data:
  config.yaml: |
    {{- $config | toYaml | nindent 4 }}
 {{- end -}}
@@ -0,0 +1,237 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ template "cert-manager.fullname" . }}
  namespace: {{ include "cert-manager.namespace" . }}
  labels:
    app: {{ template "cert-manager.name" . }}
    app.kubernetes.io/name: {{ template "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
  {{- with .Values.deploymentAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
  replicas: {{ .Values.replicaCount }}
  {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
  {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
  {{- end }}
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ template "cert-manager.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
      app.kubernetes.io/component: "controller"
  {{- with .Values.strategy }}
  strategy:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  template:
    metadata:
      labels:
        app: {{ template "cert-manager.name" . }}
        app.kubernetes.io/name: {{ template "cert-manager.name" . }}
        app.kubernetes.io/instance: {{ .Release.Name }}
        app.kubernetes.io/component: "controller"
        {{- include "labels" . | nindent 8 }}
        {{- with .Values.podLabels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- if and .Values.prometheus.enabled (not (or .Values.prometheus.servicemonitor.enabled .Values.prometheus.podmonitor.enabled)) }}
      {{- if not .Values.podAnnotations }}
      annotations:
      {{- end }}
        prometheus.io/path: "/metrics"
        prometheus.io/scrape: 'true'
        prometheus.io/port: '9402'
      {{- end }}
    spec:
      {{- if not .Values.serviceAccount.create }}
      {{- with .Values.global.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- end }}
      serviceAccountName: {{ template "cert-manager.serviceAccountName" . }}
      {{- if hasKey .Values "automountServiceAccountToken" }}
      automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
      {{- end }}
      enableServiceLinks: {{ .Values.enableServiceLinks }}
      {{- with .Values.global.priorityClassName }}
      priorityClassName: {{ . | quote }}
      {{- end }}
      {{- with .Values.securityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- if or .Values.volumes .Values.config}}
      volumes:
        {{- if .Values.config }}
        - name: config 
          configMap: 
            name: {{ include "cert-manager.fullname" . }}
        {{- end }}
        {{ with .Values.volumes }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- end }}
      containers:
        - name: {{ .Chart.Name }}-controller
          image: "{{ template "image" (tuple .Values.image $.Chart.AppVersion) }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          args:
          {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
          {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
          - --v={{ .Values.global.logLevel }}
          {{- end }}
          {{- if .Values.config }}
          - --config=/var/cert-manager/config/config.yaml
          {{- end }}
          {{- $config := default .Values.config "" }}
          {{- if .Values.clusterResourceNamespace }}
          - --cluster-resource-namespace={{ .Values.clusterResourceNamespace }}
          {{- else }}
          - --cluster-resource-namespace=$(POD_NAMESPACE)
          {{- end }}
          {{- with .Values.global.leaderElection }}
          - --leader-election-namespace={{ .namespace }}
          {{- if .leaseDuration }}
          - --leader-election-lease-duration={{ .leaseDuration }}
          {{- end }}
          {{- if .renewDeadline }}
          - --leader-election-renew-deadline={{ .renewDeadline }}
          {{- end }}
          {{- if .retryPeriod }}
          - --leader-election-retry-period={{ .retryPeriod }}
          {{- end }}
          {{- end }}
          {{- with .Values.acmesolver.image }}
          - --acme-http01-solver-image={{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}
          {{- end }}
          {{- with .Values.extraArgs }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
          {{- with .Values.ingressShim }}
          {{- if .defaultIssuerName }}
          - --default-issuer-name={{ .defaultIssuerName }}
          {{- end }}
          {{- if .defaultIssuerKind }}
          - --default-issuer-kind={{ .defaultIssuerKind }}
          {{- end }}
          {{- if .defaultIssuerGroup }}
          - --default-issuer-group={{ .defaultIssuerGroup }}
          {{- end }}
          {{- end }}
          {{- if .Values.featureGates }}
          - --feature-gates={{ .Values.featureGates }}
          {{- end }}
          {{- if .Values.maxConcurrentChallenges }}
          - --max-concurrent-challenges={{ .Values.maxConcurrentChallenges }}
          {{- end }}
          {{- if .Values.enableCertificateOwnerRef }}
          - --enable-certificate-owner-ref=true
          {{- end }}
          {{- if .Values.dns01RecursiveNameserversOnly }}
          - --dns01-recursive-nameservers-only=true
          {{- end }}
          {{- with .Values.dns01RecursiveNameservers }}
          - --dns01-recursive-nameservers={{ . }}
          {{- end }}
          {{- if .Values.disableAutoApproval }}
          - --controllers=-certificaterequests-approver
          {{- end }}
          ports:
          - containerPort: 9402
            name: http-metrics
            protocol: TCP
          - containerPort: 9403
            name: http-healthz
            protocol: TCP
          {{- with .Values.containerSecurityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- if or .Values.config .Values.volumeMounts }}
          volumeMounts:
            {{- if .Values.config }}
            - name: config 
              mountPath: /var/cert-manager/config
            {{- end }}
            {{- with .Values.volumeMounts }}
            {{- toYaml . | nindent 12 }}
            {{- end }}
          {{- end }}
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          {{- with .Values.extraEnv }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
          {{- with .Values.http_proxy }}
          - name: HTTP_PROXY
            value: {{ . }}
          {{- end }}
          {{- with .Values.https_proxy }}
          - name: HTTPS_PROXY
            value: {{ . }}
          {{- end }}
          {{- with .Values.no_proxy }}
          - name: NO_PROXY
            value: {{ . }}
          {{- end }}
          {{- with .Values.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- with .Values.livenessProbe }}
          {{- if .enabled }}
          # LivenessProbe settings are based on those used for the Kubernetes
          # controller-manager. See:
          # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
          livenessProbe:
            httpGet:
              port: http-healthz
              path: /livez
              scheme: HTTP
            initialDelaySeconds: {{ .initialDelaySeconds }}
            periodSeconds: {{ .periodSeconds }}
            timeoutSeconds: {{ .timeoutSeconds }}
            successThreshold: {{ .successThreshold }}
            failureThreshold: {{ .failureThreshold }}
          {{- end }}
          {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with  .Values.topologySpreadConstraints }}
      topologySpreadConstraints:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.podDnsPolicy }}
      dnsPolicy: {{ . }}
      {{- end }}
      {{- with .Values.podDnsConfig }}
      dnsConfig:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.hostAliases }}
      hostAliases: {{ toYaml . | nindent 8 }}
      {{- end }}
@@ -0,0 +1,4 @@
 {{ range .Values.extraObjects }}
 ---
 {{ tpl . $ }}
 {{ end }}
@@ -0,0 +1,19 @@
 {{- if .Values.webhook.networkPolicy.enabled }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
  name: {{ template "webhook.fullname" . }}-allow-egress
  namespace: {{ include "cert-manager.namespace" . }}
 spec:
  egress:
    {{- with .Values.webhook.networkPolicy.egress }}
      {{- toYaml . | nindent 2 }}
    {{- end }}
  podSelector:
    matchLabels:
      app.kubernetes.io/name: {{ include "webhook.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
      app.kubernetes.io/component: "webhook"
  policyTypes:
  - Egress
 {{- end }}
@@ -0,0 +1,21 @@
 {{- if .Values.webhook.networkPolicy.enabled }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
  name: {{ template "webhook.fullname" . }}-allow-ingress
  namespace: {{ include "cert-manager.namespace" . }}
 spec:
  ingress:
    {{- with .Values.webhook.networkPolicy.ingress }}
      {{- toYaml . | nindent 2 }}
    {{- end }}
  podSelector:
    matchLabels:
      app.kubernetes.io/name: {{ include "webhook.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
      app.kubernetes.io/component: "webhook"
  policyTypes:
  - Ingress
 {{- end }}
@@ -0,0 +1,29 @@
 {{- if .Values.podDisruptionBudget.enabled }}
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
  name: {{ include "cert-manager.fullname" . }}
  namespace: {{ include "cert-manager.namespace" . }}
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "cert-manager.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
      app.kubernetes.io/component: "controller"
  {{- if not (or (hasKey .Values.podDisruptionBudget "minAvailable") (hasKey .Values.podDisruptionBudget "maxUnavailable")) }}
  minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
  {{- end }}
  {{- if hasKey .Values.podDisruptionBudget "minAvailable" }}
  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
  {{- end }}
  {{- if hasKey .Values.podDisruptionBudget "maxUnavailable" }}
  maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
  {{- end }}
 {{- end }}
@@ -0,0 +1,63 @@
 {{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }}
 {{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }}
 {{- else if and .Values.prometheus.enabled .Values.prometheus.podmonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
 metadata:
  name: {{ template "cert-manager.fullname" . }}
 {{- if .Values.prometheus.podmonitor.namespace }}
  namespace: {{ .Values.prometheus.podmonitor.namespace }}
 {{- else }}
  namespace: {{ include "cert-manager.namespace" . }}
 {{- end }}
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
    prometheus: {{ .Values.prometheus.podmonitor.prometheusInstance }}
    {{- with .Values.prometheus.podmonitor.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
 {{- if .Values.prometheus.podmonitor.annotations }}
  annotations:
    {{- with .Values.prometheus.podmonitor.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
 {{- end }}
 spec:
  jobLabel: {{ template "cert-manager.fullname" . }}
  selector:
    matchExpressions:
      - key: app.kubernetes.io/name
        operator: In
        values:
        - {{ include "cainjector.name" . }}
        - {{ template "cert-manager.name" . }}
        - {{ include "webhook.name" . }}
      - key: app.kubernetes.io/instance
        operator: In
        values:
        - {{ .Release.Name }}
      - key: app.kubernetes.io/component
        operator: In
        values:
        - cainjector
        - controller
        - webhook
 {{- if .Values.prometheus.podmonitor.namespace }}
  namespaceSelector:
    matchNames:
      - {{ include "cert-manager.namespace" . }}
 {{- end }}
  podMetricsEndpoints:
    - port: http-metrics
      path: {{ .Values.prometheus.podmonitor.path }}
      interval: {{ .Values.prometheus.podmonitor.interval }}
      scrapeTimeout: {{ .Values.prometheus.podmonitor.scrapeTimeout }}
      honorLabels: {{ .Values.prometheus.podmonitor.honorLabels }}
      {{- with .Values.prometheus.podmonitor.endpointAdditionalProperties }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
 {{- end }}
@@ -0,0 +1,18 @@
 {{- if .Values.global.podSecurityPolicy.enabled }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ template "cert-manager.fullname" . }}-psp
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
 rules:
 - apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
  - {{ template "cert-manager.fullname" . }}
 {{- end }}
@@ -0,0 +1,20 @@
 {{- if .Values.global.podSecurityPolicy.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ template "cert-manager.fullname" . }}-psp
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "cert-manager.fullname" . }}-psp
 subjects:
  - kind: ServiceAccount
    name: {{ template "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
 {{- end }}
@@ -0,0 +1,49 @@
 {{- if .Values.global.podSecurityPolicy.enabled }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
  name: {{ template "cert-manager.fullname" . }}
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
    {{- if .Values.global.podSecurityPolicy.useAppArmor }}
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
    {{- end }}
 spec:
  privileged: false
  allowPrivilegeEscalation: false
  allowedCapabilities: []  # default set of capabilities are implicitly allowed
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAs'
    ranges:
    - min: 1000
      max: 1000
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    - min: 1000
      max: 1000
  fsGroup:
    rule: 'MustRunAs'
    ranges:
    - min: 1000
      max: 1000
 {{- end }}
@@ -0,0 +1,617 @@
 {{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ template "cert-manager.fullname" . }}:leaderelection
  namespace: {{ .Values.global.leaderElection.namespace }}
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
 rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    resourceNames: ["cert-manager-controller"]
    verbs: ["get", "update", "patch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create"]
 ---
 # grant cert-manager permission to manage the leaderelection configmap in the
 # leader election namespace
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "cert-manager.fullname" . }}:leaderelection
  namespace: {{ .Values.global.leaderElection.namespace }}
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ template "cert-manager.fullname" . }}:leaderelection
 subjects:
  - kind: ServiceAccount
    name: {{ template "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
 ---
 {{- if .Values.serviceAccount.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ template "cert-manager.serviceAccountName" . }}-tokenrequest
  namespace: {{ include "cert-manager.namespace" . }}
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
 rules:
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    resourceNames: ["{{ template "cert-manager.serviceAccountName" . }}"]
    verbs: ["create"]
 ---
 # grant cert-manager permission to create tokens for the serviceaccount
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "cert-manager.fullname" . }}-{{ template "cert-manager.serviceAccountName" .  }}-tokenrequest
  namespace: {{ include "cert-manager.namespace" . }}
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ template "cert-manager.serviceAccountName" . }}-tokenrequest
 subjects:
  - kind: ServiceAccount
    name: {{ template "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
 {{- end }}
 ---
 # Issuer controller role
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-issuers
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "issuers/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
 ---
 # ClusterIssuer controller role
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "clusterissuers/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
 ---
 # Certificates controller role
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-certificates
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders"]
    verbs: ["create", "delete", "get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
 ---
 # Orders controller role
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-orders
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
 rules:
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "orders/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "challenges"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["create", "delete"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
 ---
 # Challenges controller role
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-challenges
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
 rules:
  # Use to update challenge resource status
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "challenges/status"]
    verbs: ["update", "patch"]
  # Used to watch challenge resources
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["get", "list", "watch"]
  # Used to watch challenges, issuer and clusterissuer resources
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Need to be able to retrieve ACME account private key to complete challenges
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # Used to create events
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  # HTTP01 rules
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  - apiGroups: [ "gateway.networking.k8s.io" ]
    resources: [ "httproutes" ]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  # We require the ability to specify a custom hostname when we are creating
  # new ingress resources.
  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
  - apiGroups: ["route.openshift.io"]
    resources: ["routes/custom-host"]
    verbs: ["create"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges/finalizers"]
    verbs: ["update"]
  # DNS01 rules (duplicated above)
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
 ---
 # ingress-shim controller role
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests"]
    verbs: ["create", "update", "delete"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/finalizers"]
    verbs: ["update"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["gateways", "httproutes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["gateways/finalizers", "httproutes/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-issuers
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "cert-manager.fullname" . }}-controller-issuers
 subjects:
  - name: {{ template "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
    kind: ServiceAccount
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
 subjects:
  - name: {{ template "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
    kind: ServiceAccount
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-certificates
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "cert-manager.fullname" . }}-controller-certificates
 subjects:
  - name: {{ template "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
    kind: ServiceAccount
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-orders
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "cert-manager.fullname" . }}-controller-orders
 subjects:
  - name: {{ template "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
    kind: ServiceAccount
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-challenges
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "cert-manager.fullname" . }}-controller-challenges
 subjects:
  - name: {{ template "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
    kind: ServiceAccount
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
 subjects:
  - name: {{ template "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
    kind: ServiceAccount
 {{- if .Values.global.rbac.aggregateClusterRoles }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ template "cert-manager.fullname" . }}-cluster-view
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers"]
    verbs: ["get", "list", "watch"]
 {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ template "cert-manager.fullname" . }}-view
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
    {{- if .Values.global.rbac.aggregateClusterRoles }}
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
    {{- end }}
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "orders"]
    verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ template "cert-manager.fullname" . }}-edit
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
    {{- if .Values.global.rbac.aggregateClusterRoles }}
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    {{- end }}
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/status"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "orders"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
 ---
 {{- if not .Values.disableAutoApproval -}}
 # Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cert-manager"
    {{- include "labels" . | nindent 4 }}
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["signers"]
    verbs: ["approve"]
    {{- with .Values.approveSignerNames }}
    resourceNames:
    {{- range . }}
    - {{ . | quote }}
    {{- end  }}
    {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cert-manager"
    {{- include "labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
 subjects:
  - name: {{ template "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
    kind: ServiceAccount
 ---
 {{- end -}}
 # Permission to:
 # - Update and sign CertificateSigningRequests referencing cert-manager.io Issuers and ClusterIssuers
 # - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cert-manager"
    {{- include "labels" . | nindent 4 }}
 rules:
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["signers"]
    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
    verbs: ["sign"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cert-manager"
    {{- include "labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
 subjects:
  - name: {{ template "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
    kind: ServiceAccount
 {{- end }}
@@ -0,0 +1,37 @@
 {{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ template "cert-manager.fullname" . }}
  namespace: {{ include "cert-manager.namespace" . }}
 {{- with .Values.serviceAnnotations }}
  annotations:
 {{ toYaml . | indent 4 }}
 {{- end }}
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
    {{- with .Values.serviceLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
 spec:
  type: ClusterIP
  {{- if .Values.serviceIPFamilyPolicy }}
  ipFamilyPolicy: {{ .Values.serviceIPFamilyPolicy }}
  {{- end }}
  {{- if .Values.serviceIPFamilies }}
  ipFamilies: {{ .Values.serviceIPFamilies | toYaml | nindent 2 }}
  {{- end }}
  ports:
  - protocol: TCP
    port: 9402
    name: tcp-prometheus-servicemonitor
    targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
  selector:
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
 {{- end }}
@@ -0,0 +1,27 @@
 {{- if .Values.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 {{- with .Values.global.imagePullSecrets }}
 imagePullSecrets:
  {{- toYaml . | nindent 2 }}
 {{- end }}
 automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 metadata:
  name: {{ template "cert-manager.serviceAccountName" . }}
  namespace: {{ include "cert-manager.namespace" . }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- range $k, $v := . }}
      {{- printf "%s: %s" (tpl $k $) (tpl $v $) | nindent 4 }}
    {{- end }} 
  {{- end }}
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
    {{- with .Values.serviceAccount.labels }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
 {{- end }}
@@ -0,0 +1,63 @@
 {{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }}
 {{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }}
 {{- else if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: {{ template "cert-manager.fullname" . }}
 {{- if .Values.prometheus.servicemonitor.namespace }}
  namespace: {{ .Values.prometheus.servicemonitor.namespace }}
 {{- else }}
  namespace: {{ include "cert-manager.namespace" . }}
 {{- end }}
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
    prometheus: {{ .Values.prometheus.servicemonitor.prometheusInstance }}
    {{- with .Values.prometheus.servicemonitor.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
 {{- if .Values.prometheus.servicemonitor.annotations }}
  annotations:
    {{- with .Values.prometheus.servicemonitor.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
 {{- end }}
 spec:
  jobLabel: {{ template "cert-manager.fullname" . }}
  selector:
    matchExpressions:
      - key: app.kubernetes.io/name
        operator: In
        values:
        - {{ include "cainjector.name" . }}
        - {{ template "cert-manager.name" . }}
        - {{ include "webhook.name" . }}
      - key: app.kubernetes.io/instance
        operator: In
        values:
        - {{ .Release.Name }}
      - key: app.kubernetes.io/component
        operator: In
        values:
        - cainjector
        - controller
        - webhook
 {{- if .Values.prometheus.servicemonitor.namespace }}
  namespaceSelector:
    matchNames:
      - {{ include "cert-manager.namespace" . }}
 {{- end }}
  endpoints:
  - targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
    path: {{ .Values.prometheus.servicemonitor.path }}
    interval: {{ .Values.prometheus.servicemonitor.interval }}
    scrapeTimeout: {{ .Values.prometheus.servicemonitor.scrapeTimeout }}
    honorLabels: {{ .Values.prometheus.servicemonitor.honorLabels }}
    {{- with .Values.prometheus.servicemonitor.endpointAdditionalProperties }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
 {{- end }}
@@ -0,0 +1,95 @@
 {{- if .Values.startupapicheck.enabled }}
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: {{ include "startupapicheck.fullname" . }}
  namespace: {{ include "cert-manager.namespace" . }}
  labels:
    app: {{ include "startupapicheck.name" . }}
    app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "startupapicheck"
    {{- include "labels" . | nindent 4 }}
  {{- with .Values.startupapicheck.jobAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
  backoffLimit: {{ .Values.startupapicheck.backoffLimit }}
  template:
    metadata:
      labels:
        app: {{ include "startupapicheck.name" . }}
        app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
        app.kubernetes.io/instance: {{ .Release.Name }}
        app.kubernetes.io/component: "startupapicheck"
        {{- include "labels" . | nindent 8 }}
        {{- with .Values.startupapicheck.podLabels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- with .Values.startupapicheck.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
    spec:
      restartPolicy: OnFailure
      serviceAccountName: {{ template "startupapicheck.serviceAccountName" . }}
      {{- if hasKey .Values.startupapicheck "automountServiceAccountToken" }}
      automountServiceAccountToken: {{ .Values.startupapicheck.automountServiceAccountToken }}
      {{- end }}
      enableServiceLinks: {{ .Values.startupapicheck.enableServiceLinks }}
      {{- with .Values.global.priorityClassName }}
      priorityClassName: {{ . | quote }}
      {{- end }}
      {{- with .Values.startupapicheck.securityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
        - name: {{ .Chart.Name }}-startupapicheck
          image: "{{ template "image" (tuple .Values.startupapicheck.image $.Chart.AppVersion) }}"
          imagePullPolicy: {{ .Values.startupapicheck.image.pullPolicy }}
          args:
          - check
          - api
          - --wait={{ .Values.startupapicheck.timeout }}
          {{- with .Values.startupapicheck.extraArgs }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
          {{- with .Values.startupapicheck.containerSecurityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          {{- with .Values.startupapicheck.extraEnv }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
          {{- with .Values.startupapicheck.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- with .Values.startupapicheck.volumeMounts }}
          volumeMounts:
            {{- toYaml . | nindent 12 }}
          {{- end }}
      {{- with .Values.startupapicheck.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.startupapicheck.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.startupapicheck.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.startupapicheck.volumes }}
      volumes:
        {{- toYaml . | nindent 8 }}
      {{- end }}
 {{- end }}
@@ -0,0 +1,24 @@
 {{- if .Values.startupapicheck.enabled }}
 {{- if .Values.global.podSecurityPolicy.enabled }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ template "startupapicheck.fullname" . }}-psp
  labels:
    app: {{ include "startupapicheck.name" . }}
    app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "startupapicheck"
    {{- include "labels" . | nindent 4 }}
  {{- with .Values.startupapicheck.rbac.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 rules:
 - apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
  - {{ template "startupapicheck.fullname" . }}
 {{- end }}
 {{- end }}
@@ -0,0 +1,26 @@
 {{- if .Values.startupapicheck.enabled }}
 {{- if .Values.global.podSecurityPolicy.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ template "startupapicheck.fullname" . }}-psp
  labels:
    app: {{ include "startupapicheck.name" . }}
    app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "startupapicheck"
    {{- include "labels" . | nindent 4 }}
  {{- with .Values.startupapicheck.rbac.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "startupapicheck.fullname" . }}-psp
 subjects:
  - kind: ServiceAccount
    name: {{ template "startupapicheck.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
 {{- end }}
 {{- end }}
@@ -0,0 +1,51 @@
 {{- if .Values.startupapicheck.enabled }}
 {{- if .Values.global.podSecurityPolicy.enabled }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
  name: {{ template "startupapicheck.fullname" . }}
  labels:
    app: {{ include "startupapicheck.name" . }}
    app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "startupapicheck"
    {{- include "labels" . | nindent 4 }}
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
    {{- if .Values.global.podSecurityPolicy.useAppArmor }}
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
    {{- end }}
    {{- with .Values.startupapicheck.rbac.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
 spec:
  privileged: false
  allowPrivilegeEscalation: false
  allowedCapabilities: []  # default set of capabilities are implicitly allowed
  volumes:
  - 'projected'
  - 'secret'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAs'
    ranges:
    - min: 1000
      max: 1000
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    - min: 1000
      max: 1000
  fsGroup:
    rule: 'MustRunAs'
    ranges:
    - min: 1000
      max: 1000
 {{- end }}
 {{- end }}
@@ -0,0 +1,48 @@
 {{- if .Values.startupapicheck.enabled }}
 {{- if .Values.global.rbac.create }}
 # create certificate role
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ template "startupapicheck.fullname" . }}:create-cert
  namespace: {{ include "cert-manager.namespace" . }}
  labels:
    app: {{ include "startupapicheck.name" . }}
    app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "startupapicheck"
    {{- include "labels" . | nindent 4 }}
  {{- with .Values.startupapicheck.rbac.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificaterequests"]
    verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "startupapicheck.fullname" . }}:create-cert
  namespace: {{ include "cert-manager.namespace" . }}
  labels:
    app: {{ include "startupapicheck.name" . }}
    app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "startupapicheck"
    {{- include "labels" . | nindent 4 }}
  {{- with .Values.startupapicheck.rbac.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ template "startupapicheck.fullname" . }}:create-cert
 subjects:
  - kind: ServiceAccount
    name: {{ template "startupapicheck.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
 {{- end }}
 {{- end }}
@@ -0,0 +1,27 @@
 {{- if .Values.startupapicheck.enabled }}
 {{- if .Values.startupapicheck.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 automountServiceAccountToken: {{ .Values.startupapicheck.serviceAccount.automountServiceAccountToken }}
 metadata:
  name: {{ template "startupapicheck.serviceAccountName" . }}
  namespace: {{ include "cert-manager.namespace" . }}
  {{- with .Values.startupapicheck.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
    app: {{ include "startupapicheck.name" . }}
    app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "startupapicheck"
    {{- include "labels" . | nindent 4 }}
    {{- with .Values.startupapicheck.serviceAccount.labels }}
      {{ toYaml . | nindent 4 }}
    {{- end }}
 {{- with .Values.global.imagePullSecrets }}
 imagePullSecrets:
  {{- toYaml . | nindent 2 }}
 {{- end }}
 {{- end }}
 {{- end }}
@@ -0,0 +1,19 @@
 {{- if .Values.webhook.config -}}
 {{- $config := .Values.webhook.config -}}
 {{- $_ := set $config "apiVersion" (default "webhook.config.cert-manager.io/v1alpha1" $config.apiVersion) -}}
 {{- $_ := set $config "kind" (default "WebhookConfiguration" $config.kind) -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ include "webhook.fullname" . }}
  namespace: {{ include "cert-manager.namespace" . }}
  labels:
    app: {{ include "webhook.name" . }}
    app.kubernetes.io/name: {{ include "webhook.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "webhook"
    {{- include "labels" . | nindent 4 }}
 data:
  config.yaml: |
    {{- $config | toYaml | nindent 4 }}
 {{- end -}}
@@ -0,0 +1,217 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "webhook.fullname" . }}
  namespace: {{ include "cert-manager.namespace" . }}
  labels:
    app: {{ include "webhook.name" . }}
    app.kubernetes.io/name: {{ include "webhook.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "webhook"
    {{- include "labels" . | nindent 4 }}
  {{- with .Values.webhook.deploymentAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
  replicas: {{ .Values.webhook.replicaCount }}
  {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
  {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
  {{- end }}
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "webhook.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
      app.kubernetes.io/component: "webhook"
  {{- with .Values.webhook.strategy }}
  strategy:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  template:
    metadata:
      labels:
        app: {{ include "webhook.name" . }}
        app.kubernetes.io/name: {{ include "webhook.name" . }}
        app.kubernetes.io/instance: {{ .Release.Name }}
        app.kubernetes.io/component: "webhook"
        {{- include "labels" . | nindent 8 }}
        {{- with .Values.webhook.podLabels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- with .Values.webhook.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- if and .Values.prometheus.enabled (not (or .Values.prometheus.servicemonitor.enabled .Values.prometheus.podmonitor.enabled)) }}
      {{- if not .Values.webhook.podAnnotations }}
      annotations:
      {{- end }}
        prometheus.io/path: "/metrics"
        prometheus.io/scrape: 'true'
        prometheus.io/port: '9402'
      {{- end }}
    spec:
      {{- if not .Values.webhook.serviceAccount.create }}
      {{- with .Values.global.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- end }}
      serviceAccountName: {{ template "webhook.serviceAccountName" . }}
      {{- if hasKey .Values.webhook "automountServiceAccountToken" }}
      automountServiceAccountToken: {{ .Values.webhook.automountServiceAccountToken }}
      {{- end }}
      enableServiceLinks: {{ .Values.webhook.enableServiceLinks }}
      {{- with .Values.global.priorityClassName }}
      priorityClassName: {{ . | quote }}
      {{- end }}
      {{- with .Values.webhook.securityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- if .Values.webhook.hostNetwork }}
      hostNetwork: true
      {{- end }}
      {{- if .Values.webhook.hostNetwork }}
      dnsPolicy: ClusterFirstWithHostNet
      {{- end }}
      containers:
        - name: {{ .Chart.Name }}-webhook
          image: "{{ template "image" (tuple .Values.webhook.image $.Chart.AppVersion) }}"
          imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
          args:
          {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
          {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
          - --v={{ .Values.global.logLevel }}
          {{- end }}
          {{- if .Values.webhook.config }}
          - --config=/var/cert-manager/config/config.yaml
          {{- end }}
          {{- $config := default .Values.webhook.config "" }}
          {{ if not $config.securePort -}}
          - --secure-port={{ .Values.webhook.securePort }}
          {{- end }}
          {{- if .Values.webhook.featureGates }}
          - --feature-gates={{ .Values.webhook.featureGates }}
          {{- end }}
          {{- $tlsConfig := default $config.tlsConfig "" }}
          {{ if or (not $config.tlsConfig) (and (not $tlsConfig.dynamic) (not $tlsConfig.filesystem) ) -}}
          - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
          - --dynamic-serving-ca-secret-name={{ template "webhook.fullname" . }}-ca
          - --dynamic-serving-dns-names={{ template "webhook.fullname" . }}
          - --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE)
          - --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE).svc
          {{ if .Values.webhook.url.host }}
          - --dynamic-serving-dns-names={{ .Values.webhook.url.host }}
          {{- end }}
          {{- end }}
          {{- with .Values.webhook.extraArgs }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
          {{- if not .Values.prometheus.enabled }}
          - --metrics-listen-address=0
          {{- end }}
          ports:
          - name: https
            protocol: TCP
            {{- if $config.securePort }}
            containerPort: {{ $config.securePort }}
            {{- else if .Values.webhook.securePort }}
            containerPort: {{ .Values.webhook.securePort }}
            {{- else }}
            containerPort: 6443
            {{- end }}
          - name: healthcheck
            protocol: TCP
            {{- if $config.healthzPort }}
            containerPort: {{ $config.healthzPort }}
            {{- else }}
            containerPort: 6080
            {{- end }}
          {{- if .Values.prometheus.enabled }}
          - containerPort: 9402
            name: http-metrics
            protocol: TCP
          {{- end }}
          livenessProbe:
            httpGet:
              path: /livez
              {{- if $config.healthzPort }}
              port: {{ $config.healthzPort }}
              {{- else }}
              port: 6080
              {{- end }}
              scheme: HTTP
            initialDelaySeconds: {{ .Values.webhook.livenessProbe.initialDelaySeconds }}
            periodSeconds: {{ .Values.webhook.livenessProbe.periodSeconds }}
            timeoutSeconds: {{ .Values.webhook.livenessProbe.timeoutSeconds }}
            successThreshold: {{ .Values.webhook.livenessProbe.successThreshold }}
            failureThreshold: {{ .Values.webhook.livenessProbe.failureThreshold }}
          readinessProbe:
            httpGet:
              path: /healthz
              {{- if $config.healthzPort }}
              port: {{ $config.healthzPort }}
              {{- else }}
              port: 6080
              {{- end }}
              scheme: HTTP
            initialDelaySeconds: {{ .Values.webhook.readinessProbe.initialDelaySeconds }}
            periodSeconds: {{ .Values.webhook.readinessProbe.periodSeconds }}
            timeoutSeconds: {{ .Values.webhook.readinessProbe.timeoutSeconds }}
            successThreshold: {{ .Values.webhook.readinessProbe.successThreshold }}
            failureThreshold: {{ .Values.webhook.readinessProbe.failureThreshold }}
          {{- with .Values.webhook.containerSecurityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          {{- with .Values.webhook.extraEnv }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
          {{- with .Values.webhook.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- if or .Values.webhook.config .Values.webhook.volumeMounts }}
          volumeMounts:
            {{- if .Values.webhook.config }}
            - name: config
              mountPath: /var/cert-manager/config
            {{- end }}
            {{- with .Values.webhook.volumeMounts }}
            {{- toYaml . | nindent 12 }}
            {{- end }}
          {{- end }}
      {{- with .Values.webhook.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.webhook.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.webhook.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with  .Values.webhook.topologySpreadConstraints }}
      topologySpreadConstraints:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- if or .Values.webhook.config .Values.webhook.volumes }}
      volumes:
        {{- if .Values.webhook.config }}
        - name: config
          configMap:
            name: {{ include "webhook.fullname" . }}
        {{- end }}
        {{- with .Values.webhook.volumes }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- end }}
@@ -0,0 +1,48 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
  name: {{ include "webhook.fullname" . }}
  labels:
    app: {{ include "webhook.name" . }}
    app.kubernetes.io/name: {{ include "webhook.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "webhook"
    {{- include "labels" . | nindent 4 }}
  annotations:
    cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote }}
    {{- with .Values.webhook.mutatingWebhookConfigurationAnnotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
 webhooks:
  - name: webhook.cert-manager.io
    {{- with .Values.webhook.mutatingWebhookConfiguration.namespaceSelector }}
    namespaceSelector:
      {{- toYaml . | nindent 6 }}
    {{- end }}
    rules:
      - apiGroups:
          - "cert-manager.io"
        apiVersions:
          - "v1"
        operations:
          - CREATE
        resources:
          - "certificaterequests"
    admissionReviewVersions: ["v1"]
    # This webhook only accepts v1 cert-manager resources.
    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
    # this webhook (after the resources have been converted to v1).
    matchPolicy: Equivalent
    timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
    failurePolicy: Fail
    # Only include 'sideEffects' field in Kubernetes 1.12+
    sideEffects: None
    clientConfig:
      {{- if .Values.webhook.url.host }}
      url: https://{{ .Values.webhook.url.host }}/mutate
      {{- else }}
      service:
        name: {{ template "webhook.fullname" . }}
        namespace: {{ include "cert-manager.namespace" . }}
        path: /mutate
      {{- end }}
@@ -0,0 +1,29 @@
 {{- if .Values.webhook.podDisruptionBudget.enabled }}
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
  name: {{ include "webhook.fullname" . }}
  namespace: {{ include "cert-manager.namespace" . }}
  labels:
    app: {{ include "webhook.name" . }}
    app.kubernetes.io/name: {{ include "webhook.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "webhook"
    {{- include "labels" . | nindent 4 }}
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "webhook.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
      app.kubernetes.io/component: "webhook"
  {{- if not (or (hasKey .Values.webhook.podDisruptionBudget "minAvailable") (hasKey .Values.webhook.podDisruptionBudget "maxUnavailable")) }}
  minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
  {{- end }}
  {{- if hasKey .Values.webhook.podDisruptionBudget "minAvailable" }}
  minAvailable: {{ .Values.webhook.podDisruptionBudget.minAvailable }}
  {{- end }}
  {{- if hasKey .Values.webhook.podDisruptionBudget "maxUnavailable" }}
  maxUnavailable: {{ .Values.webhook.podDisruptionBudget.maxUnavailable }}
  {{- end }}
 {{- end }}
@@ -0,0 +1,18 @@
 {{- if .Values.global.podSecurityPolicy.enabled }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ template "webhook.fullname" . }}-psp
  labels:
    app: {{ include "webhook.name" . }}
    app.kubernetes.io/name: {{ include "webhook.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "webhook"
    {{- include "labels" . | nindent 4 }}
 rules:
 - apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
  - {{ template "webhook.fullname" . }}
 {{- end }}
@@ -0,0 +1,20 @@
 {{- if .Values.global.podSecurityPolicy.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ template "webhook.fullname" . }}-psp
  labels:
    app: {{ include "webhook.name" . }}
    app.kubernetes.io/name: {{ include "webhook.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "webhook"
    {{- include "labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "webhook.fullname" . }}-psp
 subjects:
  - kind: ServiceAccount
    name: {{ template "webhook.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
 {{- end }}
@@ -0,0 +1,54 @@
 {{- if .Values.global.podSecurityPolicy.enabled }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
  name: {{ template "webhook.fullname" . }}
  labels:
    app: {{ include "webhook.name" . }}
    app.kubernetes.io/name: {{ include "webhook.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "webhook"
    {{- include "labels" . | nindent 4 }}
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
    {{- if .Values.global.podSecurityPolicy.useAppArmor }}
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
    {{- end }}
 spec:
  privileged: false
  allowPrivilegeEscalation: false
  allowedCapabilities: []  # default set of capabilities are implicitly allowed
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  hostNetwork: {{ .Values.webhook.hostNetwork }}
  {{- if .Values.webhook.hostNetwork }}
  hostPorts:
  - max: {{ .Values.webhook.securePort }}
    min: {{ .Values.webhook.securePort }}
  {{- end }}
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAs'
    ranges:
    - min: 1000
      max: 1000
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    - min: 1000
      max: 1000
  fsGroup:
    rule: 'MustRunAs'
    ranges:
    - min: 1000
      max: 1000
 {{- end }}
@@ -0,0 +1,90 @@
 {{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ template "webhook.fullname" . }}:dynamic-serving
  namespace: {{ include "cert-manager.namespace" . }}
  labels:
    app: {{ include "webhook.name" . }}
    app.kubernetes.io/name: {{ include "webhook.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "webhook"
    {{- include "labels" . | nindent 4 }}
 rules:
 - apiGroups: [""]
  resources: ["secrets"]
  resourceNames:
  - '{{ template "webhook.fullname" . }}-ca'
  {{- $certmanagerNamespace := include "cert-manager.namespace" . }}
  {{- with (.Values.webhook.config.metricsTLSConfig).dynamic }}
  {{- if $certmanagerNamespace | eq .secretNamespace }}
  # Allow webhook to read and update the metrics CA Secret when dynamic TLS is
  # enabled for the metrics server and if the Secret is configured to be in the
  # same namespace as cert-manager.
  - {{ .secretName | quote }}
  {{- end }}
  {{- end }}
  verbs: ["get", "list", "watch", "update"]
 # It's not possible to grant CREATE permission on a single resourceName.
 - apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ template "webhook.fullname" . }}:dynamic-serving
  namespace: {{ include "cert-manager.namespace" . }}
  labels:
    app: {{ include "webhook.name" . }}
    app.kubernetes.io/name: {{ include "webhook.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "webhook"
    {{- include "labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ template "webhook.fullname" . }}:dynamic-serving
 subjects:
 - kind: ServiceAccount
  name: {{ template "webhook.serviceAccountName" . }}
  namespace: {{ include "cert-manager.namespace" . }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ template "webhook.fullname" . }}:subjectaccessreviews
  labels:
    app: {{ include "webhook.name" . }}
    app.kubernetes.io/name: {{ include "webhook.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "webhook"
    {{- include "labels" . | nindent 4 }}
 rules:
 - apiGroups: ["authorization.k8s.io"]
  resources: ["subjectaccessreviews"]
  verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ template "webhook.fullname" . }}:subjectaccessreviews
  labels:
    app: {{ include "webhook.name" . }}
    app.kubernetes.io/name: {{ include "webhook.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "webhook"
    {{- include "labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "webhook.fullname" . }}:subjectaccessreviews
 subjects:
 - kind: ServiceAccount
  name: {{ template "webhook.serviceAccountName" . }}
  namespace: {{ include "cert-manager.namespace" . }}
 {{- end }}
@@ -0,0 +1,44 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ template "webhook.fullname" . }}
  namespace: {{ include "cert-manager.namespace" . }}
 {{- with .Values.webhook.serviceAnnotations }}
  annotations:
 {{ toYaml . | indent 4 }}
 {{- end }}
  labels:
    app: {{ include "webhook.name" . }}
    app.kubernetes.io/name: {{ include "webhook.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "webhook"
    {{- include "labels" . | nindent 4 }}
    {{- with .Values.webhook.serviceLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
 spec:
  type: {{ .Values.webhook.serviceType }}
  {{- if .Values.webhook.serviceIPFamilyPolicy }}
  ipFamilyPolicy: {{ .Values.webhook.serviceIPFamilyPolicy }}
  {{- end }}
  {{- if .Values.webhook.serviceIPFamilies }}
  ipFamilies: {{ .Values.webhook.serviceIPFamilies | toYaml | nindent 2 }}
  {{- end }}
  {{- with .Values.webhook.loadBalancerIP }}
  loadBalancerIP: {{ . }}
  {{- end }}
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: "https"
 {{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
  - name: metrics
    port: 9402
    protocol: TCP
    targetPort: "http-metrics"
 {{- end }}
  selector:
    app.kubernetes.io/name: {{ include "webhook.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "webhook"
@@ -0,0 +1,25 @@
 {{- if .Values.webhook.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automountServiceAccountToken }}
 metadata:
  name: {{ template "webhook.serviceAccountName" . }}
  namespace: {{ include "cert-manager.namespace" . }}
  {{- with .Values.webhook.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
    app: {{ include "webhook.name" . }}
    app.kubernetes.io/name: {{ include "webhook.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "webhook"
    {{- include "labels" . | nindent 4 }}
    {{- with .Values.webhook.serviceAccount.labels }}
      {{ toYaml . | nindent 4 }}
    {{- end }}
 {{- with .Values.global.imagePullSecrets }}
 imagePullSecrets:
  {{- toYaml . | nindent 2 }}
 {{- end }}
 {{- end }}
@@ -0,0 +1,49 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
  name: {{ include "webhook.fullname" . }}
  labels:
    app: {{ include "webhook.name" . }}
    app.kubernetes.io/name: {{ include "webhook.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "webhook"
    {{- include "labels" . | nindent 4 }}
  annotations:
    cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote}}
    {{- with .Values.webhook.validatingWebhookConfigurationAnnotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
 webhooks:
  - name: webhook.cert-manager.io
    {{- with .Values.webhook.validatingWebhookConfiguration.namespaceSelector }}
    namespaceSelector:
      {{- toYaml . | nindent 6 }}
    {{- end }}
    rules:
      - apiGroups:
          - "cert-manager.io"
          - "acme.cert-manager.io"
        apiVersions:
          - "v1"
        operations:
          - CREATE
          - UPDATE
        resources:
          - "*/*"
    admissionReviewVersions: ["v1"]
    # This webhook only accepts v1 cert-manager resources.
    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
    # this webhook (after the resources have been converted to v1).
    matchPolicy: Equivalent
    timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
    failurePolicy: Fail
    sideEffects: None
    clientConfig:
      {{- if .Values.webhook.url.host }}
      url: https://{{ .Values.webhook.url.host }}/validate
      {{- else }}
      service:
        name: {{ template "webhook.fullname" . }}
        namespace: {{ include "cert-manager.namespace" . }}
        path: /validate
      {{- end }}
@@ -0,0 +1,11 @@
 annotations:
  catalog.cattle.io/certified: rancher
  catalog.cattle.io/hidden: "true"
  catalog.cattle.io/namespace: cattle-resources-system
  catalog.cattle.io/release-name: rancher-backup-crd
 apiVersion: v2
 appVersion: v7.0.5
 description: Installs the CRDs for rancher-backup.
 name: rancher-backup-crd
 type: application
 version: 106.0.6+up7.0.5
@@ -0,0 +1,3 @@
 # Rancher Backup CRD
 A Rancher chart that installs the CRDs used by `rancher-backup`.
@@ -0,0 +1,151 @@
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: backups.resources.cattle.io
 spec:
  group: resources.cattle.io
  names:
    kind: Backup
    plural: backups
    singular: backup
  scope: Cluster
  versions:
  - additionalPrinterColumns:
    - jsonPath: .status.storageLocation
      name: Location
      type: string
    - jsonPath: .status.backupType
      name: Type
      type: string
    - jsonPath: .status.filename
      name: Latest-Backup
      type: string
    - jsonPath: .spec.resourceSetName
      name: ResourceSet
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - jsonPath: .status.conditions[?(@.type=="Ready")].message
      name: Status
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        properties:
          spec:
            properties:
              encryptionConfigSecretName:
                description: Name of the Secret containing the encryption config
                nullable: true
                type: string
              resourceSetName:
                description: Name of the ResourceSet CR to use for backup
                nullable: true
                type: string
              retentionCount:
                minimum: 1
                type: integer
              schedule:
                description: Cron schedule for recurring backups
                example:
                  Descriptors: '@midnight'
                  Standard crontab specs: 0 0 * * *
                nullable: true
                type: string
              storageLocation:
                nullable: true
                properties:
                  s3:
                    nullable: true
                    properties:
                      bucketName:
                        nullable: true
                        type: string
                      clientConfig:
                        nullable: true
                        properties:
                          aws:
                            nullable: true
                            properties:
                              dualStack:
                                type: boolean
                            type: object
                        type: object
                      credentialSecretName:
                        nullable: true
                        type: string
                      credentialSecretNamespace:
                        nullable: true
                        type: string
                      endpoint:
                        nullable: true
                        type: string
                      endpointCA:
                        nullable: true
                        type: string
                      folder:
                        nullable: true
                        type: string
                      insecureTLSSkipVerify:
                        type: boolean
                      region:
                        nullable: true
                        type: string
                    type: object
                type: object
            required:
            - resourceSetName
            type: object
          status:
            properties:
              backupType:
                nullable: true
                type: string
              conditions:
                items:
                  properties:
                    lastTransitionTime:
                      nullable: true
                      type: string
                    lastUpdateTime:
                      nullable: true
                      type: string
                    message:
                      nullable: true
                      type: string
                    reason:
                      nullable: true
                      type: string
                    status:
                      nullable: true
                      type: string
                    type:
                      nullable: true
                      type: string
                  type: object
                nullable: true
                type: array
              filename:
                nullable: true
                type: string
              lastSnapshotTs:
                nullable: true
                type: string
              nextSnapshotAt:
                nullable: true
                type: string
              observedGeneration:
                type: integer
              storageLocation:
                nullable: true
                type: string
              summary:
                nullable: true
                type: string
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
@@ -0,0 +1,124 @@
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: resourcesets.resources.cattle.io
 spec:
  group: resources.cattle.io
  names:
    kind: ResourceSet
    plural: resourcesets
    singular: resourceset
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          controllerReferences:
            items:
              properties:
                apiVersion:
                  nullable: true
                  type: string
                name:
                  nullable: true
                  type: string
                namespace:
                  nullable: true
                  type: string
                replicas:
                  type: integer
                resource:
                  nullable: true
                  type: string
              type: object
            nullable: true
            type: array
          resourceSelectors:
            items:
              properties:
                apiVersion:
                  nullable: true
                  type: string
                excludeKinds:
                  items:
                    nullable: true
                    type: string
                  nullable: true
                  type: array
                excludeResourceNameRegexp:
                  nullable: true
                  type: string
                fieldSelectors:
                  additionalProperties:
                    nullable: true
                    type: string
                  nullable: true
                  type: object
                kinds:
                  items:
                    nullable: true
                    type: string
                  nullable: true
                  type: array
                kindsRegexp:
                  nullable: true
                  type: string
                labelSelectors:
                  nullable: true
                  properties:
                    matchExpressions:
                      items:
                        properties:
                          key:
                            nullable: true
                            type: string
                          operator:
                            nullable: true
                            type: string
                          values:
                            items:
                              nullable: true
                              type: string
                            nullable: true
                            type: array
                        type: object
                      nullable: true
                      type: array
                    matchLabels:
                      additionalProperties:
                        nullable: true
                        type: string
                      nullable: true
                      type: object
                  type: object
                namespaceRegexp:
                  nullable: true
                  type: string
                namespaces:
                  items:
                    nullable: true
                    type: string
                  nullable: true
                  type: array
                resourceNameRegexp:
                  nullable: true
                  type: string
                resourceNames:
                  items:
                    nullable: true
                    type: string
                  nullable: true
                  type: array
              type: object
            nullable: true
            required:
            - apiVersion
            type: array
        required:
        - resourceSelectors
        type: object
    served: true
    storage: true
    subresources:
      status: {}
@@ -0,0 +1,132 @@
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: restores.resources.cattle.io
 spec:
  group: resources.cattle.io
  names:
    kind: Restore
    plural: restores
    singular: restore
  scope: Cluster
  versions:
  - additionalPrinterColumns:
    - jsonPath: .status.backupSource
      name: Backup-Source
      type: string
    - jsonPath: .spec.backupFilename
      name: Backup-File
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - jsonPath: .status.conditions[?(@.type=="Ready")].message
      name: Status
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        properties:
          spec:
            properties:
              backupFilename:
                nullable: true
                type: string
              deleteTimeoutSeconds:
                maximum: 10
                type: integer
              encryptionConfigSecretName:
                nullable: true
                type: string
              ignoreErrors:
                type: boolean
              prune:
                nullable: true
                type: boolean
              storageLocation:
                nullable: true
                properties:
                  s3:
                    nullable: true
                    properties:
                      bucketName:
                        nullable: true
                        type: string
                      clientConfig:
                        nullable: true
                        properties:
                          aws:
                            nullable: true
                            properties:
                              dualStack:
                                type: boolean
                            type: object
                        type: object
                      credentialSecretName:
                        nullable: true
                        type: string
                      credentialSecretNamespace:
                        nullable: true
                        type: string
                      endpoint:
                        nullable: true
                        type: string
                      endpointCA:
                        nullable: true
                        type: string
                      folder:
                        nullable: true
                        type: string
                      insecureTLSSkipVerify:
                        type: boolean
                      region:
                        nullable: true
                        type: string
                    type: object
                type: object
            required:
            - backupFilename
            type: object
          status:
            properties:
              backupSource:
                nullable: true
                type: string
              conditions:
                items:
                  properties:
                    lastTransitionTime:
                      nullable: true
                      type: string
                    lastUpdateTime:
                      nullable: true
                      type: string
                    message:
                      nullable: true
                      type: string
                    reason:
                      nullable: true
                      type: string
                    status:
                      nullable: true
                      type: string
                    type:
                      nullable: true
                      type: string
                  type: object
                nullable: true
                type: array
              observedGeneration:
                type: integer
              restoreCompletionTs:
                nullable: true
                type: string
              summary:
                nullable: true
                type: string
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
@@ -0,0 +1,26 @@
 annotations:
  catalog.cattle.io/auto-install: rancher-backup-crd=match
  catalog.cattle.io/certified: rancher
  catalog.cattle.io/display-name: Rancher Backups
  catalog.cattle.io/kube-version: '>= 1.30.0-0 < 1.33.0-0'
  catalog.cattle.io/namespace: cattle-resources-system
  catalog.cattle.io/os: linux
  catalog.cattle.io/permits-os: linux,windows
  catalog.cattle.io/provides-gvr: resources.cattle.io.resourceset/v1
  catalog.cattle.io/rancher-version: '>= 2.11.0-0 < 2.12.0-0'
  catalog.cattle.io/release-name: rancher-backup
  catalog.cattle.io/scope: management
  catalog.cattle.io/type: cluster-tool
  catalog.cattle.io/ui-component: rancher-backup
  catalog.cattle.io/upstream-version: 7.0.5
 apiVersion: v2
 appVersion: v7.0.5
 description: Provides ability to back up and restore the Rancher application running
  on any Kubernetes cluster
 icon: file://assets/logos/rancher-backup.svg
 keywords:
 - applications
 - infrastructure
 kubeVersion: '>= 1.30.0-0'
 name: rancher-backup
 version: 106.0.6+up7.0.5
@@ -0,0 +1,79 @@
 # Rancher Backup
 This chart provides ability to back up and restore the Rancher application running on any Kubernetes cluster.
 Refer [this](https://github.com/rancher/backup-restore-operator) repository for implementation details.
 -----
 ### Get Repo Info
 ```bash
 helm repo add rancher-chart https://charts.rancher.io
 helm repo update
 ```
 -----
 ### Install Chart
 ```bash
 helm install rancher-backup-crd rancher-chart/rancher-backup-crd -n cattle-resources-system --create-namespace
 helm install rancher-backup rancher-chart/rancher-backup -n cattle-resources-system
 ```
 -----
 ### Configuration
 The following table lists the configurable parameters of the rancher-backup chart and their default values:
 | Parameter   |      Description      |  Default |
 |----------|---------------|-------|
 | image.repository |  Container image repository | rancher/backup-restore-operator |
 | image.tag |    Container image tag  |   v0.1.0-rc1 |
 | s3.enabled | Configure S3 compatible default storage location. Current version supports S3 and MinIO |    false |
 | s3.credentialSecretName | Name of the Secret containing S3 credentials. This is an optional field. Skip this field in order to use IAM Role authentication. The Secret must contain following two keys, `accessKey` and `secretKey` |    "" |
 | s3.credentialSecretNamespace | Namespace of the Secret containing S3 credentials. This can be any namespace. |    "" |
 | s3.region | Region of the S3 Bucket (Required for S3, not valid for MinIO) |    "" |
 | s3.bucketName | Name of the Bucket |    "" |
 | s3.folder | Base folder within the Bucket (optional) |    "" |
 | s3.endpoint | Endpoint for the S3 storage provider |   "" |
 | s3.endpointCA | Base64 encoded CA cert for the S3 storage provider (optional) | "" |
 | s3.insecureTLSSkipVerify |  Skip SSL verification | false |
 | persistence.enabled |  Configure a Persistent Volume as the default storage location. It accepts either a StorageClass name to create a PVC, or directly accepts the PV to use. The Persistent Volume is mounted at `/var/lib/backups` in the operator pod | false |
 | persistence.storageClass |  StorageClass to use for dynamically provisioning the Persistent Volume, which will be used for storing backups | "" |
 | persistence.volumeName |  Persistent Volume to use for storing backups | "" |
 | persistence.size |  Requested size of the Persistent Volume (Applicable when using dynamic provisioning) | "" |
 | debug | Set debug flag for backup-restore deployment | false |
 | trace | Set trace flag for backup-restore deployment | false |
 | nodeSelector | https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | {} |
 | tolerations | https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration | [] |
 | affinity | https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | {} |
 | serviceAccount.annotations | Annotations to apply to created service account | {} |
 | global.cattle.psp.enabled | Enable or disable PSPs in the chart | false |
 -----
 ### PSPs
 We have added a configuration to the chart `values.yaml` which allows you to enable or disable PSPs to align with the PSP deprecation in Kubernetes `v1.25` and above.
 -----
 ### CRDs
 Refer [this](https://github.com/rancher/backup-restore-operator#crds) section for information on CRDs that this chart installs. Also refer [this](https://github.com/rancher/backup-restore-operator/tree/master/examples) folder containing sample manifests for the CRDs.
 -----
 ### Upgrading Chart
 ```bash
 helm upgrade rancher-backup-crd -n cattle-resources-system
 helm upgrade rancher-backup -n cattle-resources-system
 ```
 -----
 ### Uninstall Chart
 ```bash
 helm uninstall rancher-backup -n cattle-resources-system
 helm uninstall rancher-backup-crd -n cattle-resources-system
 ```
@@ -0,0 +1,33 @@
 # Rancher Backup
 This chart enables ability to capture backups of the Rancher application and restore from these backups. This chart can be used to migrate Rancher from one Kubernetes cluster to a different Kubernetes cluster.
 For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/backup-restore-and-disaster-recovery).
 This chart installs the following components:
 - [backup-restore-operator](https://github.com/rancher/backup-restore-operator)
  - The operator handles backing up all Kubernetes resources and CRDs that Rancher creates and manages from the local cluster. It gathers these resources by querying the Kubernetes API server, packages all the resources to create a tarball file and saves it in the configured backup storage location.
  - The operator can be configured to store backups in S3-compatible object stores such as AWS S3 and MinIO, and in persistent volumes. During deployment, you can create a default storage location, but there is always the option to override the default storage location with each backup, but will be limited to using an S3-compatible object store.
  - It preserves the ownerReferences on all resources, hence maintaining dependencies between objects.
  - This operator provides encryption support, to encrypt user specified resources before saving them in the backup file. It uses the same encryption configuration that is used to enable [Kubernetes Encryption at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
 - Backup - A backup is a CRD (`Backup`) that defines when to take backups, where to store the backup and what encryption to use (optional). Backups can be taken ad hoc or scheduled to be taken in intervals.
 - Restore - A restore is a CRD (`Restore`) that defines which backup to use to restore the Rancher application to.
 ## Upgrading to Kubernetes v1.25+
 Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. 
 As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
 > **Note:**
 > In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
 > **Note:**
 > If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
 >
 > If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
 Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
 As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.
@@ -0,0 +1,25 @@
 - apiVersion: "apiextensions.k8s.io/v1"
  kindsRegexp: "."
  resourceNameRegexp: "aks.cattle.io$"
 - apiVersion: "aks.cattle.io/v1"
  kindsRegexp: "."
 - apiVersion: "apps/v1"
  kindsRegexp: "^deployments$"
  namespaces:
    - "cattle-system"
  resourceNames:
    - "aks-config-operator"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterroles$"
  resourceNames:
    - "aks-operator"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterrolebindings$"
  resourceNames:
    - "aks-operator"
 - apiVersion: "v1"
  kindsRegexp: "^serviceaccounts$"
  namespaces:
    - "cattle-system"
  resourceNames:
  - "aks-operator"
@@ -0,0 +1,17 @@
 - apiVersion: "eks.cattle.io/v1"
  kindsRegexp: "."
 - apiVersion: "apps/v1"
  kindsRegexp: "^deployments$"
  resourceNames:
    - "eks-config-operator"
 - apiVersion: "apiextensions.k8s.io/v1"
  kindsRegexp: "."
  resourceNameRegexp: "eks.cattle.io$"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterroles$"
  resourceNames:
    - "eks-operator"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterrolebindings$"
  resourceNames:
    - "eks-operator"
@@ -0,0 +1,49 @@
 - apiVersion: "apiextensions.k8s.io/v1"
  kindsRegexp: "."
  resourceNameRegexp: "elemental.cattle.io$"
 - apiVersion: "apps/v1"
  kindsRegexp: "^deployments$"
  namespaces:
    - "cattle-elemental-system"
  resourceNames:
    - "elemental-operator"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterroles$"
  resourceNames:
    - "elemental-operator"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterrolebindings$"
  resourceNames:
    - "elemental-operator"
 - apiVersion: "v1"
  kindsRegexp: "^serviceaccounts$"
  namespaces:
    - "cattle-elemental-system"
  resourceNames:
    - "elemental-operator"
 - apiVersion: "management.cattle.io/v3"
  kindsRegexp: "^globalrole$"
  resourceNames:
    - "elemental-operator"
 - apiVersion: "management.cattle.io/v3"
  kindsRegexp: "^apiservice$"
  resourceNameRegexp: "elemental.cattle.io$"
 - apiVersion: "elemental.cattle.io/v1beta1"
  kindsRegexp: "."
  namespaceRegexp: "^cattle-fleet-|^fleet-|^cattle-elemental-system$"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^roles$|^rolebindings$"
  labelSelectors:
    matchExpressions:
    - key: "elemental.cattle.io/managed"
      operator: "In"
      values: ["true"]
  namespaceRegexp: "^cattle-fleet-|^fleet-"
 - apiVersion: "v1"
  kindsRegexp: "^serviceaccounts$"
  labelSelectors:
    matchExpressions:
    - key: "elemental.cattle.io/managed"
      operator: "In"
      values: ["true"]
  namespaceRegexp: "^cattle-fleet-|^fleet-"
@@ -0,0 +1,48 @@
 - apiVersion: "v1"
  kindsRegexp: "^namespaces$"
  resourceNameRegexp: "^fleet-"
 - apiVersion: "v1"
  kindsRegexp: "^namespaces$"
  labelSelectors:
    matchExpressions:
      - key: "app.kubernetes.io/managed-by"
        operator: "In"
        values: ["rancher"]
 - apiVersion: "v1"
  kindsRegexp: "^serviceaccounts$"
  namespaceRegexp: "^cattle-fleet-|^fleet-"
  excludeResourceNameRegexp: "^default$"
 - apiVersion: "v1"
  kindsRegexp: "^configmaps$"
  namespaceRegexp: "^cattle-fleet-|^fleet-"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^roles$|^rolebindings$"
  namespaceRegexp: "^cattle-fleet-|^fleet-"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterrolebindings$"
  resourceNameRegexp: "^fleet-|^gitjob-"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterroles$"
  resourceNameRegexp: "^fleet-"
  resourceNames:
    - "gitjob"
 - apiVersion: "apiextensions.k8s.io/v1"
  kindsRegexp: "."
  resourceNameRegexp: "fleet.cattle.io$|gitjob.cattle.io$"
 - apiVersion: "fleet.cattle.io/v1alpha1"
  kindsRegexp: "."
  excludeKinds:
    - "bundledeployments"
 - apiVersion: "gitjob.cattle.io/v1"
  kindsRegexp: "."
 - apiVersion: "apps/v1"
  kindsRegexp: "^deployments$"
  namespaceRegexp: "^cattle-fleet-|^fleet-"
  resourceNameRegexp: "^fleet-"
  resourceNames:
    - "gitjob"
 - apiVersion: "apps/v1"
  kindsRegexp: "^services$"
  namespaceRegexp: "^cattle-fleet-|^fleet-"
  resourceNames:
    - "gitjob"
@@ -0,0 +1,17 @@
 - apiVersion: "apiextensions.k8s.io/v1"
  kindsRegexp: "."
  resourceNameRegexp: "gke.cattle.io$"
 - apiVersion: "gke.cattle.io/v1"
  kindsRegexp: "."
 - apiVersion: "apps/v1"
  kindsRegexp: "^deployments$"
  resourceNames:
    - "gke-config-operator"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterroles$"
  resourceNames:
    - "gke-operator"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterrolebindings$"
  resourceNames:
    - "gke-operator"
@@ -0,0 +1,18 @@
 - apiVersion: "apiextensions.k8s.io/v1"
  kindsRegexp: "."
  resourceNameRegexp: "provisioning.cattle.io$|rke-machine-config.cattle.io$|rke-machine.cattle.io$|rke.cattle.io$|cluster.x-k8s.io$"
 - apiVersion: "provisioning.cattle.io/v1"
  kindsRegexp: "."
 - apiVersion: "rke-machine-config.cattle.io/v1"
  kindsRegexp: "."
 - apiVersion: "rke-machine.cattle.io/v1"
  kindsRegexp: "."
 - apiVersion: "rke.cattle.io/v1"
  kindsRegexp: "."
 - apiVersion: "cluster.x-k8s.io/v1beta1"
  kindsRegexp: "."
 - apiVersion: "v1"
  kindsRegexp: "^configmaps$"
  resourceNames:
    - "provisioning-log"
  namespaceRegexp: "^c-m-"
@@ -0,0 +1,28 @@
 - apiVersion: "rancher.cattle.io/v1"
  kindsRegexp: "."
 - apiVersion: "apps/v1"
  kindsRegexp: "^deployments$"
  resourceNames:
    - "rancher-operator"
  namespaces:
    - "rancher-operator-system"
 - apiVersion: "v1"
  kindsRegexp: "^serviceaccounts$"
  namespaces:
    - "rancher-operator-system"
  excludeResourceNameRegexp: "^default$"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterrolebindings$"
  resourceNames:
    - "rancher-operator"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterroles$"
  resourceNames:
    - "rancher-operator"
 - apiVersion: "apiextensions.k8s.io/v1"
  kindsRegexp: "."
  resourceNameRegexp: "rancher.cattle.io$"
 - apiVersion: "v1"
  kindsRegexp: "^namespaces$"
  resourceNames:
    - "rancher-operator-system"
@@ -0,0 +1,52 @@
 - apiVersion: "v1"
  kindsRegexp: "^namespaces$"
  resourceNameRegexp: "^cattle-|^p-|^c-|^user-|^u-|^local-"
  resourceNames:
    - "local"
 - apiVersion: "v1"
  kindsRegexp: "^serviceaccounts$"
  namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-"
  excludeResourceNameRegexp: "^default$|^rancher-csp-adapter$"
 - apiVersion: "v1"
  kindsRegexp: "^configmaps$"
  namespaces:
    - "cattle-system"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^roles$|^rolebindings$"
  namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-"
  excludeResourceNameRegexp: "^rancher-csp-adapter"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterrolebindings$"
  resourceNameRegexp: "^cattle-|^clusterrolebinding-|^globaladmin-user-|^grb-u-|^crb-"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterroles$"
  resourceNameRegexp: "^cattle-|^p-|^c-|^local-|^user-|^u-|^project-|^create-ns$"
  excludeResourceNameRegexp: "^rancher-csp-adapter-"
 - apiVersion: "scheduling.k8s.io/v1"
  kindsRegexp: "^priorityclasses$"
  resourceNameRegexp: "^rancher-critical$"
 - apiVersion: "apiextensions.k8s.io/v1"
  kindsRegexp: "."
  resourceNameRegexp: "management.cattle.io$|project.cattle.io$|catalog.cattle.io$|resources.cattle.io$"
 - apiVersion: "management.cattle.io/v3"
  kindsRegexp: "."
  excludeKinds:
    - "tokens"
    - "rancherusernotifications"
 - apiVersion: "management.cattle.io/v3"
  kindsRegexp: "^tokens$"
  labelSelectors:
    matchExpressions:
      - key: "authn.management.cattle.io/kind"
        operator: "NotIn"
        values: [ "provisioning" ]
 - apiVersion: "project.cattle.io/v3"
  kindsRegexp: "."
 - apiVersion: "catalog.cattle.io/v1"
  kindsRegexp: "^clusterrepos$"
 - apiVersion: "resources.cattle.io/v1"
  kindsRegexp: "^ResourceSet$"
 - apiVersion: catalog.cattle.io/v1
  kindsRegexp: ^UIPlugin$
  namespaces:
  - cattle-ui-plugin-system
@@ -0,0 +1,25 @@
 - apiVersion: "apiextensions.k8s.io/v1"
  kindsRegexp: "."
  resourceNameRegexp: "aks.cattle.io$"
 - apiVersion: "aks.cattle.io/v1"
  kindsRegexp: "."
 - apiVersion: "apps/v1"
  kindsRegexp: "^deployments$"
  namespaces:
    - "cattle-system"
  resourceNames:
    - "aks-config-operator"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterroles$"
  resourceNames:
    - "aks-operator"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterrolebindings$"
  resourceNames:
    - "aks-operator"
 - apiVersion: "v1"
  kindsRegexp: "^serviceaccounts$"
  namespaces:
    - "cattle-system"
  resourceNames:
  - "aks-operator"
@@ -0,0 +1,17 @@
 - apiVersion: "eks.cattle.io/v1"
  kindsRegexp: "."
 - apiVersion: "apps/v1"
  kindsRegexp: "^deployments$"
  resourceNames:
    - "eks-config-operator"
 - apiVersion: "apiextensions.k8s.io/v1"
  kindsRegexp: "."
  resourceNameRegexp: "eks.cattle.io$"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterroles$"
  resourceNames:
    - "eks-operator"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterrolebindings$"
  resourceNames:
    - "eks-operator"
@@ -0,0 +1,49 @@
 - apiVersion: "apiextensions.k8s.io/v1"
  kindsRegexp: "."
  resourceNameRegexp: "elemental.cattle.io$"
 - apiVersion: "apps/v1"
  kindsRegexp: "^deployments$"
  namespaces:
    - "cattle-elemental-system"
  resourceNames:
    - "elemental-operator"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterroles$"
  resourceNames:
    - "elemental-operator"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterrolebindings$"
  resourceNames:
    - "elemental-operator"
 - apiVersion: "v1"
  kindsRegexp: "^serviceaccounts$"
  namespaces:
    - "cattle-elemental-system"
  resourceNames:
    - "elemental-operator"
 - apiVersion: "management.cattle.io/v3"
  kindsRegexp: "^globalrole$"
  resourceNames:
    - "elemental-operator"
 - apiVersion: "management.cattle.io/v3"
  kindsRegexp: "^apiservice$"
  resourceNameRegexp: "elemental.cattle.io$"
 - apiVersion: "elemental.cattle.io/v1beta1"
  kindsRegexp: "."
  namespaceRegexp: "^cattle-fleet-|^fleet-|^cattle-elemental-system$"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^roles$|^rolebindings$"
  labelSelectors:
    matchExpressions:
    - key: "elemental.cattle.io/managed"
      operator: "In"
      values: ["true"]
  namespaceRegexp: "^cattle-fleet-|^fleet-"
 - apiVersion: "v1"
  kindsRegexp: "^secrets$|^serviceaccounts$"
  labelSelectors:
    matchExpressions:
    - key: "elemental.cattle.io/managed"
      operator: "In"
      values: ["true"]
  namespaceRegexp: "^cattle-fleet-|^fleet-"
@@ -0,0 +1,60 @@
 - apiVersion: "v1"
  kindsRegexp: "^namespaces$"
  resourceNameRegexp: "^fleet-"
 - apiVersion: "v1"
  kindsRegexp: "^namespaces$"
  labelSelectors:
    matchExpressions:
      - key: "app.kubernetes.io/managed-by"
        operator: "In"
        values: ["rancher"]
 - apiVersion: "v1"
  kindsRegexp: "^secrets$"
  namespaceRegexp: "^cattle-fleet-|^fleet-"
  excludeResourceNameRegexp: "^import-token"
  labelSelectors:
    matchExpressions:
      - key: "owner"
        operator: "NotIn"
        values: ["helm"]
      - key: "fleet.cattle.io/managed"
        operator: "In"
        values: ["true"]
 - apiVersion: "v1"
  kindsRegexp: "^serviceaccounts$"
  namespaceRegexp: "^cattle-fleet-|^fleet-"
  excludeResourceNameRegexp: "^default$"
 - apiVersion: "v1"
  kindsRegexp: "^configmaps$"
  namespaceRegexp: "^cattle-fleet-|^fleet-"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^roles$|^rolebindings$"
  namespaceRegexp: "^cattle-fleet-|^fleet-"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterrolebindings$"
  resourceNameRegexp: "^fleet-|^gitjob-"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterroles$"
  resourceNameRegexp: "^fleet-"
  resourceNames:
    - "gitjob"
 - apiVersion: "apiextensions.k8s.io/v1"
  kindsRegexp: "."
  resourceNameRegexp: "fleet.cattle.io$|gitjob.cattle.io$"
 - apiVersion: "fleet.cattle.io/v1alpha1"
  kindsRegexp: "."
  excludeKinds:
    - "bundledeployments"
 - apiVersion: "gitjob.cattle.io/v1"
  kindsRegexp: "."
 - apiVersion: "apps/v1"
  kindsRegexp: "^deployments$"
  namespaceRegexp: "^cattle-fleet-|^fleet-"
  resourceNameRegexp: "^fleet-"
  resourceNames:
    - "gitjob"
 - apiVersion: "apps/v1"
  kindsRegexp: "^services$"
  namespaceRegexp: "^cattle-fleet-|^fleet-"
  resourceNames:
    - "gitjob"
@@ -0,0 +1,17 @@
 - apiVersion: "apiextensions.k8s.io/v1"
  kindsRegexp: "."
  resourceNameRegexp: "gke.cattle.io$"
 - apiVersion: "gke.cattle.io/v1"
  kindsRegexp: "."
 - apiVersion: "apps/v1"
  kindsRegexp: "^deployments$"
  resourceNames:
    - "gke-config-operator"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterroles$"
  resourceNames:
    - "gke-operator"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterrolebindings$"
  resourceNames:
    - "gke-operator"
@@ -0,0 +1,41 @@
 - apiVersion: "apiextensions.k8s.io/v1"
  kindsRegexp: "."
  resourceNameRegexp: "provisioning.cattle.io$|rke-machine-config.cattle.io$|rke-machine.cattle.io$|rke.cattle.io$|cluster.x-k8s.io$"
 - apiVersion: "provisioning.cattle.io/v1"
  kindsRegexp: "."
 - apiVersion: "rke-machine-config.cattle.io/v1"
  kindsRegexp: "."
 - apiVersion: "rke-machine.cattle.io/v1"
  kindsRegexp: "."
 - apiVersion: "rke.cattle.io/v1"
  kindsRegexp: "."
 - apiVersion: "cluster.x-k8s.io/v1beta1"
  kindsRegexp: "."
 - apiVersion: "v1"
  kindsRegexp: "^secrets$"
  resourceNameRegexp: "machine-driver-secret$|machine-provision$|admission-configuration-psact$|^harvesterconfig|^registryconfig-auth|^harvester-cloud-provider-config"
  namespaces:
  - "fleet-default"
 - apiVersion: "v1"
  kindsRegexp: "^configmaps$"
  resourceNames:
    - "provisioning-log"
  namespaceRegexp: "^c-m-"
 - apiVersion: "v1"
  kindsRegexp: "^secrets$"
  namespaces:
   - "fleet-default"
  fieldSelectors:
    "type": "rke.cattle.io/machine-plan"
 - apiVersion: "v1"
  kindsRegexp: "^secrets$"
  namespaces:
   - "fleet-default"
  fieldSelectors:
    "type": "rke.cattle.io/cluster-state"
 - apiVersion: "v1"
  kindsRegexp: "^secrets$"
  namespaces:
   - "fleet-default"
  fieldSelectors:
    "type": "rke.cattle.io/machine-state"
@@ -0,0 +1,28 @@
 - apiVersion: "rancher.cattle.io/v1"
  kindsRegexp: "."
 - apiVersion: "apps/v1"
  kindsRegexp: "^deployments$"
  resourceNames:
    - "rancher-operator"
  namespaces:
    - "rancher-operator-system"
 - apiVersion: "v1"
  kindsRegexp: "^serviceaccounts$"
  namespaces:
    - "rancher-operator-system"
  excludeResourceNameRegexp: "^default$"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterrolebindings$"
  resourceNames:
    - "rancher-operator"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterroles$"
  resourceNames:
    - "rancher-operator"
 - apiVersion: "apiextensions.k8s.io/v1"
  kindsRegexp: "."
  resourceNameRegexp: "rancher.cattle.io$"
 - apiVersion: "v1"
  kindsRegexp: "^namespaces$"
  resourceNames:
    - "rancher-operator-system"
@@ -0,0 +1,69 @@
 - apiVersion: "v1"
  kindsRegexp: "^namespaces$"
  resourceNameRegexp: "^cattle-|^p-|^c-|^user-|^u-|^local-"
  resourceNames:
    - "local"
 - apiVersion: "v1"
  kindsRegexp: "^secrets$"
  namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-"
  labelSelectors:
    matchExpressions:
      - key: "owner"
        operator: "NotIn"
        values: ["helm"]
  excludeResourceNameRegexp: "^bootstrap-secret$|^rancher-csp-adapter|^csp-adapter-cache$"
 - apiVersion: "v1"
  kindsRegexp: "^serviceaccounts$"
  namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-"
  excludeResourceNameRegexp: "^default$|^rancher-csp-adapter$"
 - apiVersion: "v1"
  kindsRegexp: "^configmaps$"
  namespaces:
    - "cattle-system"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^roles$|^rolebindings$"
  namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-"
  excludeResourceNameRegexp: "^rancher-csp-adapter"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterrolebindings$"
  resourceNameRegexp: "^cattle-|^clusterrolebinding-|^globaladmin-user-|^grb-u-|^crb-"
 - apiVersion: "rbac.authorization.k8s.io/v1"
  kindsRegexp: "^clusterroles$"
  resourceNameRegexp: "^cattle-|^p-|^c-|^local-|^user-|^u-|^project-|^create-ns$"
  excludeResourceNameRegexp: "^rancher-csp-adapter-"
 - apiVersion: "scheduling.k8s.io/v1"
  kindsRegexp: "^priorityclasses$"
  resourceNameRegexp: "^rancher-critical$"
 - apiVersion: "apiextensions.k8s.io/v1"
  kindsRegexp: "."
  resourceNameRegexp: "management.cattle.io$|project.cattle.io$|catalog.cattle.io$|resources.cattle.io$"
 - apiVersion: "management.cattle.io/v3"
  kindsRegexp: "."
  excludeKinds:
    - "tokens"
    - "rancherusernotifications"
 - apiVersion: "management.cattle.io/v3"
  kindsRegexp: "^tokens$"
  labelSelectors:
    matchExpressions:
      - key: "authn.management.cattle.io/kind"
        operator: "NotIn"
        values: [ "provisioning" ]
 - apiVersion: "project.cattle.io/v3"
  kindsRegexp: "."
 - apiVersion: "catalog.cattle.io/v1"
  kindsRegexp: "^clusterrepos$"
 - apiVersion: "resources.cattle.io/v1"
  kindsRegexp: "^ResourceSet$"
 - apiVersion: "v1"
  kindsRegexp: "^secrets$"
  namespaceRegexp: "^.*$"
  labelSelectors:
    matchExpressions:
      - key: "resources.cattle.io/backup"
        operator: "In"
        values: ["true"]
 - apiVersion: catalog.cattle.io/v1
  kindsRegexp: ^UIPlugin$
  namespaces:
  - cattle-ui-plugin-system
@@ -0,0 +1,8 @@
 - apiVersion: "v1"
  kindsRegexp: "^secrets$"
  labelSelectors:
    matchExpressions:
    - key: "elemental.cattle.io/managed"
      operator: "In"
      values: ["true"]
  namespaceRegexp: "^cattle-fleet-|^fleet-"
@@ -0,0 +1,12 @@
 - apiVersion: "v1"
  kindsRegexp: "^secrets$"
  namespaceRegexp: "^cattle-fleet-|^fleet-"
  excludeResourceNameRegexp: "^import-token"
  labelSelectors:
    matchExpressions:
      - key: "owner"
        operator: "NotIn"
        values: ["helm"]
      - key: "fleet.cattle.io/managed"
        operator: "In"
        values: ["true"]
@@ -0,0 +1,23 @@
 - apiVersion: "v1"
  kindsRegexp: "^secrets$"
  resourceNameRegexp: "machine-driver-secret$|machine-provision$|admission-configuration-psact$|^harvesterconfig|^registryconfig-auth|^harvester-cloud-provider-config"
  namespaces:
  - "fleet-default"
 - apiVersion: "v1"
  kindsRegexp: "^secrets$"
  namespaces:
   - "fleet-default"
  fieldSelectors:
      "type": "rke.cattle.io/machine-plan"
 - apiVersion: "v1"
  kindsRegexp: "^secrets$"
  namespaces:
   - "fleet-default"
  fieldSelectors:
      "type": "rke.cattle.io/cluster-state"
 - apiVersion: "v1"
  kindsRegexp: "^secrets$"
  namespaces:
   - "fleet-default"
  fieldSelectors:
      "type": "rke.cattle.io/machine-state"
@@ -0,0 +1,17 @@
 - apiVersion: "v1"
  kindsRegexp: "^secrets$"
  namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-"
  labelSelectors:
    matchExpressions:
      - key: "owner"
        operator: "NotIn"
        values: ["helm"]
  excludeResourceNameRegexp: "^bootstrap-secret$|^rancher-csp-adapter|^csp-adapter-cache$"
 - apiVersion: "v1"
  kindsRegexp: "^secrets$"
  namespaceRegexp: "^.*$"
  labelSelectors:
    matchExpressions:
      - key: "resources.cattle.io/backup"
        operator: "In"
        values: ["true"]
@@ -0,0 +1,87 @@
 {{- define "system_default_registry" -}}
 {{- if .Values.global.cattle.systemDefaultRegistry -}}
 {{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
 {{- else -}}
 {{- "" -}}
 {{- end -}}
 {{- end -}}
 {{/*
 Windows cluster will add default taint for linux nodes, 
 add below linux tolerations to workloads could be scheduled to those linux nodes
 */}}
 {{- define "linux-node-tolerations" -}}
 - key: "cattle.io/os"
  value: "linux"
  effect: "NoSchedule"
  operator: "Equal"
 {{- end -}}
 {{- define "linux-node-selector" -}}
 {{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
 beta.kubernetes.io/os: linux
 {{- else -}}
 kubernetes.io/os: linux
 {{- end -}}
 {{- end -}}
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 */}}
 {{- define "backupRestore.fullname" -}}
 {{- .Chart.Name | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Create chart name and version as used by the chart label.
 */}}
 {{- define "backupRestore.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Common labels
 */}}
 {{- define "backupRestore.labels" -}}
 helm.sh/chart: {{ include "backupRestore.chart" . }}
 {{ include "backupRestore.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "backupRestore.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "backupRestore.fullname" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 resources.cattle.io/operator: backup-restore
 {{- end }}
 {{/*
 Create the name of the service account to use
 */}}
 {{- define "backupRestore.serviceAccountName" -}}
 {{ include "backupRestore.fullname" . }}
 {{- end }}
 {{- define "backupRestore.s3SecretName" -}}
 {{- printf "%s-%s" .Chart.Name "s3" | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Create PVC name using release and revision number, unless a volumeName is given.
 */}}
 {{- define "backupRestore.pvcName" -}}
 {{- if and .Values.persistence.volumeName }}
 {{- printf "%s" .Values.persistence.volumeName }}
 {{- else -}}
 {{- printf "%s-%d" .Release.Name .Release.Revision }}
 {{- end }}
 {{- end }}
@@ -0,0 +1,14 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ include "backupRestore.fullname" . }}
  labels:
    {{- include "backupRestore.labels" . | nindent 4 }}
 subjects:
 - kind: ServiceAccount
  name: {{ include "backupRestore.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
 roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
@@ -0,0 +1,89 @@
 {{- if and .Values.s3.enabled .Values.persistence.enabled }}
 {{- fail "\n\nCannot configure both s3 and PV for storing backups" }}
 {{- end }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "backupRestore.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "backupRestore.labels" . | nindent 4 }}
 spec:
  selector:
    matchLabels:
      {{- include "backupRestore.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "backupRestore.selectorLabels" . | nindent 8 }}
      annotations:
        checksum/s3: {{ include (print $.Template.BasePath "/s3-secret.yaml") . | sha256sum }}
        checksum/pvc: {{ include (print $.Template.BasePath "/pvc.yaml") . | sha256sum }}
        {{- if .Values.monitoring.metrics.enabled }}
        prometheus.io/port: "metrics"
        prometheus.io/scrape: "true"
        {{ end }}
    spec:
      serviceAccountName: {{ include "backupRestore.serviceAccountName" . }}
      {{- if .Values.imagePullSecrets }}
      imagePullSecrets:
      {{ toYaml .Values.imagePullSecrets | indent 6 }}
      {{- end }}
      {{- if .Values.priorityClassName }}
      priorityClassName: {{ .Values.priorityClassName }}
      {{- end }}
      containers:
      - name: {{ .Chart.Name }}
        image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
        imagePullPolicy: {{ default "Always" .Values.imagePullPolicy }}
        ports:
        - containerPort: 8080
        args:
 {{- if .Values.debug }}
        - "--debug"
 {{- end }}
 {{- if .Values.trace }}
        - "--trace"
 {{- end }}
        env:
        - name: CHART_NAMESPACE
          value: {{ .Release.Namespace }}
          {{- if .Values.s3.enabled }}
        - name: DEFAULT_S3_BACKUP_STORAGE_LOCATION
          value: {{ include "backupRestore.s3SecretName" . }}
          {{- end }}
          {{- if .Values.proxy }}
        - name: HTTP_PROXY
          value: {{ .Values.proxy }}
        - name: HTTPS_PROXY
          value: {{ .Values.proxy }}
        - name: NO_PROXY
          value: {{ .Values.noProxy }}
          {{- end }}
          {{- if .Values.monitoring.metrics.enabled }}
        - name: METRICS_SERVER
          value: "true"
          {{ end }}
          {{- if .Values.persistence.enabled }}
        - name: DEFAULT_PERSISTENCE_ENABLED
          value: "persistence-enabled"
        volumeMounts:
        - mountPath: "/var/lib/backups"
          name: pv-storage
      volumes:
        - name: pv-storage
          persistentVolumeClaim:
            claimName: {{ include "backupRestore.pvcName" . }}
          {{- end }} 
      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
 {{- if .Values.nodeSelector }}
 {{ toYaml .Values.nodeSelector | indent 8 }}
 {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
 {{- if .Values.tolerations }}
 {{ toYaml .Values.tolerations | indent 8 }}
 {{- end }}
@@ -0,0 +1,126 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: {{ include "backupRestore.fullname" . }}-patch-sa
  namespace: {{ .Release.Namespace }}
  labels: {{ include "backupRestore.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": post-install, post-upgrade
    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
 spec:
  backoffLimit: 1
  template:
    spec:
      serviceAccountName: {{ include "backupRestore.fullname" . }}-patch-sa
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
      restartPolicy: Never
      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
 {{- if .Values.nodeSelector }}
 {{ toYaml .Values.nodeSelector | indent 8 }}
 {{- end }}
      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
 {{- if .Values.tolerations }}
 {{ toYaml .Values.tolerations | indent 8 }}
 {{- end }}
      containers:
        - name: {{ include "backupRestore.fullname" . }}-patch-sa
          image: {{ include "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}
          imagePullPolicy: IfNotPresent
          command: ["kubectl", "-n", {{ .Release.Namespace | quote }}, "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "backupRestore.fullname" . }}-patch-sa
  namespace: {{ .Release.Namespace }}
  labels: {{ include "backupRestore.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": post-install, post-upgrade
    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ include "backupRestore.fullname" . }}-patch-sa
  labels: {{ include "backupRestore.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": post-install, post-upgrade
    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
 rules:
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get", "patch"]
 {{- if .Values.global.cattle.psp.enabled}}
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    verbs:     ["use"]
    resourceNames:
      - {{ include "backupRestore.fullname" . }}-patch-sa
 {{- end}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ include "backupRestore.fullname" . }}-patch-sa
  labels: {{ include "backupRestore.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": post-install, post-upgrade
    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "backupRestore.fullname" . }}-patch-sa
 subjects:
  - kind: ServiceAccount
    name: {{ include "backupRestore.fullname" . }}-patch-sa
    namespace: {{ .Release.Namespace }}
 ---
 {{- if .Values.global.cattle.psp.enabled}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
  name: {{ include "backupRestore.fullname" . }}-patch-sa
  labels: {{ include "backupRestore.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": post-install, post-upgrade
    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
 spec:
  privileged: false
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
  volumes:
    - 'secret'
 {{- end}}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
  name: {{ include "backupRestore.fullname" . }}-default-allow-all
  namespace: {{ .Release.Namespace }}
 spec:
  podSelector: {}
  ingress:
    - {}
  egress:
    - {}
  policyTypes:
    - Ingress
    - Egress
@@ -0,0 +1,31 @@
 {{- if .Values.global.cattle.psp.enabled -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
  name: {{ include "backupRestore.fullname" . }}-psp
  labels: {{ include "backupRestore.labels" . | nindent 4 }}
 spec:
  privileged: false
  allowPrivilegeEscalation: false
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
  volumes:
    - 'persistentVolumeClaim'
    - 'secret'
 {{- end -}}
@@ -0,0 +1,27 @@
 {{- if and .Values.persistence.enabled -}}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: {{ include "backupRestore.pvcName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "backupRestore.labels" . | nindent 4 }}
 spec:
  accessModes:
    - ReadWriteOnce
  resources:
     {{- with .Values.persistence }}
    requests:
      storage: {{ .size | quote }}
 {{- if .storageClass }}
 {{- if (eq "-" .storageClass) }}
  storageClassName: ""
 {{- else }}
  storageClassName: {{ .storageClass | quote }}
 {{- end }}
 {{- end }}
 {{- if .volumeName }}
  volumeName: {{ .volumeName | quote }}
 {{- end }}
 {{- end }}
 {{- end }}
@@ -0,0 +1,13 @@
 apiVersion: resources.cattle.io/v1
 kind: ResourceSet
 metadata:
  name: rancher-resource-set-basic
 controllerReferences:
  - apiVersion: "apps/v1"
    resource: "deployments"
    name: "rancher"
    namespace: "cattle-system"
 resourceSelectors:
 {{- range $path, $_ := .Files.Glob "files/basic-resourceset-contents/*.yaml" -}}
  {{- $.Files.Get $path | nindent 2 -}}
 {{- end -}}
@@ -0,0 +1,16 @@
 apiVersion: resources.cattle.io/v1
 kind: ResourceSet
 metadata:
  name: rancher-resource-set-full
 controllerReferences:
  - apiVersion: "apps/v1"
    resource: "deployments"
    name: "rancher"
    namespace: "cattle-system"
 resourceSelectors:
 {{- range $path, $_ := .Files.Glob "files/basic-resourceset-contents/*.yaml" -}}
  {{- $.Files.Get $path | nindent 2 -}}
 {{- end -}}
 {{- range $path, $_ := .Files.Glob "files/sensitive-resourceset-contents/*.yaml" -}}
  {{- $.Files.Get $path | nindent 2 -}}
 {{- end -}}
@@ -0,0 +1,15 @@
 apiVersion: resources.cattle.io/v1
 kind: ResourceSet
 metadata:
  name: rancher-resource-set
  annotations:
    helm.sh/resource-policy: keep
 controllerReferences:
  - apiVersion: "apps/v1"
    resource: "deployments"
    name: "rancher"
    namespace: "cattle-system"
 resourceSelectors:
 {{- range $path, $_ := .Files.Glob "files/default-resourceset-contents/*.yaml" -}}
  {{- $.Files.Get $path | nindent 2 -}}
 {{- end -}}
@@ -0,0 +1,34 @@
 {{- if .Values.s3.enabled -}}
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "backupRestore.s3SecretName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "backupRestore.labels" . | nindent 4 }}
 type: Opaque
 stringData:
  {{- with .Values.s3 }}
  {{- if .credentialSecretName }}
  credentialSecretName: {{ .credentialSecretName }} 
  credentialSecretNamespace: {{ required "When providing a Secret containing S3 credentials, a valid .Values.credentialSecretNamespace must be provided" .credentialSecretNamespace }}
  {{- end }}
  {{- if .region }}
  region: {{ .region | quote }}
  {{- end }}
  bucketName: {{ required "A valid .Values.bucketName is required for configuring S3 compatible storage as the default backup storage location" .bucketName | quote }}
  {{- if .folder }}
  folder: {{ .folder | quote }}
  {{- end }}
  endpoint: {{ required "A valid .Values.endpoint is required for configuring S3 compatible storage as the default backup storage location" .endpoint | quote }}
  {{- if .endpointCA }} 
  endpointCA: {{ .endpointCA }} 
  {{- end }}
  {{- if .insecureTLSSkipVerify }}
  insecureTLSSkipVerify: {{ .insecureTLSSkipVerify | quote }}
  {{- end }}
  {{- if .clientConfig }}
  clientConfig: {{ .clientConfig | toJson | quote }}
  {{- end }}
  {{- end }}
 {{ end }}
@@ -0,0 +1,30 @@
 {{ if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.monitoring.serviceMonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: {{ include "backupRestore.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
 {{- include "backupRestore.labels" . | nindent 4 }}
 {{- with .Values.monitoring.serviceMonitor.additionalLabels }}
    {{- toYaml . | nindent 4 }}
 {{- end }}
 spec:
  selector:
    matchLabels:
 {{- include "backupRestore.labels" . | nindent 6 }}
  endpoints:
  - port: http
    path: /metrics
    {{- with .Values.monitoring.serviceMonitor.metricRelabelings }}
    metricRelabelings:
      {{- toYaml . | nindent 6 }}
    {{- end }}
    {{- with .Values.monitoring.serviceMonitor.relabelings }}
    relabelings:
      {{- toYaml . | nindent 4 }}
    {{- end }}
  namespaceSelector:
    matchNames:
    - {{ .Release.Namespace }}
 {{- end }}
@@ -0,0 +1,24 @@
 {{ if .Values.monitoring.metrics.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "backupRestore.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "backupRestore.labels" . | nindent 4 }}
  annotations:
    prometheus.io/path: /metrics
    prometheus.io/port: /8080
    prometheus.io/scrape: "true"
 spec:
  type: ClusterIP
  clusterIP: None
  ports:
    - port: 8080
      targetPort: 8080
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: {{ .Release.Name }}
    app.kubernetes.io/instance: {{ .Release.Name }}
 {{ end }}
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,3 @@`
							`# Rancher Backup CRD`

							A Rancher chart that installs the CRDs used by `rancher-backup`.