openshift
diff --git a/‎Makefile
Lines changed: 9 additions & 2 deletions b/‎Makefile
Lines changed: 9 additions & 2 deletions
diff --git a/‎bindata/istio-csr/cert-manager-istio-csr-clusterrole.yaml
Lines changed: 34 additions & 0 deletions b/‎bindata/istio-csr/cert-manager-istio-csr-clusterrole.yaml
Lines changed: 34 additions & 0 deletions
diff --git a/‎bindata/istio-csr/clusterrolebinding.yaml renamed to ‎bindata/istio-csr/cert-manager-istio-csr-clusterrolebinding.yaml
Lines changed: 5 additions & 8 deletions b/‎bindata/istio-csr/clusterrolebinding.yaml renamed to ‎bindata/istio-csr/cert-manager-istio-csr-clusterrolebinding.yaml
Lines changed: 5 additions & 8 deletions
diff --git a/‎bindata/istio-csr/cert-manager-istio-csr-deployment.yaml
Lines changed: 82 additions & 0 deletions b/‎bindata/istio-csr/cert-manager-istio-csr-deployment.yaml
Lines changed: 82 additions & 0 deletions
diff --git a/‎bindata/istio-csr/cert-manager-istio-csr-leases-role.yaml
Lines changed: 27 additions & 0 deletions b/‎bindata/istio-csr/cert-manager-istio-csr-leases-role.yaml
Lines changed: 27 additions & 0 deletions
diff --git a/‎bindata/istio-csr/rolebinding_leases.yaml renamed to ‎bindata/istio-csr/cert-manager-istio-csr-leases-rolebinding.yaml
Lines changed: 5 additions & 8 deletions b/‎bindata/istio-csr/rolebinding_leases.yaml renamed to ‎bindata/istio-csr/cert-manager-istio-csr-leases-rolebinding.yaml
Lines changed: 5 additions & 8 deletions
diff --git a/‎bindata/istio-csr/cert-manager-istio-csr-role.yaml
Lines changed: 28 additions & 0 deletions b/‎bindata/istio-csr/cert-manager-istio-csr-role.yaml
Lines changed: 28 additions & 0 deletions
diff --git a/‎bindata/istio-csr/rolebinding.yaml renamed to ‎bindata/istio-csr/cert-manager-istio-csr-rolebinding.yaml
Lines changed: 5 additions & 8 deletions b/‎bindata/istio-csr/rolebinding.yaml renamed to ‎bindata/istio-csr/cert-manager-istio-csr-rolebinding.yaml
Lines changed: 5 additions & 8 deletions
diff --git a/‎bindata/istio-csr/service.yaml renamed to ‎bindata/istio-csr/cert-manager-istio-csr-service.yaml
Lines changed: 1 addition & 3 deletions b/‎bindata/istio-csr/service.yaml renamed to ‎bindata/istio-csr/cert-manager-istio-csr-service.yaml
Lines changed: 1 addition & 3 deletions
diff --git a/‎bindata/istio-csr/serviceaccount.yaml renamed to ‎bindata/istio-csr/cert-manager-istio-csr-serviceaccount.yaml
Lines changed: 1 addition & 4 deletions b/‎bindata/istio-csr/serviceaccount.yaml renamed to ‎bindata/istio-csr/cert-manager-istio-csr-serviceaccount.yaml
Lines changed: 1 addition & 4 deletions
@@ -97,6 +97,8 @@ GOLANGCI_LINT_BIN=$(BIN_DIR)/golangci-lint
 
 OPERATOR_SDK_BIN=$(BIN_DIR)/operator-sdk
 
+HELM_BIN=$(BIN_DIR)/helm
+
 COMMIT ?= $(shell git rev-parse HEAD)
 SHORTCOMMIT ?= $(shell git rev-parse --short HEAD)
 GOBUILD_VERSION_ARGS = -ldflags "-X $(PACKAGE)/pkg/version.SHORTCOMMIT=$(SHORTCOMMIT) -X $(PACKAGE)/pkg/version.COMMIT=$(COMMIT)"
@@ -107,7 +109,7 @@ E2E_TIMEOUT ?= 1h
 E2E_GINKGO_LABEL_FILTER ?= "Platform: isSubsetOf {AWS}"
 
 MANIFEST_SOURCE = https://github.com/cert-manager/cert-manager/releases/download/v1.15.5/cert-manager.yaml
-
+ISTIO_CSR_VERSION = "v0.14.0"
 
 ##@ Development
 
@@ -141,8 +143,9 @@ test: manifests generate fmt vet ## Run tests.
 	mkdir -p "$(ENVTEST_ASSETS_DIR)"
 	KUBEBUILDER_ASSETS="$(shell $(SETUP_ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(ENVTEST_ASSETS_DIR) -p path)" go test ./... -coverprofile cover.out
 
-update-manifests:
+update-manifests: $(HELM_BIN)
 	hack/update-cert-manager-manifests.sh $(MANIFEST_SOURCE)
+	hack/update-istio-csr-manifests.sh $(ISTIO_CSR_VERSION)
 .PHONY: update-manifests
 
 update-scripts:
@@ -285,6 +288,10 @@ $(OPERATOR_SDK_BIN):
 	mkdir -p $(BIN_DIR)
 	hack/operator-sdk.sh $(OPERATOR_SDK_BIN)
 
+$(HELM_BIN):
+	mkdir -p $(BIN_DIR)
+	hack/helm.sh $(HELM_BIN)
+
 clean:
 	go clean
 	rm -f $(BIN)
@@ -0,0 +1,34 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    app.kubernetes.io/name: cert-manager-istio-csr
+    app.kubernetes.io/instance: cert-manager-istio-csr
+    app.kubernetes.io/version: v0.14.0
+    app.kubernetes.io/managed-by: cert-manager-operator
+  name: cert-manager-istio-csr
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - create
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - authentication.k8s.io
+    resources:
+      - tokenreviews
+    verbs:
+      - create
@@ -1,20 +1,17 @@
----
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   labels:
-    app: cert-manager-istio-csr
     app.kubernetes.io/name: cert-manager-istio-csr
     app.kubernetes.io/instance: cert-manager-istio-csr
-    app.kubernetes.io/version: "v0.12.0"
+    app.kubernetes.io/version: v0.14.0
     app.kubernetes.io/managed-by: cert-manager-operator
-    app.kubernetes.io/part-of: cert-manager-operator
-  generateName: cert-manager-istio-csr-
+  name: cert-manager-istio-csr
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cert-manager-istio-csr
 subjects:
-- kind: ServiceAccount
-  name: cert-manager-istio-csr
-  namespace: cert-manager
+  - kind: ServiceAccount
+    name: cert-manager-istio-csr
+    namespace: cert-manager
@@ -0,0 +1,82 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cert-manager-istio-csr
+  namespace: cert-manager
+  labels:
+    app.kubernetes.io/name: cert-manager-istio-csr
+    app.kubernetes.io/instance: cert-manager-istio-csr
+    app.kubernetes.io/version: v0.14.0
+    app.kubernetes.io/managed-by: cert-manager-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: cert-manager-istio-csr
+  template:
+    metadata:
+      labels:
+        app: cert-manager-istio-csr
+        app.kubernetes.io/name: cert-manager-istio-csr
+        app.kubernetes.io/instance: cert-manager-istio-csr
+        app.kubernetes.io/version: v0.14.0
+    spec:
+      serviceAccountName: cert-manager-istio-csr
+      nodeSelector:
+        kubernetes.io/os: linux
+      containers:
+        - name: cert-manager-istio-csr
+          image: quay.io/jetstack/cert-manager-istio-csr:v0.14.0
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 6443
+            - containerPort: 9402
+          readinessProbe:
+            httpGet:
+              port: 6060
+              path: /readyz
+            initialDelaySeconds: 3
+            periodSeconds: 7
+          args:
+            - --log-level=1
+            - --log-format=text
+            - --metrics-port=9402
+            - --readiness-probe-port=6060
+            - --readiness-probe-path=/readyz
+            - --certificate-namespace=istio-system
+            - --issuer-enabled=true
+            - --issuer-name=istio-ca
+            - --issuer-kind=Issuer
+            - --issuer-group=cert-manager.io
+            - --preserve-certificate-requests=false
+            - --root-ca-file=
+            - --serving-certificate-dns-names=cert-manager-istio-csr.cert-manager.svc
+            - --serving-certificate-duration=1h
+            - --trust-domain=cluster.local
+            - --cluster-id=Kubernetes
+            - --max-client-certificate-duration=1h
+            - --serving-address=0.0.0.0:6443
+            - --serving-certificate-key-size=2048
+            - --serving-signature-algorithm=RSA
+            - --enable-client-cert-authenticator=false
+            - --leader-election-namespace=istio-system
+            - --disable-kubernetes-client-rate-limiter=false
+            - --runtime-issuance-config-map-name=
+            - --runtime-issuance-config-map-namespace=cert-manager
+            - --istiod-cert-enabled=false
+            - --istiod-cert-name=istiod-dynamic
+            - --istiod-cert-namespace=istio-system
+            - --istiod-cert-duration=1h
+            - --istiod-cert-renew-before=30m
+            - --istiod-cert-key-algorithm=RSA
+            - --istiod-cert-key-size=2048
+            - --istiod-cert-additional-dns-names=
+            - --istiod-cert-istio-revisions=default
+          resources: {}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
@@ -0,0 +1,27 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    app.kubernetes.io/name: cert-manager-istio-csr
+    app.kubernetes.io/instance: cert-manager-istio-csr
+    app.kubernetes.io/version: v0.14.0
+    app.kubernetes.io/managed-by: cert-manager-operator
+  name: cert-manager-istio-csr-leases
+  namespace: istio-system
+rules:
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - get
+      - create
+      - update
+      - watch
+      - list
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
@@ -1,21 +1,18 @@
----
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cert-manager-istio-csr-leases
-  namespace: cert-manager
+  namespace: istio-system
   labels:
-    app: cert-manager-istio-csr
     app.kubernetes.io/name: cert-manager-istio-csr
     app.kubernetes.io/instance: cert-manager-istio-csr
-    app.kubernetes.io/version: "v0.12.0"
+    app.kubernetes.io/version: v0.14.0
     app.kubernetes.io/managed-by: cert-manager-operator
-    app.kubernetes.io/part-of: cert-manager-operator
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: cert-manager-istio-csr-leases
 subjects:
-- kind: ServiceAccount
-  name: cert-manager-istio-csr
-  namespace: cert-manager
+  - kind: ServiceAccount
+    name: cert-manager-istio-csr
+    namespace: cert-manager
@@ -0,0 +1,28 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    app.kubernetes.io/name: cert-manager-istio-csr
+    app.kubernetes.io/instance: cert-manager-istio-csr
+    app.kubernetes.io/version: v0.14.0
+    app.kubernetes.io/managed-by: cert-manager-operator
+  name: cert-manager-istio-csr
+  namespace: istio-system
+rules:
+  - apiGroups:
+      - cert-manager.io
+    resources:
+      - certificaterequests
+    verbs:
+      - get
+      - list
+      - create
+      - update
+      - delete
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
@@ -1,21 +1,18 @@
----
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cert-manager-istio-csr
-  namespace: cert-manager
+  namespace: istio-system
   labels:
-    app: cert-manager-istio-csr
     app.kubernetes.io/name: cert-manager-istio-csr
     app.kubernetes.io/instance: cert-manager-istio-csr
-    app.kubernetes.io/version: "v0.12.0"
+    app.kubernetes.io/version: v0.14.0
     app.kubernetes.io/managed-by: cert-manager-operator
-    app.kubernetes.io/part-of: cert-manager-operator
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: cert-manager-istio-csr
 subjects:
-- kind: ServiceAccount
-  name: cert-manager-istio-csr
-  namespace: cert-manager
+  - kind: ServiceAccount
+    name: cert-manager-istio-csr
+    namespace: cert-manager
@@ -1,4 +1,3 @@
----
 apiVersion: v1
 kind: Service
 metadata:
@@ -8,9 +7,8 @@ metadata:
     app: cert-manager-istio-csr
     app.kubernetes.io/name: cert-manager-istio-csr
     app.kubernetes.io/instance: cert-manager-istio-csr
-    app.kubernetes.io/version: "v0.12.0"
+    app.kubernetes.io/version: v0.14.0
     app.kubernetes.io/managed-by: cert-manager-operator
-    app.kubernetes.io/part-of: cert-manager-operator
 spec:
   type: ClusterIP
   ports:
 
@@ -1,13 +1,10 @@
----
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    app: cert-manager-istio-csr
     app.kubernetes.io/name: cert-manager-istio-csr
     app.kubernetes.io/instance: cert-manager-istio-csr
-    app.kubernetes.io/version: "v0.12.0"
+    app.kubernetes.io/version: v0.14.0
     app.kubernetes.io/managed-by: cert-manager-operator
-    app.kubernetes.io/part-of: cert-manager-operator
   name: cert-manager-istio-csr
   namespace: cert-manager