
Deploy releases/k8s-manifests 454249c#146

Merged
themightychris merged 8 commits into
deploys/k8s-manifests from
releases/k8s-manifests
May 18, 2026


@github-actions

kubectl diff reports that applying 454249c will change:

diff -uN /tmp/LIVE-2184372934/apps.v1.Deployment.cert-manager.cert-manager /tmp/MERGED-1725376609/apps.v1.Deployment.cert-manager.cert-manager
--- /tmp/LIVE-2184372934/apps.v1.Deployment.cert-manager.cert-manager	2026-05-18 15:52:25.078915596 +0000
+++ /tmp/MERGED-1725376609/apps.v1.Deployment.cert-manager.cert-manager	2026-05-18 15:52:25.088915551 +0000
@@ -9,8 +9,8 @@
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.10.1
-    helm.sh/chart: cert-manager-v1.10.1
+    app.kubernetes.io/version: v1.20.2
+    helm.sh/chart: cert-manager-v1.20.2
   name: cert-manager
   namespace: cert-manager
 spec:
@@ -40,15 +40,16 @@
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: cert-manager
-        app.kubernetes.io/version: v1.10.1
-        helm.sh/chart: cert-manager-v1.10.1
+        app.kubernetes.io/version: v1.20.2
+        helm.sh/chart: cert-manager-v1.20.2
     spec:
       containers:
       - args:
         - --v=2
+        - --config=/var/cert-manager/config/config.yaml
         - --cluster-resource-namespace=$(POD_NAMESPACE)
         - --leader-election-namespace=kube-system
-        - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.10.1
+        - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.20.2
         - --max-concurrent-challenges=60
         env:
         - name: POD_NAMESPACE
@@ -56,8 +57,18 @@
             fieldRef:
               apiVersion: v1
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-controller:v1.10.1
+        image: quay.io/jetstack/cert-manager-controller:v1.20.2
         imagePullPolicy: IfNotPresent
+        livenessProbe:
+          failureThreshold: 8
+          httpGet:
+            path: /livez
+            port: http-healthz
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 15
         name: cert-manager-controller
         ports:
         - containerPort: 9402
@@ -75,8 +86,12 @@
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: true
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /var/cert-manager/config
+          name: config
       dnsPolicy: ClusterFirst
       enableServiceLinks: false
       nodeSelector:
@@ -90,3 +105,8 @@
       serviceAccount: cert-manager
       serviceAccountName: cert-manager
       terminationGracePeriodSeconds: 30
+      volumes:
+      - configMap:
+          defaultMode: 420
+          name: cert-manager
+        name: config
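Review bot: The live controller image is v1.10.1 (the `-` line above `image:`) and this hunk moves it to v1.20.2 in a single rollout, whereas the PR description records the bump as 1.13.3 → 1.20.2, so the cluster was further behind the blueprint than the description assumes and the upstream release notes for every skipped minor should be checked for renewal-affecting defaults before the first renewals run (1.18 is believed to have changed the default `Certificate.spec.privateKey.rotationPolicy` to `Always`, which would re-key existing certificates on renewal — confirm). The new `--config=/var/cert-manager/config/config.yaml` is satisfied by the `cert-manager` ConfigMap created in this same apply, but the added `livenessProbe` targets a named port `http-healthz` that does not appear in the visible `ports:` list (which is cut by the hunk at 9402), so verify the rendered container declares it or the probe fails and the pod is restarted every 80s. The container securityContext now drops all capabilities and runs read-only, which is the right direction; pod-level `runAsNonRoot` and `seccompProfile` are outside this hunk and should be confirmed present rather than assumed from the chart.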
diff -uN /tmp/LIVE-2184372934/apps.v1.Deployment.cert-manager.cert-manager-cainjector /tmp/MERGED-1725376609/apps.v1.Deployment.cert-manager.cert-manager-cainjector
--- /tmp/LIVE-2184372934/apps.v1.Deployment.cert-manager.cert-manager-cainjector	2026-05-18 15:52:25.079915591 +0000
+++ /tmp/MERGED-1725376609/apps.v1.Deployment.cert-manager.cert-manager-cainjector	2026-05-18 15:52:25.089915546 +0000
@@ -9,8 +9,8 @@
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.10.1
-    helm.sh/chart: cert-manager-v1.10.1
+    app.kubernetes.io/version: v1.20.2
+    helm.sh/chart: cert-manager-v1.20.2
   name: cert-manager-cainjector
   namespace: cert-manager
 spec:
@@ -29,6 +29,10 @@
     type: RollingUpdate
   template:
     metadata:
+      annotations:
+        prometheus.io/path: /metrics
+        prometheus.io/port: "9402"
+        prometheus.io/scrape: "true"
       creationTimestamp: null
       labels:
         app: cainjector
@@ -36,8 +40,8 @@
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: cainjector
-        app.kubernetes.io/version: v1.10.1
-        helm.sh/chart: cert-manager-v1.10.1
+        app.kubernetes.io/version: v1.20.2
+        helm.sh/chart: cert-manager-v1.20.2
     spec:
       containers:
       - args:
@@ -49,14 +53,19 @@
             fieldRef:
               apiVersion: v1
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-cainjector:v1.10.1
+        image: quay.io/jetstack/cert-manager-cainjector:v1.20.2
         imagePullPolicy: IfNotPresent
         name: cert-manager-cainjector
+        ports:
+        - containerPort: 9402
+          name: http-metrics
+          protocol: TCP
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: true
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
       dnsPolicy: ClusterFirst
diff -uN /tmp/LIVE-2184372934/apps.v1.Deployment.cert-manager.cert-manager-webhook /tmp/MERGED-1725376609/apps.v1.Deployment.cert-manager.cert-manager-webhook
--- /tmp/LIVE-2184372934/apps.v1.Deployment.cert-manager.cert-manager-webhook	2026-05-18 15:52:25.080915587 +0000
+++ /tmp/MERGED-1725376609/apps.v1.Deployment.cert-manager.cert-manager-webhook	2026-05-18 15:52:25.090915542 +0000
@@ -9,8 +9,8 @@
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.10.1
-    helm.sh/chart: cert-manager-v1.10.1
+    app.kubernetes.io/version: v1.20.2
+    helm.sh/chart: cert-manager-v1.20.2
   name: cert-manager-webhook
   namespace: cert-manager
 spec:
@@ -29,6 +29,10 @@
     type: RollingUpdate
   template:
     metadata:
+      annotations:
+        prometheus.io/path: /metrics
+        prometheus.io/port: "9402"
+        prometheus.io/scrape: "true"
       creationTimestamp: null
       labels:
         app: webhook
@@ -36,8 +40,8 @@
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: webhook
-        app.kubernetes.io/version: v1.10.1
-        helm.sh/chart: cert-manager-v1.10.1
+        app.kubernetes.io/version: v1.20.2
+        helm.sh/chart: cert-manager-v1.20.2
     spec:
       containers:
       - args:
@@ -54,13 +58,13 @@
             fieldRef:
               apiVersion: v1
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-webhook:v1.10.1
+        image: quay.io/jetstack/cert-manager-webhook:v1.20.2
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 3
           httpGet:
             path: /livez
-            port: 6080
+            port: healthcheck
             scheme: HTTP
           initialDelaySeconds: 60
           periodSeconds: 10
@@ -74,11 +78,14 @@
         - containerPort: 6080
           name: healthcheck
           protocol: TCP
+        - containerPort: 9402
+          name: http-metrics
+          protocol: TCP
         readinessProbe:
           failureThreshold: 3
           httpGet:
             path: /healthz
-            port: 6080
+            port: healthcheck
             scheme: HTTP
           initialDelaySeconds: 5
           periodSeconds: 5
@@ -89,6 +96,7 @@
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: true
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
       dnsPolicy: ClusterFirst
diff -uN /tmp/LIVE-2184372934/rbac.authorization.k8s.io.v1.Role.cert-manager.cert-manager-tokenrequest /tmp/MERGED-1725376609/rbac.authorization.k8s.io.v1.Role.cert-manager.cert-manager-tokenrequest
--- /tmp/LIVE-2184372934/rbac.authorization.k8s.io.v1.Role.cert-manager.cert-manager-tokenrequest	2026-05-18 15:52:25.080915587 +0000
+++ /tmp/MERGED-1725376609/rbac.authorization.k8s.io.v1.Role.cert-manager.cert-manager-tokenrequest	2026-05-18 15:52:25.091915537 +0000
@@ -1 +1,20 @@
-{}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/version: v1.20.2
+    helm.sh/chart: cert-manager-v1.20.2
+  name: cert-manager-tokenrequest
+  namespace: cert-manager
+rules:
+- resourceNames:
+  - cert-manager
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
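Review bot: The rendered rule has no `apiGroups` entry — `serviceaccounts/token` is a core-group subresource and a resource rule without any API group is rejected by API-server validation — so either the diff is eliding `apiGroups: [""]` or the rendered Role will fail to apply; check the applied object rather than this output. Assuming it applies, it lets the `cert-manager` controller mint TokenRequest tokens for its own ServiceAccount with caller-chosen audiences and lifetimes, which is correctly name-scoped but is only needed for issuers that authenticate via `serviceAccountRef` (Vault-style auth); if none of this repo's ClusterIssuers use that, and the chart exposes a toggle for this Role, it should be off so the controller cannot extend its own credentials. A one-line comment in the source manifest would make the grant auditable: `# TokenRequest on the controller SA: required by <issuer> serviceAccountRef auth; drop if unused`.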
diff -uN /tmp/LIVE-2184372934/rbac.authorization.k8s.io.v1.Role.cert-manager.cert-manager-webhook:dynamic-serving /tmp/MERGED-1725376609/rbac.authorization.k8s.io.v1.Role.cert-manager.cert-manager-webhook:dynamic-serving
--- /tmp/LIVE-2184372934/rbac.authorization.k8s.io.v1.Role.cert-manager.cert-manager-webhook:dynamic-serving	2026-05-18 15:52:25.081915583 +0000
+++ /tmp/MERGED-1725376609/rbac.authorization.k8s.io.v1.Role.cert-manager.cert-manager-webhook:dynamic-serving	2026-05-18 15:52:25.091915537 +0000
@@ -7,8 +7,8 @@
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.10.1
-    helm.sh/chart: cert-manager-v1.10.1
+    app.kubernetes.io/version: v1.20.2
+    helm.sh/chart: cert-manager-v1.20.2
   name: cert-manager-webhook:dynamic-serving
   namespace: cert-manager
 rules:
diff -uN /tmp/LIVE-2184372934/rbac.authorization.k8s.io.v1.RoleBinding.cert-manager.cert-manager-tokenrequest /tmp/MERGED-1725376609/rbac.authorization.k8s.io.v1.RoleBinding.cert-manager.cert-manager-tokenrequest
--- /tmp/LIVE-2184372934/rbac.authorization.k8s.io.v1.RoleBinding.cert-manager.cert-manager-tokenrequest	2026-05-18 15:52:25.081915583 +0000
+++ /tmp/MERGED-1725376609/rbac.authorization.k8s.io.v1.RoleBinding.cert-manager.cert-manager-tokenrequest	2026-05-18 15:52:25.092915533 +0000
@@ -1 +1,21 @@
-{}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/version: v1.20.2
+    helm.sh/chart: cert-manager-v1.20.2
+  name: cert-manager-tokenrequest
+  namespace: cert-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-tokenrequest
+subjects:
+- kind: ServiceAccount
+  name: cert-manager
+  namespace: cert-manager
diff -uN /tmp/LIVE-2184372934/rbac.authorization.k8s.io.v1.RoleBinding.cert-manager.cert-manager-webhook:dynamic-serving /tmp/MERGED-1725376609/rbac.authorization.k8s.io.v1.RoleBinding.cert-manager.cert-manager-webhook:dynamic-serving
--- /tmp/LIVE-2184372934/rbac.authorization.k8s.io.v1.RoleBinding.cert-manager.cert-manager-webhook:dynamic-serving	2026-05-18 15:52:25.081915583 +0000
+++ /tmp/MERGED-1725376609/rbac.authorization.k8s.io.v1.RoleBinding.cert-manager.cert-manager-webhook:dynamic-serving	2026-05-18 15:52:25.092915533 +0000
@@ -7,8 +7,8 @@
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.10.1
-    helm.sh/chart: cert-manager-v1.10.1
+    app.kubernetes.io/version: v1.20.2
+    helm.sh/chart: cert-manager-v1.20.2
   name: cert-manager-webhook:dynamic-serving
   namespace: cert-manager
 roleRef:
diff -uN /tmp/LIVE-2184372934/v1.ConfigMap.cert-manager.cert-manager /tmp/MERGED-1725376609/v1.ConfigMap.cert-manager.cert-manager
--- /tmp/LIVE-2184372934/v1.ConfigMap.cert-manager.cert-manager	2026-05-18 15:52:25.082915578 +0000
+++ /tmp/MERGED-1725376609/v1.ConfigMap.cert-manager.cert-manager	2026-05-18 15:52:25.093915528 +0000
@@ -1,4 +1,11 @@
 apiVersion: v1
+data:
+  config.yaml: |
+    apiVersion: controller.config.cert-manager.io/v1alpha1
+    enableGatewayAPI: true
+    featureGates:
+      ListenerSets: true
+    kind: ControllerConfiguration
 kind: ConfigMap
 metadata:
   labels:
@@ -7,7 +14,7 @@
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.10.1
-    helm.sh/chart: cert-manager-v1.10.1
+    app.kubernetes.io/version: v1.20.2
+    helm.sh/chart: cert-manager-v1.20.2
   name: cert-manager
   namespace: cert-manager
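Review bot: `enableGatewayAPI: true` turns on the controller's Gateway/HTTPRoute watches, but the Errors/Warnings section below shows this diff was computed against a cluster with no `gateway.networking.k8s.io/v1` CRDs, so every Gateway and GatewayClass this same release introduces was excluded from the pre-merge diff and only the apply output shows them landing — their listener and TLS configuration effectively went unreviewed and deserves a follow-up read. Startup ordering matters as well: in the cert-manager versions I am aware of, enabling Gateway API support with the CRDs absent makes the controller refuse to start rather than degrade, so if this pod rolls before the CRD server-side apply completes it will crash-loop until the CRDs exist; confirm the 1.20.2 behavior or sequence CRDs first. The `ListenerSets` feature gate also reaches for `listenersets.gateway.networking.k8s.io`, applied below, while the description calls the CRD set "standard channel"; if ListenerSet is still experimental-channel in Gateway API v1.5.1 that statement is wrong and the gate is opting the controller into an experimental API. Consider recording the reason inline, e.g. `# ListenerSets: experimental Gateway API; needed for per-app listeners on main-gateway`, above the gate.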
diff -uN /tmp/LIVE-2184372934/v1.Service.cert-manager.cert-manager /tmp/MERGED-1725376609/v1.Service.cert-manager.cert-manager
--- /tmp/LIVE-2184372934/v1.Service.cert-manager.cert-manager	2026-05-18 15:52:25.083915574 +0000
+++ /tmp/MERGED-1725376609/v1.Service.cert-manager.cert-manager	2026-05-18 15:52:25.094915524 +0000
@@ -7,8 +7,8 @@
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.10.1
-    helm.sh/chart: cert-manager-v1.10.1
+    app.kubernetes.io/version: v1.20.2
+    helm.sh/chart: cert-manager-v1.20.2
   name: cert-manager
   namespace: cert-manager
 spec:
@@ -22,6 +22,7 @@
   ports:
   - name: tcp-prometheus-servicemonitor
     port: 9402
+    targetPort: http-metrics
   selector:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: cert-manager
diff -uN /tmp/LIVE-2184372934/v1.Service.cert-manager.cert-manager-cainjector /tmp/MERGED-1725376609/v1.Service.cert-manager.cert-manager-cainjector
--- /tmp/LIVE-2184372934/v1.Service.cert-manager.cert-manager-cainjector	2026-05-18 15:52:25.084915569 +0000
+++ /tmp/MERGED-1725376609/v1.Service.cert-manager.cert-manager-cainjector	2026-05-18 15:52:25.095915519 +0000
@@ -1 +1,28 @@
-{}
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: cainjector
+    app.kubernetes.io/component: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/version: v1.20.2
+    helm.sh/chart: cert-manager-v1.20.2
+  name: cert-manager-cainjector
+  namespace: cert-manager
+spec:
+  clusterIP: 10.128.0.0
+  clusterIPs:
+  - 10.128.0.0
+  internalTrafficPolicy: Cluster
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - name: http-metrics
+    port: 9402
+  selector:
+    app.kubernetes.io/component: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cainjector
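Review bot: This is a brand-new Service whose only port is plaintext metrics (`http-metrics` 9402), and the cainjector pod spec in this same release now carries `prometheus.io/scrape: "true"`, so the cainjector's metrics become reachable from any pod in the cluster with no auth and no NetworkPolicy shown here — operational telemetry rather than secrets, but one more unauthenticated endpoint. If Prometheus scrapes via ServiceMonitor this Service may not be needed at all, and if it is kept, a namespace NetworkPolicy allowing 9402 only from the monitoring namespace would close the rest of the cluster off. The `clusterIP: 10.128.0.0` is presumably the address the server-side dry run handed out, not what apply will allocate, and should not be copied into any manifest. A short comment in the source, e.g. `# metrics-only Service; restrict 9402 to the monitoring namespace via NetworkPolicy`, would record the intent.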
diff -uN /tmp/LIVE-2184372934/v1.Service.cert-manager.cert-manager-webhook /tmp/MERGED-1725376609/v1.Service.cert-manager.cert-manager-webhook
--- /tmp/LIVE-2184372934/v1.Service.cert-manager.cert-manager-webhook	2026-05-18 15:52:25.085915565 +0000
+++ /tmp/MERGED-1725376609/v1.Service.cert-manager.cert-manager-webhook	2026-05-18 15:52:25.096915515 +0000
@@ -7,8 +7,8 @@
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.10.1
-    helm.sh/chart: cert-manager-v1.10.1
+    app.kubernetes.io/version: v1.20.2
+    helm.sh/chart: cert-manager-v1.20.2
   name: cert-manager-webhook
   namespace: cert-manager
 spec:
@@ -23,6 +23,9 @@
   - name: https
     port: 443
     targetPort: https
+  - name: metrics
+    port: 9402
+    targetPort: http-metrics
   selector:
     app.kubernetes.io/component: webhook
     app.kubernetes.io/instance: cert-manager
diff -uN /tmp/LIVE-2184372934/v1.ServiceAccount.cert-manager.cert-manager /tmp/MERGED-1725376609/v1.ServiceAccount.cert-manager.cert-manager
--- /tmp/LIVE-2184372934/v1.ServiceAccount.cert-manager.cert-manager	2026-05-18 15:52:25.086915560 +0000
+++ /tmp/MERGED-1725376609/v1.ServiceAccount.cert-manager.cert-manager	2026-05-18 15:52:25.096915515 +0000
@@ -8,7 +8,7 @@
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.10.1
-    helm.sh/chart: cert-manager-v1.10.1
+    app.kubernetes.io/version: v1.20.2
+    helm.sh/chart: cert-manager-v1.20.2
   name: cert-manager
   namespace: cert-manager
diff -uN /tmp/LIVE-2184372934/v1.ServiceAccount.cert-manager.cert-manager-cainjector /tmp/MERGED-1725376609/v1.ServiceAccount.cert-manager.cert-manager-cainjector
--- /tmp/LIVE-2184372934/v1.ServiceAccount.cert-manager.cert-manager-cainjector	2026-05-18 15:52:25.086915560 +0000
+++ /tmp/MERGED-1725376609/v1.ServiceAccount.cert-manager.cert-manager-cainjector	2026-05-18 15:52:25.097915510 +0000
@@ -8,7 +8,7 @@
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.10.1
-    helm.sh/chart: cert-manager-v1.10.1
+    app.kubernetes.io/version: v1.20.2
+    helm.sh/chart: cert-manager-v1.20.2
   name: cert-manager-cainjector
   namespace: cert-manager
diff -uN /tmp/LIVE-2184372934/v1.ServiceAccount.cert-manager.cert-manager-webhook /tmp/MERGED-1725376609/v1.ServiceAccount.cert-manager.cert-manager-webhook
--- /tmp/LIVE-2184372934/v1.ServiceAccount.cert-manager.cert-manager-webhook	2026-05-18 15:52:25.086915560 +0000
+++ /tmp/MERGED-1725376609/v1.ServiceAccount.cert-manager.cert-manager-webhook	2026-05-18 15:52:25.097915510 +0000
@@ -8,7 +8,7 @@
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.10.1
-    helm.sh/chart: cert-manager-v1.10.1
+    app.kubernetes.io/version: v1.20.2
+    helm.sh/chart: cert-manager-v1.20.2
   name: cert-manager-webhook
   namespace: cert-manager
diff -uN /tmp/LIVE-1150504887/rbac.authorization.k8s.io.v1.Role.kube-system.cert-manager-cainjector:leaderelection /tmp/MERGED-155837341/rbac.authorization.k8s.io.v1.Role.kube-system.cert-manager-cainjector:leaderelection
--- /tmp/LIVE-1150504887/rbac.authorization.k8s.io.v1.Role.kube-system.cert-manager-cainjector:leaderelection	2026-05-18 15:52:35.223868992 +0000
+++ /tmp/MERGED-155837341/rbac.authorization.k8s.io.v1.Role.kube-system.cert-manager-cainjector:leaderelection	2026-05-18 15:52:35.229868963 +0000
@@ -7,8 +7,8 @@
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.10.1
-    helm.sh/chart: cert-manager-v1.10.1
+    app.kubernetes.io/version: v1.20.2
+    helm.sh/chart: cert-manager-v1.20.2
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
 rules:
diff -uN /tmp/LIVE-1150504887/rbac.authorization.k8s.io.v1.Role.kube-system.cert-manager:leaderelection /tmp/MERGED-155837341/rbac.authorization.k8s.io.v1.Role.kube-system.cert-manager:leaderelection
--- /tmp/LIVE-1150504887/rbac.authorization.k8s.io.v1.Role.kube-system.cert-manager:leaderelection	2026-05-18 15:52:35.224868987 +0000
+++ /tmp/MERGED-155837341/rbac.authorization.k8s.io.v1.Role.kube-system.cert-manager:leaderelection	2026-05-18 15:52:35.229868963 +0000
@@ -7,8 +7,8 @@
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.10.1
-    helm.sh/chart: cert-manager-v1.10.1
+    app.kubernetes.io/version: v1.20.2
+    helm.sh/chart: cert-manager-v1.20.2
   name: cert-manager:leaderelection
   namespace: kube-system
 rules:
diff -uN /tmp/LIVE-1150504887/rbac.authorization.k8s.io.v1.RoleBinding.kube-system.cert-manager-cainjector:leaderelection /tmp/MERGED-155837341/rbac.authorization.k8s.io.v1.RoleBinding.kube-system.cert-manager-cainjector:leaderelection
--- /tmp/LIVE-1150504887/rbac.authorization.k8s.io.v1.RoleBinding.kube-system.cert-manager-cainjector:leaderelection	2026-05-18 15:52:35.225868983 +0000
+++ /tmp/MERGED-155837341/rbac.authorization.k8s.io.v1.RoleBinding.kube-system.cert-manager-cainjector:leaderelection	2026-05-18 15:52:35.230868958 +0000
@@ -7,8 +7,8 @@
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.10.1
-    helm.sh/chart: cert-manager-v1.10.1
+    app.kubernetes.io/version: v1.20.2
+    helm.sh/chart: cert-manager-v1.20.2
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
 roleRef:
diff -uN /tmp/LIVE-1150504887/rbac.authorization.k8s.io.v1.RoleBinding.kube-system.cert-manager:leaderelection /tmp/MERGED-155837341/rbac.authorization.k8s.io.v1.RoleBinding.kube-system.cert-manager:leaderelection
--- /tmp/LIVE-1150504887/rbac.authorization.k8s.io.v1.RoleBinding.kube-system.cert-manager:leaderelection	2026-05-18 15:52:35.225868983 +0000
+++ /tmp/MERGED-155837341/rbac.authorization.k8s.io.v1.RoleBinding.kube-system.cert-manager:leaderelection	2026-05-18 15:52:35.231868953 +0000
@@ -7,8 +7,8 @@
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.10.1
-    helm.sh/chart: cert-manager-v1.10.1
+    app.kubernetes.io/version: v1.20.2
+    helm.sh/chart: cert-manager-v1.20.2
   name: cert-manager:leaderelection
   namespace: kube-system
 roleRef:

Errors/Warnings

=== Directory: ./_ ===
error: resource mapping not found for name: "eg" namespace: "" from "_/GatewayClass/eg.yaml": no matches for kind "GatewayClass" in version "gateway.networking.k8s.io/v1"
ensure CRDs are installed first

=== Directory: ./balancer ===
error: resource mapping not found for name: "balancer" namespace: "balancer" from "balancer/Gateway/balancer.yaml": no matches for kind "Gateway" in version "gateway.networking.k8s.io/v1"
ensure CRDs are installed first

=== Directory: ./browserless-chrome ===
error: resource mapping not found for name: "browserless-chrome" namespace: "browserless-chrome" from "browserless-chrome/Gateway/browserless-chrome.yaml": no matches for kind "Gateway" in version "gateway.networking.k8s.io/v1"
ensure CRDs are installed first

=== Directory: ./chime ===
error: resource mapping not found for name: "chime" namespace: "chime" from "chime/Gateway/chime.yaml": no matches for kind "Gateway" in version "gateway.networking.k8s.io/v1"
ensure CRDs are installed first

=== Directory: ./choose-native-plants ===
error: resource mapping not found for name: "choose-native-plants" namespace: "choose-native-plants" from "choose-native-plants/Gateway/choose-native-plants.yaml": no matches for kind "Gateway" in version "gateway.networking.k8s.io/v1"
ensure CRDs are installed first

=== Directory: ./code-for-philly ===
error: resource mapping not found for name: "code-for-philly" namespace: "code-for-philly" from "code-for-philly/Gateway/code-for-philly.yaml": no matches for kind "Gateway" in version "gateway.networking.k8s.io/v1"
ensure CRDs are installed first

=== Directory: ./echo-http ===
error: resource mapping not found for name: "echo-http" namespace: "echo-http" from "echo-http/Gateway/echo-http.yaml": no matches for kind "Gateway" in version "gateway.networking.k8s.io/v1"
ensure CRDs are installed first

=== Directory: ./envoy-gateway-system ===
Error from server (NotFound): namespaces "envoy-gateway-system" not found

=== Directory: ./grafana ===
error: resource mapping not found for name: "grafana" namespace: "grafana" from "grafana/Gateway/grafana.yaml": no matches for kind "Gateway" in version "gateway.networking.k8s.io/v1"
ensure CRDs are installed first

=== Directory: ./sealed-secrets ===
error: resource mapping not found for name: "sealed-secrets" namespace: "sealed-secrets" from "sealed-secrets/Gateway/sealed-secrets.yaml": no matches for kind "Gateway" in version "gateway.networking.k8s.io/v1"
ensure CRDs are installed first

=== Directory: ./third-places ===
error: resource mapping not found for name: "third-places" namespace: "third-places" from "third-places/Gateway/third-places.yaml": no matches for kind "Gateway" in version "gateway.networking.k8s.io/v1"
ensure CRDs are installed first

=== Directory: ./vaultwarden ===
error: resource mapping not found for name: "vaultwarden" namespace: "vaultwarden" from "vaultwarden/Gateway/vaultwarden.yaml": no matches for kind "Gateway" in version "gateway.networking.k8s.io/v1"
ensure CRDs are installed first

…tion (phase 1)

Bumps civic-cloud blueprint v1.7.7 → v1.9.2 which brings:
- cert-manager 1.13.3 → 1.20.2 (Gateway API integration + ListenerSets gate)
- Gateway API v1.5.1 CRDs (standard channel)
- Envoy Gateway v1.7.3 controller (installs to envoy-gateway-system)
- hairpin-proxy removed (Linode LKE now supports LB hairpin natively)
- Server-side apply for CRDs in deploy workflow

Adds _infra/envoy-gateway/ with the three foundation resources copied from
sandbox: GatewayClass `eg` references EnvoyProxy `shared` with mergeGateways
enabled (single LB for all Gateways), main-gateway has an HTTP catchall
listener used by both cert-manager solver routes and the global HTTP→HTTPS
redirect (added in phase 3.5).

Traffic still flows through ingress-nginx after this deploys — phase 1
is foundation only.

Refs: #144
Adds `letsencrypt-prod-gateway` and `letsencrypt-staging-gateway` ClusterIssuers
using cert-manager 1.20's gatewayHTTPRoute solver against main-gateway. The
existing nginx-solver issuers in cert-manager.issuers.yaml stay untouched so
existing Ingress-managed Certs continue to renew normally — clean separation
between the two paths until each app cuts over.

Lesson from sandbox: mutating the existing solver in place couples Ingress
and Gateway renewal behavior in a way that's hard to reason about and hard
to revert. Parallel is the safer pattern.

Refs: #144
One file per app in _gateways/ — Gateway with per-hostname HTTPS listeners
(each with its own cert-manager-managed cert via the letsencrypt-prod-gateway
ClusterIssuer added in phase 2) plus a single HTTPRoute matching all the app's
hostnames and routing to its backend Service.

Cert Secret naming uses `-gw-tls` suffix to avoid collision with existing
Ingress-managed `<app>-tls` Certs — both coexist until each app's Ingress
is removed (phase 5).

Per-app HTTPRoutes attach only to the per-app HTTPS Gateway; HTTP→HTTPS
redirect is handled globally on main-gateway (phase 3.5), not per-app.

Apex domains (balancerproject.org, choosenativeplants.com, codeforphilly.org,
penn-chime.phl.io, vaultwarden.phl.io, bitwarden.phl.io) will not issue
certs until their DNS cuts over to Envoy — HTTP-01 challenge needs to reach
Envoy. Plan DNS cutover + cert issuance together for each apex.

For initial verification per app, the letsencrypt-prod-gateway annotation
can be swapped to letsencrypt-staging-gateway to avoid Let's Encrypt rate
limits during smoke testing — then flipped back to prod.

Refs: #144
…3.5)

Single HTTPRoute on main-gateway with a RequestRedirect filter (no
hostnames, no path → matches everything that hits the HTTP listener).
ACME challenges bypass via Gateway API conflict resolution — cert-manager's
solver HTTPRoute carries both a hostname filter and pathType: Exact on
/.well-known/acme-challenge/<token>, both more specific.

Safe to deploy any time after phase 2 — doesn't depend on per-app
Gateways being ready. Once DNS cuts over per host, HTTP requests to that
host get a 301 to HTTPS instead of falling through to ingress-nginx.

Refs: #144
Adopts the convention sandbox settled on: top-level directories under the
workspace root use the `_` prefix when they hold infrastructure / glue /
admin manifests that aren't tied to a single workload. Workloads stay bare.

Renames:
  admins/  → _admins/
  docs/    → _docs/

Updates `.holo/branches/docs-site/{_,docs/}_cfp-live-cluster.toml` to read
from `_docs/`, and the k8s-manifests exclude to skip `_docs/**`. The docs-site
branch still publishes `docs/` at root — only the workspace source path moved.

Already on the `_` convention: `_infra/`, `_gateways/` (added in the in-flight
Envoy Gateway migration on this branch).

Refs: cfp-sandbox-cluster@d7af5bd8 + @4763b70e
Adapted from cfp-sandbox-cluster@fadcf31c. Same structure (projection model,
required local-diff QA, guardrails) but rewritten for live's situation:

- Migration is in flight (#144), not complete — sandbox is the source for
  patterns, live trails it
- Parallel ClusterIssuers `letsencrypt-{prod,staging}-gateway` coexist with
  the legacy nginx-solver `letsencrypt-{prod,staging}` at the repo root
- Wildcard DNS is `*.live.k8s.phl.io` not `*.sandbox.k8s.phl.io`
- Apex domains documented (balancerproject.org, codeforphilly.org, etc.) +
  the ACME-DNS-cutover dependency for them
- No cnpg / shared-cluster — per-app PostgreSQL StatefulSets where needed
- ingress-nginx + hairpin-proxy noted as currently-present, scheduled for
  removal in #144

Refs: cfp-sandbox-cluster@fadcf31c
Envoy Gateway migration: phases 1–3.5 prep + workspace refactor
Source-holobranch: k8s-manifests-github
Source-commit: f39e903
Source: f39e903
@themightychris themightychris merged commit 92b2b24 into deploys/k8s-manifests May 18, 2026
1 check passed
@github-actions

kubectl apply output (excluding unchanged) for 92b2b24 was:

customresourcedefinition.apiextensions.k8s.io/backends.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/backendtlspolicies.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/backendtrafficpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clienttrafficpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/envoyextensionpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/envoypatchpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/envoyproxies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/grpcroutes.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/httproutefilters.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/listenersets.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/referencegrants.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/sealedsecrets.bitnami.com serverside-applied
customresourcedefinition.apiextensions.k8s.io/securitypolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/tlsroutes.gateway.networking.k8s.io serverside-applied
clusterissuer.cert-manager.io/letsencrypt-prod-gateway created
clusterissuer.cert-manager.io/letsencrypt-staging-gateway created
clusterrole.rbac.authorization.k8s.io/cert-manager-cainjector configured
clusterrole.rbac.authorization.k8s.io/cert-manager-cluster-view configured
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io configured
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificates configured
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificatesigningrequests configured
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-challenges configured
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers configured
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim configured
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-issuers configured
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-orders configured
clusterrole.rbac.authorization.k8s.io/cert-manager-edit configured
clusterrole.rbac.authorization.k8s.io/cert-manager-view configured
clusterrole.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews configured
clusterrole.rbac.authorization.k8s.io/envoy-gateway-gateway-helm-certgen:envoy-gateway-system created
clusterrole.rbac.authorization.k8s.io/envoy-gateway-gateway-helm-envoy-gateway-role created
clusterrole.rbac.authorization.k8s.io/grafana-clusterrole configured
clusterrole.rbac.authorization.k8s.io/prometheus-alertmanager configured
clusterrole.rbac.authorization.k8s.io/prometheus-pushgateway configured
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-cainjector configured
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io configured
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificates configured
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificatesigningrequests configured
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-challenges configured
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers configured
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim configured
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-issuers configured
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-orders configured
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews configured
clusterrolebinding.rbac.authorization.k8s.io/envoy-gateway-gateway-helm-certgen:envoy-gateway-system created
clusterrolebinding.rbac.authorization.k8s.io/envoy-gateway-gateway-helm-envoy-gateway-rolebinding created
clusterrolebinding.rbac.authorization.k8s.io/sealed-secrets configured
gatewayclass.gateway.networking.k8s.io/eg created
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured
mutatingwebhookconfiguration.admissionregistration.k8s.io/envoy-gateway-topology-injector.envoy-gateway-system created
namespace/envoy-gateway-system created
validatingadmissionpolicy.admissionregistration.k8s.io/safe-upgrades.gateway.networking.k8s.io created
validatingadmissionpolicybinding.admissionregistration.k8s.io/safe-upgrades.gateway.networking.k8s.io created
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission configured
secret/regcred created
gateway.gateway.networking.k8s.io/balancer created
httproute.gateway.networking.k8s.io/balancer created
gateway.gateway.networking.k8s.io/browserless-chrome created
httproute.gateway.networking.k8s.io/browserless-chrome created
configmap/cert-manager configured
deployment.apps/cert-manager-cainjector configured
deployment.apps/cert-manager-webhook configured
deployment.apps/cert-manager configured
role.rbac.authorization.k8s.io/cert-manager-tokenrequest created
role.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving configured
rolebinding.rbac.authorization.k8s.io/cert-manager-tokenrequest created
rolebinding.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving configured
service/cert-manager-cainjector created
service/cert-manager-webhook configured
service/cert-manager configured
serviceaccount/cert-manager-cainjector configured
serviceaccount/cert-manager-webhook configured
serviceaccount/cert-manager configured
gateway.gateway.networking.k8s.io/chime created
httproute.gateway.networking.k8s.io/chime created
gateway.gateway.networking.k8s.io/choose-native-plants created
httproute.gateway.networking.k8s.io/choose-native-plants created
deployment.apps/code-for-philly configured
gateway.gateway.networking.k8s.io/code-for-philly created
httproute.gateway.networking.k8s.io/code-for-philly created
gateway.gateway.networking.k8s.io/echo-http created
httproute.gateway.networking.k8s.io/echo-http created
configmap/envoy-gateway-config created
deployment.apps/envoy-gateway created
envoyproxy.gateway.envoyproxy.io/shared created
gateway.gateway.networking.k8s.io/main-gateway created
httproute.gateway.networking.k8s.io/http-redirect created
job.batch/envoy-gateway-gateway-helm-certgen created
role.rbac.authorization.k8s.io/envoy-gateway-gateway-helm-certgen created
role.rbac.authorization.k8s.io/envoy-gateway-gateway-helm-infra-manager created
role.rbac.authorization.k8s.io/envoy-gateway-gateway-helm-leader-election-role created
rolebinding.rbac.authorization.k8s.io/envoy-gateway-gateway-helm-certgen created
rolebinding.rbac.authorization.k8s.io/envoy-gateway-gateway-helm-infra-manager created
rolebinding.rbac.authorization.k8s.io/envoy-gateway-gateway-helm-leader-election-rolebinding created
service/envoy-gateway created
serviceaccount/envoy-gateway-gateway-helm-certgen created
serviceaccount/envoy-gateway created
configmap/grafana-dashboards-default configured
deployment.apps/grafana configured
gateway.gateway.networking.k8s.io/grafana created
httproute.gateway.networking.k8s.io/grafana created
deployment.apps/ingress-nginx-controller configured
deployment.apps/metrics-server configured
role.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection configured
role.rbac.authorization.k8s.io/cert-manager:leaderelection configured
rolebinding.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection configured
rolebinding.rbac.authorization.k8s.io/cert-manager:leaderelection configured
secret/promtail configured
statefulset.apps/loki configured
deployment.apps/prometheus-alertmanager configured
deployment.apps/prometheus-kube-state-metrics configured
deployment.apps/prometheus-pushgateway configured
deployment.apps/prometheus-server configured
serviceaccount/prometheus-kube-state-metrics configured
deployment.apps/sealed-secrets configured
gateway.gateway.networking.k8s.io/sealed-secrets created
httproute.gateway.networking.k8s.io/sealed-secrets created
rolebinding.rbac.authorization.k8s.io/sealed-secrets-key-admin configured
service/sealed-secrets configured
gateway.gateway.networking.k8s.io/third-places created
httproute.gateway.networking.k8s.io/third-places created
statefulset.apps/third-places-postgresql configured
gateway.gateway.networking.k8s.io/vaultwarden created
httproute.gateway.networking.k8s.io/vaultwarden created
statefulset.apps/vaultwarden-postgresql configured
clusterrole.rbac.authorization.k8s.io "hairpin-proxy-controller-cr" deleted
clusterrolebinding.rbac.authorization.k8s.io "hairpin-proxy-controller-crb" deleted
namespace "hairpin-proxy" deleted
configmap "cert-manager-webhook" deleted from cert-manager namespace
configmap "coredns-custom" deleted from kube-system namespace
role.rbac.authorization.k8s.io "hairpin-proxy-controller-r" deleted from kube-system namespace
rolebinding.rbac.authorization.k8s.io "hairpin-proxy-controller-rb" deleted from kube-system namespace

Errors/Warnings

=== Deleting: hairpin-proxy/Deployment/hairpin-proxy-controller ===
Error from server (NotFound): deployments.apps "hairpin-proxy-controller" not found

=== Deleting: hairpin-proxy/Deployment/hairpin-proxy-haproxy ===
Error from server (NotFound): deployments.apps "hairpin-proxy-haproxy" not found

=== Deleting: hairpin-proxy/Service/hairpin-proxy ===
Error from server (NotFound): services "hairpin-proxy" not found

=== Deleting: hairpin-proxy/ServiceAccount/hairpin-proxy-controller-sa ===
Error from server (NotFound): serviceaccounts "hairpin-proxy-controller-sa" not found
