use patched versions of kourier + cert-manager

Author: ReToCode

third_party/cert-manager-latest/net-certmanager.yaml

@@ -19,7 +19,7 @@ metadata:
   name: knative-serving-certmanager
   labels:
     app.kubernetes.io/component: net-certmanager
-    app.kubernetes.io/version: "20231107-c09b46ca"
+    app.kubernetes.io/version: "20231110-57baadad"
     app.kubernetes.io/name: knative-serving
     serving.knative.dev/controller: "true"
     networking.knative.dev/certificate-provider: cert-manager
@@ -52,7 +52,7 @@ metadata:
   name: config.webhook.net-certmanager.networking.internal.knative.dev
   labels:
     app.kubernetes.io/component: net-certmanager
-    app.kubernetes.io/version: "20231107-c09b46ca"
+    app.kubernetes.io/version: "20231110-57baadad"
     app.kubernetes.io/name: knative-serving
     networking.knative.dev/certificate-provider: cert-manager
 webhooks:
@@ -93,7 +93,7 @@ metadata:
   namespace: knative-serving
   labels:
     app.kubernetes.io/component: net-certmanager
-    app.kubernetes.io/version: "20231107-c09b46ca"
+    app.kubernetes.io/version: "20231110-57baadad"
     app.kubernetes.io/name: knative-serving
     networking.knative.dev/certificate-provider: cert-manager
 
@@ -119,7 +119,7 @@ metadata:
   namespace: knative-serving
   labels:
     app.kubernetes.io/component: net-certmanager
-    app.kubernetes.io/version: "20231107-c09b46ca"
+    app.kubernetes.io/version: "20231110-57baadad"
     app.kubernetes.io/name: knative-serving
     networking.knative.dev/certificate-provider: cert-manager
 data:
@@ -138,23 +138,32 @@ data:
     # These sample configuration options may be copied out of
     # this block and unindented to actually change the configuration.
 
-    # issuerRef is a reference to the issuer for cluster external certificates used for ingress.
+    # issuerRef is a reference to the issuer for external-domain certificates used for ingress.
     # IssuerRef should be either `ClusterIssuer` or `Issuer`.
     # Please refer `IssuerRef` in https://github.com/cert-manager/cert-manager/tree/master/pkg/apis/certmanager/v1/types_certificate.go
     # for more details about IssuerRef configuration.
-    # If the issuerRef is not specified, the self-signed `knative-internal-encryption-ca` ClusterIssuer is used.
+    # If the issuerRef is not specified, the self-signed `knative-selfsigned-issuer` ClusterIssuer is used.
     issuerRef: |
       kind: ClusterIssuer
       name: letsencrypt-issuer
 
-    # clusterInternalIssuerRef is a reference to the issuer for cluster internal certificates used for ingress.
-    # ClusterInternalIssuerRef should be either `ClusterIssuer` or `Issuer`.
+    # clusterLocalIssuerRef is a reference to the issuer for cluster-local-domain certificates used for ingress.
+    # clusterLocalIssuerRef should be either `ClusterIssuer` or `Issuer`.
     # Please refer `IssuerRef` in https://github.com/cert-manager/cert-manager/tree/master/pkg/apis/certmanager/v1/types_certificate.go
     # for more details about ClusterInternalIssuerRef configuration.
-    # If the clusterInternalIssuerRef is not specified, the self-signed `knative-internal-encryption-ca` ClusterIssuer is used.
-    clusterInternalIssuerRef: |
+    # If the clusterLocalIssuerRef is not specified, the self-signed `knative-selfsigned-issuer` ClusterIssuer is used.
+    clusterLocalIssuerRef: |
       kind: ClusterIssuer
-      name: knative-internal-encryption-issuer
+      name: your-company-issuer
+
+    # systemInternalIssuerRef is a reference to the issuer for certificates for system-internal-tls certificates used by Knative internal components.
+    # systemInternalIssuerRef should be either `ClusterIssuer` or `Issuer`.
+    # Please refer `IssuerRef` in https://github.com/cert-manager/cert-manager/tree/master/pkg/apis/certmanager/v1/types_certificate.go
+    # for more details about ClusterInternalIssuerRef configuration.
+    # If the systemInternalIssuerRef is not specified, the self-signed `knative-selfsigned-issuer` ClusterIssuer is used.
+    systemInternalIssuerRef: |
+      kind: ClusterIssuer
+      name: knative-selfsigned-issuer
 
 ---
 # Copyright 2020 The Knative Authors
@@ -178,7 +187,7 @@ metadata:
   namespace: knative-serving
   labels:
     app.kubernetes.io/component: net-certmanager
-    app.kubernetes.io/version: "20231107-c09b46ca"
+    app.kubernetes.io/version: "20231110-57baadad"
     app.kubernetes.io/name: knative-serving
     networking.knative.dev/certificate-provider: cert-manager
 spec:
@@ -190,15 +199,15 @@ spec:
       labels:
         app: net-certmanager-controller
         app.kubernetes.io/component: net-certmanager
-        app.kubernetes.io/version: "20231107-c09b46ca"
+        app.kubernetes.io/version: "20231110-57baadad"
         app.kubernetes.io/name: knative-serving
     spec:
       serviceAccountName: controller
       containers:
         - name: controller
           # This is the Go import path for the binary that is containerized
           # and substituted here.
-          image: gcr.io/knative-nightly/knative.dev/net-certmanager/cmd/controller@sha256:b158663e24103e6b049557e3a666e6ebd8c42bf93a8224926fe21eabacb4520d
+          image: quay.io/rlehmann/net-certmanager-controller:latest
           resources:
             requests:
               cpu: 30m
@@ -239,7 +248,7 @@ metadata:
   labels:
     app: net-certmanager-controller
     app.kubernetes.io/component: net-certmanager
-    app.kubernetes.io/version: "20231107-c09b46ca"
+    app.kubernetes.io/version: "20231110-57baadad"
     app.kubernetes.io/name: knative-serving
     networking.knative.dev/certificate-provider: cert-manager
   name: net-certmanager-controller
@@ -277,7 +286,7 @@ metadata:
   name: selfsigned-cluster-issuer
   labels:
     app.kubernetes.io/component: net-certmanager
-    app.kubernetes.io/version: "20231107-c09b46ca"
+    app.kubernetes.io/version: "20231110-57baadad"
     app.kubernetes.io/name: knative-serving
     networking.knative.dev/certificate-provider: cert-manager
 spec:
@@ -286,28 +295,28 @@ spec:
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
-  name: knative-internal-encryption-issuer
+  name: knative-selfsigned-issuer
   labels:
     app.kubernetes.io/component: net-certmanager
-    app.kubernetes.io/version: "20231107-c09b46ca"
+    app.kubernetes.io/version: "20231110-57baadad"
     app.kubernetes.io/name: knative-serving
     networking.knative.dev/certificate-provider: cert-manager
 spec:
   ca:
-    secretName: knative-internal-encryption-ca
+    secretName: knative-selfsigned-ca
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: knative-internal-encryption-ca
+  name: knative-selfsigned-ca
   namespace: cert-manager #  If you want to use it as a ClusterIssuer the secret must be in the cert-manager namespace.
   labels:
     app.kubernetes.io/component: net-certmanager
-    app.kubernetes.io/version: "20231107-c09b46ca"
+    app.kubernetes.io/version: "20231110-57baadad"
     app.kubernetes.io/name: knative-serving
     networking.knative.dev/certificate-provider: cert-manager
 spec:
-  secretName: knative-internal-encryption-ca
+  secretName: knative-selfsigned-ca
   commonName: knative.dev
   usages:
     - server auth
@@ -338,7 +347,7 @@ metadata:
   namespace: knative-serving
   labels:
     app.kubernetes.io/component: net-certmanager
-    app.kubernetes.io/version: "20231107-c09b46ca"
+    app.kubernetes.io/version: "20231110-57baadad"
     app.kubernetes.io/name: knative-serving
     networking.knative.dev/certificate-provider: cert-manager
 spec:
@@ -351,7 +360,7 @@ spec:
       labels:
         app: net-certmanager-webhook
         app.kubernetes.io/component: net-certmanager
-        app.kubernetes.io/version: "20231107-c09b46ca"
+        app.kubernetes.io/version: "20231110-57baadad"
         app.kubernetes.io/name: knative-serving
         role: net-certmanager-webhook
     spec:
@@ -360,7 +369,7 @@ spec:
         - name: webhook
           # This is the Go import path for the binary that is containerized
           # and substituted here.
-          image: gcr.io/knative-nightly/knative.dev/net-certmanager/cmd/webhook@sha256:5d890bbbabbe36c09f1c5c026fd3f4e12e0f4a5773d816bb434dbf9a518334c4
+          image: quay.io/rlehmann/net-certmanager-webhook:latest
           resources:
             requests:
               cpu: 20m
@@ -426,7 +435,7 @@ metadata:
   labels:
     role: net-certmanager-webhook
     app.kubernetes.io/component: net-certmanager
-    app.kubernetes.io/version: "20231107-c09b46ca"
+    app.kubernetes.io/version: "20231110-57baadad"
     app.kubernetes.io/name: knative-serving
     networking.knative.dev/certificate-provider: cert-manager
 spec:

third_party/kourier-latest/kourier.yaml

@@ -20,7 +20,7 @@ metadata:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/name: knative-serving
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20231102-1930e146"
+    app.kubernetes.io/version: "20231110-1c93d51b"
 
 ---
 # Copyright 2020 The Knative Authors
@@ -45,7 +45,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20231102-1930e146"
+    app.kubernetes.io/version: "20231110-1c93d51b"
     app.kubernetes.io/name: knative-serving
 data:
   envoy-bootstrap.yaml: |
@@ -55,7 +55,7 @@ data:
         api_type: GRPC
         rate_limit_settings: {}
         grpc_services:
-        - envoy_grpc: {cluster_name: xds_cluster}
+          - envoy_grpc: {cluster_name: xds_cluster}
       cds_config:
         resource_api_version: V3
         ads: {}
@@ -133,9 +133,9 @@ data:
           type: STRICT_DNS
     admin:
       access_log:
-      - name: envoy.access_loggers.stdout
-        typed_config:
-          "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
+        - name: envoy.access_loggers.stdout
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
       address:
         pipe:
           path: /tmp/envoy.admin
@@ -168,7 +168,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20231102-1930e146"
+    app.kubernetes.io/version: "20231110-1c93d51b"
     app.kubernetes.io/name: knative-serving
 data:
   _example: |
@@ -248,7 +248,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20231102-1930e146"
+    app.kubernetes.io/version: "20231110-1c93d51b"
     app.kubernetes.io/name: knative-serving
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -258,7 +258,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20231102-1930e146"
+    app.kubernetes.io/version: "20231110-1c93d51b"
     app.kubernetes.io/name: knative-serving
 rules:
   - apiGroups: [""]
@@ -287,7 +287,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20231102-1930e146"
+    app.kubernetes.io/version: "20231110-1c93d51b"
     app.kubernetes.io/name: knative-serving
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -321,7 +321,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20231102-1930e146"
+    app.kubernetes.io/version: "20231110-1c93d51b"
     app.kubernetes.io/name: knative-serving
 spec:
   strategy:
@@ -343,7 +343,7 @@ spec:
         app: net-kourier-controller
     spec:
       containers:
-        - image: gcr.io/knative-nightly/knative.dev/net-kourier/cmd/kourier@sha256:f79c3befc15db6e0ab1890a9488fabe6e31e1158e762922ffa56ecb72d6771fe
+        - image: quay.io/rlehmann/kourier-controller/main.go:latest
           name: controller
           env:
             - name: CERTS_SECRET_NAMESPACE
@@ -395,7 +395,7 @@ spec:
               cpu: 200m
               memory: 200Mi
             limits:
-              cpu: 500m
+              cpu: "1"
               memory: 500Mi
       restartPolicy: Always
       serviceAccountName: net-kourier
@@ -408,7 +408,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20231102-1930e146"
+    app.kubernetes.io/version: "20231110-1c93d51b"
     app.kubernetes.io/name: knative-serving
 spec:
   ports:
@@ -443,7 +443,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20231102-1930e146"
+    app.kubernetes.io/version: "20231110-1c93d51b"
     app.kubernetes.io/name: knative-serving
 spec:
   strategy:
@@ -552,7 +552,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20231102-1930e146"
+    app.kubernetes.io/version: "20231110-1c93d51b"
     app.kubernetes.io/name: knative-serving
 spec:
   ports:
@@ -576,7 +576,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20231102-1930e146"
+    app.kubernetes.io/version: "20231110-1c93d51b"
     app.kubernetes.io/name: knative-serving
 spec:
   ports:
@@ -600,7 +600,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20231102-1930e146"
+    app.kubernetes.io/version: "20231110-1c93d51b"
     app.kubernetes.io/name: knative-serving
 spec:
   minReplicas: 1
@@ -626,7 +626,7 @@ metadata:
   labels:
     networking.knative.dev/ingress-provider: kourier
     app.kubernetes.io/component: net-kourier
-    app.kubernetes.io/version: "20231102-1930e146"
+    app.kubernetes.io/version: "20231110-1c93d51b"
     app.kubernetes.io/name: knative-serving
 spec:
   minAvailable: 80%