cert-manager: upgrade to 1.5.4 (#8069)

* cert-manager: update to 1.5.4

* cert-manager: remove outdated guidelines on creating an initial ClusterIssuer

README.md

@@ -150,7 +150,7 @@ Note: Upstart/SysV init based OS types are not supported.
   - [ambassador](https://github.com/datawire/ambassador): v1.5
   - [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11
   - [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11
-  - [cert-manager](https://github.com/jetstack/cert-manager) v1.0.4
+  - [cert-manager](https://github.com/jetstack/cert-manager) v1.5.4
   - [coredns](https://github.com/coredns/coredns) v1.8.0
   - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.0.0
 

docs/cert_manager.md

@@ -11,29 +11,13 @@
 
 Cert-Manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed. It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.
 
-The Kubespray out-of-the-box cert-manager deployment uses a TLS Root CA certificate and key stored as the Kubernetes `ca-key-pair` secret consisting of `tls.crt` and `tls.key`, which are the base64 encode values of the TLS Root CA certificate and key respectively.
-
-Integration with other PKI/Certificate management solutions, such as HashiCorp Vault will require some further development changes to the current cert-manager deployment and may be introduced in the future.
-
 ## Kubernetes TLS Root CA Certificate/Key Secret
 
 If you're planning to secure your ingress resources using TLS client certificates, you'll need to create and deploy the Kubernetes `ca-key-pair` secret consisting of the Root CA certificate and key to your K8s cluster.
 
-If these are already available, simply update `templates\secret-cert-manager.yml.j2` with the base64 encoded values of your TLS Root CA certificate and key prior to enabling and deploying cert-manager.
-
-e.g.
-
-```shell
-$ cat ca.pem | base64 -w 0
-LS0tLS1CRUdJTiBDRVJU...
-
-$ cat ca-key.pem | base64 -w 0
-LS0tLS1CRUdJTiBSU0Eg...
-```
-
 For further information, read the official [Cert-Manager CA Configuration](https://cert-manager.io/docs/configuration/ca/) doc.
 
-Once the base64 encoded values have been added to `templates\secret-cert-manager.yml.j2`, cert-manager can now be enabled by editing your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s_cluster\addons.yml` and setting `cert_manager_enabled` to true.
+`cert-manager` can now be enabled by editing your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s_cluster\addons.yml` and setting `cert_manager_enabled` to true.
 
 ```ini
 # Cert manager deployment

roles/download/defaults/main.yml

@@ -558,7 +558,7 @@ ingress_ambassador_image_repo: "{{ quay_image_repo }}/datawire/ambassador-operat
 ingress_ambassador_image_tag: "v1.2.9"
 alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
 alb_ingress_image_tag: "v1.1.9"
-cert_manager_version: "v1.0.4"
+cert_manager_version: "v1.5.4"
 cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
 cert_manager_controller_image_tag: "{{ cert_manager_version }}"
 cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"

roles/kubernetes-apps/ingress_controller/cert_manager/tasks/main.yml

@@ -31,20 +31,8 @@
 - name: Cert Manager | Templates list
   set_fact:
     cert_manager_templates:
-      - { name: 00-namespace, file: 00-namespace.yml, type: ns }
-      - { name: sa-cert-manager, file: sa-cert-manager.yml, type: sa }
-      - { name: crd-certificate, file: crd-certificate.yml, type: crd }
-      - { name: crd-challenge, file: crd-challenge.yml, type: crd }
-      - { name: crd-clusterissuer, file: crd-clusterissuer.yml, type: crd }
-      - { name: crd-issuer, file: crd-issuer.yml, type: crd }
-      - { name: crd-order, file: crd-order.yml, type: crd }
-      - { name: clusterrole-cert-manager, file: clusterrole-cert-manager.yml, type: clusterrole }
-      - { name: clusterrolebinding-cert-manager, file: clusterrolebinding-cert-manager.yml, type: clusterrolebinding }
-      - { name: role-cert-manager, file: role-cert-manager.yml, type: role }
-      - { name: rolebinding-cert-manager, file: rolebinding-cert-manager.yml, type: rolebinding }
-      - { name: deploy-cert-manager, file: deploy-cert-manager.yml, type: deploy }
-      - { name: svc-cert-manager, file: svc-cert-manager.yml, type: svc }
-      - { name: webhook-cert-manager, file: webhook-cert-manager.yml, type: webhook }
+      - { name: cert-manager, file: cert-manager.yml, type: all }
+      - { name: cert-manager.crds, file: cert-manager.crds.yml, type: crd }
 
 - name: Cert Manager | Create manifests
   template: