From c5bf2c938caadcda2b7ea381d49ae1021ae2492a Mon Sep 17 00:00:00 2001 From: Joakim Ahrlin Date: Mon, 17 Jan 2022 14:13:55 +0100 Subject: [PATCH 1/9] add CLI index Signed-off-by: Joakim Ahrlin --- content/en/docs/cli/_index.md | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 content/en/docs/cli/_index.md diff --git a/content/en/docs/cli/_index.md b/content/en/docs/cli/_index.md new file mode 100644 index 00000000000..09de1f0826f --- /dev/null +++ b/content/en/docs/cli/_index.md @@ -0,0 +1,6 @@ +--- +title: "CLI reference" +linkTitle: "CLI reference" +weight: 500 +type: "docs" +--- From dbc0af8a383682eea5bd80082680a9aeed8b1fe0 Mon Sep 17 00:00:00 2001 From: Joakim Ahrlin Date: Mon, 17 Jan 2022 14:14:18 +0100 Subject: [PATCH 2/9] add genclireference to generate script Signed-off-by: Joakim Ahrlin --- scripts/gendocs/generate | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/scripts/gendocs/generate b/scripts/gendocs/generate index d48a566fbf6..9528910181f 100755 --- a/scripts/gendocs/generate +++ b/scripts/gendocs/generate @@ -59,6 +59,12 @@ cd "$gitdir" genversion() { checkout "$1" gendocs "$2" + + genclireference "$2" "cmd/acmesolver/main.go" "acmesolver" + genclireference "$2" "cmd/cainjector/main.go" "cainjector" + genclireference "$2" "cmd/ctl/main.go" "cmctl" + genclireference "$2" "cmd/controller/main.go" "controller" + genclireference "$2" "cmd/webhook/main.go" "webhook" } checkout() { @@ -83,6 +89,39 @@ gendocs() { rm -rf vendor/ popd } + +genclireference() { + if ! test -f "$2"; then + return + fi + + outputdir="$1" + target="$2" + name="$3" + echo "+++ Generating CLI reference docs for $target ..." + + mkdir -p "${REPO_ROOT}/content/en/${outputdir}/cli/" + + output=$(go run "$target" --help) + cat >> "${REPO_ROOT}/content/en/${outputdir}/cli/$name.md" << EOF +--- +title: $name CLI reference +linkTitle: $name +weight: 960 +type: "docs" +--- +\`\`\` +$output +\`\`\` +EOF +} + +genclireference "docs" "cmd/acmesolver/main.go" "acmesolver" +genclireference "docs" "cmd/cainjector/main.go" "cainjector" +genclireference "docs" "cmd/ctl/main.go" "cmctl" +genclireference "docs" "cmd/controller/main.go" "controller" +genclireference "docs" "cmd/webhook/main.go" "webhook" + # The branches named here exist in the `jetstack/cert-manager` repo. genversion "release-1.7" "next-docs" From 0181fafc5eee26784a89f0284be363b56ebd3e5a Mon Sep 17 00:00:00 2001 From: Joakim Ahrlin Date: Thu, 20 Jan 2022 16:37:10 +0100 Subject: [PATCH 3/9] update gitignore for docs Signed-off-by: Joakim Ahrlin --- content/en/.gitignore | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/en/.gitignore b/content/en/.gitignore index 0468a40609a..cc1136c8877 100644 --- a/content/en/.gitignore +++ b/content/en/.gitignore @@ -1,2 +1,4 @@ /v*.*-docs/ -/next-docs/ \ No newline at end of file +/next-docs/ +docs/cli/* +!docs/cli/_index.md From 42071931915a00a6eda298c00f8ff8551452c19e Mon Sep 17 00:00:00 2001 From: Joakim Ahrlin Date: Thu, 20 Jan 2022 16:37:52 +0100 Subject: [PATCH 4/9] cover more corner cases when generating CLI reference docs Signed-off-by: Joakim Ahrlin --- scripts/gendocs/generate | 46 ++++++++++++++++++++++++++++------------ 1 file changed, 33 insertions(+), 13 deletions(-) diff --git a/scripts/gendocs/generate b/scripts/gendocs/generate index 9528910181f..b49b6cfff7d 100755 --- a/scripts/gendocs/generate +++ b/scripts/gendocs/generate @@ -60,11 +60,16 @@ genversion() { checkout "$1" gendocs "$2" - genclireference "$2" "cmd/acmesolver/main.go" "acmesolver" - genclireference "$2" "cmd/cainjector/main.go" "cainjector" - genclireference "$2" "cmd/ctl/main.go" "cmctl" - genclireference "$2" "cmd/controller/main.go" "controller" - genclireference "$2" "cmd/webhook/main.go" "webhook" + genclireference "$2" "cmd/acmesolver" "acmesolver" + genclireference "$2" "cmd/cainjector" "cainjector" + genclireference "$2" "cmd/ctl" "cmctl" + genclireference "$2" "cmd/controller" "controller" + genclireference "$2" "cmd/webhook" "webhook" + + # if any of the above steps succeeded copy over the index file + if [ -d "$REPO_ROOT/content/en/$2/cli" ]; then + cp "$REPO_ROOT/content/en/docs/cli/_index.md" "${REPO_ROOT}/content/en/$2/cli/" + fi } checkout() { @@ -90,8 +95,23 @@ gendocs() { popd } +# genclireference will attempt to run main.go --help for the target and write the output to a markdown file genclireference() { - if ! test -f "$2"; then + if [ ! -f "$2/main.go" ]; then + echo "+++ target $2 does not exist, skipping..." + return + fi + + # hacky way to figure out if the target has the correct structure + # differs between older version but this catches the corner cases + if [[ ! -d "$2/app" ]] && [ ! -d "$2/cmd" ]; then + echo "+++ app directory for $2 does not exist, skipping..." + return + fi + + # combined with the check above we can handle all versions + # for example release-0.15 webhook has the correct directory structure but does not use cobra + if ! grep -q "@com_github_spf13_cobra//:go_default_library" "$2/app/BUILD.bazel" && ! grep -q "@com_github_spf13_cobra//:go_default_library" "$2/cmd/BUILD.bazel"; then return fi @@ -102,8 +122,8 @@ genclireference() { mkdir -p "${REPO_ROOT}/content/en/${outputdir}/cli/" - output=$(go run "$target" --help) - cat >> "${REPO_ROOT}/content/en/${outputdir}/cli/$name.md" << EOF + output=$(go run "$target/main.go" --help) + cat > "${REPO_ROOT}/content/en/${outputdir}/cli/$name.md" << EOF --- title: $name CLI reference linkTitle: $name @@ -116,11 +136,11 @@ $output EOF } -genclireference "docs" "cmd/acmesolver/main.go" "acmesolver" -genclireference "docs" "cmd/cainjector/main.go" "cainjector" -genclireference "docs" "cmd/ctl/main.go" "cmctl" -genclireference "docs" "cmd/controller/main.go" "controller" -genclireference "docs" "cmd/webhook/main.go" "webhook" +genclireference "docs" "cmd/acmesolver" "acmesolver" +genclireference "docs" "cmd/cainjector" "cainjector" +genclireference "docs" "cmd/ctl" "cmctl" +genclireference "docs" "cmd/controller" "controller" +genclireference "docs" "cmd/webhook" "webhook" # The branches named here exist in the `jetstack/cert-manager` repo. From aea8c2392bcbff014b1fcc61ac001150491fe499 Mon Sep 17 00:00:00 2001 From: Joakim Ahrlin Date: Fri, 21 Jan 2022 09:01:12 +0100 Subject: [PATCH 5/9] upgrade to go v1.17.6 Signed-off-by: Joakim Ahrlin --- .go-version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.go-version b/.go-version index de646d2fc11..622f042fdce 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.16.6 +1.17.6 From e2d5f064bf175f362ab8893f24d95fb52e219ffb Mon Sep 17 00:00:00 2001 From: Joakim Ahrlin Date: Mon, 24 Jan 2022 13:59:55 +0100 Subject: [PATCH 6/9] make generating CLI reference optional Signed-off-by: Joakim Ahrlin --- scripts/gendocs/generate | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/scripts/gendocs/generate b/scripts/gendocs/generate index b49b6cfff7d..f83cac50a75 100755 --- a/scripts/gendocs/generate +++ b/scripts/gendocs/generate @@ -53,6 +53,10 @@ echo "+++ Cloning cert-manager repository..." git clone "https://github.com/jetstack/cert-manager.git" "$gitdir" cd "$gitdir" +# set arg1 to 1 to generate CLI reference for older versions +# current and next will always be generated +gencliversions="${1:-0}" + # genversion takes two arguments (branch in cert-manager repo and a directory in # this repo under content/en) and generates API reference docs from cert-manager # branch for the path in this repo. @@ -60,15 +64,17 @@ genversion() { checkout "$1" gendocs "$2" - genclireference "$2" "cmd/acmesolver" "acmesolver" - genclireference "$2" "cmd/cainjector" "cainjector" - genclireference "$2" "cmd/ctl" "cmctl" - genclireference "$2" "cmd/controller" "controller" - genclireference "$2" "cmd/webhook" "webhook" - - # if any of the above steps succeeded copy over the index file - if [ -d "$REPO_ROOT/content/en/$2/cli" ]; then - cp "$REPO_ROOT/content/en/docs/cli/_index.md" "${REPO_ROOT}/content/en/$2/cli/" + if [ "$gencliversions" == 1 ]; then + genclireference "$2" "cmd/acmesolver" "acmesolver" + genclireference "$2" "cmd/cainjector" "cainjector" + genclireference "$2" "cmd/ctl" "cmctl" + genclireference "$2" "cmd/controller" "controller" + genclireference "$2" "cmd/webhook" "webhook" + + # if any of the above steps succeeded copy over the index file + if [ -d "$REPO_ROOT/content/en/$2/cli" ]; then + cp "$REPO_ROOT/content/en/docs/cli/_index.md" "${REPO_ROOT}/content/en/$2/cli/" + fi fi } From fc6c6145896e83021248a56c1a1697e13c1fbdb0 Mon Sep 17 00:00:00 2001 From: Joakim Ahrlin Date: Mon, 24 Jan 2022 14:04:37 +0100 Subject: [PATCH 7/9] add CLI reference for older versions to git update gitignore Signed-off-by: Joakim Ahrlin --- content/en/.gitignore | 3 +- content/en/v0.15-docs/cli/_index.md | 6 +++ content/en/v0.15-docs/cli/cainjector.md | 39 ++++++++++++++ content/en/v0.15-docs/cli/cmctl.md | 41 ++++++++++++++ content/en/v0.15-docs/cli/controller.md | 64 ++++++++++++++++++++++ content/en/v0.16-docs/cli/_index.md | 6 +++ content/en/v0.16-docs/cli/acmesolver.md | 19 +++++++ content/en/v0.16-docs/cli/cainjector.md | 39 ++++++++++++++ content/en/v0.16-docs/cli/cmctl.md | 43 +++++++++++++++ content/en/v0.16-docs/cli/controller.md | 64 ++++++++++++++++++++++ content/en/v0.16-docs/cli/webhook.md | 38 +++++++++++++ content/en/v1.0-docs/cli/_index.md | 6 +++ content/en/v1.0-docs/cli/acmesolver.md | 19 +++++++ content/en/v1.0-docs/cli/cainjector.md | 39 ++++++++++++++ content/en/v1.0-docs/cli/cmctl.md | 44 +++++++++++++++ content/en/v1.0-docs/cli/controller.md | 64 ++++++++++++++++++++++ content/en/v1.0-docs/cli/webhook.md | 38 +++++++++++++ content/en/v1.1-docs/cli/_index.md | 6 +++ content/en/v1.1-docs/cli/acmesolver.md | 19 +++++++ content/en/v1.1-docs/cli/cainjector.md | 39 ++++++++++++++ content/en/v1.1-docs/cli/cmctl.md | 44 +++++++++++++++ content/en/v1.1-docs/cli/controller.md | 67 +++++++++++++++++++++++ content/en/v1.1-docs/cli/webhook.md | 38 +++++++++++++ content/en/v1.2-docs/cli/_index.md | 6 +++ content/en/v1.2-docs/cli/acmesolver.md | 19 +++++++ content/en/v1.2-docs/cli/cainjector.md | 42 +++++++++++++++ content/en/v1.2-docs/cli/cmctl.md | 45 ++++++++++++++++ content/en/v1.2-docs/cli/controller.md | 67 +++++++++++++++++++++++ content/en/v1.2-docs/cli/webhook.md | 38 +++++++++++++ content/en/v1.3-docs/cli/_index.md | 6 +++ content/en/v1.3-docs/cli/acmesolver.md | 19 +++++++ content/en/v1.3-docs/cli/cainjector.md | 42 +++++++++++++++ content/en/v1.3-docs/cli/cmctl.md | 47 ++++++++++++++++ content/en/v1.3-docs/cli/controller.md | 68 +++++++++++++++++++++++ content/en/v1.3-docs/cli/webhook.md | 39 ++++++++++++++ content/en/v1.4-docs/cli/_index.md | 6 +++ content/en/v1.4-docs/cli/acmesolver.md | 19 +++++++ content/en/v1.4-docs/cli/cainjector.md | 42 +++++++++++++++ content/en/v1.4-docs/cli/cmctl.md | 47 ++++++++++++++++ content/en/v1.4-docs/cli/controller.md | 70 ++++++++++++++++++++++++ content/en/v1.4-docs/cli/webhook.md | 40 ++++++++++++++ content/en/v1.5-docs/cli/_index.md | 6 +++ content/en/v1.5-docs/cli/acmesolver.md | 19 +++++++ content/en/v1.5-docs/cli/cainjector.md | 42 +++++++++++++++ content/en/v1.5-docs/cli/cmctl.md | 50 +++++++++++++++++ content/en/v1.5-docs/cli/controller.md | 72 +++++++++++++++++++++++++ content/en/v1.5-docs/cli/webhook.md | 40 ++++++++++++++ 47 files changed, 1675 insertions(+), 1 deletion(-) create mode 100644 content/en/v0.15-docs/cli/_index.md create mode 100644 content/en/v0.15-docs/cli/cainjector.md create mode 100644 content/en/v0.15-docs/cli/cmctl.md create mode 100644 content/en/v0.15-docs/cli/controller.md create mode 100644 content/en/v0.16-docs/cli/_index.md create mode 100644 content/en/v0.16-docs/cli/acmesolver.md create mode 100644 content/en/v0.16-docs/cli/cainjector.md create mode 100644 content/en/v0.16-docs/cli/cmctl.md create mode 100644 content/en/v0.16-docs/cli/controller.md create mode 100644 content/en/v0.16-docs/cli/webhook.md create mode 100644 content/en/v1.0-docs/cli/_index.md create mode 100644 content/en/v1.0-docs/cli/acmesolver.md create mode 100644 content/en/v1.0-docs/cli/cainjector.md create mode 100644 content/en/v1.0-docs/cli/cmctl.md create mode 100644 content/en/v1.0-docs/cli/controller.md create mode 100644 content/en/v1.0-docs/cli/webhook.md create mode 100644 content/en/v1.1-docs/cli/_index.md create mode 100644 content/en/v1.1-docs/cli/acmesolver.md create mode 100644 content/en/v1.1-docs/cli/cainjector.md create mode 100644 content/en/v1.1-docs/cli/cmctl.md create mode 100644 content/en/v1.1-docs/cli/controller.md create mode 100644 content/en/v1.1-docs/cli/webhook.md create mode 100644 content/en/v1.2-docs/cli/_index.md create mode 100644 content/en/v1.2-docs/cli/acmesolver.md create mode 100644 content/en/v1.2-docs/cli/cainjector.md create mode 100644 content/en/v1.2-docs/cli/cmctl.md create mode 100644 content/en/v1.2-docs/cli/controller.md create mode 100644 content/en/v1.2-docs/cli/webhook.md create mode 100644 content/en/v1.3-docs/cli/_index.md create mode 100644 content/en/v1.3-docs/cli/acmesolver.md create mode 100644 content/en/v1.3-docs/cli/cainjector.md create mode 100644 content/en/v1.3-docs/cli/cmctl.md create mode 100644 content/en/v1.3-docs/cli/controller.md create mode 100644 content/en/v1.3-docs/cli/webhook.md create mode 100644 content/en/v1.4-docs/cli/_index.md create mode 100644 content/en/v1.4-docs/cli/acmesolver.md create mode 100644 content/en/v1.4-docs/cli/cainjector.md create mode 100644 content/en/v1.4-docs/cli/cmctl.md create mode 100644 content/en/v1.4-docs/cli/controller.md create mode 100644 content/en/v1.4-docs/cli/webhook.md create mode 100644 content/en/v1.5-docs/cli/_index.md create mode 100644 content/en/v1.5-docs/cli/acmesolver.md create mode 100644 content/en/v1.5-docs/cli/cainjector.md create mode 100644 content/en/v1.5-docs/cli/cmctl.md create mode 100644 content/en/v1.5-docs/cli/controller.md create mode 100644 content/en/v1.5-docs/cli/webhook.md diff --git a/content/en/.gitignore b/content/en/.gitignore index cc1136c8877..c68a6dce680 100644 --- a/content/en/.gitignore +++ b/content/en/.gitignore @@ -1,4 +1,5 @@ -/v*.*-docs/ +v*.*-docs/* +!v*.*-docs/cli /next-docs/ docs/cli/* !docs/cli/_index.md diff --git a/content/en/v0.15-docs/cli/_index.md b/content/en/v0.15-docs/cli/_index.md new file mode 100644 index 00000000000..09de1f0826f --- /dev/null +++ b/content/en/v0.15-docs/cli/_index.md @@ -0,0 +1,6 @@ +--- +title: "CLI reference" +linkTitle: "CLI reference" +weight: 500 +type: "docs" +--- diff --git a/content/en/v0.15-docs/cli/cainjector.md b/content/en/v0.15-docs/cli/cainjector.md new file mode 100644 index 00000000000..3b131d42f19 --- /dev/null +++ b/content/en/v0.15-docs/cli/cainjector.md @@ -0,0 +1,39 @@ +--- +title: cainjector CLI reference +linkTitle: cainjector +weight: 960 +type: "docs" +--- +``` + +cert-manager CA injector is a Kubernetes addon to automate the injection of CA data into +webhooks and APIServices from cert-manager certificates. + +It will ensure that annotated webhooks and API services always have the correct +CA data from the referenced certificates, which can then be used to serve API +servers and webhook servers. + +Usage: + ca-injector [flags] + +Flags: + --add_dir_header If true, adds the file directory to the header + --alsologtostderr log to standard error as well as files + -h, --help help for ca-injector + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --leader-elect If true, cainjector will perform leader election between instances to ensure no more than one instance of cainjector operates at a time (default true) + --leader-election-namespace string Namespace used to perform leader election (defaults to controller's namespace). Only used if leader election is enabled + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --master --kubeconfig (Deprecated: switch to --kubeconfig) The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster. + --namespace string If set, this limits the scope of cainjector to a single namespace. If set, cainjector will not update resources with certificates outside of the configured namespace. + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` diff --git a/content/en/v0.15-docs/cli/cmctl.md b/content/en/v0.15-docs/cli/cmctl.md new file mode 100644 index 00000000000..f0164c5cb6f --- /dev/null +++ b/content/en/v0.15-docs/cli/cmctl.md @@ -0,0 +1,41 @@ +--- +title: cmctl CLI reference +linkTitle: cmctl +weight: 960 +type: "docs" +--- +``` + +kubectl cert-manager is a CLI tool manage and configure cert-manager resources for Kubernetes + +Usage: + kubectl cert-manager [command] + +Available Commands: + convert Convert cert-manager config files between different API versions + help Help about any command + renew Mark a Certificate for manual renewal + version Print the kubectl cert-manager version + +Flags: + --as string Username to impersonate for the operation + --as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups. + --cache-dir string Default HTTP cache directory (default "/Users/joakim/.kube/http-cache") + --certificate-authority string Path to a cert file for the certificate authority + --client-certificate string Path to a client certificate file for TLS + --client-key string Path to a client key file for TLS + --cluster string The name of the kubeconfig cluster to use + --context string The name of the kubeconfig context to use + -h, --help help for cert-manager + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Path to the kubeconfig file to use for CLI requests. + --match-server-version Require server version to match client version + -n, --namespace string If present, the namespace scope for this CLI request + --request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0") + -s, --server string The address and port of the Kubernetes API server + --tls-server-name string Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used + --token string Bearer token for authentication to the API server + --user string The name of the kubeconfig user to use + +Use "kubectl cert-manager [command] --help" for more information about a command. +``` diff --git a/content/en/v0.15-docs/cli/controller.md b/content/en/v0.15-docs/cli/controller.md new file mode 100644 index 00000000000..29336820a10 --- /dev/null +++ b/content/en/v0.15-docs/cli/controller.md @@ -0,0 +1,64 @@ +--- +title: controller CLI reference +linkTitle: controller +weight: 960 +type: "docs" +--- +``` + +cert-manager is a Kubernetes addon to automate the management and issuance of +TLS certificates from various issuing sources. + +It will ensure certificates are valid and up to date periodically, and attempt +to renew certificates at an appropriate time before expiry. + +Usage: + cert-manager-controller [flags] + +Flags: + --acme-http01-solver-image string The docker image to use to solve ACME HTTP01 challenges. You most likely will not need to change this parameter unless you are testing a new feature or developing cert-manager. (default "quay.io/jetstack/cert-manager-acmesolver:canary") + --acme-http01-solver-resource-limits-cpu string Defines the resource limits CPU size when spawning new ACME HTTP01 challenge solver pods. (default "100m") + --acme-http01-solver-resource-limits-memory string Defines the resource limits Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi") + --acme-http01-solver-resource-request-cpu string Defines the resource request CPU size when spawning new ACME HTTP01 challenge solver pods. (default "10m") + --acme-http01-solver-resource-request-memory string Defines the resource request Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi") + --add_dir_header If true, adds the file directory to the header + --alsologtostderr log to standard error as well as files + --auto-certificate-annotations strings The annotation consumed by the ingress-shim controller to indicate a ingress is requesting a certificate (default [kubernetes.io/tls-acme]) + --cluster-issuer-ambient-credentials Whether a cluster-issuer may make use of ambient credentials for issuers. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the ClusterIssuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. (default true) + --cluster-resource-namespace string Namespace to store resources owned by cluster scoped resources such as ClusterIssuer in. This must be specified if ClusterIssuers are enabled. (default "kube-system") + --controllers strings The set of controllers to enable. (default [issuers,clusterissuers,certificates,ingress-shim,orders,challenges,certificaterequests-issuer-acme,certificaterequests-issuer-ca,certificaterequests-issuer-selfsigned,certificaterequests-issuer-vault,certificaterequests-issuer-venafi,certificates]) + --default-issuer-group string Group of the Issuer to use when the tls is requested but issuer group is not specified on the ingress resource. (default "cert-manager.io") + --default-issuer-kind string Kind of the Issuer to use when the tls is requested but issuer kind is not specified on the ingress resource. (default "Issuer") + --default-issuer-name string Name of the Issuer to use when the tls is requested but issuer name is not specified on the ingress resource. + --dns01-recursive-nameservers strings A list of comma separated dns server endpoints used for DNS01 check requests. This should be a list containing host and port, for example 8.8.8.8:53,8.8.4.4:53 + --dns01-recursive-nameservers-only When true, cert-manager will only ever query the configured DNS resolvers to perform the ACME DNS01 self check. This is useful in DNS constrained environments, where access to authoritative nameservers is restricted. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers. + --enable-certificate-owner-ref Whether to set the certificate resource as an owner of secret where the tls certificate is stored. When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted. + --feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: + AllAlpha=true|false (ALPHA - default=false) + AllBeta=true|false (BETA - default=false) + ExperimentalCertificateControllers=true|false (ALPHA - default=false) + ValidateCAA=true|false (ALPHA - default=false) + -h, --help help for cert-manager-controller + --issuer-ambient-credentials Whether an issuer may make use of ambient credentials. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the Issuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --leader-elect If true, cert-manager will perform leader election between instances to ensure no more than one instance of cert-manager operates at a time (default true) + --leader-election-lease-duration duration The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 1m0s) + --leader-election-namespace string Namespace used to perform leader election. Only used if leader election is enabled (default "kube-system") + --leader-election-renew-deadline duration The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 40s) + --leader-election-retry-period duration The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 15s) + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --master string Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted. + --max-concurrent-challenges int The maximum number of challenges that can be scheduled as 'processing' at once. (default 60) + --namespace string If set, this limits the scope of cert-manager to a single namespace and ClusterIssuers are disabled. If not specified, all namespaces will be watched + --renew-before-expiry-duration duration The default 'renew before expiry' time for Certificates. Once a certificate is within this duration until expiry, a new Certificate will be attempted to be issued. (default 720h0m0s) + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` diff --git a/content/en/v0.16-docs/cli/_index.md b/content/en/v0.16-docs/cli/_index.md new file mode 100644 index 00000000000..09de1f0826f --- /dev/null +++ b/content/en/v0.16-docs/cli/_index.md @@ -0,0 +1,6 @@ +--- +title: "CLI reference" +linkTitle: "CLI reference" +weight: 500 +type: "docs" +--- diff --git a/content/en/v0.16-docs/cli/acmesolver.md b/content/en/v0.16-docs/cli/acmesolver.md new file mode 100644 index 00000000000..473dc0aaa91 --- /dev/null +++ b/content/en/v0.16-docs/cli/acmesolver.md @@ -0,0 +1,19 @@ +--- +title: acmesolver CLI reference +linkTitle: acmesolver +weight: 960 +type: "docs" +--- +``` +HTTP server used to solve ACME challenges. + +Usage: + acmesolver [flags] + +Flags: + --domain string the domain name to verify + -h, --help help for acmesolver + --key string the challenge key to respond with + --listen-port int the port number to listen on for connections (default 8089) + --token string the challenge token to verify against +``` diff --git a/content/en/v0.16-docs/cli/cainjector.md b/content/en/v0.16-docs/cli/cainjector.md new file mode 100644 index 00000000000..3b131d42f19 --- /dev/null +++ b/content/en/v0.16-docs/cli/cainjector.md @@ -0,0 +1,39 @@ +--- +title: cainjector CLI reference +linkTitle: cainjector +weight: 960 +type: "docs" +--- +``` + +cert-manager CA injector is a Kubernetes addon to automate the injection of CA data into +webhooks and APIServices from cert-manager certificates. + +It will ensure that annotated webhooks and API services always have the correct +CA data from the referenced certificates, which can then be used to serve API +servers and webhook servers. + +Usage: + ca-injector [flags] + +Flags: + --add_dir_header If true, adds the file directory to the header + --alsologtostderr log to standard error as well as files + -h, --help help for ca-injector + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --leader-elect If true, cainjector will perform leader election between instances to ensure no more than one instance of cainjector operates at a time (default true) + --leader-election-namespace string Namespace used to perform leader election (defaults to controller's namespace). Only used if leader election is enabled + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --master --kubeconfig (Deprecated: switch to --kubeconfig) The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster. + --namespace string If set, this limits the scope of cainjector to a single namespace. If set, cainjector will not update resources with certificates outside of the configured namespace. + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` diff --git a/content/en/v0.16-docs/cli/cmctl.md b/content/en/v0.16-docs/cli/cmctl.md new file mode 100644 index 00000000000..63b276c1a62 --- /dev/null +++ b/content/en/v0.16-docs/cli/cmctl.md @@ -0,0 +1,43 @@ +--- +title: cmctl CLI reference +linkTitle: cmctl +weight: 960 +type: "docs" +--- +``` + +kubectl cert-manager is a CLI tool manage and configure cert-manager resources for Kubernetes + +Usage: + kubectl cert-manager [command] + +Available Commands: + convert Convert cert-manager config files between different API versions + create Create cert-manager resources + help Help about any command + renew Mark a Certificate for manual renewal + status Get details on current status of cert-manager resources + version Print the kubectl cert-manager version + +Flags: + --as string Username to impersonate for the operation + --as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups. + --cache-dir string Default HTTP cache directory (default "/Users/joakim/.kube/http-cache") + --certificate-authority string Path to a cert file for the certificate authority + --client-certificate string Path to a client certificate file for TLS + --client-key string Path to a client key file for TLS + --cluster string The name of the kubeconfig cluster to use + --context string The name of the kubeconfig context to use + -h, --help help for cert-manager + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Path to the kubeconfig file to use for CLI requests. + --match-server-version Require server version to match client version + -n, --namespace string If present, the namespace scope for this CLI request + --request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0") + -s, --server string The address and port of the Kubernetes API server + --tls-server-name string Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used + --token string Bearer token for authentication to the API server + --user string The name of the kubeconfig user to use + +Use "kubectl cert-manager [command] --help" for more information about a command. +``` diff --git a/content/en/v0.16-docs/cli/controller.md b/content/en/v0.16-docs/cli/controller.md new file mode 100644 index 00000000000..07ba5779985 --- /dev/null +++ b/content/en/v0.16-docs/cli/controller.md @@ -0,0 +1,64 @@ +--- +title: controller CLI reference +linkTitle: controller +weight: 960 +type: "docs" +--- +``` + +cert-manager is a Kubernetes addon to automate the management and issuance of +TLS certificates from various issuing sources. + +It will ensure certificates are valid and up to date periodically, and attempt +to renew certificates at an appropriate time before expiry. + +Usage: + cert-manager-controller [flags] + +Flags: + --acme-http01-solver-image string The docker image to use to solve ACME HTTP01 challenges. You most likely will not need to change this parameter unless you are testing a new feature or developing cert-manager. (default "quay.io/jetstack/cert-manager-acmesolver:canary") + --acme-http01-solver-resource-limits-cpu string Defines the resource limits CPU size when spawning new ACME HTTP01 challenge solver pods. (default "100m") + --acme-http01-solver-resource-limits-memory string Defines the resource limits Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi") + --acme-http01-solver-resource-request-cpu string Defines the resource request CPU size when spawning new ACME HTTP01 challenge solver pods. (default "10m") + --acme-http01-solver-resource-request-memory string Defines the resource request Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi") + --add_dir_header If true, adds the file directory to the header + --alsologtostderr log to standard error as well as files + --auto-certificate-annotations strings The annotation consumed by the ingress-shim controller to indicate a ingress is requesting a certificate (default [kubernetes.io/tls-acme]) + --cluster-issuer-ambient-credentials Whether a cluster-issuer may make use of ambient credentials for issuers. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the ClusterIssuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. (default true) + --cluster-resource-namespace string Namespace to store resources owned by cluster scoped resources such as ClusterIssuer in. This must be specified if ClusterIssuers are enabled. (default "kube-system") + --controllers strings The set of controllers to enable. (default [issuers,clusterissuers,CertificateMetrics,ingress-shim,orders,challenges,certificaterequests-issuer-acme,certificaterequests-issuer-ca,certificaterequests-issuer-selfsigned,certificaterequests-issuer-vault,certificaterequests-issuer-venafi,CertificateTrigger,CertificateIssuing,CertificateKeyManager,CertificateRequestManager,CertificateReadiness]) + --default-issuer-group string Group of the Issuer to use when the tls is requested but issuer group is not specified on the ingress resource. (default "cert-manager.io") + --default-issuer-kind string Kind of the Issuer to use when the tls is requested but issuer kind is not specified on the ingress resource. (default "Issuer") + --default-issuer-name string Name of the Issuer to use when the tls is requested but issuer name is not specified on the ingress resource. + --dns01-recursive-nameservers strings A list of comma separated dns server endpoints used for DNS01 check requests. This should be a list containing host and port, for example 8.8.8.8:53,8.8.4.4:53 + --dns01-recursive-nameservers-only When true, cert-manager will only ever query the configured DNS resolvers to perform the ACME DNS01 self check. This is useful in DNS constrained environments, where access to authoritative nameservers is restricted. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers. + --enable-certificate-owner-ref Whether to set the certificate resource as an owner of secret where the tls certificate is stored. When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted. + --feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: + AllAlpha=true|false (ALPHA - default=false) + AllBeta=true|false (BETA - default=false) + ValidateCAA=true|false (ALPHA - default=false) + -h, --help help for cert-manager-controller + --issuer-ambient-credentials Whether an issuer may make use of ambient credentials. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the Issuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --leader-elect If true, cert-manager will perform leader election between instances to ensure no more than one instance of cert-manager operates at a time (default true) + --leader-election-lease-duration duration The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 1m0s) + --leader-election-namespace string Namespace used to perform leader election. Only used if leader election is enabled (default "kube-system") + --leader-election-renew-deadline duration The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 40s) + --leader-election-retry-period duration The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 15s) + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --master string Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted. + --max-concurrent-challenges int The maximum number of challenges that can be scheduled as 'processing' at once. (default 60) + --metrics-listen-address string The host and port that the metrics endpoint should listen on. (default "0.0.0.0:9402") + --namespace string If set, this limits the scope of cert-manager to a single namespace and ClusterIssuers are disabled. If not specified, all namespaces will be watched + --renew-before-expiry-duration duration The default 'renew before expiry' time for Certificates. Once a certificate is within this duration until expiry, a new Certificate will be attempted to be issued. (default 720h0m0s) + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` diff --git a/content/en/v0.16-docs/cli/webhook.md b/content/en/v0.16-docs/cli/webhook.md new file mode 100644 index 00000000000..25e47157ae3 --- /dev/null +++ b/content/en/v0.16-docs/cli/webhook.md @@ -0,0 +1,38 @@ +--- +title: webhook CLI reference +linkTitle: webhook +weight: 960 +type: "docs" +--- +``` +Webhook component providing API validation, mutation and conversion functionality for cert-manager (canary) () + +Usage: + webhook [flags] + +Flags: + --add_dir_header If true, adds the file directory to the header + --alsologtostderr log to standard error as well as files + --dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates certificates + --dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs serving certificates + --dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the dynamic serving CA + --healthz-port int port number to listen on for insecure healthz connections (default 6080) + -h, --help help for webhook + --kubeconfig string optional path to the kubeconfig used to connect to the apiserver. If not specified, in-cluster-config will be used + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --secure-port int port number to listen on for secure TLS connections (default 6443) + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + --tls-cert-file string path to the file containing the TLS certificate to serve with + --tls-cipher-suites strings Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be use. Possible values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA + --tls-min-version string Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 + --tls-private-key-file string path to the file containing the TLS private key to serve with + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` diff --git a/content/en/v1.0-docs/cli/_index.md b/content/en/v1.0-docs/cli/_index.md new file mode 100644 index 00000000000..09de1f0826f --- /dev/null +++ b/content/en/v1.0-docs/cli/_index.md @@ -0,0 +1,6 @@ +--- +title: "CLI reference" +linkTitle: "CLI reference" +weight: 500 +type: "docs" +--- diff --git a/content/en/v1.0-docs/cli/acmesolver.md b/content/en/v1.0-docs/cli/acmesolver.md new file mode 100644 index 00000000000..473dc0aaa91 --- /dev/null +++ b/content/en/v1.0-docs/cli/acmesolver.md @@ -0,0 +1,19 @@ +--- +title: acmesolver CLI reference +linkTitle: acmesolver +weight: 960 +type: "docs" +--- +``` +HTTP server used to solve ACME challenges. + +Usage: + acmesolver [flags] + +Flags: + --domain string the domain name to verify + -h, --help help for acmesolver + --key string the challenge key to respond with + --listen-port int the port number to listen on for connections (default 8089) + --token string the challenge token to verify against +``` diff --git a/content/en/v1.0-docs/cli/cainjector.md b/content/en/v1.0-docs/cli/cainjector.md new file mode 100644 index 00000000000..94cc985f733 --- /dev/null +++ b/content/en/v1.0-docs/cli/cainjector.md @@ -0,0 +1,39 @@ +--- +title: cainjector CLI reference +linkTitle: cainjector +weight: 960 +type: "docs" +--- +``` + +cert-manager CA injector is a Kubernetes addon to automate the injection of CA data into +webhooks and APIServices from cert-manager certificates. + +It will ensure that annotated webhooks and API services always have the correct +CA data from the referenced certificates, which can then be used to serve API +servers and webhook servers. + +Usage: + ca-injector [flags] + +Flags: + --add_dir_header If true, adds the file directory to the header of the log messages + --alsologtostderr log to standard error as well as files + -h, --help help for ca-injector + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --leader-elect If true, cainjector will perform leader election between instances to ensure no more than one instance of cainjector operates at a time (default true) + --leader-election-namespace string Namespace used to perform leader election (defaults to controller's namespace). Only used if leader election is enabled + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --master --kubeconfig (Deprecated: switch to --kubeconfig) The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster. + --namespace string If set, this limits the scope of cainjector to a single namespace. If set, cainjector will not update resources with certificates outside of the configured namespace. + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` diff --git a/content/en/v1.0-docs/cli/cmctl.md b/content/en/v1.0-docs/cli/cmctl.md new file mode 100644 index 00000000000..22a9d2b1eac --- /dev/null +++ b/content/en/v1.0-docs/cli/cmctl.md @@ -0,0 +1,44 @@ +--- +title: cmctl CLI reference +linkTitle: cmctl +weight: 960 +type: "docs" +--- +``` + +kubectl cert-manager is a CLI tool manage and configure cert-manager resources for Kubernetes + +Usage: + kubectl cert-manager [command] + +Available Commands: + convert Convert cert-manager config files between different API versions + create Create cert-manager resources + help Help about any command + renew Mark a Certificate for manual renewal + status Get details on current status of cert-manager resources + version Print the kubectl cert-manager version + +Flags: + --as string Username to impersonate for the operation + --as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups. + --cache-dir string Default cache directory (default "/Users/joakim/.kube/cache") + --certificate-authority string Path to a cert file for the certificate authority + --client-certificate string Path to a client certificate file for TLS + --client-key string Path to a client key file for TLS + --cluster string The name of the kubeconfig cluster to use + --context string The name of the kubeconfig context to use + -h, --help help for cert-manager + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Path to the kubeconfig file to use for CLI requests. + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --match-server-version Require server version to match client version + -n, --namespace string If present, the namespace scope for this CLI request + --request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0") + -s, --server string The address and port of the Kubernetes API server + --tls-server-name string Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used + --token string Bearer token for authentication to the API server + --user string The name of the kubeconfig user to use + +Use "kubectl cert-manager [command] --help" for more information about a command. +``` diff --git a/content/en/v1.0-docs/cli/controller.md b/content/en/v1.0-docs/cli/controller.md new file mode 100644 index 00000000000..766d1fc1bfb --- /dev/null +++ b/content/en/v1.0-docs/cli/controller.md @@ -0,0 +1,64 @@ +--- +title: controller CLI reference +linkTitle: controller +weight: 960 +type: "docs" +--- +``` + +cert-manager is a Kubernetes addon to automate the management and issuance of +TLS certificates from various issuing sources. + +It will ensure certificates are valid and up to date periodically, and attempt +to renew certificates at an appropriate time before expiry. + +Usage: + cert-manager-controller [flags] + +Flags: + --acme-http01-solver-image string The docker image to use to solve ACME HTTP01 challenges. You most likely will not need to change this parameter unless you are testing a new feature or developing cert-manager. (default "quay.io/jetstack/cert-manager-acmesolver:canary") + --acme-http01-solver-resource-limits-cpu string Defines the resource limits CPU size when spawning new ACME HTTP01 challenge solver pods. (default "100m") + --acme-http01-solver-resource-limits-memory string Defines the resource limits Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi") + --acme-http01-solver-resource-request-cpu string Defines the resource request CPU size when spawning new ACME HTTP01 challenge solver pods. (default "10m") + --acme-http01-solver-resource-request-memory string Defines the resource request Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi") + --add_dir_header If true, adds the file directory to the header of the log messages + --alsologtostderr log to standard error as well as files + --auto-certificate-annotations strings The annotation consumed by the ingress-shim controller to indicate a ingress is requesting a certificate (default [kubernetes.io/tls-acme]) + --cluster-issuer-ambient-credentials Whether a cluster-issuer may make use of ambient credentials for issuers. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the ClusterIssuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. (default true) + --cluster-resource-namespace string Namespace to store resources owned by cluster scoped resources such as ClusterIssuer in. This must be specified if ClusterIssuers are enabled. (default "kube-system") + --controllers strings The set of controllers to enable. (default [issuers,clusterissuers,CertificateMetrics,ingress-shim,orders,challenges,certificaterequests-issuer-acme,certificaterequests-issuer-ca,certificaterequests-issuer-selfsigned,certificaterequests-issuer-vault,certificaterequests-issuer-venafi,CertificateTrigger,CertificateIssuing,CertificateKeyManager,CertificateRequestManager,CertificateReadiness]) + --default-issuer-group string Group of the Issuer to use when the tls is requested but issuer group is not specified on the ingress resource. (default "cert-manager.io") + --default-issuer-kind string Kind of the Issuer to use when the tls is requested but issuer kind is not specified on the ingress resource. (default "Issuer") + --default-issuer-name string Name of the Issuer to use when the tls is requested but issuer name is not specified on the ingress resource. + --dns01-recursive-nameservers strings A list of comma separated dns server endpoints used for DNS01 check requests. This should be a list containing host and port, for example 8.8.8.8:53,8.8.4.4:53 + --dns01-recursive-nameservers-only When true, cert-manager will only ever query the configured DNS resolvers to perform the ACME DNS01 self check. This is useful in DNS constrained environments, where access to authoritative nameservers is restricted. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers. + --enable-certificate-owner-ref Whether to set the certificate resource as an owner of secret where the tls certificate is stored. When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted. + --feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: + AllAlpha=true|false (ALPHA - default=false) + AllBeta=true|false (BETA - default=false) + ValidateCAA=true|false (ALPHA - default=false) + -h, --help help for cert-manager-controller + --issuer-ambient-credentials Whether an issuer may make use of ambient credentials. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the Issuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --leader-elect If true, cert-manager will perform leader election between instances to ensure no more than one instance of cert-manager operates at a time (default true) + --leader-election-lease-duration duration The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 1m0s) + --leader-election-namespace string Namespace used to perform leader election. Only used if leader election is enabled (default "kube-system") + --leader-election-renew-deadline duration The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 40s) + --leader-election-retry-period duration The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 15s) + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --master string Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted. + --max-concurrent-challenges int The maximum number of challenges that can be scheduled as 'processing' at once. (default 60) + --metrics-listen-address string The host and port that the metrics endpoint should listen on. (default "0.0.0.0:9402") + --namespace string If set, this limits the scope of cert-manager to a single namespace and ClusterIssuers are disabled. If not specified, all namespaces will be watched + --renew-before-expiry-duration duration The default 'renew before expiry' time for Certificates. Once a certificate is within this duration until expiry, a new Certificate will be attempted to be issued. (default 720h0m0s) + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` diff --git a/content/en/v1.0-docs/cli/webhook.md b/content/en/v1.0-docs/cli/webhook.md new file mode 100644 index 00000000000..38577a651a3 --- /dev/null +++ b/content/en/v1.0-docs/cli/webhook.md @@ -0,0 +1,38 @@ +--- +title: webhook CLI reference +linkTitle: webhook +weight: 960 +type: "docs" +--- +``` +Webhook component providing API validation, mutation and conversion functionality for cert-manager (canary) () + +Usage: + webhook [flags] + +Flags: + --add_dir_header If true, adds the file directory to the header of the log messages + --alsologtostderr log to standard error as well as files + --dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates certificates + --dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs serving certificates + --dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the dynamic serving CA + --healthz-port int port number to listen on for insecure healthz connections (default 6080) + -h, --help help for webhook + --kubeconfig string optional path to the kubeconfig used to connect to the apiserver. If not specified, in-cluster-config will be used + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --secure-port int port number to listen on for secure TLS connections (default 6443) + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + --tls-cert-file string path to the file containing the TLS certificate to serve with + --tls-cipher-suites strings Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be use. Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA + --tls-min-version string Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 + --tls-private-key-file string path to the file containing the TLS private key to serve with + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` diff --git a/content/en/v1.1-docs/cli/_index.md b/content/en/v1.1-docs/cli/_index.md new file mode 100644 index 00000000000..09de1f0826f --- /dev/null +++ b/content/en/v1.1-docs/cli/_index.md @@ -0,0 +1,6 @@ +--- +title: "CLI reference" +linkTitle: "CLI reference" +weight: 500 +type: "docs" +--- diff --git a/content/en/v1.1-docs/cli/acmesolver.md b/content/en/v1.1-docs/cli/acmesolver.md new file mode 100644 index 00000000000..473dc0aaa91 --- /dev/null +++ b/content/en/v1.1-docs/cli/acmesolver.md @@ -0,0 +1,19 @@ +--- +title: acmesolver CLI reference +linkTitle: acmesolver +weight: 960 +type: "docs" +--- +``` +HTTP server used to solve ACME challenges. + +Usage: + acmesolver [flags] + +Flags: + --domain string the domain name to verify + -h, --help help for acmesolver + --key string the challenge key to respond with + --listen-port int the port number to listen on for connections (default 8089) + --token string the challenge token to verify against +``` diff --git a/content/en/v1.1-docs/cli/cainjector.md b/content/en/v1.1-docs/cli/cainjector.md new file mode 100644 index 00000000000..94cc985f733 --- /dev/null +++ b/content/en/v1.1-docs/cli/cainjector.md @@ -0,0 +1,39 @@ +--- +title: cainjector CLI reference +linkTitle: cainjector +weight: 960 +type: "docs" +--- +``` + +cert-manager CA injector is a Kubernetes addon to automate the injection of CA data into +webhooks and APIServices from cert-manager certificates. + +It will ensure that annotated webhooks and API services always have the correct +CA data from the referenced certificates, which can then be used to serve API +servers and webhook servers. + +Usage: + ca-injector [flags] + +Flags: + --add_dir_header If true, adds the file directory to the header of the log messages + --alsologtostderr log to standard error as well as files + -h, --help help for ca-injector + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --leader-elect If true, cainjector will perform leader election between instances to ensure no more than one instance of cainjector operates at a time (default true) + --leader-election-namespace string Namespace used to perform leader election (defaults to controller's namespace). Only used if leader election is enabled + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --master --kubeconfig (Deprecated: switch to --kubeconfig) The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster. + --namespace string If set, this limits the scope of cainjector to a single namespace. If set, cainjector will not update resources with certificates outside of the configured namespace. + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` diff --git a/content/en/v1.1-docs/cli/cmctl.md b/content/en/v1.1-docs/cli/cmctl.md new file mode 100644 index 00000000000..22a9d2b1eac --- /dev/null +++ b/content/en/v1.1-docs/cli/cmctl.md @@ -0,0 +1,44 @@ +--- +title: cmctl CLI reference +linkTitle: cmctl +weight: 960 +type: "docs" +--- +``` + +kubectl cert-manager is a CLI tool manage and configure cert-manager resources for Kubernetes + +Usage: + kubectl cert-manager [command] + +Available Commands: + convert Convert cert-manager config files between different API versions + create Create cert-manager resources + help Help about any command + renew Mark a Certificate for manual renewal + status Get details on current status of cert-manager resources + version Print the kubectl cert-manager version + +Flags: + --as string Username to impersonate for the operation + --as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups. + --cache-dir string Default cache directory (default "/Users/joakim/.kube/cache") + --certificate-authority string Path to a cert file for the certificate authority + --client-certificate string Path to a client certificate file for TLS + --client-key string Path to a client key file for TLS + --cluster string The name of the kubeconfig cluster to use + --context string The name of the kubeconfig context to use + -h, --help help for cert-manager + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Path to the kubeconfig file to use for CLI requests. + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --match-server-version Require server version to match client version + -n, --namespace string If present, the namespace scope for this CLI request + --request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0") + -s, --server string The address and port of the Kubernetes API server + --tls-server-name string Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used + --token string Bearer token for authentication to the API server + --user string The name of the kubeconfig user to use + +Use "kubectl cert-manager [command] --help" for more information about a command. +``` diff --git a/content/en/v1.1-docs/cli/controller.md b/content/en/v1.1-docs/cli/controller.md new file mode 100644 index 00000000000..ceec2dbdb29 --- /dev/null +++ b/content/en/v1.1-docs/cli/controller.md @@ -0,0 +1,67 @@ +--- +title: controller CLI reference +linkTitle: controller +weight: 960 +type: "docs" +--- +``` + +cert-manager is a Kubernetes addon to automate the management and issuance of +TLS certificates from various issuing sources. + +It will ensure certificates are valid and up to date periodically, and attempt +to renew certificates at an appropriate time before expiry. + +Usage: + cert-manager-controller [flags] + +Flags: + --acme-http01-solver-image string The docker image to use to solve ACME HTTP01 challenges. You most likely will not need to change this parameter unless you are testing a new feature or developing cert-manager. (default "quay.io/jetstack/cert-manager-acmesolver:canary") + --acme-http01-solver-resource-limits-cpu string Defines the resource limits CPU size when spawning new ACME HTTP01 challenge solver pods. (default "100m") + --acme-http01-solver-resource-limits-memory string Defines the resource limits Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi") + --acme-http01-solver-resource-request-cpu string Defines the resource request CPU size when spawning new ACME HTTP01 challenge solver pods. (default "10m") + --acme-http01-solver-resource-request-memory string Defines the resource request Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi") + --add_dir_header If true, adds the file directory to the header of the log messages + --alsologtostderr log to standard error as well as files + --auto-certificate-annotations strings The annotation consumed by the ingress-shim controller to indicate a ingress is requesting a certificate (default [kubernetes.io/tls-acme]) + --cluster-issuer-ambient-credentials Whether a cluster-issuer may make use of ambient credentials for issuers. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the ClusterIssuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. (default true) + --cluster-resource-namespace string Namespace to store resources owned by cluster scoped resources such as ClusterIssuer in. This must be specified if ClusterIssuers are enabled. (default "kube-system") + --controllers strings The set of controllers to enable. (default [issuers,clusterissuers,CertificateMetrics,ingress-shim,orders,challenges,certificaterequests-issuer-acme,certificaterequests-issuer-ca,certificaterequests-issuer-selfsigned,certificaterequests-issuer-vault,certificaterequests-issuer-venafi,CertificateTrigger,CertificateIssuing,CertificateKeyManager,CertificateRequestManager,CertificateReadiness]) + --default-issuer-group string Group of the Issuer to use when the tls is requested but issuer group is not specified on the ingress resource. (default "cert-manager.io") + --default-issuer-kind string Kind of the Issuer to use when the tls is requested but issuer kind is not specified on the ingress resource. (default "Issuer") + --default-issuer-name string Name of the Issuer to use when the tls is requested but issuer name is not specified on the ingress resource. + --dns01-check-retry-period duration The duration the controller should wait between checking if a ACME dns entry exists.This should be a valid duration string, for example 180s or 1h (default 10s) + --dns01-recursive-nameservers strings A list of comma separated dns server endpoints used for DNS01 check requests. This should be a list containing host and port, for example 8.8.8.8:53,8.8.4.4:53 + --dns01-recursive-nameservers-only When true, cert-manager will only ever query the configured DNS resolvers to perform the ACME DNS01 self check. This is useful in DNS constrained environments, where access to authoritative nameservers is restricted. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers. + --enable-certificate-owner-ref Whether to set the certificate resource as an owner of secret where the tls certificate is stored. When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted. + --feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: + AllAlpha=true|false (ALPHA - default=false) + AllBeta=true|false (BETA - default=false) + ValidateCAA=true|false (ALPHA - default=false) + -h, --help help for cert-manager-controller + --issuer-ambient-credentials Whether an issuer may make use of ambient credentials. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the Issuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. + --kube-api-burst int the maximum burst queries-per-second of requests sent to the Kubernetes apiserver (default 50) + --kube-api-qps float32 indicates the maximum queries-per-second requests to the Kubernetes apiserver (default 20) + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --leader-elect If true, cert-manager will perform leader election between instances to ensure no more than one instance of cert-manager operates at a time (default true) + --leader-election-lease-duration duration The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 1m0s) + --leader-election-namespace string Namespace used to perform leader election. Only used if leader election is enabled (default "kube-system") + --leader-election-renew-deadline duration The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 40s) + --leader-election-retry-period duration The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 15s) + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --master string Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted. + --max-concurrent-challenges int The maximum number of challenges that can be scheduled as 'processing' at once. (default 60) + --metrics-listen-address string The host and port that the metrics endpoint should listen on. (default "0.0.0.0:9402") + --namespace string If set, this limits the scope of cert-manager to a single namespace and ClusterIssuers are disabled. If not specified, all namespaces will be watched + --renew-before-expiry-duration duration The default 'renew before expiry' time for Certificates. Once a certificate is within this duration until expiry, a new Certificate will be attempted to be issued. (default 720h0m0s) + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` diff --git a/content/en/v1.1-docs/cli/webhook.md b/content/en/v1.1-docs/cli/webhook.md new file mode 100644 index 00000000000..38577a651a3 --- /dev/null +++ b/content/en/v1.1-docs/cli/webhook.md @@ -0,0 +1,38 @@ +--- +title: webhook CLI reference +linkTitle: webhook +weight: 960 +type: "docs" +--- +``` +Webhook component providing API validation, mutation and conversion functionality for cert-manager (canary) () + +Usage: + webhook [flags] + +Flags: + --add_dir_header If true, adds the file directory to the header of the log messages + --alsologtostderr log to standard error as well as files + --dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates certificates + --dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs serving certificates + --dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the dynamic serving CA + --healthz-port int port number to listen on for insecure healthz connections (default 6080) + -h, --help help for webhook + --kubeconfig string optional path to the kubeconfig used to connect to the apiserver. If not specified, in-cluster-config will be used + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --secure-port int port number to listen on for secure TLS connections (default 6443) + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + --tls-cert-file string path to the file containing the TLS certificate to serve with + --tls-cipher-suites strings Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be use. Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA + --tls-min-version string Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 + --tls-private-key-file string path to the file containing the TLS private key to serve with + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` diff --git a/content/en/v1.2-docs/cli/_index.md b/content/en/v1.2-docs/cli/_index.md new file mode 100644 index 00000000000..09de1f0826f --- /dev/null +++ b/content/en/v1.2-docs/cli/_index.md @@ -0,0 +1,6 @@ +--- +title: "CLI reference" +linkTitle: "CLI reference" +weight: 500 +type: "docs" +--- diff --git a/content/en/v1.2-docs/cli/acmesolver.md b/content/en/v1.2-docs/cli/acmesolver.md new file mode 100644 index 00000000000..473dc0aaa91 --- /dev/null +++ b/content/en/v1.2-docs/cli/acmesolver.md @@ -0,0 +1,19 @@ +--- +title: acmesolver CLI reference +linkTitle: acmesolver +weight: 960 +type: "docs" +--- +``` +HTTP server used to solve ACME challenges. + +Usage: + acmesolver [flags] + +Flags: + --domain string the domain name to verify + -h, --help help for acmesolver + --key string the challenge key to respond with + --listen-port int the port number to listen on for connections (default 8089) + --token string the challenge token to verify against +``` diff --git a/content/en/v1.2-docs/cli/cainjector.md b/content/en/v1.2-docs/cli/cainjector.md new file mode 100644 index 00000000000..554718c5f31 --- /dev/null +++ b/content/en/v1.2-docs/cli/cainjector.md @@ -0,0 +1,42 @@ +--- +title: cainjector CLI reference +linkTitle: cainjector +weight: 960 +type: "docs" +--- +``` + +cert-manager CA injector is a Kubernetes addon to automate the injection of CA data into +webhooks and APIServices from cert-manager certificates. + +It will ensure that annotated webhooks and API services always have the correct +CA data from the referenced certificates, which can then be used to serve API +servers and webhook servers. + +Usage: + ca-injector [flags] + +Flags: + --add_dir_header If true, adds the file directory to the header of the log messages + --alsologtostderr log to standard error as well as files + -h, --help help for ca-injector + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --leader-elect If true, cainjector will perform leader election between instances to ensure no more than one instance of cainjector operates at a time (default true) + --leader-election-lease-duration duration The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 15s) + --leader-election-namespace string Namespace used to perform leader election (defaults to controller's namespace). Only used if leader election is enabled + --leader-election-renew-deadline duration The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 10s) + --leader-election-retry-period duration The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 2s) + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --master --kubeconfig (Deprecated: switch to --kubeconfig) The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster. + --namespace string If set, this limits the scope of cainjector to a single namespace. If set, cainjector will not update resources with certificates outside of the configured namespace. + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` diff --git a/content/en/v1.2-docs/cli/cmctl.md b/content/en/v1.2-docs/cli/cmctl.md new file mode 100644 index 00000000000..b29251a5b06 --- /dev/null +++ b/content/en/v1.2-docs/cli/cmctl.md @@ -0,0 +1,45 @@ +--- +title: cmctl CLI reference +linkTitle: cmctl +weight: 960 +type: "docs" +--- +``` + +kubectl cert-manager is a CLI tool manage and configure cert-manager resources for Kubernetes + +Usage: + kubectl cert-manager [command] + +Available Commands: + convert Convert cert-manager config files between different API versions + create Create cert-manager resources + help Help about any command + inspect Get details on certificate related resources + renew Mark a Certificate for manual renewal + status Get details on current status of cert-manager resources + version Print the kubectl cert-manager version + +Flags: + --as string Username to impersonate for the operation + --as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups. + --cache-dir string Default cache directory (default "/Users/joakim/.kube/cache") + --certificate-authority string Path to a cert file for the certificate authority + --client-certificate string Path to a client certificate file for TLS + --client-key string Path to a client key file for TLS + --cluster string The name of the kubeconfig cluster to use + --context string The name of the kubeconfig context to use + -h, --help help for cert-manager + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Path to the kubeconfig file to use for CLI requests. + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --match-server-version Require server version to match client version + -n, --namespace string If present, the namespace scope for this CLI request + --request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0") + -s, --server string The address and port of the Kubernetes API server + --tls-server-name string Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used + --token string Bearer token for authentication to the API server + --user string The name of the kubeconfig user to use + +Use "kubectl cert-manager [command] --help" for more information about a command. +``` diff --git a/content/en/v1.2-docs/cli/controller.md b/content/en/v1.2-docs/cli/controller.md new file mode 100644 index 00000000000..ddc0bb85722 --- /dev/null +++ b/content/en/v1.2-docs/cli/controller.md @@ -0,0 +1,67 @@ +--- +title: controller CLI reference +linkTitle: controller +weight: 960 +type: "docs" +--- +``` + +cert-manager is a Kubernetes addon to automate the management and issuance of +TLS certificates from various issuing sources. + +It will ensure certificates are valid and up to date periodically, and attempt +to renew certificates at an appropriate time before expiry. + +Usage: + cert-manager-controller [flags] + +Flags: + --acme-http01-solver-image string The docker image to use to solve ACME HTTP01 challenges. You most likely will not need to change this parameter unless you are testing a new feature or developing cert-manager. (default "quay.io/jetstack/cert-manager-acmesolver:canary") + --acme-http01-solver-resource-limits-cpu string Defines the resource limits CPU size when spawning new ACME HTTP01 challenge solver pods. (default "100m") + --acme-http01-solver-resource-limits-memory string Defines the resource limits Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi") + --acme-http01-solver-resource-request-cpu string Defines the resource request CPU size when spawning new ACME HTTP01 challenge solver pods. (default "10m") + --acme-http01-solver-resource-request-memory string Defines the resource request Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi") + --add_dir_header If true, adds the file directory to the header of the log messages + --alsologtostderr log to standard error as well as files + --auto-certificate-annotations strings The annotation consumed by the ingress-shim controller to indicate a ingress is requesting a certificate (default [kubernetes.io/tls-acme]) + --cluster-issuer-ambient-credentials Whether a cluster-issuer may make use of ambient credentials for issuers. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the ClusterIssuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. (default true) + --cluster-resource-namespace string Namespace to store resources owned by cluster scoped resources such as ClusterIssuer in. This must be specified if ClusterIssuers are enabled. (default "kube-system") + --controllers strings The set of controllers to enable. (default [issuers,clusterissuers,CertificateMetrics,ingress-shim,orders,challenges,certificaterequests-issuer-acme,certificaterequests-issuer-ca,certificaterequests-issuer-selfsigned,certificaterequests-issuer-vault,certificaterequests-issuer-venafi,CertificateTrigger,CertificateIssuing,CertificateKeyManager,CertificateRequestManager,CertificateReadiness]) + --default-issuer-group string Group of the Issuer to use when the tls is requested but issuer group is not specified on the ingress resource. (default "cert-manager.io") + --default-issuer-kind string Kind of the Issuer to use when the tls is requested but issuer kind is not specified on the ingress resource. (default "Issuer") + --default-issuer-name string Name of the Issuer to use when the tls is requested but issuer name is not specified on the ingress resource. + --dns01-check-retry-period duration The duration the controller should wait between checking if a ACME dns entry exists.This should be a valid duration string, for example 180s or 1h (default 10s) + --dns01-recursive-nameservers strings A list of comma separated dns server endpoints used for DNS01 check requests. This should be a list containing host and port, for example 8.8.8.8:53,8.8.4.4:53 + --dns01-recursive-nameservers-only When true, cert-manager will only ever query the configured DNS resolvers to perform the ACME DNS01 self check. This is useful in DNS constrained environments, where access to authoritative nameservers is restricted. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers. + --enable-certificate-owner-ref Whether to set the certificate resource as an owner of secret where the tls certificate is stored. When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted. + --enable-profiling Enable profiling for controller. + --feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: + AllAlpha=true|false (ALPHA - default=false) + AllBeta=true|false (BETA - default=false) + ValidateCAA=true|false (ALPHA - default=false) + -h, --help help for cert-manager-controller + --issuer-ambient-credentials Whether an issuer may make use of ambient credentials. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the Issuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. + --kube-api-burst int the maximum burst queries-per-second of requests sent to the Kubernetes apiserver (default 50) + --kube-api-qps float32 indicates the maximum queries-per-second requests to the Kubernetes apiserver (default 20) + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --leader-elect If true, cert-manager will perform leader election between instances to ensure no more than one instance of cert-manager operates at a time (default true) + --leader-election-lease-duration duration The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 1m0s) + --leader-election-namespace string Namespace used to perform leader election. Only used if leader election is enabled (default "kube-system") + --leader-election-renew-deadline duration The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 40s) + --leader-election-retry-period duration The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 15s) + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --master string Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted. + --max-concurrent-challenges int The maximum number of challenges that can be scheduled as 'processing' at once. (default 60) + --metrics-listen-address string The host and port that the metrics endpoint should listen on. (default "0.0.0.0:9402") + --namespace string If set, this limits the scope of cert-manager to a single namespace and ClusterIssuers are disabled. If not specified, all namespaces will be watched + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` diff --git a/content/en/v1.2-docs/cli/webhook.md b/content/en/v1.2-docs/cli/webhook.md new file mode 100644 index 00000000000..38577a651a3 --- /dev/null +++ b/content/en/v1.2-docs/cli/webhook.md @@ -0,0 +1,38 @@ +--- +title: webhook CLI reference +linkTitle: webhook +weight: 960 +type: "docs" +--- +``` +Webhook component providing API validation, mutation and conversion functionality for cert-manager (canary) () + +Usage: + webhook [flags] + +Flags: + --add_dir_header If true, adds the file directory to the header of the log messages + --alsologtostderr log to standard error as well as files + --dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates certificates + --dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs serving certificates + --dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the dynamic serving CA + --healthz-port int port number to listen on for insecure healthz connections (default 6080) + -h, --help help for webhook + --kubeconfig string optional path to the kubeconfig used to connect to the apiserver. If not specified, in-cluster-config will be used + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --secure-port int port number to listen on for secure TLS connections (default 6443) + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + --tls-cert-file string path to the file containing the TLS certificate to serve with + --tls-cipher-suites strings Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be use. Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA + --tls-min-version string Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 + --tls-private-key-file string path to the file containing the TLS private key to serve with + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` diff --git a/content/en/v1.3-docs/cli/_index.md b/content/en/v1.3-docs/cli/_index.md new file mode 100644 index 00000000000..09de1f0826f --- /dev/null +++ b/content/en/v1.3-docs/cli/_index.md @@ -0,0 +1,6 @@ +--- +title: "CLI reference" +linkTitle: "CLI reference" +weight: 500 +type: "docs" +--- diff --git a/content/en/v1.3-docs/cli/acmesolver.md b/content/en/v1.3-docs/cli/acmesolver.md new file mode 100644 index 00000000000..473dc0aaa91 --- /dev/null +++ b/content/en/v1.3-docs/cli/acmesolver.md @@ -0,0 +1,19 @@ +--- +title: acmesolver CLI reference +linkTitle: acmesolver +weight: 960 +type: "docs" +--- +``` +HTTP server used to solve ACME challenges. + +Usage: + acmesolver [flags] + +Flags: + --domain string the domain name to verify + -h, --help help for acmesolver + --key string the challenge key to respond with + --listen-port int the port number to listen on for connections (default 8089) + --token string the challenge token to verify against +``` diff --git a/content/en/v1.3-docs/cli/cainjector.md b/content/en/v1.3-docs/cli/cainjector.md new file mode 100644 index 00000000000..554718c5f31 --- /dev/null +++ b/content/en/v1.3-docs/cli/cainjector.md @@ -0,0 +1,42 @@ +--- +title: cainjector CLI reference +linkTitle: cainjector +weight: 960 +type: "docs" +--- +``` + +cert-manager CA injector is a Kubernetes addon to automate the injection of CA data into +webhooks and APIServices from cert-manager certificates. + +It will ensure that annotated webhooks and API services always have the correct +CA data from the referenced certificates, which can then be used to serve API +servers and webhook servers. + +Usage: + ca-injector [flags] + +Flags: + --add_dir_header If true, adds the file directory to the header of the log messages + --alsologtostderr log to standard error as well as files + -h, --help help for ca-injector + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --leader-elect If true, cainjector will perform leader election between instances to ensure no more than one instance of cainjector operates at a time (default true) + --leader-election-lease-duration duration The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 15s) + --leader-election-namespace string Namespace used to perform leader election (defaults to controller's namespace). Only used if leader election is enabled + --leader-election-renew-deadline duration The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 10s) + --leader-election-retry-period duration The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 2s) + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --master --kubeconfig (Deprecated: switch to --kubeconfig) The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster. + --namespace string If set, this limits the scope of cainjector to a single namespace. If set, cainjector will not update resources with certificates outside of the configured namespace. + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` diff --git a/content/en/v1.3-docs/cli/cmctl.md b/content/en/v1.3-docs/cli/cmctl.md new file mode 100644 index 00000000000..0da08e352e1 --- /dev/null +++ b/content/en/v1.3-docs/cli/cmctl.md @@ -0,0 +1,47 @@ +--- +title: cmctl CLI reference +linkTitle: cmctl +weight: 960 +type: "docs" +--- +``` + +kubectl cert-manager is a CLI tool manage and configure cert-manager resources for Kubernetes + +Usage: + kubectl cert-manager [command] + +Available Commands: + approve Approve a CertificateRequest + convert Convert cert-manager config files between different API versions + create Create cert-manager resources + deny Deny a CertificateRequest + help Help about any command + inspect Get details on certificate related resources + renew Mark a Certificate for manual renewal + status Get details on current status of cert-manager resources + version Print the kubectl cert-manager version + +Flags: + --as string Username to impersonate for the operation + --as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups. + --cache-dir string Default cache directory (default "/Users/joakim/.kube/cache") + --certificate-authority string Path to a cert file for the certificate authority + --client-certificate string Path to a client certificate file for TLS + --client-key string Path to a client key file for TLS + --cluster string The name of the kubeconfig cluster to use + --context string The name of the kubeconfig context to use + -h, --help help for cert-manager + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Path to the kubeconfig file to use for CLI requests. + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --match-server-version Require server version to match client version + -n, --namespace string If present, the namespace scope for this CLI request + --request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0") + -s, --server string The address and port of the Kubernetes API server + --tls-server-name string Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used + --token string Bearer token for authentication to the API server + --user string The name of the kubeconfig user to use + +Use "kubectl cert-manager [command] --help" for more information about a command. +``` diff --git a/content/en/v1.3-docs/cli/controller.md b/content/en/v1.3-docs/cli/controller.md new file mode 100644 index 00000000000..f369450a2e8 --- /dev/null +++ b/content/en/v1.3-docs/cli/controller.md @@ -0,0 +1,68 @@ +--- +title: controller CLI reference +linkTitle: controller +weight: 960 +type: "docs" +--- +``` + +cert-manager is a Kubernetes addon to automate the management and issuance of +TLS certificates from various issuing sources. + +It will ensure certificates are valid and up to date periodically, and attempt +to renew certificates at an appropriate time before expiry. + +Usage: + cert-manager-controller [flags] + +Flags: + --acme-http01-solver-image string The docker image to use to solve ACME HTTP01 challenges. You most likely will not need to change this parameter unless you are testing a new feature or developing cert-manager. (default "quay.io/jetstack/cert-manager-acmesolver:canary") + --acme-http01-solver-resource-limits-cpu string Defines the resource limits CPU size when spawning new ACME HTTP01 challenge solver pods. (default "100m") + --acme-http01-solver-resource-limits-memory string Defines the resource limits Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi") + --acme-http01-solver-resource-request-cpu string Defines the resource request CPU size when spawning new ACME HTTP01 challenge solver pods. (default "10m") + --acme-http01-solver-resource-request-memory string Defines the resource request Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi") + --add_dir_header If true, adds the file directory to the header of the log messages + --alsologtostderr log to standard error as well as files + --auto-certificate-annotations strings The annotation consumed by the ingress-shim controller to indicate a ingress is requesting a certificate (default [kubernetes.io/tls-acme]) + --cluster-issuer-ambient-credentials Whether a cluster-issuer may make use of ambient credentials for issuers. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the ClusterIssuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. (default true) + --cluster-resource-namespace string Namespace to store resources owned by cluster scoped resources such as ClusterIssuer in. This must be specified if ClusterIssuers are enabled. (default "kube-system") + --controllers strings A list of controllers to enable. '--controllers=*' enables all on-by-default controllers, '--controllers=foo' enables just the controller named 'foo', '--controllers=*,-foo' disables the controller named 'foo'. + All controllers: issuers, clusterissuers, certificates-metrics, ingress-shim, orders, challenges, certificaterequests-issuer-acme, certificaterequests-approver, certificaterequests-issuer-ca, certificaterequests-issuer-selfsigned, certificaterequests-issuer-vault, certificaterequests-issuer-venafi, certificates-trigger, certificates-issuing, certificates-key-manager, certificates-request-manager, certificates-readiness, certificates-revision-manager (default [*]) + --default-issuer-group string Group of the Issuer to use when the tls is requested but issuer group is not specified on the ingress resource. (default "cert-manager.io") + --default-issuer-kind string Kind of the Issuer to use when the tls is requested but issuer kind is not specified on the ingress resource. (default "Issuer") + --default-issuer-name string Name of the Issuer to use when the tls is requested but issuer name is not specified on the ingress resource. + --dns01-check-retry-period duration The duration the controller should wait between checking if a ACME dns entry exists.This should be a valid duration string, for example 180s or 1h (default 10s) + --dns01-recursive-nameservers strings A list of comma separated dns server endpoints used for DNS01 check requests. This should be a list containing host and port, for example 8.8.8.8:53,8.8.4.4:53 + --dns01-recursive-nameservers-only When true, cert-manager will only ever query the configured DNS resolvers to perform the ACME DNS01 self check. This is useful in DNS constrained environments, where access to authoritative nameservers is restricted. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers. + --enable-certificate-owner-ref Whether to set the certificate resource as an owner of secret where the tls certificate is stored. When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted. + --enable-profiling Enable profiling for controller. + --feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: + AllAlpha=true|false (ALPHA - default=false) + AllBeta=true|false (BETA - default=false) + ValidateCAA=true|false (ALPHA - default=false) + -h, --help help for cert-manager-controller + --issuer-ambient-credentials Whether an issuer may make use of ambient credentials. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the Issuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. + --kube-api-burst int the maximum burst queries-per-second of requests sent to the Kubernetes apiserver (default 50) + --kube-api-qps float32 indicates the maximum queries-per-second requests to the Kubernetes apiserver (default 20) + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --leader-elect If true, cert-manager will perform leader election between instances to ensure no more than one instance of cert-manager operates at a time (default true) + --leader-election-lease-duration duration The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 1m0s) + --leader-election-namespace string Namespace used to perform leader election. Only used if leader election is enabled (default "kube-system") + --leader-election-renew-deadline duration The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 40s) + --leader-election-retry-period duration The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 15s) + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --master string Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted. + --max-concurrent-challenges int The maximum number of challenges that can be scheduled as 'processing' at once. (default 60) + --metrics-listen-address string The host and port that the metrics endpoint should listen on. (default "0.0.0.0:9402") + --namespace string If set, this limits the scope of cert-manager to a single namespace and ClusterIssuers are disabled. If not specified, all namespaces will be watched + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` diff --git a/content/en/v1.3-docs/cli/webhook.md b/content/en/v1.3-docs/cli/webhook.md new file mode 100644 index 00000000000..799cca605a1 --- /dev/null +++ b/content/en/v1.3-docs/cli/webhook.md @@ -0,0 +1,39 @@ +--- +title: webhook CLI reference +linkTitle: webhook +weight: 960 +type: "docs" +--- +``` +Webhook component providing API validation, mutation and conversion functionality for cert-manager (canary) () + +Usage: + webhook [flags] + +Flags: + --add_dir_header If true, adds the file directory to the header of the log messages + --alsologtostderr log to standard error as well as files + --api-server-host string Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted. + --dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates certificates + --dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs serving certificates + --dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the dynamic serving CA + --healthz-port int port number to listen on for insecure healthz connections (default 6080) + -h, --help help for webhook + --kubeconfig string optional path to the kubeconfig used to connect to the apiserver. If not specified, in-cluster-config will be used + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --secure-port int port number to listen on for secure TLS connections (default 6443) + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + --tls-cert-file string path to the file containing the TLS certificate to serve with + --tls-cipher-suites strings Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be use. Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA + --tls-min-version string Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 + --tls-private-key-file string path to the file containing the TLS private key to serve with + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` diff --git a/content/en/v1.4-docs/cli/_index.md b/content/en/v1.4-docs/cli/_index.md new file mode 100644 index 00000000000..09de1f0826f --- /dev/null +++ b/content/en/v1.4-docs/cli/_index.md @@ -0,0 +1,6 @@ +--- +title: "CLI reference" +linkTitle: "CLI reference" +weight: 500 +type: "docs" +--- diff --git a/content/en/v1.4-docs/cli/acmesolver.md b/content/en/v1.4-docs/cli/acmesolver.md new file mode 100644 index 00000000000..473dc0aaa91 --- /dev/null +++ b/content/en/v1.4-docs/cli/acmesolver.md @@ -0,0 +1,19 @@ +--- +title: acmesolver CLI reference +linkTitle: acmesolver +weight: 960 +type: "docs" +--- +``` +HTTP server used to solve ACME challenges. + +Usage: + acmesolver [flags] + +Flags: + --domain string the domain name to verify + -h, --help help for acmesolver + --key string the challenge key to respond with + --listen-port int the port number to listen on for connections (default 8089) + --token string the challenge token to verify against +``` diff --git a/content/en/v1.4-docs/cli/cainjector.md b/content/en/v1.4-docs/cli/cainjector.md new file mode 100644 index 00000000000..6d7de877ad4 --- /dev/null +++ b/content/en/v1.4-docs/cli/cainjector.md @@ -0,0 +1,42 @@ +--- +title: cainjector CLI reference +linkTitle: cainjector +weight: 960 +type: "docs" +--- +``` + +cert-manager CA injector is a Kubernetes addon to automate the injection of CA data into +webhooks and APIServices from cert-manager certificates. + +It will ensure that annotated webhooks and API services always have the correct +CA data from the referenced certificates, which can then be used to serve API +servers and webhook servers. + +Usage: + ca-injector [flags] + +Flags: + --add_dir_header If true, adds the file directory to the header of the log messages + --alsologtostderr log to standard error as well as files + -h, --help help for ca-injector + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --leader-elect If true, cainjector will perform leader election between instances to ensure no more than one instance of cainjector operates at a time (default true) + --leader-election-lease-duration duration The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 15s) + --leader-election-namespace string Namespace used to perform leader election (defaults to controller's namespace). Only used if leader election is enabled + --leader-election-renew-deadline duration The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 10s) + --leader-election-retry-period duration The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 2s) + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --namespace string If set, this limits the scope of cainjector to a single namespace. If set, cainjector will not update resources with certificates outside of the configured namespace. + --one_output If true, only write logs to their native severity level (vs also writing to each lower severity level) + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` diff --git a/content/en/v1.4-docs/cli/cmctl.md b/content/en/v1.4-docs/cli/cmctl.md new file mode 100644 index 00000000000..0da08e352e1 --- /dev/null +++ b/content/en/v1.4-docs/cli/cmctl.md @@ -0,0 +1,47 @@ +--- +title: cmctl CLI reference +linkTitle: cmctl +weight: 960 +type: "docs" +--- +``` + +kubectl cert-manager is a CLI tool manage and configure cert-manager resources for Kubernetes + +Usage: + kubectl cert-manager [command] + +Available Commands: + approve Approve a CertificateRequest + convert Convert cert-manager config files between different API versions + create Create cert-manager resources + deny Deny a CertificateRequest + help Help about any command + inspect Get details on certificate related resources + renew Mark a Certificate for manual renewal + status Get details on current status of cert-manager resources + version Print the kubectl cert-manager version + +Flags: + --as string Username to impersonate for the operation + --as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups. + --cache-dir string Default cache directory (default "/Users/joakim/.kube/cache") + --certificate-authority string Path to a cert file for the certificate authority + --client-certificate string Path to a client certificate file for TLS + --client-key string Path to a client key file for TLS + --cluster string The name of the kubeconfig cluster to use + --context string The name of the kubeconfig context to use + -h, --help help for cert-manager + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Path to the kubeconfig file to use for CLI requests. + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --match-server-version Require server version to match client version + -n, --namespace string If present, the namespace scope for this CLI request + --request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0") + -s, --server string The address and port of the Kubernetes API server + --tls-server-name string Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used + --token string Bearer token for authentication to the API server + --user string The name of the kubeconfig user to use + +Use "kubectl cert-manager [command] --help" for more information about a command. +``` diff --git a/content/en/v1.4-docs/cli/controller.md b/content/en/v1.4-docs/cli/controller.md new file mode 100644 index 00000000000..8c01bf8e531 --- /dev/null +++ b/content/en/v1.4-docs/cli/controller.md @@ -0,0 +1,70 @@ +--- +title: controller CLI reference +linkTitle: controller +weight: 960 +type: "docs" +--- +``` + +cert-manager is a Kubernetes addon to automate the management and issuance of +TLS certificates from various issuing sources. + +It will ensure certificates are valid and up to date periodically, and attempt +to renew certificates at an appropriate time before expiry. + +Usage: + cert-manager-controller [flags] + +Flags: + --acme-http01-solver-image string The docker image to use to solve ACME HTTP01 challenges. You most likely will not need to change this parameter unless you are testing a new feature or developing cert-manager. (default "quay.io/jetstack/cert-manager-acmesolver:canary") + --acme-http01-solver-resource-limits-cpu string Defines the resource limits CPU size when spawning new ACME HTTP01 challenge solver pods. (default "100m") + --acme-http01-solver-resource-limits-memory string Defines the resource limits Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi") + --acme-http01-solver-resource-request-cpu string Defines the resource request CPU size when spawning new ACME HTTP01 challenge solver pods. (default "10m") + --acme-http01-solver-resource-request-memory string Defines the resource request Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi") + --add_dir_header If true, adds the file directory to the header of the log messages + --alsologtostderr log to standard error as well as files + --auto-certificate-annotations strings The annotation consumed by the ingress-shim controller to indicate a ingress is requesting a certificate (default [kubernetes.io/tls-acme]) + --cluster-issuer-ambient-credentials Whether a cluster-issuer may make use of ambient credentials for issuers. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the ClusterIssuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. (default true) + --cluster-resource-namespace string Namespace to store resources owned by cluster scoped resources such as ClusterIssuer in. This must be specified if ClusterIssuers are enabled. (default "kube-system") + --controllers strings A list of controllers to enable. '--controllers=*' enables all on-by-default controllers, '--controllers=foo' enables just the controller named 'foo', '--controllers=*,-foo' disables the controller named 'foo'. + All controllers: issuers, clusterissuers, certificates-metrics, ingress-shim, orders, challenges, certificaterequests-issuer-acme, certificaterequests-approver, certificaterequests-issuer-ca, certificaterequests-issuer-selfsigned, certificaterequests-issuer-vault, certificaterequests-issuer-venafi, certificates-trigger, certificates-issuing, certificates-key-manager, certificates-request-manager, certificates-readiness, certificates-revision-manager (default [*]) + --default-issuer-group string Group of the Issuer to use when the tls is requested but issuer group is not specified on the ingress resource. (default "cert-manager.io") + --default-issuer-kind string Kind of the Issuer to use when the tls is requested but issuer kind is not specified on the ingress resource. (default "Issuer") + --default-issuer-name string Name of the Issuer to use when the tls is requested but issuer name is not specified on the ingress resource. + --dns01-check-retry-period duration The duration the controller should wait between checking if a ACME dns entry exists.This should be a valid duration string, for example 180s or 1h (default 10s) + --dns01-recursive-nameservers strings A list of comma separated dns server endpoints used for DNS01 check requests. This should be a list containing host and port, for example 8.8.8.8:53,8.8.4.4:53 + --dns01-recursive-nameservers-only When true, cert-manager will only ever query the configured DNS resolvers to perform the ACME DNS01 self check. This is useful in DNS constrained environments, where access to authoritative nameservers is restricted. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers. + --enable-certificate-owner-ref Whether to set the certificate resource as an owner of secret where the tls certificate is stored. When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted. + --enable-profiling Enable profiling for controller. + --feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: + AllAlpha=true|false (ALPHA - default=false) + AllBeta=true|false (BETA - default=false) + ExperimentalCertificateSigningRequestControllers=true|false (ALPHA - default=false) + ValidateCAA=true|false (ALPHA - default=false) + -h, --help help for cert-manager-controller + --issuer-ambient-credentials Whether an issuer may make use of ambient credentials. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the Issuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. + --kube-api-burst int the maximum burst queries-per-second of requests sent to the Kubernetes apiserver (default 50) + --kube-api-qps float32 indicates the maximum queries-per-second requests to the Kubernetes apiserver (default 20) + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --leader-elect If true, cert-manager will perform leader election between instances to ensure no more than one instance of cert-manager operates at a time (default true) + --leader-election-lease-duration duration The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 1m0s) + --leader-election-namespace string Namespace used to perform leader election. Only used if leader election is enabled (default "kube-system") + --leader-election-renew-deadline duration The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 40s) + --leader-election-retry-period duration The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 15s) + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --master string Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted. + --max-concurrent-challenges int The maximum number of challenges that can be scheduled as 'processing' at once. (default 60) + --metrics-listen-address string The host and port that the metrics endpoint should listen on. (default "0.0.0.0:9402") + --namespace string If set, this limits the scope of cert-manager to a single namespace and ClusterIssuers are disabled. If not specified, all namespaces will be watched + --one_output If true, only write logs to their native severity level (vs also writing to each lower severity level) + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` diff --git a/content/en/v1.4-docs/cli/webhook.md b/content/en/v1.4-docs/cli/webhook.md new file mode 100644 index 00000000000..9a17b132654 --- /dev/null +++ b/content/en/v1.4-docs/cli/webhook.md @@ -0,0 +1,40 @@ +--- +title: webhook CLI reference +linkTitle: webhook +weight: 960 +type: "docs" +--- +``` +Webhook component providing API validation, mutation and conversion functionality for cert-manager (canary) () + +Usage: + webhook [flags] + +Flags: + --add_dir_header If true, adds the file directory to the header of the log messages + --alsologtostderr log to standard error as well as files + --api-server-host string Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted. + --dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates certificates + --dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs serving certificates + --dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the dynamic serving CA + --healthz-port int port number to listen on for insecure healthz connections (default 6080) + -h, --help help for webhook + --kubeconfig string optional path to the kubeconfig used to connect to the apiserver. If not specified, in-cluster-config will be used + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --one_output If true, only write logs to their native severity level (vs also writing to each lower severity level) + --secure-port int port number to listen on for secure TLS connections (default 6443) + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + --tls-cert-file string path to the file containing the TLS certificate to serve with + --tls-cipher-suites strings Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be use. Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA + --tls-min-version string Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 + --tls-private-key-file string path to the file containing the TLS private key to serve with + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` diff --git a/content/en/v1.5-docs/cli/_index.md b/content/en/v1.5-docs/cli/_index.md new file mode 100644 index 00000000000..09de1f0826f --- /dev/null +++ b/content/en/v1.5-docs/cli/_index.md @@ -0,0 +1,6 @@ +--- +title: "CLI reference" +linkTitle: "CLI reference" +weight: 500 +type: "docs" +--- diff --git a/content/en/v1.5-docs/cli/acmesolver.md b/content/en/v1.5-docs/cli/acmesolver.md new file mode 100644 index 00000000000..473dc0aaa91 --- /dev/null +++ b/content/en/v1.5-docs/cli/acmesolver.md @@ -0,0 +1,19 @@ +--- +title: acmesolver CLI reference +linkTitle: acmesolver +weight: 960 +type: "docs" +--- +``` +HTTP server used to solve ACME challenges. + +Usage: + acmesolver [flags] + +Flags: + --domain string the domain name to verify + -h, --help help for acmesolver + --key string the challenge key to respond with + --listen-port int the port number to listen on for connections (default 8089) + --token string the challenge token to verify against +``` diff --git a/content/en/v1.5-docs/cli/cainjector.md b/content/en/v1.5-docs/cli/cainjector.md new file mode 100644 index 00000000000..6d7de877ad4 --- /dev/null +++ b/content/en/v1.5-docs/cli/cainjector.md @@ -0,0 +1,42 @@ +--- +title: cainjector CLI reference +linkTitle: cainjector +weight: 960 +type: "docs" +--- +``` + +cert-manager CA injector is a Kubernetes addon to automate the injection of CA data into +webhooks and APIServices from cert-manager certificates. + +It will ensure that annotated webhooks and API services always have the correct +CA data from the referenced certificates, which can then be used to serve API +servers and webhook servers. + +Usage: + ca-injector [flags] + +Flags: + --add_dir_header If true, adds the file directory to the header of the log messages + --alsologtostderr log to standard error as well as files + -h, --help help for ca-injector + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --leader-elect If true, cainjector will perform leader election between instances to ensure no more than one instance of cainjector operates at a time (default true) + --leader-election-lease-duration duration The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 15s) + --leader-election-namespace string Namespace used to perform leader election (defaults to controller's namespace). Only used if leader election is enabled + --leader-election-renew-deadline duration The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 10s) + --leader-election-retry-period duration The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 2s) + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --namespace string If set, this limits the scope of cainjector to a single namespace. If set, cainjector will not update resources with certificates outside of the configured namespace. + --one_output If true, only write logs to their native severity level (vs also writing to each lower severity level) + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` diff --git a/content/en/v1.5-docs/cli/cmctl.md b/content/en/v1.5-docs/cli/cmctl.md new file mode 100644 index 00000000000..7d28a93a1dc --- /dev/null +++ b/content/en/v1.5-docs/cli/cmctl.md @@ -0,0 +1,50 @@ +--- +title: cmctl CLI reference +linkTitle: cmctl +weight: 960 +type: "docs" +--- +``` + +kubectl cert-manager is a CLI tool manage and configure cert-manager resources for Kubernetes + +Usage: + kubectl cert-manager [command] + +Available Commands: + approve Approve a CertificateRequest + check Check cert-manager components + completion generate the autocompletion script for the specified shell + convert Convert cert-manager config files between different API versions + create Create cert-manager resources + deny Deny a CertificateRequest + experimental Interact with experimental features + help Help about any command + inspect Get details on certificate related resources + renew Mark a Certificate for manual renewal + status Get details on current status of cert-manager resources + version Print the cert-manager kubectl plugin version and the deployed cert-manager version + +Flags: + --as string Username to impersonate for the operation + --as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups. + --cache-dir string Default cache directory (default "/Users/joakim/.kube/cache") + --certificate-authority string Path to a cert file for the certificate authority + --client-certificate string Path to a client certificate file for TLS + --client-key string Path to a client key file for TLS + --cluster string The name of the kubeconfig cluster to use + --context string The name of the kubeconfig context to use + -h, --help help for cert-manager + --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure + --kubeconfig string Path to the kubeconfig file to use for CLI requests. + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --match-server-version Require server version to match client version + -n, --namespace string If present, the namespace scope for this CLI request + --request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0") + -s, --server string The address and port of the Kubernetes API server + --tls-server-name string Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used + --token string Bearer token for authentication to the API server + --user string The name of the kubeconfig user to use + +Use "kubectl cert-manager [command] --help" for more information about a command. +``` diff --git a/content/en/v1.5-docs/cli/controller.md b/content/en/v1.5-docs/cli/controller.md new file mode 100644 index 00000000000..34a3a0cc3a7 --- /dev/null +++ b/content/en/v1.5-docs/cli/controller.md @@ -0,0 +1,72 @@ +--- +title: controller CLI reference +linkTitle: controller +weight: 960 +type: "docs" +--- +``` + +cert-manager is a Kubernetes addon to automate the management and issuance of +TLS certificates from various issuing sources. + +It will ensure certificates are valid and up to date periodically, and attempt +to renew certificates at an appropriate time before expiry. + +Usage: + cert-manager-controller [flags] + +Flags: + --acme-http01-solver-image string The docker image to use to solve ACME HTTP01 challenges. You most likely will not need to change this parameter unless you are testing a new feature or developing cert-manager. (default "quay.io/jetstack/cert-manager-acmesolver:canary") + --acme-http01-solver-resource-limits-cpu string Defines the resource limits CPU size when spawning new ACME HTTP01 challenge solver pods. (default "100m") + --acme-http01-solver-resource-limits-memory string Defines the resource limits Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi") + --acme-http01-solver-resource-request-cpu string Defines the resource request CPU size when spawning new ACME HTTP01 challenge solver pods. (default "10m") + --acme-http01-solver-resource-request-memory string Defines the resource request Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi") + --add_dir_header If true, adds the file directory to the header of the log messages + --alsologtostderr log to standard error as well as files + --auto-certificate-annotations strings The annotation consumed by the ingress-shim controller to indicate a ingress is requesting a certificate (default [kubernetes.io/tls-acme]) + --cluster-issuer-ambient-credentials Whether a cluster-issuer may make use of ambient credentials for issuers. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the ClusterIssuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. (default true) + --cluster-resource-namespace string Namespace to store resources owned by cluster scoped resources such as ClusterIssuer in. This must be specified if ClusterIssuers are enabled. (default "kube-system") + --controllers strings A list of controllers to enable. '--controllers=*' enables all on-by-default controllers, '--controllers=foo' enables just the controller named 'foo', '--controllers=*,-foo' disables the controller named 'foo'. + All controllers: issuers, clusterissuers, certificates-metrics, ingress-shim, gateway-shim, orders, challenges, certificaterequests-issuer-acme, certificaterequests-approver, certificaterequests-issuer-ca, certificaterequests-issuer-selfsigned, certificaterequests-issuer-vault, certificaterequests-issuer-venafi, certificates-trigger, certificates-issuing, certificates-key-manager, certificates-request-manager, certificates-readiness, certificates-revision-manager (default [*]) + --copied-annotation-prefixes strings Specify which annotations should/shouldn't be copiedfrom Certificate to CertificateRequest and Order, as well as from CertificateSigningRequest to Order, by passing a list of annotation key prefixes.A prefix starting with a dash(-) specifies an annotation that shouldn't be copied. Example: '*,-kubectl.kuberenetes.io/'- all annotationswill be copied apart from the ones where the key is prefixed with 'kubectl.kubernetes.io/'. (default [*,-kubectl.kubernetes.io/,-fluxcd.io/,-argocd.argoproj.io/]) + --default-issuer-group string Group of the Issuer to use when the tls is requested but issuer group is not specified on the ingress resource. (default "cert-manager.io") + --default-issuer-kind string Kind of the Issuer to use when the tls is requested but issuer kind is not specified on the ingress resource. (default "Issuer") + --default-issuer-name string Name of the Issuer to use when the tls is requested but issuer name is not specified on the ingress resource. + --dns01-check-retry-period duration The duration the controller should wait between checking if a ACME dns entry exists.This should be a valid duration string, for example 180s or 1h (default 10s) + --dns01-recursive-nameservers strings A list of comma separated dns server endpoints used for DNS01 check requests. This should be a list containing host and port, for example 8.8.8.8:53,8.8.4.4:53 + --dns01-recursive-nameservers-only When true, cert-manager will only ever query the configured DNS resolvers to perform the ACME DNS01 self check. This is useful in DNS constrained environments, where access to authoritative nameservers is restricted. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers. + --enable-certificate-owner-ref Whether to set the certificate resource as an owner of secret where the tls certificate is stored. When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted. + --enable-profiling Enable profiling for controller. + --feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: + AllAlpha=true|false (ALPHA - default=false) + AllBeta=true|false (BETA - default=false) + ExperimentalCertificateSigningRequestControllers=true|false (ALPHA - default=false) + ExperimentalGatewayAPISupport=true|false (ALPHA - default=false) + ValidateCAA=true|false (ALPHA - default=false) + -h, --help help for cert-manager-controller + --issuer-ambient-credentials Whether an issuer may make use of ambient credentials. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the Issuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. + --kube-api-burst int the maximum burst queries-per-second of requests sent to the Kubernetes apiserver (default 50) + --kube-api-qps float32 indicates the maximum queries-per-second requests to the Kubernetes apiserver (default 20) + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --leader-elect If true, cert-manager will perform leader election between instances to ensure no more than one instance of cert-manager operates at a time (default true) + --leader-election-lease-duration duration The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 1m0s) + --leader-election-namespace string Namespace used to perform leader election. Only used if leader election is enabled (default "kube-system") + --leader-election-renew-deadline duration The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 40s) + --leader-election-retry-period duration The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 15s) + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --master string Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted. + --max-concurrent-challenges int The maximum number of challenges that can be scheduled as 'processing' at once. (default 60) + --metrics-listen-address string The host and port that the metrics endpoint should listen on. (default "0.0.0.0:9402") + --namespace string If set, this limits the scope of cert-manager to a single namespace and ClusterIssuers are disabled. If not specified, all namespaces will be watched + --one_output If true, only write logs to their native severity level (vs also writing to each lower severity level) + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` diff --git a/content/en/v1.5-docs/cli/webhook.md b/content/en/v1.5-docs/cli/webhook.md new file mode 100644 index 00000000000..9a17b132654 --- /dev/null +++ b/content/en/v1.5-docs/cli/webhook.md @@ -0,0 +1,40 @@ +--- +title: webhook CLI reference +linkTitle: webhook +weight: 960 +type: "docs" +--- +``` +Webhook component providing API validation, mutation and conversion functionality for cert-manager (canary) () + +Usage: + webhook [flags] + +Flags: + --add_dir_header If true, adds the file directory to the header of the log messages + --alsologtostderr log to standard error as well as files + --api-server-host string Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted. + --dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates certificates + --dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs serving certificates + --dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the dynamic serving CA + --healthz-port int port number to listen on for insecure healthz connections (default 6080) + -h, --help help for webhook + --kubeconfig string optional path to the kubeconfig used to connect to the apiserver. If not specified, in-cluster-config will be used + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory + --log_file string If non-empty, use this log file + --log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --one_output If true, only write logs to their native severity level (vs also writing to each lower severity level) + --secure-port int port number to listen on for secure TLS connections (default 6443) + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files + --stderrthreshold severity logs at or above this threshold go to stderr (default 2) + --tls-cert-file string path to the file containing the TLS certificate to serve with + --tls-cipher-suites strings Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be use. Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA + --tls-min-version string Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 + --tls-private-key-file string path to the file containing the TLS private key to serve with + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` From 4988804e09a81d7a88c128607160cc5fa6757ca3 Mon Sep 17 00:00:00 2001 From: Ashley Davis Date: Mon, 24 Jan 2022 14:52:14 +0000 Subject: [PATCH 8/9] add release step for updating algolia index Signed-off-by: Ashley Davis --- content/en/docs/contributing/release-process.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/content/en/docs/contributing/release-process.md b/content/en/docs/contributing/release-process.md index fb41ed6df16..b5460929dad 100644 --- a/content/en/docs/contributing/release-process.md +++ b/content/en/docs/contributing/release-process.md @@ -511,3 +511,8 @@ page if a step is missing or if it is outdated. the latest version. This should be done after every release, including patch releases as we want to encourage users to always install the latest patch. + + 9. Open a PR against our + [Algolia indexing configuration](https://github.com/algolia/docsearch-configs/blob/master/configs/cert-manager.json#L7-L13) + including the new version for search indexing, as in + [this PR](https://github.com/algolia/docsearch-configs/pull/2278). From 52afa259cfcc06c18b2c9b028bda2e8782d7617c Mon Sep 17 00:00:00 2001 From: Joakim Ahrlin Date: Tue, 25 Jan 2022 13:33:12 +0100 Subject: [PATCH 9/9] add comment for versioning releases Signed-off-by: Joakim Ahrlin --- scripts/gendocs/generate | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/gendocs/generate b/scripts/gendocs/generate index f83cac50a75..5a25b6c5ba2 100755 --- a/scripts/gendocs/generate +++ b/scripts/gendocs/generate @@ -174,6 +174,9 @@ rm -r pkg/apis/certmanager/v1alpha3 rm -r pkg/apis/certmanager/v1beta1 gendocs "v1.6-docs" +# when adding a new version here run +# ./scripts/gendocs/generate 1 to force generation of CLI docs +# and add them to the git index genversion "release-1.5" "v1.5-docs" genversion "release-1.4" "v1.4-docs" genversion "release-1.3" "v1.3-docs"