From a7e08cf77abe236997c89a55fb284c13c9fceb14 Mon Sep 17 00:00:00 2001
From: gitea-bot
Date: Tue, 2 Dec 2025 23:44:24 +0000
Subject: [PATCH] chore: Update manifests after change
---
.../kubelet-serving-cert-approver.yaml | 254 ++++++++++++++++++
1 file changed, 254 insertions(+)
create mode 100644 clusters/cl01tl/manifests/kubelet-serving-cert-approver/kubelet-serving-cert-approver.yaml
diff --git a/clusters/cl01tl/manifests/kubelet-serving-cert-approver/kubelet-serving-cert-approver.yaml b/clusters/cl01tl/manifests/kubelet-serving-cert-approver/kubelet-serving-cert-approver.yaml
new file mode 100644
index 000000000..36c1a92d3
--- /dev/null
+++ b/clusters/cl01tl/manifests/kubelet-serving-cert-approver/kubelet-serving-cert-approver.yaml
@@ -0,0 +1,254 @@
+---
+# Source: kubelet-serving-cert-approver/templates/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kubelet-serving-cert-approver
+ labels:
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/part-of: kubelet-serving-cert-approver
+ pod-security.kubernetes.io/audit: restricted
+ pod-security.kubernetes.io/enforce: restricted
+ pod-security.kubernetes.io/warn: restricted
+---
+# Source: kubelet-serving-cert-approver/charts/kubelet-serving-cert-approver/templates/common.yaml
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kubelet-serving-cert-approver
+ labels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ helm.sh/chart: kubelet-serving-cert-approver-4.4.0
+ namespace: kubelet-serving-cert-approver
+secrets:
+ - name: kubelet-serving-cert-approver-kubelet-serving-cert-approver-sa-token
+---
+# Source: kubelet-serving-cert-approver/charts/kubelet-serving-cert-approver/templates/common.yaml
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+ name: kubelet-serving-cert-approver-kubelet-serving-cert-approver-sa-token
+ labels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ helm.sh/chart: kubelet-serving-cert-approver-4.4.0
+ annotations:
+ kubernetes.io/service-account.name: kubelet-serving-cert-approver
+ namespace: kubelet-serving-cert-approver
+---
+# Source: kubelet-serving-cert-approver/templates/cluster-role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: "certificates-kubelet-serving-cert-approver"
+ namespace: kubelet-serving-cert-approver
+ labels:
+ app.kubernetes.io/name: "certificates-kubelet-serving-cert-approver"
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/part-of: kubelet-serving-cert-approver
+rules:
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests/approval
+ verbs:
+ - update
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ - apiGroups:
+ - certificates.k8s.io
+ resourceNames:
+ - kubernetes.io/kubelet-serving
+ resources:
+ - signers
+ verbs:
+ - approve
+---
+# Source: kubelet-serving-cert-approver/templates/cluster-role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: "events-kubelet-serving-cert-approver"
+ namespace: kubelet-serving-cert-approver
+ labels:
+ app.kubernetes.io/name: "events-kubelet-serving-cert-approver"
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/part-of: kubelet-serving-cert-approver
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+# Source: kubelet-serving-cert-approver/templates/cluster-role-binding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kubelet-serving-cert-approver
+ namespace: kubelet-serving-cert-approver
+ labels:
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/part-of: kubelet-serving-cert-approver
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: "certificates-kubelet-serving-cert-approver"
+subjects:
+ - kind: ServiceAccount
+ name: kubelet-serving-cert-approver
+ namespace: kubelet-serving-cert-approver
+---
+# Source: kubelet-serving-cert-approver/templates/role-binding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: "events-kubelet-serving-cert-approver"
+ namespace: kubelet-serving-cert-approver
+ labels:
+ app.kubernetes.io/name: "events-kubelet-serving-cert-approver"
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/part-of: kubelet-serving-cert-approver
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: "events-kubelet-serving-cert-approver"
+subjects:
+ - kind: ServiceAccount
+ name: kubelet-serving-cert-approver
+ namespace: kubelet-serving-cert-approver
+---
+# Source: kubelet-serving-cert-approver/charts/kubelet-serving-cert-approver/templates/common.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: kubelet-serving-cert-approver
+ labels:
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ app.kubernetes.io/service: kubelet-serving-cert-approver
+ helm.sh/chart: kubelet-serving-cert-approver-4.4.0
+ namespace: kubelet-serving-cert-approver
+spec:
+ type: ClusterIP
+ ports:
+ - port: 8080
+ targetPort: 8080
+ protocol: TCP
+ name: health
+ - port: 9090
+ targetPort: 9090
+ protocol: TCP
+ name: metrics
+ selector:
+ app.kubernetes.io/controller: main
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+---
+# Source: kubelet-serving-cert-approver/charts/kubelet-serving-cert-approver/templates/common.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kubelet-serving-cert-approver
+ labels:
+ app.kubernetes.io/controller: main
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ helm.sh/chart: kubelet-serving-cert-approver-4.4.0
+ namespace: kubelet-serving-cert-approver
+spec:
+ revisionHistoryLimit: 3
+ replicas: 1
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app.kubernetes.io/controller: main
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ template:
+ metadata:
+ annotations:
+ checksum/secrets: 591a33eca0bc5c4a8475d0538f3f4840841582c86a3ac2c97147b2b00e5774c5
+ labels:
+ app.kubernetes.io/controller: main
+ app.kubernetes.io/instance: kubelet-serving-cert-approver
+ app.kubernetes.io/name: kubelet-serving-cert-approver
+ spec:
+ enableServiceLinks: false
+ serviceAccountName: kubelet-serving-cert-approver
+ automountServiceAccountToken: true
+ priorityClassName: system-cluster-critical
+ securityContext:
+ fsGroup: 65534
+ runAsGroup: 65534
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ hostIPC: false
+ hostNetwork: false
+ hostPID: false
+ dnsPolicy: ClusterFirst
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - preference:
+ matchExpressions:
+ - key: node-role.kubernetes.io/master
+ operator: DoesNotExist
+ - key: node-role.kubernetes.io/control-plane
+ operator: DoesNotExist
+ weight: 100
+ tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+ operator: Exists
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ containers:
+ - args:
+ - serve
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ image: ghcr.io/alex1989hu/kubelet-serving-cert-approver:0.10.0
+ imagePullPolicy: Always
+ name: main
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
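Review bot: The `kubernetes.io/service-account-token` Secret `kubelet-serving-cert-approver-kubelet-serving-cert-approver-sa-token` gives the service account a token that does not expire, and that account is bound cluster-wide to `certificates-kubelet-serving-cert-approver`, which can update `certificatesigningrequests/approval` and `approve` for the `kubernetes.io/kubelet-serving` signer. The Deployment sets `automountServiceAccountToken: true`, so the pod presumably runs on the short-lived projected token and does not need the Secret; if nothing else reads it, turn the static token off in the chart values so this rendered file drops both the Secret and the `secrets:` entry on the ServiceAccount. In the same file the container image is referenced by tag with `imagePullPolicy: Always`; pinning it as `ghcr.io/alex1989hu/kubelet-serving-cert-approver:0.10.0@sha256:<digest>` keeps a re-pushed tag from changing what runs with these rights. The `namespace:` under the two ClusterRoles and the ClusterRoleBinding is ignored for cluster-scoped objects and can be dropped.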