Fix typos

Signed-off-by: Nathan Baulch <nathan.baulch@gmail.com>
Nathan Baulch 2024-09-19 14:00:15 +10:00
parent 060354a673
commit a39748ae77
132 changed files with 253 additions and 253 deletions


@ -6,12 +6,12 @@ The release schedule for cert-manager is defined on the [cert-manager website](h
## Process
The release process is descibed in detail on the [cert-manager website](https://cert-manager.io/docs/contributing/release-process/).
The release process is described in detail on the [cert-manager website](https://cert-manager.io/docs/contributing/release-process/).
## Artifacts
The cert-manager project will produce the following artifacts each release. For documentation on how those artifacts are produced see the "Process" section.
- *Container Images* - Container images for the cert-manager project are published for all cert-manager components.
- *Helm chart* - An offical Helm chart is mainained within this repo and published to `charts.jetstack.io` on each cert-manager release.
- *Binaries* - Until version 1.15 the cmctl binary was maintained within this repo and published as part of the cert-manager release. For releases after 1.15 the CLI has moved to its [own repository](https://github.com/cert-manager/cmctl). Binary builds are still avaiable for download from this new location.
- *Helm chart* - An official Helm chart is maintained within this repo and published to `charts.jetstack.io` on each cert-manager release.
- *Binaries* - Until version 1.15 the cmctl binary was maintained within this repo and published as part of the cert-manager release. For releases after 1.15 the CLI has moved to its [own repository](https://github.com/cert-manager/cmctl). Binary builds are still available for download from this new location.


@ -94,7 +94,7 @@ servers and webhook servers.`,
}
// ValidateCAInjectorConfiguration should already have validated the
// logging flags, the logging API does not have a Apply-only function
// logging flags, the logging API does not have an Apply-only function
// so we validate again here. This should not catch any validation errors
// anymore.
if err := logf.ValidateAndApply(&cainjectorConfig.Logging); err != nil {


@ -108,7 +108,7 @@ func AddConfigFlags(fs *pflag.FlagSet, c *config.ControllerConfiguration) {
"need to change this parameter unless you are testing a new feature or developing cert-manager.")
// HTTP-01 solver pod configuration via flags is a now deprecated
// mechanism- please use pod template instead when adding any new
// mechanism - please use pod template instead when adding any new
// configuration options
// https://github.com/cert-manager/cert-manager/blob/f1d7c432763100c3fb6eb6a1654d29060b479b3c/pkg/apis/acme/v1/types_issuer.go#L270
// These flags however will not be deprecated for backwards compatibility purposes.
@ -142,7 +142,7 @@ func AddConfigFlags(fs *pflag.FlagSet, c *config.ControllerConfiguration) {
"AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata.")
fs.StringSliceVar(&c.IngressShimConfig.DefaultAutoCertificateAnnotations, "auto-certificate-annotations", c.IngressShimConfig.DefaultAutoCertificateAnnotations, ""+
"The annotation consumed by the ingress-shim controller to indicate a ingress is requesting a certificate")
"The annotation consumed by the ingress-shim controller to indicate an ingress is requesting a certificate")
fs.StringVar(&c.IngressShimConfig.DefaultIssuerName, "default-issuer-name", c.IngressShimConfig.DefaultIssuerName, ""+
"Name of the Issuer to use when the tls is requested but issuer name is not specified on the ingress resource.")
fs.StringVar(&c.IngressShimConfig.DefaultIssuerKind, "default-issuer-kind", c.IngressShimConfig.DefaultIssuerKind, ""+


@ -46,7 +46,7 @@ func TestEnabledControllers(t *testing.T) {
controllers: []string{"*"},
expEnabled: sets.New(defaults.DefaultEnabledControllers...),
},
"if all controllers enabled, some diabled, return all controllers with disabled": {
"if all controllers enabled, some disabled, return all controllers with disabled": {
controllers: []string{"*", "-clusterissuers", "-issuers"},
expEnabled: sets.New(defaults.DefaultEnabledControllers...).Delete("clusterissuers", "issuers"),
},


@ -104,7 +104,7 @@ to renew certificates at an appropriate time before expiry.`,
}
// ValidateControllerConfiguration should already have validated the
// logging flags, the logging API does not have a Apply-only function
// logging flags, the logging API does not have an Apply-only function
// so we validate again here. This should not catch any validation errors
// anymore.
if err := logf.ValidateAndApply(&controllerConfig.Logging); err != nil {


@ -101,7 +101,7 @@ functionality for cert-manager.`,
}
// ValidateWebhookConfiguration should already have validated the
// logging flags, the logging API does not have a Apply-only function
// logging flags, the logging API does not have an Apply-only function
// so we validate again here. This should not catch any validation errors
// anymore.
if err := logf.ValidateAndApply(&webhookConfig.Logging); err != nil {


@ -298,7 +298,7 @@ Override the "cert-manager.fullname" value. This value is used as part of most o
#### **nameOverride** ~ `string`
Override the "cert-manager.name" value, which is used to annotate some of the resources that are created by this Chart (using "app.kubernetes.io/name"). NOTE: There are some inconsitencies in the Helm chart when it comes to these annotations (some resources use eg. "cainjector.name" which resolves to the value "cainjector").
Override the "cert-manager.name" value, which is used to annotate some of the resources that are created by this Chart (using "app.kubernetes.io/name"). NOTE: There are some inconsistencies in the Helm chart when it comes to these annotations (some resources use eg. "cainjector.name" which resolves to the value "cainjector").
#### **serviceAccount.create** ~ `bool`
> Default value:
@ -421,7 +421,7 @@ ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval
Additional command line flags to pass to cert-manager controller binary. To see all available flags run `docker run quay.io/jetstack/cert-manager-controller:<version> --help`.
Use this flag to enable or disable arbitrary controllers. For example, to disable the CertificiateRequests approver.
Use this flag to enable or disable arbitrary controllers. For example, to disable the CertificateRequests approver.
For example:
@ -662,7 +662,7 @@ enableServiceLinks indicates whether information about services should be inject
Enable Prometheus monitoring for the cert-manager controller and webhook. If you use the Prometheus Operator, set prometheus.podmonitor.enabled or prometheus.servicemonitor.enabled, to create a PodMonitor or a
ServiceMonitor resource.
Otherwise, 'prometheus.io' annotations are added to the cert-manager and cert-manager-webhook Deployments. Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in a error.
Otherwise, 'prometheus.io' annotations are added to the cert-manager and cert-manager-webhook Deployments. Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error.
#### **prometheus.servicemonitor.enabled** ~ `bool`
> Default value:
> ```yaml


@ -175,7 +175,7 @@ https://github.com/helm/helm/issues/5358
{{/*
Util function for generating the image URL based on the provided options.
IMPORTANT: This function is standarized across all charts in the cert-manager GH organization.
IMPORTANT: This function is standardized across all charts in the cert-manager GH organization.
Any changes to this function should also be made in cert-manager, trust-manager, approver-policy, ...
See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linked PRs.
*/}}


@ -567,7 +567,7 @@ subjects:
{{- end -}}
# Permission to:
# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
# - Update and sign CertificateSigningRequests referencing cert-manager.io Issuers and ClusterIssuers
# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole


@ -643,7 +643,7 @@
},
"helm-values.extraArgs": {
"default": [],
"description": "Additional command line flags to pass to cert-manager controller binary. To see all available flags run `docker run quay.io/jetstack/cert-manager-controller:<version> --help`.\n\nUse this flag to enable or disable arbitrary controllers. For example, to disable the CertificiateRequests approver.\n\nFor example:\nextraArgs:\n - --controllers=*,-certificaterequests-approver",
"description": "Additional command line flags to pass to cert-manager controller binary. To see all available flags run `docker run quay.io/jetstack/cert-manager-controller:<version> --help`.\n\nUse this flag to enable or disable arbitrary controllers. For example, to disable the CertificateRequests approver.\n\nFor example:\nextraArgs:\n - --controllers=*,-certificaterequests-approver",
"items": {},
"type": "array"
},
@ -991,7 +991,7 @@
},
"helm-values.prometheus.enabled": {
"default": true,
"description": "Enable Prometheus monitoring for the cert-manager controller and webhook. If you use the Prometheus Operator, set prometheus.podmonitor.enabled or prometheus.servicemonitor.enabled, to create a PodMonitor or a\nServiceMonitor resource.\nOtherwise, 'prometheus.io' annotations are added to the cert-manager and cert-manager-webhook Deployments. Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in a error.",
"description": "Enable Prometheus monitoring for the cert-manager controller and webhook. If you use the Prometheus Operator, set prometheus.podmonitor.enabled or prometheus.servicemonitor.enabled, to create a PodMonitor or a\nServiceMonitor resource.\nOtherwise, 'prometheus.io' annotations are added to the cert-manager and cert-manager-webhook Deployments. Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error.",
"type": "boolean"
},
"helm-values.prometheus.podmonitor": {


@ -173,7 +173,7 @@ namespace: ""
# Override the "cert-manager.name" value, which is used to annotate some of
# the resources that are created by this Chart (using "app.kubernetes.io/name").
# NOTE: There are some inconsitencies in the Helm chart when it comes to
# NOTE: There are some inconsistencies in the Helm chart when it comes to
# these annotations (some resources use eg. "cainjector.name" which resolves
# to the value "cainjector").
# +docs:property
@ -276,7 +276,7 @@ approveSignerNames:
# Additional command line flags to pass to cert-manager controller binary.
# To see all available flags run `docker run quay.io/jetstack/cert-manager-controller:<version> --help`.
#
# Use this flag to enable or disable arbitrary controllers. For example, to disable the CertificiateRequests approver.
# Use this flag to enable or disable arbitrary controllers. For example, to disable the CertificateRequests approver.
#
# For example:
# extraArgs:
@ -489,7 +489,7 @@ prometheus:
# Otherwise, 'prometheus.io' annotations are added to the cert-manager and
# cert-manager-webhook Deployments.
# Note that you can not enable both PodMonitor and ServiceMonitor as they are
# mutually exclusive. Enabling both will result in a error.
# mutually exclusive. Enabling both will result in an error.
enabled: true
servicemonitor:
@ -542,7 +542,7 @@ prometheus:
# +docs:property
endpointAdditionalProperties: {}
# Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in a error.
# Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error.
podmonitor:
# Create a PodMonitor to add cert-manager to Prometheus.
enabled: false


@ -44,7 +44,7 @@ spec:
name: Issuer
type: string
- jsonPath: .spec.username
name: Requestor
name: Requester
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].message
name: Status
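Review bot: The `name: Requestor` → `name: Requester` change on the `.spec.username` printer column is not a spelling correction in the same sense as the rest of this commit — "Requestor" is an accepted spelling — and a printer column name is user-visible: it changes the header that `kubectl get` prints for this resource, which scripts or docs that grep that output may depend on. If this CRD is generated from a `+kubebuilder:printcolumn` marker on the Go API type, that marker must be changed in the same commit or the next generation run will revert the column to `Requestor`; I cannot see from this section whether the marker is part of the 132 files touched. It would help to call out the user-facing rename explicitly in the commit message rather than folding it under "Fix typos".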


@ -428,7 +428,7 @@ spec:
re-issuance is being processed.
If set to `Never`, a private key will only be generated if one does not
already exist in the target `spec.secretName`. If one does exists but it
already exist in the target `spec.secretName`. If one does exist but it
does not have the correct algorithm or size, a warning will be raised
to await user intervention.
If set to `Always`, a private key matching the specified requirements
@ -654,7 +654,7 @@ spec:
Known condition types are `Ready` and `Issuing`.
type: array
items:
description: CertificateCondition contains condition information for an Certificate.
description: CertificateCondition contains condition information for a Certificate.
type: object
required:
- status
@ -708,7 +708,7 @@ spec:
type: integer
lastFailureTime:
description: |-
LastFailureTime is set only if the lastest issuance for this
LastFailureTime is set only if the latest issuance for this
Certificate failed and contains the time of the failure. If an
issuance has failed, the delay till the next issuance will be
calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts -


@ -528,7 +528,7 @@ spec:
description: Name of the ServiceAccount used to request a token.
type: string
hostedZoneID:
description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
type: string
region:
description: Always set the region when using AccessKeyID and SecretAccessKey
@ -784,7 +784,7 @@ spec:
type: object
properties:
annotations:
description: Annotations that should be added to the create ACME HTTP01 solver pods.
description: Annotations that should be added to the created ACME HTTP01 solver pods.
type: object
additionalProperties:
type: string
@ -1963,7 +1963,7 @@ spec:
type: object
properties:
annotations:
description: Annotations that should be added to the create ACME HTTP01 solver pods.
description: Annotations that should be added to the created ACME HTTP01 solver pods.
type: object
additionalProperties:
type: string


@ -635,7 +635,7 @@ spec:
description: Name of the ServiceAccount used to request a token.
type: string
hostedZoneID:
description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
type: string
region:
description: Always set the region when using AccessKeyID and SecretAccessKey
@ -891,7 +891,7 @@ spec:
type: object
properties:
annotations:
description: Annotations that should be added to the create ACME HTTP01 solver pods.
description: Annotations that should be added to the created ACME HTTP01 solver pods.
type: object
additionalProperties:
type: string
@ -2070,7 +2070,7 @@ spec:
type: object
properties:
annotations:
description: Annotations that should be added to the create ACME HTTP01 solver pods.
description: Annotations that should be added to the created ACME HTTP01 solver pods.
type: object
additionalProperties:
type: string


@ -635,7 +635,7 @@ spec:
description: Name of the ServiceAccount used to request a token.
type: string
hostedZoneID:
description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
type: string
region:
description: Always set the region when using AccessKeyID and SecretAccessKey
@ -891,7 +891,7 @@ spec:
type: object
properties:
annotations:
description: Annotations that should be added to the create ACME HTTP01 solver pods.
description: Annotations that should be added to the created ACME HTTP01 solver pods.
type: object
additionalProperties:
type: string
@ -2070,7 +2070,7 @@ spec:
type: object
properties:
annotations:
description: Annotations that should be added to the create ACME HTTP01 solver pods.
description: Annotations that should be added to the created ACME HTTP01 solver pods.
type: object
additionalProperties:
type: string


@ -243,14 +243,14 @@ rejected by the API server.
Setting the Approved or Denied conditions are restricted by the approver having
sufficient RBAC permissions. These permissions are based upon the request
itself- specifically the request's IssuerRef:
itself - specifically the request's IssuerRef:
```yaml
apiGroups: ["cert-manager.io"]
resources: ["signers"]
verbs: ["approve"]
resourceNames:
# namesapced signers
# namespaced signers
- "<signer-resource-types>.<signer-group>/<signer-namespace>.<signer-name>"
# cluster scoped signers
- "<signer-resource-types>.<signer-group>/<signer-name>"
@ -363,7 +363,7 @@ The webhook will keep a cache of the [Discovery
API](https://github.com/kubernetes/client-go/blob/f6ce18ae578c8cca64d14ab9687824d9e1305a67/discovery/discovery_client.go#L55)
which will be used to determine whether a referenced signer is namespaced or
not. If it is namespaced, the `<signer-namespace>` will be populated with the
namesapce that the CertificateRequest resides in. If the scope of the resource
namespace that the CertificateRequest resides in. If the scope of the resource
cannot be determined, the request will be rejected.


@ -241,7 +241,7 @@ resources that are owned by Certificates.
* Delete all owned Secret resources with the `cert-manager.io/next-private-key: "true"`
* Ensure `status.nextPrivateKeySecretName` is unset - we may want to
consider not doing this in case a user has manually specified this field
and pointed it at an 'un-owned' Secret. This depends whether we want to
and pointed it at an 'un-owned' Secret. This depends on whether we want to
support this as a mode of operation.
When creating a 'next private key' Secret resource, the


@ -168,13 +168,13 @@ rules:
[Until 1.22](https://github.com/kubernetes/kubernetes/pull/99494)
`CertificateSigningRequests` did not include a `duration` field. To have parity
with the `CertificateRequest` resource, the duration field will be moved to the
annotation `experimental.cert-manager.io/request-duration` who's value is a [Go
annotation `experimental.cert-manager.io/request-duration` whose value is a [Go
time duration string](https://golang.org/pkg/time/#Duration.String).
When 1.22 is released, cert-manager can optimistically read the
`expirationSeconds` `CertificateSigningRequest` field to discover the requested
duration. If this field hasn't been set or the user is using an older version of
Kubernetes, cert-manager can fallback to this annotation.
Kubernetes, cert-manager can fall back to this annotation.
### CA Field


@ -46,7 +46,7 @@ created.
## Motivation
Currently failed issuances are retried once an hour without a backoff or time limit. This means that 1) continuous failures in large installations can overwhelm external services 2) rate limits can be easily hit in case of longer lasting issuance problems (see [Let'sEncrypt rate limts](https://letsencrypt.org/docs/rate-limits/))
Currently failed issuances are retried once an hour without a backoff or time limit. This means that 1) continuous failures in large installations can overwhelm external services 2) rate limits can be easily hit in case of longer lasting issuance problems (see [Let'sEncrypt rate limits](https://letsencrypt.org/docs/rate-limits/))
### Goals
@ -80,7 +80,7 @@ Similarly to [`status.LastFailureTime`](https://github.com/jetstack/cert-manager
`IssuanceAttempts` will be set by [`certificates-issuing` controller](https://github.com/jetstack/cert-manager/tree/ce1424162ea4f363bdb7aa4f201432ec63da1145/pkg/controller/certificates/issuing) after a failed issuance by either bumping the already existing value by 1 or setting it to 1 (first failure). In case of a succeeded issuance, `certificates-issuing` controller will ensure that `status.IssuanceAttempts` is not set.
The delay till the next issuance will then be calculated by [`certificates-trigger` controller](https://github.com/jetstack/cert-manager/tree/ce1424162ea4f363bdb7aa4f201432ec63da1145/pkg/controller/certificates/trigger) using the formula `if status.LastFailureTime != nil then next_issuance_attempt_time = status.LastFailureTime + time.Hour x 2 ^ (status.IssuanceAttempts- 1)` (binary exponential- so the sequence will be 1h, 2h, 4h, 8h etc). This ensures that the first delay is 1 hour from the last failure time which is the current behaviour. In case of continuous failures, the delay should keep increasing up to a maximum backoff period of 32h, after which it should be retried every 32h whilst the failures persist.
The delay till the next issuance will then be calculated by [`certificates-trigger` controller](https://github.com/jetstack/cert-manager/tree/ce1424162ea4f363bdb7aa4f201432ec63da1145/pkg/controller/certificates/trigger) using the formula `if status.LastFailureTime != nil then next_issuance_attempt_time = status.LastFailureTime + time.Hour x 2 ^ (status.IssuanceAttempts - 1)` (binary exponential, so the sequence will be 1h, 2h, 4h, 8h etc). This ensures that the first delay is 1 hour from the last failure time which is the current behaviour. In case of continuous failures, the delay should keep increasing up to a maximum backoff period of 32h, after which it should be retried every 32h whilst the failures persist.
### API changes


@ -170,11 +170,11 @@ Some fields, such as the Certificate Issuing Condition are managed by more than
one controller (issuing and trigger Certificate controllers, and cmctl), and as
such, will need to make use of the `force` parameter in their API calls. This
option tells the API server to revoke management of that field from the previous
owner, overwrite the field, and change owner ship to the new client. Since some
owner, overwrite the field, and change ownership to the new client. Since some
fields, such as the Issuing Condition, may have an undefined number of potential
managers (both internal and external to the cert-manager controller), using the
same manager for things is not a possibility. You can read more about the
`force` paramerter on the Kubernetes documentation on
`force` parameter on the Kubernetes documentation on
[Server-Side Apply](https://kubernetes.io/docs/reference/using-api/server-side-apply/),
and in particular the
[Conflicts](https://kubernetes.io/docs/reference/using-api/server-side-apply/#conflicts)


@ -128,7 +128,7 @@ The affected controllers appear to be those which have an `accounts.Getter`:
- [acmeorders](https://github.com/cert-manager/cert-manager/blob/c16b3cca7b418ba0d0b2bf1066514b8762984517/pkg/controller/acmeorders/controller.go#L50)
These timeouts have two issues. One is that the location they're added is unintuitive; the timeouts are added in
_logging_ middleware which which doesn't otherwise mention that it also introduces timeouts.
_logging_ middleware which doesn't otherwise mention that it also introduces timeouts.
That's confusing; we might reasonably expect a timeout on writing the logs themselves (i.e. the actual operation of
writing to a log) but this functionality doesn't manage that.
@ -214,7 +214,7 @@ The idea here is "if it's good enough for crossplane why should it not be good e
The current cert-manager timeouts are arbitrary. Likely the crossplane timeouts are also arbitrary. We can at least
have confidence that a big project with a tonne of controllers and CRDs is using longer timeouts and clearly not seeing
world-ending problems, and people want to _increase_ the timeouts from that base too, as envidenced by the above open
world-ending problems, and people want to _increase_ the timeouts from that base too, as evidenced by the above open
issue.
Another relevant timeout is certbot, which has a [45s](https://github.com/certbot/certbot/blob/295fc5e33a68c945d2f62e84ed8e6aaecfe93102/acme/acme/client.py#L46)


@ -91,7 +91,7 @@ This proposal suggests a mechanism how to avoid caching cert-manager unrelated `
- use the same mechanism to improve memory consumption by cainjector. This proposal focuses on controller only as it is the more complex part however we need to fix this problem in cainjector too and it would be nice to be consistent
> 📖 Update: In [#7161: Reduce memory usage by only caching the metadata of Secret resources](https://github.com/cert-manager/cert-manager/pull/716199)
> we addressed the high startup memory usage of cainjector with metatdata-only caching features of controller-runtime.
> we addressed the high startup memory usage of cainjector with metadata-only caching features of controller-runtime.
> We did not use the split cache design that was implemented for the
> controller, and this contradicts the goal above: "use the same mechanism to
> improve memory consumption by cainjector ... to be consistent".
@ -140,7 +140,7 @@ cert-manager needs to watch all `Secret`s in the cluster because some user creat
- in some cases a missing `Secret` does not cause issuer reconcile ([such as a missing ACME EAB key where we explicitly rely on `Secret` events to retry issuer setup](https://github.com/cert-manager/cert-manager/blob/v1.10.1/pkg/issuer/acme/setup.go#L228)). In this case, it is more efficient as well as a better user experience to reconcile on `Secret` creation event as that way we avoid wasting CPU cycles whilst waiting for the user to create the `Secret` and when the `Secret` does get created, the issuer will be reconciled immediately.
The caching mechanim is required for ensuring quick issuance and not taking too much of kube apiserver's resources. `Secret`s with the issued X.509 certificates and with temporary private keys get retrieved a number of times during issuance and all the control loops involved in issuance need full `Secret` data. Currently the `Secret`s are retrieved from informers cache. Retrieving them from kube apiserver would mean a large number of additional calls to kube apiserver, which is undesirable. The default cert-manager installation uses a rate-limited client (20QPS with a burst of 50). There is also server-side [API Priority and Fairness system](https://kubernetes.io/docs/concepts/cluster-administration/flow-control/) that prevents rogue clients from overwhelming kube apiserver. Both these mechanisms mean that the result of a large number of additional calls will be slower issuance as cert-manager will get rate limited (either client-side or server-side). The rate limiting can be modified to allow higher throughput for cert-manager, but this would have an impact of kube apiserver's availability for other tenants - so in either case additional API calls would have a cost for the user.
The caching mechanism is required for ensuring quick issuance and not taking too much of kube apiserver's resources. `Secret`s with the issued X.509 certificates and with temporary private keys get retrieved a number of times during issuance and all the control loops involved in issuance need full `Secret` data. Currently the `Secret`s are retrieved from informers cache. Retrieving them from kube apiserver would mean a large number of additional calls to kube apiserver, which is undesirable. The default cert-manager installation uses a rate-limited client (20QPS with a burst of 50). There is also server-side [API Priority and Fairness system](https://kubernetes.io/docs/concepts/cluster-administration/flow-control/) that prevents rogue clients from overwhelming kube apiserver. Both these mechanisms mean that the result of a large number of additional calls will be slower issuance as cert-manager will get rate limited (either client-side or server-side). The rate limiting can be modified to allow higher throughput for cert-manager, but this would have an impact of kube apiserver's availability for other tenants, so in either case additional API calls would have a cost for the user.
### User Stories
@ -242,9 +242,9 @@ func (f *filteredSecretsInformer) Lister() corelisters.SecretLister {
}
func newFilteredSecretsInformer(client kubernetes.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
secretLabelSeclector, _ := knownCertManagerSecretLabelSelector()
secretLabelSelector, _ := knownCertManagerSecretLabelSelector()
return coreinformers.NewFilteredSecretInformer(client, "", resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, func(listOptions *metav1.ListOptions) {
listOptions.LabelSelector = secretLabelSeclector
listOptions.LabelSelector = secretLabelSelector
})
}
@ -315,7 +315,7 @@ The tests were run on a kind cluster.
#### Cluster with large cert-manager unrelated secrets
Test the memory spike caused by the inital LIST-ing of `Secret`s, the size of cache after the inital LIST has been processed and a spike caused by changes to `Secret` resources.
Test the memory spike caused by the initial LIST-ing of `Secret`s, the size of cache after the initial LIST has been processed and a spike caused by changes to `Secret` resources.
##### cert-manager v1.11
@ -327,11 +327,11 @@ Install cert-manager from [latest master with client-go metrics enabled](https:/
Wait for cert-manager to start and populate the caches.
Apply a label to all `Secret`s to initate cache resync:
Apply a label to all `Secret`s to initiate cache resync:
![alt text](/design/images/20221205-memory-management/labelsecret.png)
Observe that memory consumption spikes on controller startup when all `Secret`s are initally listed, there is a second smaller spike around the time the `Secret`s got labelled and that memory consumption remains high:
Observe that memory consumption spikes on controller startup when all `Secret`s are initially listed, there is a second smaller spike around the time the `Secret`s got labelled and that memory consumption remains high:
![alt text](/design/images/20221205-memory-management/latestmastersecrets.png)
@ -345,7 +345,7 @@ Deploy cert-manager from [partial metadata prototype](https://github.com/irbekrm
Wait for cert-manager to start and populate the caches.
Apply a label to all `Secret`s to initate cache resync:
Apply a label to all `Secret`s to initiate cache resync:
![alt text](/design/images/20221205-memory-management/labelsecret.png)
@ -530,7 +530,7 @@ There are a number of existing upstream mechanisms how to limit what gets stored
Filtering which objects get watched using [label or field selectors](https://github.com/kubernetes/apimachinery/blob/v0.26.0/pkg/apis/meta/v1/types.go#L328-L332). These selectors allow to filter what resources are retrieved during the initial list call and watch calls to kube apiserver by informer's `ListerWatcher` component (and therefore will end up in the cache). client-go informer factory allows configuring individual informers with [list options](https://github.com/kubernetes/client-go/blob/v12.0.0/informers/factory.go#L78-L84) that will be used [for list and watch calls](https://github.com/kubernetes/client-go/blob/v12.0.0/informers/core/v1/secret.go#L59-L72).
This mechanism is used by other projects that use client-go controllers, for example [istio](https://github.com/istio/istio/blob/1.16.0/pilot/pkg/status/distribution/state.go#L100-L103).
The same filtering mechanism is [also available for cert-manager.io resources](https://github.com/cert-manager/cert-manager/blob/v1.10.1/pkg/client/informers/externalversions/factory.go#L63-L69). We shouldn't need to filter what cert-manager.io resoruces we watch though.
The same filtering mechanism is [also available for cert-manager.io resources](https://github.com/cert-manager/cert-manager/blob/v1.10.1/pkg/client/informers/externalversions/factory.go#L63-L69). We shouldn't need to filter what cert-manager.io resources we watch though.
This mechanism seems the most straightforward to use, but currently we don't have a way to identify all resources (secrets) we need to watch using a label or field selector, see [###Secrets].
##### Partial object metadata
@ -616,15 +616,15 @@ This would need to start as an alpha feature and would require alpha/beta testin
[Here](https://github.com/irbekrm/cert-manager/tree/experimental_transform_funcs) is a prototype of this solution.
In the prototype [`Secrets Transformer` function](https://github.com/irbekrm/cert-manager/blob/d44d4ed2e27fb9b7695a74ae254113f3166aadb4/pkg/controller/util.go#L219-L238)
is the tranform that gets applied to all `Secret`s before they are cached. If a `Secret` does not have any known cert-manager labels or annotations it removes `data`, `metada.managedFields` and `metadata.Annotations` and applies a `cert-manager.io/metadata-only` label.
[`SecretGetter`](https://github.com/irbekrm/cert-manager/blob/d44d4ed2e27fb9b7695a74ae254113f3166aadb4/pkg/controller/util.go#L241-L261) is used by any control loop that needs to GET a `Secret`. It retrieves it from kube apiserver or cache dependign on whether `cert-manager.io/metadata-only` label was found.
is the transform that gets applied to all `Secret`s before they are cached. If a `Secret` does not have any known cert-manager labels or annotations it removes `data`, `metadata.managedFields` and `metadata.Annotations` and applies a `cert-manager.io/metadata-only` label.
[`SecretGetter`](https://github.com/irbekrm/cert-manager/blob/d44d4ed2e27fb9b7695a74ae254113f3166aadb4/pkg/controller/util.go#L241-L261) is used by any control loop that needs to GET a `Secret`. It retrieves it from kube apiserver or cache depending on whether `cert-manager.io/metadata-only` label was found.
#### Drawbacks
- All cluster `Secret`s are still listed
- The transform functions only get run before the object is placed into informer's cache. The full object will be in controller's memory for a period of time before that (in DeltaFIFO store (?)). So the users will still see memory spikes when events related to cert-manager unrelated cluster `Secret`s occur.
See performance of the protototype:
See performance of the prototype:
Create 300 cert-manager unrelated `Secret`s of size ~1Mb:
@ -636,7 +636,7 @@ Wait for cert-manager caches to sync, then run a command to label all `Secret`s
![alt text](/design/images/20221205-memory-management/labelsecret.png)
Observe that altough altogether memory consumption remains quite low, there is a spike corresponding to the initial listing of `Secret`s:
Observe that although altogether memory consumption remains quite low, there is a spike corresponding to the initial listing of `Secret`s:
![alt text](/design/images/20221205-memory-management/transformfunctionsgrafana.png)
@ -672,17 +672,17 @@ LIST calls to kube apiserver can be [paginated](https://kubernetes.io/docs/refer
Perhaps not getting all objects at once on the initial LIST would limit the spike in memory when cert-manager controller starts up.
However, currently it is not possible to paginate the initial LISTs made by client-go informers.
Although it is possible to set [page limit](https://github.com/kubernetes/apimachinery/blob/v0.26.0/pkg/apis/meta/v1/types.go#L371-L387) when creating a client-go informer factory or an individual informer, this will in practice not be used for the inital LIST.
Although it is possible to set [page limit](https://github.com/kubernetes/apimachinery/blob/v0.26.0/pkg/apis/meta/v1/types.go#L371-L387) when creating a client-go informer factory or an individual informer, this will in practice not be used for the initial LIST.
LIST requests can be served either from etcd or [kube apiserver watch cache](https://github.com/kubernetes/apiserver/tree/v0.26.0/pkg/storage/cacher).
Watch cache does not support pagination, so if a request is forwarded to the cache, the response will contain a full list.
Client-go makes the inital LIST request [with resource version 0](https://github.com/kubernetes/client-go/blob/v0.26.0/tools/cache/reflector.go#L592-L596) for performance reasons (to ensure that watch cache is used) and this results in [the response being served from kube apiserver watch cache](https://github.com/kubernetes/apiserver/blob/v0.26.0/pkg/storage/cacher/cacher.go#L621-L635).
Client-go makes the initial LIST request [with resource version 0](https://github.com/kubernetes/client-go/blob/v0.26.0/tools/cache/reflector.go#L592-L596) for performance reasons (to ensure that watch cache is used) and this results in [the response being served from kube apiserver watch cache](https://github.com/kubernetes/apiserver/blob/v0.26.0/pkg/storage/cacher/cacher.go#L621-L635).
There is currently an open PR to implement pagination from watch cache https://github.com/kubernetes/kubernetes/pull/108392.
### Filter the Secrets to watch with a label
Only watch `Secret`s with known `cert-manager.io` labels. Ensure that label gets applied to all `Secret`s we manage (such as `spec.secretName` `Secret` for `Certificate`).
We already ensure that all `spec.secretName` `Secret`s get annotated when synced- we can use the same mechanism to apply a label.
We already ensure that all `spec.secretName` `Secret`s get annotated when synced - we can use the same mechanism to apply a label.
Users will have to ensure that `Secret`s they create are labelled.
We can help them to discover which `Secret`s that are currently deployed to cluster and need labelling with a `cmctl` command.
In terms of resource consumption and calls to apiserver, this would be the most efficient solution (only relevant `Secret`s are being listed/watched/cached and all relevant `Secret`s are cached in full).
@ -705,7 +705,7 @@ It might work well for cases where 'known' selectors need to be passed that we c
#### Drawbacks
- bad user experience- no straightforward way to tell if the selector actually does what was expected and an easy footgun especially when users attempt to specify which `Secret`s _should_ (rather than _shouldn't_) be watched
- bad user experience - no straightforward way to tell if the selector actually does what was expected and an easy footgun especially when users attempt to specify which `Secret`s _should_ (rather than _shouldn't_) be watched
- users should aim to use 'negative' selectors, but that be complicated if there is a large number of random `Secret`s in cluster that don't have a unifying selector


@ -78,7 +78,7 @@ Since we have one `go.mod` file for all of our built binaries, it's not possible
either. If, say, only the `controller` component were to report as having a critical vulnerability, we'd have no
way of fixing only that one vulnerability while leaving everything else untouched.
Essentially, our current project layout forces us to made difficult choices whenever we need to upgrade things.
Essentially, our current project layout forces us to make difficult choices whenever we need to upgrade things.
### Problem Example
@ -189,7 +189,7 @@ require (
```
To be clear: using replace directives like this will break anyone who tries to import the `github.com/cert-manager/cert-manager/controller-binary`
module - or anyone who was previously importing `github.com/cert-manager/cert-manager/cmd/controller` before this proposal.
module or anyone who was previously importing `github.com/cert-manager/cert-manager/cmd/controller` before this proposal.
## Potential Issues
@ -219,7 +219,7 @@ This would mean that we create two PRs for a change; the first changes the core
module to import the new core module version created by the previous PR.
UPDATE: As we implemented this design, it was decided that we didn't want to break imports of `cmctl` because it was
used in several other cert-manager subprojects - so cmctl uses the approach described above.
used in several other cert-manager subprojects, so cmctl uses the approach described above.
#### Potential Solution for Developer Experience: Dynamic `go.work`
@ -269,14 +269,14 @@ Since there are two types of code in `test/`, we can split it.
There are [known external importers](https://pkg.go.dev/github.com/cert-manager/cert-manager@v1.11.0/test/unit/gen?tab=importedby)
of `test/unit/` which means it's difficult to move that without breaking people.
As such, we could move test/e2e and test/integration - or we could make them both independent modules and keep them
As such, we could move test/e2e and test/integration or we could make them both independent modules and keep them
where they are.
The diff for the main repository `go.mod` after separating out the tests is presented in footnote [2].
### Increased Time to Patch Everything
Having multiple go.mod files wil mean that when we share a dependency across many components (such as the Kubernetes
Having multiple go.mod files will mean that when we share a dependency across many components (such as the Kubernetes
libraries) we'll have to update multiple files rather than just one. Alternatively, if we update a dependency for the
core `go.mod` file we'll maybe want to also update every other go.mod which imports that one.


@ -44,7 +44,7 @@ This reduces configuration duplication, and allows the cluster owner to delegate
Currently, the gateway-shim only looks at the `hostname` in [`Listener`](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.Listener).
This field is optional, and its purpose is to filter which hostnames routes are allowed to match.
This double-configuration allows the cluster owner to set allowed hostnames in `GatewaySpec`, while individual site owners update their `HTTPRouteSpec`.
In cases where this permission model is unnecessary (either because all hostnames are allowed, or because the cluster and site owners are the same team,) this leads to awkward duplication.
In cases where this permission model is unnecessary (either because all hostnames are allowed, or because the cluster and site owners are the same team), this leads to awkward duplication.
As with any configuration duplication, it is easy to miss an update in one place, causing difficult-to-find bugs, and requiring teams to maintain more internal documentation.
E.g. Envoy Gateway already supports running a `Gateway` without hostnames in the `Listener`.


@ -44,7 +44,7 @@ The open-source Scarf Gateway is the power behind the Scarf platform. The Scarf
- Update helm charts referencing "jetstack" binary paths, replacing with the new download domain.
- Update code referencing "jetstack" binary paths, replacing with the new download domain.
- Add Scarf pixels to selective documentation pages, giving us insight into which pages are most useful or areas to focus on for improvement.
- Automate regular analytics gathering leveraging the Scarf API to publish relevant stats and info publically. E.g.
- Automate regular analytics gathering leveraging the Scarf API to publish relevant stats and info publicly. E.g.
- Region
- Operating System
- Container Tags / Versions


@ -1,5 +1,5 @@
<!--
This template is adapted from Kubernetes Enchancements KEP template https://raw.githubusercontent.com/kubernetes/enhancements/a86942e8ba802d0035ec7d4a9c992f03bca7dce9/keps/NNNN-kep-template/README.md
This template is adapted from Kubernetes Enhancements KEP template https://raw.githubusercontent.com/kubernetes/enhancements/a86942e8ba802d0035ec7d4a9c992f03bca7dce9/keps/NNNN-kep-template/README.md
-->
# Proposal: add "helm.sh/resource-policy: keep" CRD annotation and uniformise CRD options.
@ -73,7 +73,7 @@ This is where we get down to the specifics of what the proposal actually is.
What is the desired outcome and how do we measure success?
This should have enough detail that reviewers can understand exactly what
you're proposing, but should not include things like API designs or
implementation- those should go into "Design Details" below.
implementation - those should go into "Design Details" below.
-->
I would like to introduce the following options to all Helm charts that install CRDs (based on https://github.com/cert-manager/cert-manager/pull/5777):
@ -133,5 +133,5 @@ not need to be as detailed as the proposal, but should include enough
information to express the idea and why it was not acceptable.
-->
Install CRDs seperately (eg. using `kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.1/cert-manager.crds.yaml` or using a seperate Helm chart) and manage them seperately from the Helm chart.
This would require us to publish a seperate Helm chart for the CRDs or a static manifest for the CRDs.
Install CRDs separately (eg. using `kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.1/cert-manager.crds.yaml` or using a separate Helm chart) and manage them separately from the Helm chart.
This would require us to publish a separate Helm chart for the CRDs or a static manifest for the CRDs.


@ -87,7 +87,7 @@ This is where we get down to the specifics of what the proposal actually is.
What is the desired outcome and how do we measure success?
This should have enough detail that reviewers can understand exactly what
you're proposing, but should not include things like API designs or
implementation- those should go into "Design Details" below.
implementation - those should go into "Design Details" below.
-->
### User Stories (Optional)


@ -110,7 +110,7 @@ This is where we get down to the specifics of what the proposal actually is.
What is the desired outcome and how do we measure success?
This should have enough detail that reviewers can understand exactly what
you're proposing, but should not include things like API designs or
implementation- those should go into "Design Details" below.
implementation - those should go into "Design Details" below.
-->
### Risks and Mitigations


@ -174,7 +174,7 @@ const (
Processing State = "processing"
// Invalid signifies that an ACME resource is invalid for some reason.
// If an Order is marked 'invalid', one of its validations be have invalid for some reason.
// If an Order is marked 'invalid', one of its validations must be invalid for some reason.
// This is a final state.
Invalid State = "invalid"


@ -80,7 +80,7 @@ This is where we get down to the specifics of what the proposal actually is.
What is the desired outcome and how do we measure success?
This should have enough detail that reviewers can understand exactly what
you're proposing, but should not include things like API designs or
implementation- those should go into "Design Details" below.
implementation - those should go into "Design Details" below.
-->
### User Stories (Optional)


@ -19,7 +19,7 @@ set -eu -o pipefail
# This script fetches the latest sha256 digest of each base image for each architecture we support on servers
# and writes those hashes to Makefile-formatted variables for use in Makefiles.
# This in turn allows us to easily update all base images to their latest versions, while mantaining the use
# This in turn allows us to easily update all base images to their latest versions, while maintaining the use
# of digests rather than tags when we refer to these base images.
CRANE=crane


@ -96,7 +96,7 @@ $kubectl wait --for=condition=Ready cert/test1 --timeout=180s
# 2. BUILD AND UPGRADE TO HELM CHART FROM THE CURRENT MASTER
# e2e-setup-certamanager both builds and deploys the latest available chart based on the current checkout
# e2e-setup-certmanager both builds and deploys the latest available chart based on the current checkout
make e2e-setup-certmanager
# Wait for the cert-manager api to be available


@ -279,7 +279,7 @@ type ACMEChallengeSolverHTTP01IngressPodTemplate struct {
}
type ACMEChallengeSolverHTTP01IngressPodObjectMeta struct {
// Annotations that should be added to the create ACME HTTP01 solver pods.
// Annotations that should be added to the created ACME HTTP01 solver pods.
Annotations map[string]string
// Labels that should be added to the created ACME HTTP01 solver pods.
@ -531,7 +531,7 @@ type ACMEIssuerDNS01ProviderRoute53 struct {
// or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
Role string
// If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
// If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
HostedZoneID string
// Always set the region when using AccessKeyID and SecretAccessKey


@ -204,7 +204,7 @@ const (
Processing State = "processing"
// Invalid signifies that an ACME resource is invalid for some reason.
// If an Order is marked 'invalid', one of its validations be have invalid for some reason.
// If an Order is marked 'invalid', one of its validations must be invalid for some reason.
// This is a final state.
Invalid State = "invalid"


@ -305,7 +305,7 @@ type ACMEChallengeSolverHTTP01IngressPodTemplate struct {
}
type ACMEChallengeSolverHTTP01IngressPodObjectMeta struct {
// Annotations that should be added to the create ACME HTTP01 solver pods.
// Annotations that should be added to the created ACME HTTP01 solver pods.
// +optional
Annotations map[string]string `json:"annotations,omitempty"`
@ -582,7 +582,7 @@ type ACMEIssuerDNS01ProviderRoute53 struct {
// +optional
Role string `json:"role,omitempty"`
// If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
// If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
// +optional
HostedZoneID string `json:"hostedZoneID,omitempty"`


@ -221,7 +221,7 @@ const (
Processing State = "processing"
// Invalid signifies that an ACME resource is invalid for some reason.
// If an Order is marked 'invalid', one of its validations be have invalid for some reason.
// If an Order is marked 'invalid', one of its validations must be invalid for some reason.
// This is a final state.
Invalid State = "invalid"


@ -305,7 +305,7 @@ type ACMEChallengeSolverHTTP01IngressPodTemplate struct {
}
type ACMEChallengeSolverHTTP01IngressPodObjectMeta struct {
// Annotations that should be added to the create ACME HTTP01 solver pods.
// Annotations that should be added to the created ACME HTTP01 solver pods.
// +optional
Annotations map[string]string `json:"annotations,omitempty"`
@ -582,7 +582,7 @@ type ACMEIssuerDNS01ProviderRoute53 struct {
// +optional
Role string `json:"role,omitempty"`
// If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
// If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
// +optional
HostedZoneID string `json:"hostedZoneID,omitempty"`


@ -221,7 +221,7 @@ const (
Processing State = "processing"
// Invalid signifies that an ACME resource is invalid for some reason.
// If an Order is marked 'invalid', one of its validations be have invalid for some reason.
// If an Order is marked 'invalid', one of its validations must be invalid for some reason.
// This is a final state.
Invalid State = "invalid"


@ -304,7 +304,7 @@ type ACMEChallengeSolverHTTP01IngressPodTemplate struct {
}
type ACMEChallengeSolverHTTP01IngressPodObjectMeta struct {
// Annotations that should be added to the create ACME HTTP01 solver pods.
// Annotations that should be added to the created ACME HTTP01 solver pods.
// +optional
Annotations map[string]string `json:"annotations,omitempty"`
@ -581,7 +581,7 @@ type ACMEIssuerDNS01ProviderRoute53 struct {
// +optional
Role string `json:"role,omitempty"`
// If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
// If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
// +optional
HostedZoneID string `json:"hostedZoneID,omitempty"`


@ -222,7 +222,7 @@ const (
Processing State = "processing"
// Invalid signifies that an ACME resource is invalid for some reason.
// If an Order is marked 'invalid', one of its validations be have invalid for some reason.
// If an Order is marked 'invalid', one of its validations must be invalid for some reason.
// This is a final state.
Invalid State = "invalid"


@ -291,7 +291,7 @@ type CertificatePrivateKey struct {
// re-issuance is being processed.
//
// If set to `Never`, a private key will only be generated if one does not
// already exist in the target `spec.secretName`. If one does exists but it
// already exist in the target `spec.secretName`. If one does exist but it
// does not have the correct algorithm or size, a warning will be raised
// to await user intervention.
// If set to `Always`, a private key matching the specified requirements
@ -335,7 +335,7 @@ type PrivateKeyRotationPolicy string
var (
// RotationPolicyNever means a private key will only be generated if one
// does not already exist in the target `spec.secretName`.
// If one does exists but it does not have the correct algorithm or size,
// If one does exist but it does not have the correct algorithm or size,
// a warning will be raised to await user intervention.
RotationPolicyNever PrivateKeyRotationPolicy = "Never"
@ -482,7 +482,7 @@ type CertificateStatus struct {
// Known condition types are `Ready` and `Issuing`.
Conditions []CertificateCondition
// LastFailureTime is set only if the lastest issuance for this
// LastFailureTime is set only if the latest issuance for this
// Certificate failed and contains the time of the failure. If an
// issuance has failed, the delay till the next issuance will be
// calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts -
@ -534,7 +534,7 @@ type CertificateStatus struct {
FailedIssuanceAttempts *int
}
// CertificateCondition contains condition information for an Certificate.
// CertificateCondition contains condition information for a Certificate.
type CertificateCondition struct {
// Type of the condition, known values are (`Ready`, `Issuing`).
Type CertificateConditionType
@ -562,7 +562,7 @@ type CertificateCondition struct {
ObservedGeneration int64
}
// CertificateConditionType represents an Certificate condition value.
// CertificateConditionType represents a Certificate condition value.
type CertificateConditionType string
const (


@ -196,7 +196,7 @@ type CertificateRequestCondition struct {
Message string
}
// CertificateRequestConditionType represents an Certificate condition value.
// CertificateRequestConditionType represents a Certificate condition value.
type CertificateRequestConditionType string
const (


@ -203,7 +203,7 @@ type CertificateSpec struct {
// and will default to `256` if not specified.
// No other values are allowed.
// +optional
KeySize int `json:"keySize,omitempty"` // Validated by webhook. Be mindful of adding OpenAPI validation- see https://github.com/cert-manager/cert-manager/issues/3644 .
KeySize int `json:"keySize,omitempty"` // Validated by webhook. Be mindful of adding OpenAPI validation - see https://github.com/cert-manager/cert-manager/issues/3644 .
// KeyAlgorithm is the private key algorithm of the corresponding private key
// for this certificate. If provided, allowed values are either `rsa` or `ecdsa`
@ -276,7 +276,7 @@ type CertificatePrivateKey struct {
// RotationPolicy controls how private keys should be regenerated when a
// re-issuance is being processed.
// If set to Never, a private key will only be generated if one does not
// already exist in the target `spec.secretName`. If one does exists but it
// already exist in the target `spec.secretName`. If one does exist but it
// does not have the correct algorithm or size, a warning will be raised
// to await user intervention.
// If set to Always, a private key matching the specified requirements
@ -293,7 +293,7 @@ type PrivateKeyRotationPolicy string
var (
// RotationPolicyNever means a private key will only be generated if one
// does not already exist in the target `spec.secretName`.
// If one does exists but it does not have the correct algorithm or size,
// If one does exist but it does not have the correct algorithm or size,
// a warning will be raised to await user intervention.
RotationPolicyNever PrivateKeyRotationPolicy = "Never"
@ -468,7 +468,7 @@ type CertificateStatus struct {
FailedIssuanceAttempts *int `json:"failedIssuanceAttempts,omitempty"`
}
// CertificateCondition contains condition information for an Certificate.
// CertificateCondition contains condition information for a Certificate.
type CertificateCondition struct {
// Type of the condition, known values are (`Ready`, `Issuing`).
Type CertificateConditionType `json:"type"`
@ -500,7 +500,7 @@ type CertificateCondition struct {
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
}
// CertificateConditionType represents an Certificate condition value.
// CertificateConditionType represents a Certificate condition value.
type CertificateConditionType string
const (


@ -180,7 +180,7 @@ type CertificateRequestCondition struct {
Message string `json:"message,omitempty"`
}
// CertificateRequestConditionType represents an Certificate condition value.
// CertificateRequestConditionType represents a Certificate condition value.
type CertificateRequestConditionType string
const (


@ -201,7 +201,7 @@ type CertificateSpec struct {
// and will default to `256` if not specified.
// No other values are allowed.
// +optional
KeySize int `json:"keySize,omitempty"` // Validated by webhook. Be mindful of adding OpenAPI validation- see https://github.com/cert-manager/cert-manager/issues/3644 .
KeySize int `json:"keySize,omitempty"` // Validated by webhook. Be mindful of adding OpenAPI validation - see https://github.com/cert-manager/cert-manager/issues/3644 .
// KeyAlgorithm is the private key algorithm of the corresponding private key
// for this certificate. If provided, allowed values are either `rsa` or `ecdsa`
@ -274,7 +274,7 @@ type CertificatePrivateKey struct {
// RotationPolicy controls how private keys should be regenerated when a
// re-issuance is being processed.
// If set to Never, a private key will only be generated if one does not
// already exist in the target `spec.secretName`. If one does exists but it
// already exist in the target `spec.secretName`. If one does exist but it
// does not have the correct algorithm or size, a warning will be raised
// to await user intervention.
// If set to Always, a private key matching the specified requirements
@ -291,7 +291,7 @@ type PrivateKeyRotationPolicy string
var (
// RotationPolicyNever means a private key will only be generated if one
// does not already exist in the target `spec.secretName`.
// If one does exists but it does not have the correct algorithm or size,
// If one does exist but it does not have the correct algorithm or size,
// a warning will be raised to await user intervention.
RotationPolicyNever PrivateKeyRotationPolicy = "Never"
@ -476,7 +476,7 @@ type CertificateStatus struct {
FailedIssuanceAttempts *int `json:"failedIssuanceAttempts,omitempty"`
}
// CertificateCondition contains condition information for an Certificate.
// CertificateCondition contains condition information for a Certificate.
type CertificateCondition struct {
// Type of the condition, known values are (`Ready`, `Issuing`).
Type CertificateConditionType `json:"type"`
@ -508,7 +508,7 @@ type CertificateCondition struct {
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
}
// CertificateConditionType represents an Certificate condition value.
// CertificateConditionType represents a Certificate condition value.
type CertificateConditionType string
const (


@ -180,7 +180,7 @@ type CertificateRequestCondition struct {
Message string `json:"message,omitempty"`
}
// CertificateRequestConditionType represents an Certificate condition value.
// CertificateRequestConditionType represents a Certificate condition value.
type CertificateRequestConditionType string
const (


@ -251,7 +251,7 @@ type CertificatePrivateKey struct {
// RotationPolicy controls how private keys should be regenerated when a
// re-issuance is being processed.
// If set to Never, a private key will only be generated if one does not
// already exist in the target `spec.secretName`. If one does exists but it
// already exist in the target `spec.secretName`. If one does exist but it
// does not have the correct algorithm or size, a warning will be raised
// to await user intervention.
// If set to Always, a private key matching the specified requirements
@ -283,7 +283,7 @@ type CertificatePrivateKey struct {
// and will default to `256` if not specified.
// No other values are allowed.
// +optional
Size int `json:"size,omitempty"` // Validated by webhook. Be mindful of adding OpenAPI validation- see https://github.com/cert-manager/cert-manager/issues/3644 .
Size int `json:"size,omitempty"` // Validated by webhook. Be mindful of adding OpenAPI validation - see https://github.com/cert-manager/cert-manager/issues/3644 .
}
// Denotes how private keys should be generated or sourced when a Certificate
@ -293,7 +293,7 @@ type PrivateKeyRotationPolicy string
var (
// RotationPolicyNever means a private key will only be generated if one
// does not already exist in the target `spec.secretName`.
// If one does exists but it does not have the correct algorithm or size,
// If one does exist but it does not have the correct algorithm or size,
// a warning will be raised to await user intervention.
RotationPolicyNever PrivateKeyRotationPolicy = "Never"
@ -473,7 +473,7 @@ type CertificateStatus struct {
FailedIssuanceAttempts *int `json:"failedIssuanceAttempts,omitempty"`
}
// CertificateCondition contains condition information for an Certificate.
// CertificateCondition contains condition information for a Certificate.
type CertificateCondition struct {
// Type of the condition, known values are (`Ready`, `Issuing`).
Type CertificateConditionType `json:"type"`
@ -505,7 +505,7 @@ type CertificateCondition struct {
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
}
// CertificateConditionType represents an Certificate condition value.
// CertificateConditionType represents a Certificate condition value.
type CertificateConditionType string
const (


@ -181,7 +181,7 @@ type CertificateRequestCondition struct {
Message string `json:"message,omitempty"`
}
// CertificateRequestConditionType represents an Certificate condition value.
// CertificateRequestConditionType represents a Certificate condition value.
type CertificateRequestConditionType string
const (


@ -33,7 +33,7 @@ type CAInjectorConfiguration struct {
// If set, this limits the scope of cert-manager to a single namespace and
// ClusterIssuers are disabled. If not specified, all namespaces will be
// watched"
// watched
Namespace string
// LeaderElectionConfig configures the behaviour of the leader election
@ -72,7 +72,7 @@ type CAInjectorConfiguration struct {
}
type EnableDataSourceConfig struct {
// Certificates detemines whether cainjector's control loops will watch
// Certificates determines whether cainjector's control loops will watch
// cert-manager Certificate resources as potential sources of CA data.
Certificates bool
}


@ -45,7 +45,7 @@ type ControllerConfiguration struct {
// If set, this limits the scope of cert-manager to a single namespace and
// ClusterIssuers are disabled. If not specified, all namespaces will be
// watched"
// watched
Namespace string
// Namespace to store resources owned by cluster scoped resources such as ClusterIssuer in.
@ -90,7 +90,7 @@ type ControllerConfiguration struct {
// CertificateRequest and Order, as well as from CertificateSigningRequest to
// Order, by passing a list of annotation key prefixes. A prefix starting with
// a dash(-) specifies an annotation that shouldn't be copied. Example:
// '*,-kubectl.kuberenetes.io/'- all annotations will be copied apart from the
// '*,-kubectl.kubernetes.io/'- all annotations will be copied apart from the
// ones where the key is prefixed with 'kubectl.kubernetes.io/'.
CopiedAnnotationPrefixes []string
@ -157,7 +157,7 @@ type IngressShimConfig struct {
// not specified on the ingress resource.
DefaultIssuerGroup string
// The annotation consumed by the ingress-shim controller to indicate a ingress
// The annotation consumed by the ingress-shim controller to indicate an ingress
// is requesting a certificate
DefaultAutoCertificateAnnotations []string
}


@ -283,7 +283,7 @@ func TestValidateControllerConfiguration(t *testing.T) {
nil,
},
{
"with inalid acme dns recursive nameserver missing port",
"with invalid acme dns recursive nameserver missing port",
&config.ControllerConfiguration{
Logging: logsapi.LoggingConfiguration{
Format: "text",
@ -307,7 +307,7 @@ func TestValidateControllerConfiguration(t *testing.T) {
},
},
{
"with inalid acme dns recursive nameserver invalid url",
"with invalid acme dns recursive nameserver invalid url",
&config.ControllerConfiguration{
Logging: logsapi.LoggingConfiguration{
Format: "text",


@ -29,7 +29,7 @@ import (
cmclient "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
)
// Apply will make a Apply API call with the given client to the certificates
// Apply will make an Apply API call with the given client to the certificates
// resource endpoint. All data in the given Certificate's status field is
// dropped.
// The given fieldManager is will be used as the FieldManager in the Apply
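Review bot: The phrase `fieldManager is will be used` on the last context line of this hunk is left as is, so the typo fix stops one sentence short; the same sentence recurs in both challenges hunks (Apply and ApplyStatus) and in the orders ApplyStatus hunk further down. Those two files also say `expect for the name, namespace, and spec object` where `except for` is meant. Suggest `// The given fieldManager will be used as the FieldManager in the Apply` here and `except for the name, namespace, and spec object` (respectively `status object`) in the challenges and orders comments. The Apply function whose doc comment this is begins outside the hunk.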


@ -274,7 +274,7 @@ func CurrentCertificateNearingExpiry(c clock.Clock) Func {
renewIn := renewalTime.Time.Sub(c.Now())
if renewIn > 0 {
// renewal time is in future, no need to renew
// renewal time is in the future, no need to renew
return "", "", false
}


@ -48,7 +48,7 @@ const (
// CertificateRequest not valid for Certificate's spec.
RequestChanged string = "RequestChanged"
// Renewing is a policy violation reason for a scenario where
// Certificate's renewal time is now or in past.
// Certificate's renewal time is now or in the past.
Renewing string = "Renewing"
// Expired is a policy violation reason for a scenario where Certificate has
// expired.


@ -63,7 +63,7 @@ func (c Chain) Evaluate(input Input) (string, string, bool) {
return "", "", false
}
// NewTriggerPolicyChain includes trigger policy checks, which if return true,
// NewTriggerPolicyChain includes trigger policy checks, which if returns true,
// should cause a Certificate to be marked for issuance.
func NewTriggerPolicyChain(c clock.Clock) Chain {
return Chain{
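Review bot: The reworded `which if returns true` on the NewTriggerPolicyChain comment still has no subject for `returns`, so the sentence does not read any better than before; the NewReadinessPolicyChain hunk that follows carries the same phrase. Suggest `// NewTriggerPolicyChain includes trigger policy checks which, if any returns true,` here and `// NewReadinessPolicyChain includes readiness policy checks which, if any returns` below, keeping the continuation lines unchanged. Both function bodies continue outside their hunks.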
@ -81,7 +81,7 @@ func NewTriggerPolicyChain(c clock.Clock) Chain {
}
}
// NewReadinessPolicyChain includes readiness policy checks, which if return
// NewReadinessPolicyChain includes readiness policy checks, which if returns
// true, would cause a Certificate to be marked as not ready.
func NewReadinessPolicyChain(c clock.Clock) Chain {
return Chain{
@ -106,9 +106,9 @@ func NewSecretPostIssuancePolicyChain(ownerRefEnabled bool, fieldManager string)
return Chain{
SecretBaseLabelsMismatch, // Make sure the managed labels have the correct values
SecretCertificateDetailsAnnotationsMismatch, // Make sure the managed certificate details annotations have the correct values
SecretManagedLabelsAndAnnotationsManagedFieldsMismatch(fieldManager), // Make sure the only the expected managed labels and annotations exist
SecretManagedLabelsAndAnnotationsManagedFieldsMismatch(fieldManager), // Make sure only the expected managed labels and annotations exist
SecretSecretTemplateMismatch, // Make sure the template label and annotation values match the secret
SecretSecretTemplateManagedFieldsMismatch(fieldManager), // Make sure the only the expected template labels and annotations exist
SecretSecretTemplateManagedFieldsMismatch(fieldManager), // Make sure only the expected template labels and annotations exist
SecretAdditionalOutputFormatsMismatch,
SecretAdditionalOutputFormatsManagedFieldsMismatch(fieldManager),
SecretOwnerReferenceMismatch(ownerRefEnabled),


@ -29,7 +29,7 @@ import (
cmclient "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
)
// Apply will make a Apply API call with the given client to the challenges
// Apply will make an Apply API call with the given client to the challenges
// endpoint. All data in the given Challenges object is dropped; expect for the
// name, namespace, and spec object. The given fieldManager is will be used as
// the FieldManager in the Apply call. Always sets Force Apply to true.
@ -45,7 +45,7 @@ func Apply(ctx context.Context, cl cmclient.Interface, fieldManager string, chal
)
}
// ApplyStatus will make a Apply API call with the given client to the
// ApplyStatus will make an Apply API call with the given client to the
// challenges status sub-resource endpoint. All data in the given Challenges
// object is dropped; expect for the name, namespace, and status object. The
// given fieldManager is will be used as the FieldManager in the Apply call.


@ -29,7 +29,7 @@ import (
cmclient "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
)
// ApplyStatus will make a Apply API call with the given client to the order's
// ApplyStatus will make an Apply API call with the given client to the order's
// status sub-resource endpoint. All data in the given Order object is dropped;
// expect for the name, namespace, and status object. The given fieldManager is
// will be used as the FieldManager in the Apply call.


@ -27,7 +27,7 @@ import (
// This file contains common informers functionality such as shared interfaces
// The interfaces defined here are mostly a subset of similar interfaces upstream.
// Defining our own instead of reusing the upstream ones allows us to:
// - create smaller interfaces that don't have methods that our control loops don't need (thus avoiding to define unnecessary methods in implementations)
// - create smaller interfaces that don't have methods that our control loops don't need (thus avoid defining unnecessary methods in implementations)
// - swap embedded upstream interfaces for our own ones
var secretsGVR = corev1.SchemeGroupVersion.WithResource("secrets")
@ -67,7 +67,7 @@ type SecretLister interface {
// Informer is a subset of client-go SharedIndexInformer https://github.com/kubernetes/client-go/blob/release-1.26/tools/cache/shared_informer.go#L35-L211
type Informer interface {
// AddEventHadler allows reconcile loop to register an event handler so
// AddEventHandler allows the reconcile loop to register an event handler so
// it gets triggered when the informer has a new event
AddEventHandler(handler cache.ResourceEventHandler) (cache.ResourceEventHandlerRegistration, error)
// HasSynced returns true if the informer's cache has synced (at least


@ -104,7 +104,7 @@ func (bf *filteredSecretsFactory) WaitForCacheSync(stopCh <-chan struct{}) map[s
partialMetaCaches := bf.metadataInformerFactory.WaitForCacheSync(stopCh)
// We have to cast the keys into string type. It is not possible to
// create a generic type here as neither of the types returned by
// WaitForCacheSync are valid map key arguments in generics- they aren't
// WaitForCacheSync are valid map key arguments in generics - they aren't
// comparable types.
for key, val := range typedCaches {
caches[key.String()] = val
@ -159,7 +159,7 @@ func (f *filteredSecretInformer) Informer() Informer {
metadataInformer := f.metadataInformerFactory.ForResource(secretsGVR).Informer()
if err := metadataInformer.SetTransform(partialMetadataRemoveAll); err != nil {
panic(fmt.Sprintf("internal error: error setting transfomer on the metadata informer: %v", err))
panic(fmt.Sprintf("internal error: error setting transformer on the metadata informer: %v", err))
}
return &informer{
typedInformer: typedInformer,
@ -307,7 +307,7 @@ func (snl *secretNamespaceLister) List(selector labels.Selector) ([]*corev1.Secr
// here in case we do it sometime in the future at which point
// we can see whether the metadata functionality is performant
// enough.
log.V(logf.InfoLevel).Info("unexpected behaviour: secrets LISTed from metadata cache. Please open an isue")
log.V(logf.InfoLevel).Info("unexpected behaviour: secrets LISTed from metadata cache. Please open an issue")
}
// In practice this section will never be used. The only place
// where we LIST Secrets is in keymanager controller where we list


@ -130,7 +130,7 @@ func (fsi FakeSecretInterface) Delete(ctx context.Context, name string, opts met
panic("not implemented")
}
func (fsi FakeSecretInterface) DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error {
panic("not implemeted")
panic("not implemented")
}
func (fsi FakeSecretInterface) Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error) {
panic("not implemented")


@ -559,7 +559,7 @@ func (v *Vault) requestTokenWithKubernetesAuth(ctx context.Context, client Clien
// Vault backend can bind the kubernetes auth backend role to the service account and specific namespace of the service account.
// Providing additional audiences is not considered a major non-mitigatable security risk
// as if someone creates an Issuer in another namespace/globally with the same audiences
// in attempt to highjack the certificate vault (if role config mandates sa:namespace) won't authorise the connection
// in attempt to hijack the certificate vault (if role config mandates sa:namespace) won't authorise the connection
// as token subject won't match vault role requirement to have SA originated from the specific namespace.
Audiences: audiences,


@ -805,7 +805,7 @@ func TestSetToken(t *testing.T) {
}
},
fakeClient: vaultfake.NewFakeClient().WithRawRequestFn(func(t *testing.T, req *vault.Request) (*vault.Response, error) {
// Vault exhanges the Kubernetes token with a Vault token.
// Vault exchanges the Kubernetes token with a Vault token.
assert.Equal(t, "kube-sa-token", req.Obj.(map[string]string)["jwt"])
assert.Equal(t, "kube-vault-role", req.Obj.(map[string]string)["role"])
return &vault.Response{Response: &http.Response{Body: io.NopCloser(strings.NewReader(
@ -842,7 +842,7 @@ func TestSetToken(t *testing.T) {
}
},
fakeClient: vaultfake.NewFakeClient().WithRawRequestFn(func(t *testing.T, req *vault.Request) (*vault.Response, error) {
// Vault exhanges the Kubernetes token with a Vault token.
// Vault exchanges the Kubernetes token with a Vault token.
assert.Equal(t, "kube-sa-token", req.Obj.(map[string]string)["jwt"])
assert.Equal(t, "kube-vault-role", req.Obj.(map[string]string)["role"])
return &vault.Response{Response: &http.Response{Body: io.NopCloser(strings.NewReader(
@ -884,7 +884,7 @@ func TestSetToken(t *testing.T) {
}
},
fakeClient: vaultfake.NewFakeClient().WithRawRequestFn(func(t *testing.T, req *vault.Request) (*vault.Response, error) {
// Vault exhanges the Kubernetes token with a Vault token.
// Vault exchanges the Kubernetes token with a Vault token.
assert.Equal(t, "kube-sa-token", req.Obj.(map[string]string)["jwt"])
assert.Equal(t, "kube-vault-role", req.Obj.(map[string]string)["role"])
return &vault.Response{Response: &http.Response{Body: io.NopCloser(strings.NewReader(
@ -926,7 +926,7 @@ func TestSetToken(t *testing.T) {
}
},
fakeClient: vaultfake.NewFakeClient().WithRawRequestFn(func(t *testing.T, req *vault.Request) (*vault.Response, error) {
// Vault exhanges the Kubernetes token with a Vault token.
// Vault exchanges the Kubernetes token with a Vault token.
assert.Equal(t, "kube-sa-token", req.Obj.(map[string]string)["jwt"])
assert.Equal(t, "kube-vault-role", req.Obj.(map[string]string)["role"])
return &vault.Response{Response: &http.Response{Body: io.NopCloser(strings.NewReader(
@ -1632,7 +1632,7 @@ func TestNewWithVaultNamespaces(t *testing.T) {
})
require.NoError(t, err)
assert.Equal(t, tc.vaultNS, c.(*Vault).client.(*vault.Client).Namespace(),
"The vault client should have the namespace provided in the Issuer recource")
"The vault client should have the namespace provided in the Issuer resource")
assert.Equal(t, "", c.(*Vault).clientSys.(*vault.Client).Namespace(),
"The vault sys client should never have a namespace")
})


@ -95,7 +95,7 @@ color() {
trace() {
# This mysterious awk expression makes sure to double-quote the arguments
# that have special characters in them, such as spaces, curly braces (since
# zsh interprets curly braces), interogation marks, simple braces, and "*".
# zsh interprets curly braces), interrogation marks, simple braces, and "*".
for arg in "$@"; do echo "$arg"; done \
| awk '{if (NR==1) printf "'"$yel"'%s '"$bold"'",$0; else if ($0 ~ / |\}|\{|\(|\)|\\|\*|\?/) printf "\"%s\" ",$0; else printf "%s ",$0} END {printf "\n"}'


@ -17,7 +17,7 @@ gateway:
# kubeconfig: /path/to/.kube/config
#
# Disable RFC-compliant behavior to strip "Content-Length" header if
# "Tranfer-Encoding: chunked" is also set.
# "Transfer-Encoding: chunked" is also set.
# disableAllowChunkedLength: false
#
# Disable Envoy's non-standard merge_slashes path transformation option


@ -356,7 +356,7 @@ e2e-setup-gatewayapi: $(bin_dir)/scratch/gateway-api-$(GATEWAY_API_VERSION).yaml
# v1 NGINX-Ingress by default only watches Ingresses with Ingress class
# defined. When configuring solver block for ACME HTTTP01 challenge on an
# defined. When configuring solver block for ACME HTTP01 challenge on an
# ACME issuer, cert-manager users can currently specify either an Ingress
# name or a class. We also e2e test these two ways of creating Ingresses
# with ingress-shim. For the ingress controller to watch our Ingresses that


@ -52,7 +52,7 @@ BINDIR=${BINDIR:-$_default_bindir}
# | 40 | 26m 26s | 26 | 29m 29s | 3m 3s (hot) | [6][] |
# | 50 | interrupted (*) | | | (hot) | [7][] |
#
# The startup time is calculated by substracting the "started time" visible
# The startup time is calculated by subtracting the "started time" visible
# on the Prow UI with the first line that has a timestamp. This time
# depends on whether this Kubernetes node already has a cache or not.
#


@ -56,14 +56,14 @@ func NewClient(client *http.Client, config cmacme.ACMEIssuer, privateKey *rsa.Pr
})
}
// BuildHTTPClient returns a instrumented HTTP client to be used by an ACME client.
// BuildHTTPClient returns an instrumented HTTP client to be used by an ACME client.
// For the time being, we construct a new HTTP client on each invocation, because we need
// to set the 'skipTLSVerify' flag on the HTTP client itself distinct from the ACME client
func BuildHTTPClient(metrics *metrics.Metrics, skipTLSVerify bool) *http.Client {
return BuildHTTPClientWithCABundle(metrics, skipTLSVerify, nil)
}
// BuildHTTPClientWithCABundle returns a instrumented HTTP client to be used by an ACME
// BuildHTTPClientWithCABundle returns an instrumented HTTP client to be used by an ACME
// client, with an optional custom CA bundle set.
// For the time being, we construct a new HTTP client on each invocation, because we need
// to set the 'skipTLSVerify' flag and the CA bundle on the HTTP client itself, distinct


@ -49,10 +49,10 @@ type Interface interface {
WaitAuthorization(ctx context.Context, url string) (*acme.Authorization, error)
Register(ctx context.Context, acct *acme.Account, prompt func(tosURL string) bool) (*acme.Account, error)
GetReg(ctx context.Context, url string) (*acme.Account, error)
// HTTP01ChallengeResponse will be called once when an cert-manager.io
// HTTP01ChallengeResponse will be called once when a cert-manager.io
// Challenge for an http-01 challenge type is being created.
HTTP01ChallengeResponse(token string) (string, error)
// DNS01ChallengeResponse will be called once when an cert-manager.io
// DNS01ChallengeResponse will be called once when a cert-manager.io
// Challenge for an http-01 challenge type is being created.
DNS01ChallengeRecord(token string) (string, error)
Discover(ctx context.Context) (acme.Directory, error)
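Review bot: The comment now sitting above `DNS01ChallengeRecord` still names a different method, `DNS01ChallengeResponse`, and describes an `http-01` challenge, so it appears to have been copied from the HTTP01ChallengeResponse entry rather than written for this method. Go doc tooling keys a comment on its leading identifier, and a DNS method documented as an HTTP challenge misleads readers of the Interface. Suggest `// DNS01ChallengeRecord will be called once when a cert-manager.io` followed by `// Challenge for a dns-01 challenge type is being created.`. The Interface declaration continues outside the hunk.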


@ -112,7 +112,7 @@ type ChallengeRequest struct {
}
// ChallengeAction represents an action associated with a challenge such as
// 'present' or cleanup'.
// 'present' or 'cleanup'.
type ChallengeAction string
const (


@ -30,7 +30,7 @@ import (
logf "github.com/cert-manager/cert-manager/pkg/logs"
)
// RunWebhookServer creates and starts a new apiserver that acts as a external
// RunWebhookServer creates and starts a new apiserver that acts as an external
// webhook server for solving DNS challenges using the provided solver
// implementations. This can be used as an entry point by external webhook
// implementations, see


@ -778,7 +778,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionSpec(ref common.Re
},
"scope": {
SchemaProps: spec.SchemaProps{
Description: "scope indicates whether the defined custom resource is cluster- or namespace-scoped. Allowed values are `Cluster` and `Namespaced`.",
Description: "scope indicates whether the defined custom resource is cluster or namespace-scoped. Allowed values are `Cluster` and `Namespaced`.",
Default: "",
Type: []string{"string"},
Format: "",
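Review bot: The original `cluster- or namespace-scoped` uses a suspended hyphen and is correct English (it expands to "cluster-scoped or namespace-scoped"), so the new `cluster or namespace-scoped` is a wording regression rather than a typo fix. The function name `schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionSpec` and the `spec.SchemaProps` literals also suggest this is openapi-gen output for upstream apiextensions types; if so, both this edit and the `metdata` fix in the jsonPath hunk below will be reverted on the next code generation and should be made in the generator's source comments instead. Worth confirming against the file header before merging; I would drop the `cluster-` change either way.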
@ -1573,7 +1573,7 @@ func schema_pkg_apis_apiextensions_v1_SelectableField(ref common.ReferenceCallba
Properties: map[string]spec.Schema{
"jsonPath": {
SchemaProps: spec.SchemaProps{
Description: "jsonPath is a simple JSON path which is evaluated against each custom resource to produce a field selector value. Only JSON paths without the array notation are allowed. Must point to a field of type string, boolean or integer. Types with enum values and strings with formats are allowed. If jsonPath refers to absent field in a resource, the jsonPath evaluates to an empty string. Must not point to metdata fields. Required.",
Description: "jsonPath is a simple JSON path which is evaluated against each custom resource to produce a field selector value. Only JSON paths without the array notation are allowed. Must point to a field of type string, boolean or integer. Types with enum values and strings with formats are allowed. If jsonPath refers to absent field in a resource, the jsonPath evaluates to an empty string. Must not point to metadata fields. Required.",
Default: "",
Type: []string{"string"},
Format: "",


@ -309,7 +309,7 @@ type ACMEChallengeSolverHTTP01IngressPodTemplate struct {
}
type ACMEChallengeSolverHTTP01IngressPodObjectMeta struct {
// Annotations that should be added to the create ACME HTTP01 solver pods.
// Annotations that should be added to the created ACME HTTP01 solver pods.
// +optional
Annotations map[string]string `json:"annotations,omitempty"`
@ -595,7 +595,7 @@ type ACMEIssuerDNS01ProviderRoute53 struct {
// +optional
Role string `json:"role,omitempty"`
// If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
// If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
// +optional
HostedZoneID string `json:"hostedZoneID,omitempty"`


@ -223,7 +223,7 @@ const (
Processing State = "processing"
// Invalid signifies that an ACME resource is invalid for some reason.
// If an Order is marked 'invalid', one of its validations be have invalid for some reason.
// If an Order is marked 'invalid', one of its validations must be invalid for some reason.
// This is a final state.
Invalid State = "invalid"


@ -22,7 +22,7 @@ import (
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
)
// NOTE: Be mindful of adding OpenAPI validation- see https://github.com/cert-manager/cert-manager/issues/3644
// NOTE: Be mindful of adding OpenAPI validation - see https://github.com/cert-manager/cert-manager/issues/3644
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@ -316,7 +316,7 @@ type CertificatePrivateKey struct {
// re-issuance is being processed.
//
// If set to `Never`, a private key will only be generated if one does not
// already exist in the target `spec.secretName`. If one does exists but it
// already exist in the target `spec.secretName`. If one does exist but it
// does not have the correct algorithm or size, a warning will be raised
// to await user intervention.
// If set to `Always`, a private key matching the specified requirements
@ -365,7 +365,7 @@ type PrivateKeyRotationPolicy string
var (
// RotationPolicyNever means a private key will only be generated if one
// does not already exist in the target `spec.secretName`.
// If one does exists but it does not have the correct algorithm or size,
// If one does exist but it does not have the correct algorithm or size,
// a warning will be raised to await user intervention.
RotationPolicyNever PrivateKeyRotationPolicy = "Never"
@ -536,7 +536,7 @@ type CertificateStatus struct {
// +optional
Conditions []CertificateCondition `json:"conditions,omitempty"`
// LastFailureTime is set only if the lastest issuance for this
// LastFailureTime is set only if the latest issuance for this
// Certificate failed and contains the time of the failure. If an
// issuance has failed, the delay till the next issuance will be
// calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts -
@ -595,7 +595,7 @@ type CertificateStatus struct {
FailedIssuanceAttempts *int `json:"failedIssuanceAttempts,omitempty"`
}
// CertificateCondition contains condition information for an Certificate.
// CertificateCondition contains condition information for a Certificate.
type CertificateCondition struct {
// Type of the condition, known values are (`Ready`, `Issuing`).
Type CertificateConditionType `json:"type"`
@ -627,7 +627,7 @@ type CertificateCondition struct {
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
}
// CertificateConditionType represents an Certificate condition value.
// CertificateConditionType represents a Certificate condition value.
type CertificateConditionType string
const (


@ -220,7 +220,7 @@ type CertificateRequestCondition struct {
Message string `json:"message,omitempty"`
}
// CertificateRequestConditionType represents an Certificate condition value.
// CertificateRequestConditionType represents a Certificate condition value.
type CertificateRequestConditionType string
const (


@ -75,7 +75,7 @@ type CAInjectorConfiguration struct {
}
type EnableDataSourceConfig struct {
// Certificates detemines whether cainjector's control loops will watch
// Certificates determines whether cainjector's control loops will watch
// cert-manager Certificate resources as potential sources of CA data.
// If not set, defaults to true.
Certificates *bool `json:"certificates"`


@ -45,7 +45,7 @@ type ControllerConfiguration struct {
// If set, this limits the scope of cert-manager to a single namespace and
// ClusterIssuers are disabled. If not specified, all namespaces will be
// watched"
// watched
Namespace string `json:"namespace,omitempty"`
// Namespace to store resources owned by cluster scoped resources such as ClusterIssuer in.
@ -90,7 +90,7 @@ type ControllerConfiguration struct {
// CertificateRequest and Order, as well as from CertificateSigningRequest to
// Order, by passing a list of annotation key prefixes. A prefix starting with
// a dash(-) specifies an annotation that shouldn't be copied. Example:
// '*,-kubectl.kuberenetes.io/'- all annotations will be copied apart from the
// '*,-kubectl.kubernetes.io/'- all annotations will be copied apart from the
// ones where the key is prefixed with 'kubectl.kubernetes.io/'.
CopiedAnnotationPrefixes []string `json:"copiedAnnotationPrefixes,omitempty"`
@ -159,7 +159,7 @@ type IngressShimConfig struct {
// not specified on the ingress resource.
DefaultIssuerGroup string `json:"defaultIssuerGroup,omitempty"`
// The annotation consumed by the ingress-shim controller to indicate a ingress
// The annotation consumed by the ingress-shim controller to indicate an ingress
// is requesting a certificate
DefaultAutoCertificateAnnotations []string `json:"defaultAutoCertificateAnnotations,omitempty"`
}


@ -81,7 +81,7 @@ func (c *FakeIssuers) Watch(ctx context.Context, opts metav1.ListOptions) (watch
}
// Create takes the representation of a issuer and creates it. Returns the server's representation of the issuer, and an error, if there is any.
// Create takes the representation of an issuer and creates it. Returns the server's representation of the issuer, and an error, if there is any.
func (c *FakeIssuers) Create(ctx context.Context, issuer *v1.Issuer, opts metav1.CreateOptions) (result *v1.Issuer, err error) {
emptyResult := &v1.Issuer{}
obj, err := c.Fake.
@ -93,7 +93,7 @@ func (c *FakeIssuers) Create(ctx context.Context, issuer *v1.Issuer, opts metav1
return obj.(*v1.Issuer), err
}
// Update takes the representation of a issuer and updates it. Returns the server's representation of the issuer, and an error, if there is any.
// Update takes the representation of an issuer and updates it. Returns the server's representation of the issuer, and an error, if there is any.
func (c *FakeIssuers) Update(ctx context.Context, issuer *v1.Issuer, opts metav1.UpdateOptions) (result *v1.Issuer, err error) {
emptyResult := &v1.Issuer{}
obj, err := c.Fake.


@ -46,7 +46,7 @@ func (f *fakeSolver) Present(ctx context.Context, issuer v1.GenericIssuer, ch *c
}
// Check should return Error only if propagation check cannot be performed.
// It MUST return `false, nil` if can contact all relevant services and all is
// It MUST return `false, nil` if it can contact all relevant services and all it is
// doing is waiting for propagation
func (f *fakeSolver) Check(ctx context.Context, issuer v1.GenericIssuer, ch *cmacme.Challenge) error {
return f.fakeCheck(ctx, issuer, ch)
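Review bot: The reworded comment still promises a `false, nil` return, but `Check` as declared on the next line returns only `error`, so the documented contract cannot match the signature; the sentence reads as if carried over from a two-value interface. The new `all it is doing` also reads awkwardly. Suggest `// It MUST return nil if it can contact all relevant services and all it is` followed by `// doing is waiting for propagation`, or, if the two-value form mirrors the real solver interface this fake stands in for, say so explicitly in the comment.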


@ -67,7 +67,7 @@ func newObjectUpdater(cl versioned.Interface, fieldManager string) objectUpdater
// the UpdateStatus method.
// Both updates will be attempted, even if one fails, except in the case where
// one of the updates fails with a Not Found error.
// If the any of the API operations results in a Not Found error, updateObject
// If any of the API operations results in a Not Found error, updateObject
// will exit without error and the remaining operations will be skipped.
// Only the Finalizers and Status fields may be modified. If there are any
// modifications to new object, outside of the Finalizers and Status fields,


@ -128,7 +128,7 @@ func certToInjectableMapFuncBuilder(cl client.Reader, log logr.Logger, config se
// secretForInjectableMapFuncBuilder returns a handler.MapFunc that, for a
// config for particular injectable type (i.e CRD, APIService) and a Secret,
// returns all injectables that have the inject-ca-from-secret annotion with the
// returns all injectables that have the inject-ca-from-secret annotation with the
// given secret name. This will be used in an event handler to ensure that
// changes to a Secret triggers a reconcile loop for the relevant injectable.
func secretForInjectableMapFuncBuilder(cl client.Reader, log logr.Logger, config setup) handler.MapFunc {


@ -37,13 +37,13 @@ import (
)
// This file contains logic to create reconcilers. By default a
// reconciler is created for each of the injectables- CustomResourceDefinition,
// reconciler is created for each of the injectables - CustomResourceDefinition,
// Validating/MutatingWebhookConfiguration, APIService and gets triggered for
// events on those resources as well as on Secrets and Certificates.
// reconciler syncs CA data from source to injectable.
type reconciler struct {
// newInjectableTarget knows how to create a new injectable targt for
// newInjectableTarget knows how to create a new injectable target for
// the injectable being reconciled.
newInjectableTarget NewInjectableTarget
// sources is a list of available 'data sources' that can be used to extract


@ -96,9 +96,9 @@ func (c *certificateDataSource) ReadCA(ctx context.Context, log logr.Logger, met
}
if namespace != "" && certName.Namespace != namespace {
err := fmt.Errorf("cannot read CA data from Certificate in namespace %s, cainjector is scoped to namespace %s", certName.Namespace, namespace)
forbidenErr := apierrors.NewForbidden(cmapi.Resource("certificates"), certName.Name, err)
log.Error(forbidenErr, "cannot read data source")
return nil, forbidenErr
forbiddenErr := apierrors.NewForbidden(cmapi.Resource("certificates"), certName.Name, err)
log.Error(forbiddenErr, "cannot read data source")
return nil, forbiddenErr
}
var cert cmapi.Certificate
@ -172,9 +172,9 @@ func (c *secretDataSource) ReadCA(ctx context.Context, log logr.Logger, metaObj
if namespace != "" && secretName.Namespace != namespace {
err := fmt.Errorf("cannot read CA data from Secret in namespace %s, cainjector is scoped to namespace %s", secretName.Namespace, namespace)
forbidenErr := apierrors.NewForbidden(cmapi.Resource("certificates"), secretName.Name, err)
log.Error(forbidenErr, "cannot read data source")
return nil, forbidenErr
forbiddenErr := apierrors.NewForbidden(cmapi.Resource("certificates"), secretName.Name, err)
log.Error(forbiddenErr, "cannot read data source")
return nil, forbiddenErr
}
// grab the associated secret
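Review bot: The renamed `forbiddenErr` in `secretDataSource.ReadCA` is still built with `cmapi.Resource("certificates")` even though the guarded object is a Secret (the `fmt.Errorf` text two lines above says so), so the Forbidden status that is logged and returned for a namespace-scope refusal names the wrong resource. This is pre-existing, but since the lines are being touched it is the moment to correct it: `apierrors.NewForbidden(corev1.Resource("secrets"), secretName.Name, err)` if the core/v1 package is already imported in this file, otherwise a `schema.GroupResource{Resource: "secrets"}` literal. The certificate variant in the hunk above is correct as written. ReadCA's signature and the rest of its body are outside the hunk.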


@ -235,7 +235,7 @@ func (a *ACME) Sign(ctx context.Context, cr *cmapi.CertificateRequest, issuer cm
log.V(logf.InfoLevel).Info("certificate issued")
// Order valid, return cert. The calling controller will update with ready if its happy with the cert.
// Order valid, return cert. The calling controller will update with ready if it's happy with the cert.
return &issuerpkg.IssueResponse{
Certificate: order.Status.Certificate,
}, nil


@ -44,7 +44,7 @@ type Issuer interface {
Sign(context.Context, *v1.CertificateRequest, v1.GenericIssuer) (*issuer.IssueResponse, error)
}
// Issuer Contractor builds a Issuer instance using the given controller
// Issuer Contractor builds an Issuer instance using the given controller
// context.
type IssuerConstructor func(*controllerpkg.Context) Issuer
@ -103,7 +103,7 @@ type Controller struct {
// New will construct a new certificaterequest controller using the given
// Issuer implementation.
// Note: the registerExtraInfromers passed here will be 'waited' for when
// Note: the registerExtraInformers passed here will be 'waited' for when
// starting to ensure their corresponding listers have synced.
// The caller is responsible for ensuring the informer work functions are setup
// correctly on any informer.


@ -445,7 +445,7 @@ func TestSync(t *testing.T) {
},
},
},
"should return error to try again if there was a error getting issuer wasn't a not found error": {
"should return error to try again if there was an error getting issuer wasn't a not found error": {
certificateRequest: baseCR.DeepCopy(),
helper: &issuerfake.Helper{
GetGenericIssuerFunc: func(cmmeta.ObjectReference, string) (cmapi.GenericIssuer, error) {


@ -807,7 +807,7 @@ func Test_getCertificateSecret(t *testing.T) {
Type: corev1.SecretTypeTLS,
},
},
"if secret exists, expect onlt basic metadata to be retuned, but the Type set to tls": {
"if secret exists, expect only basic metadata to be retuned, but the Type set to tls": {
existingSecret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: "test-namespace", Name: "test-secret",
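Review bot: `retuned` in the renamed test case is left unfixed while `onlt` right beside it is corrected; suggest `"if secret exists, expect only basic metadata to be returned, but the Type set to tls": {`. The same pattern appears in the TestSync hunk above, where `if there was an error getting issuer wasn't a not found error` still lacks a relative pronoun (`that wasn't`). The test table continues outside the hunk.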


@ -282,7 +282,7 @@ func (c *controller) ProcessItem(ctx context.Context, key types.NamespacedName)
// issuance will be retried with a delay (the logic for that lives in
// certificates-trigger controller). Final states are: Denied condition
// with status True => fail issuance InvalidRequest condition with
// status True => fail issuance Ready conidtion with reason Failed =>
// status True => fail issuance Ready condition with reason Failed =>
// fail issuance Ready condition with reason Issued => finalize issuance
// as succeeded.


@ -87,7 +87,7 @@ func (c *controller) ProcessItem(ctx context.Context, key types.NamespacedName)
crt, err := c.certificateLister.Certificates(namespace).Get(name)
if apierrors.IsNotFound(err) {
// If the Certificate no longer exists, remove it's metrics from being exposed.
// If the Certificate no longer exists, remove its metrics from being exposed.
c.metrics.RemoveCertificate(key)
return nil
}


@ -222,7 +222,7 @@ func TestProcessItem(t *testing.T) {
Message: "ready message",
})),
},
"update status for a Certificate that has a Ready condition and the policy evaluates to True- should remain True": {
"update status for a Certificate that has a Ready condition and the policy evaluates to True - should remain True": {
condition: cmapi.CertificateCondition{
Type: cmapi.CertificateConditionReady,
Status: cmmeta.ConditionTrue,
@ -291,7 +291,7 @@ func TestProcessItem(t *testing.T) {
c := gen.CertificateFrom(test.cert,
gen.SetCertificateStatusCondition(test.condition))
// gen package functions don't accept pointers- we need to test setting these values to nil in some scenarios.
// gen package functions don't accept pointers - we need to test setting these values to nil in some scenarios.
c.Status.NotAfter = test.notAfter
c.Status.NotBefore = test.notBefore
c.Status.RenewalTime = test.renewalTime


@ -143,7 +143,7 @@ func (c *controller) ProcessItem(ctx context.Context, key types.NamespacedName)
for _, req := range toDelete {
logf.WithRelatedResourceName(log, req.Name, req.Namespace, cmapi.CertificateRequestKind).
WithValues("revision", req.rev).Info("garbage collecting old certificate request revsion")
WithValues("revision", req.rev).Info("garbage collecting old certificate request revision")
err = c.client.CertmanagerV1().CertificateRequests(req.Namespace).Delete(ctx, req.Name, metav1.DeleteOptions{})
if apierrors.IsNotFound(err) {
continue
@ -173,13 +173,13 @@ func certificateRequestsToDelete(log logr.Logger, limit int, requests []*cmapi.C
log = logf.WithRelatedResource(log, req)
if req.Annotations == nil || req.Annotations[cmapi.CertificateRequestRevisionAnnotationKey] == "" {
log.Error(errors.New("skipping processing request with missing revsion"), "")
log.Error(errors.New("skipping processing request with missing revision"), "")
continue
}
rn, err := strconv.Atoi(req.Annotations[cmapi.CertificateRequestRevisionAnnotationKey])
if err != nil {
log.Error(err, "failed to parse request revsion")
log.Error(err, "failed to parse request revision")
continue
}
@ -190,7 +190,7 @@ func certificateRequestsToDelete(log logr.Logger, limit int, requests []*cmapi.C
return revisions[i].rev < revisions[j].rev
})
// Return the oldest revsions which are over the limit
// Return the oldest revisions which are over the limit
remaining := len(revisions) - limit
if remaining < 0 {
return nil


@ -170,7 +170,7 @@ func (c *controller) ProcessItem(ctx context.Context, key types.NamespacedName)
// It is possible for multiple Certificates to reference the same Secret. In that case, without this check,
// the duplicate Certificates would each be issued and store their version of the X.509 certificate in the
// target Secret, triggering the re-issuance of the other Certificate resources who's spec no longer matches
// target Secret, triggering the re-issuance of the other Certificate resources whose spec no longer matches
// what is in the Secret. This would cause a flood of re-issuance attempts and overloads the Kubernetes API
// and the API server of the issuing CA.
isOwner, duplicates, err := internalcertificates.CertificateOwnsSecret(ctx, c.certificateLister, c.secretLister, crt)


@ -414,7 +414,7 @@ func Test_controller_ProcessItem(t *testing.T) {
// TODO(mael): we should really remove the Certificate field from
// DataForCertificate since the input certificate is always expected
// to be the same as the output certiticate.
// to be the same as the output certificate.
test.mockDataForCertificateReturn.Certificate = test.existingCertificate
gotDataForCertificateCalled := false


@ -96,7 +96,7 @@ type Controller struct {
// New will construct a new certificatesigningrequest controller using the
// given Signer implementation.
// Note: the registerExtraInfromers passed here will be 'waited' for when
// Note: the registerExtraInformers passed here will be 'waited' for when
// starting to ensure their corresponding listers have synced.
// The caller is responsible for ensuring the informer work functions are setup
// correctly on any informer.
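Review bot: The context line just below the corrected comment has a leftover wording issue in the same doc block: "setup" is the noun, and the verb form here should be `// The caller is responsible for ensuring the informer work functions are set up`. The identical sentence appears in the certificaterequest controller's New doc comment earlier in this diff, so both could be corrected together. The New function's signature and body lie outside the hunk.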


@ -238,7 +238,7 @@ type SchedulerOptions struct {
MaxConcurrentChallenges int
}
// ContextFactory is used for constructing new Contexts who's clients have been
// ContextFactory is used for constructing new Contexts whose clients have been
// configured with a User Agent built from the component name.
type ContextFactory struct {
// baseRestConfig is the base Kubernetes REST config that can authenticate to
@ -323,7 +323,7 @@ func NewContextFactory(ctx context.Context, opts ContextOptions) (*ContextFactor
}, nil
}
// Build builds a new controller Context who's clients have a User Agent
// Build builds a new controller Context whose clients have a User Agent
// derived from the optional component name.
func (c *ContextFactory) Build(component ...string) (*Context, error) {
restConfig := util.RestConfigWithUserAgent(c.baseRestConfig, component...)


@ -52,7 +52,7 @@ func DefaultACMERateLimiter() workqueue.TypedRateLimiter[types.NamespacedName] {
return workqueue.NewTypedItemExponentialFailureRateLimiter[types.NamespacedName](time.Second*5, time.Minute*30)
}
// HandleOwnedResourceNamespacedFunc returns a function thataccepts a
// HandleOwnedResourceNamespacedFunc returns a function that accepts a
// Kubernetes object and adds its owner references to the workqueue.
// https://kubernetes.io/docs/concepts/workloads/controllers/garbage-collection/#owners-and-dependents
func HandleOwnedResourceNamespacedFunc[T metav1.Object](


@ -48,7 +48,7 @@ func testRecordBodyDataExist() *dns.RecordBody {
}
}
// OpenEdggrid DNS Stub
// OpenEdgegrid DNS Stub
type StubOpenDNSConfig struct {
FuncOutput map[string]interface{}
FuncErrors map[string]error
@ -74,7 +74,7 @@ func TestNewDNSProvider(t *testing.T) {
akamai, err := NewDNSProvider("akamai.example.com", "token", "secret", "access-token", util.RecursiveNameservers)
assert.NoError(t, err)
// samplee couple important fields
// sample couple important fields
assert.Equal(t, akamai.serviceConsumerDomain, "akamai.example.com")
assert.Equal(t, fmt.Sprintf("%T", akamai.dnsclient), "*akamai.OpenDNSConfig")
@ -316,7 +316,7 @@ func (o StubOpenDNSConfig) GetRecord(zone string, name string, recordType string
return nil, fmt.Errorf("GetRecord: Unexpected nil")
}
rec = exp.(*dns.RecordBody)
// comare passed with expected
// compare passed with expected
if name != rec.Name {
return nil, fmt.Errorf("GetRecord: expected/actual Name don't match")
}
@ -333,7 +333,7 @@ func (o StubOpenDNSConfig) RecordSave(rec *dns.RecordBody, zone string) error {
exp, ok := o.FuncOutput["RecordSave"]
if ok {
// comare passed with expected
// compare passed with expected
if rec.Name != exp.(*dns.RecordBody).Name {
return fmt.Errorf("RecordSave: expected/actual Name don't match")
}
@ -360,7 +360,7 @@ func (o StubOpenDNSConfig) RecordUpdate(rec *dns.RecordBody, zone string) error
exp, ok := o.FuncOutput["RecordUpdate"]
if ok {
// comare passed with expected
// compare passed with expected
if rec.Name != exp.(*dns.RecordBody).Name {
return fmt.Errorf("RecordUpdate: expected/actual Name don't match")
}
@ -386,7 +386,7 @@ func (o StubOpenDNSConfig) RecordDelete(rec *dns.RecordBody, zone string) error
exp, ok := o.FuncOutput["RecordDelete"]
if ok {
// comare passed with expected
// compare passed with expected
if rec.Name != exp.(*dns.RecordBody).Name {
return fmt.Errorf("RecordDelete: expected/actual Name don't match")
}
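Review bot: The corrected comment in TestNewDNSProvider still reads awkwardly after the typo fix: "sample couple important fields" is missing its article and preposition and would be clearer as `// sample a couple of important fields`. The other hunks in this section (the repeated `// compare passed with expected` comments in the stub methods) are fine as changed. TestNewDNSProvider and the stub methods each continue outside their hunks.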


@ -271,7 +271,7 @@ func (c *DNSProvider) updateTXTRecord(ctx context.Context, fqdn string, updater
// is the same to avoid spurious challenge updates.
//
// The given error must not be nil. This function must be called everywhere
// we have a non-nil error coming from a azure-sdk func that makes API calls.
// we have a non-nil error coming from an azure-sdk func that makes API calls.
func stabilizeError(err error) error {
if err == nil {
return nil
