diff --git a/deploy/crds/crd-clusterissuers.yaml b/deploy/crds/crd-clusterissuers.yaml index 7c04885b7..ef5bb7816 100644 --- a/deploy/crds/crd-clusterissuers.yaml +++ b/deploy/crds/crd-clusterissuers.yaml @@ -88,7 +88,7 @@ spec: - keySecretRef properties: keyAlgorithm: - description: '(deprecated) keyAlgorithm is the MAC key algorithm that the key is used for. Valid values are "HS256", "HS384" and "HS512". Deprecation warning: this value is no longer used as golang/x/crypto/acme hardcodes the algorithm to HS256.' + description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' type: string enum: - HS256 @@ -1125,7 +1125,7 @@ spec: - keySecretRef properties: keyAlgorithm: - description: '(deprecated) keyAlgorithm is the MAC key algorithm that the key is used for. Valid values are "HS256", "HS384" and "HS512". Deprecation warning: this value is no longer used as golang/x/crypto/acme hardcodes the algorithm to HS256.' + description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' type: string enum: - HS256 @@ -2164,7 +2164,7 @@ spec: - keySecretRef properties: keyAlgorithm: - description: '(deprecated) keyAlgorithm is the MAC key algorithm that the key is used for. Valid values are "HS256", "HS384" and "HS512". Deprecation warning: this value is no longer used as golang/x/crypto/acme hardcodes the algorithm to HS256.' + description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' type: string enum: - HS256 
@@ -3203,7 +3203,7 @@ spec: - keySecretRef properties: keyAlgorithm: - description: '(deprecated) keyAlgorithm is the MAC key algorithm that the key is used for. Valid values are "HS256", "HS384" and "HS512". Deprecation warning: this value is no longer used as golang/x/crypto/acme hardcodes the algorithm to HS256.' + description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' type: string enum: - HS256 diff --git a/deploy/crds/crd-issuers.yaml b/deploy/crds/crd-issuers.yaml index aee4b22f4..040901865 100644 --- a/deploy/crds/crd-issuers.yaml +++ b/deploy/crds/crd-issuers.yaml @@ -88,7 +88,7 @@ spec: - keySecretRef properties: keyAlgorithm: - description: '(deprecated) keyAlgorithm is the MAC key algorithm that the key is used for. Valid values are "HS256", "HS384" and "HS512". Deprecation warning: this value is no longer used as golang/x/crypto/acme hardcodes the algorithm to HS256.' + description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' type: string enum: - HS256 @@ -1125,7 +1125,7 @@ spec: - keySecretRef properties: keyAlgorithm: - description: '(deprecated) keyAlgorithm is the MAC key algorithm that the key is used for. Valid values are "HS256", "HS384" and "HS512". Deprecation warning: this value is no longer used as golang/x/crypto/acme hardcodes the algorithm to HS256.' + description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' type: string enum: - HS256 
@@ -2164,7 +2164,7 @@ spec: - keySecretRef properties: keyAlgorithm: - description: '(deprecated) keyAlgorithm is the MAC key algorithm that the key is used for. Valid values are "HS256", "HS384" and "HS512". Deprecation warning: this value is no longer used as golang/x/crypto/acme hardcodes the algorithm to HS256.' + description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' type: string enum: - HS256 @@ -3203,7 +3203,7 @@ spec: - keySecretRef properties: keyAlgorithm: - description: '(deprecated) keyAlgorithm is the MAC key algorithm that the key is used for. Valid values are "HS256", "HS384" and "HS512". Deprecation warning: this value is no longer used as golang/x/crypto/acme hardcodes the algorithm to HS256.' + description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' type: string enum: - HS256 diff --git a/go.mod b/go.mod index d95216083..42f35884f 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.16 // this if a fork to add EAB and alternative chains in ACME // to be replaced after https://go-review.googlesource.com/c/crypto/+/277294/ merges -replace golang.org/x/crypto => github.com/cert-manager/crypto v0.0.0-20210331051623-e6485987d0e4 +replace golang.org/x/crypto => github.com/cert-manager/crypto v0.0.0-20210409161129-d4c19753215a require ( github.com/Azure/azure-sdk-for-go v46.3.0+incompatible diff --git a/go.sum b/go.sum index 8a6507475..a1f852946 100644 --- a/go.sum +++ b/go.sum 
@@ -106,8 +106,8 @@ github.com/blang/semver v3.5.0+incompatible h1:CGxCgetQ64DKk7rdZ++Vfnb1+ogGNnB17 github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/census-instrumentation/opencensus-proto v0.2.1 h1:glEXhBS5PSLLv4IXzLA5yPRVX4bilULVyxxbrfOtDAk= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/cert-manager/crypto v0.0.0-20210331051623-e6485987d0e4 h1:5Q/efCr8RAQPVg1LZbzWyB8XWBMQ4VkJ7mUBLN1BPbY= -github.com/cert-manager/crypto v0.0.0-20210331051623-e6485987d0e4/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= +github.com/cert-manager/crypto v0.0.0-20210409161129-d4c19753215a h1:HXp46OGPFPV7He+NPxUbCgEDCBL56R7BkQRGWEkznVQ= +github.com/cert-manager/crypto v0.0.0-20210409161129-d4c19753215a/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY= diff --git a/hack/build/repos.bzl b/hack/build/repos.bzl index fd0167720..4c97fb539 100644 --- a/hack/build/repos.bzl +++ b/hack/build/repos.bzl @@ -3381,8 +3381,8 @@ def go_repositories(): build_file_proto_mode = "disable", importpath = "golang.org/x/crypto", replace = "github.com/cert-manager/crypto", - sum = "h1:5Q/efCr8RAQPVg1LZbzWyB8XWBMQ4VkJ7mUBLN1BPbY=", - version = "v0.0.0-20210331051623-e6485987d0e4", + sum = "h1:HXp46OGPFPV7He+NPxUbCgEDCBL56R7BkQRGWEkznVQ=", + version = "v0.0.0-20210409161129-d4c19753215a", ) go_repository( name = "org_golang_x_exp", diff --git a/pkg/apis/acme/v1/types_issuer.go b/pkg/apis/acme/v1/types_issuer.go index 867b0689d..76691fb4d 100644 --- a/pkg/apis/acme/v1/types_issuer.go +++ b/pkg/apis/acme/v1/types_issuer.go 
@@ -118,10 +118,9 @@ type ACMEExternalAccountBinding struct { // encoded data. Key cmmeta.SecretKeySelector `json:"keySecretRef"` - // (deprecated) keyAlgorithm is the MAC key algorithm that the key is used - // for. Valid values are "HS256", "HS384" and "HS512". - // Deprecation warning: this value is no longer used as - // golang/x/crypto/acme hardcodes the algorithm to HS256. + // Deprecated: keyAlgorithm field exists for historical compatibility + // reasons and should not be used. The algorithm is now hardcoded to HS256 + // in golang/x/crypto/acme. // +optional KeyAlgorithm HMACKeyAlgorithm `json:"keyAlgorithm,omitempty"` } diff --git a/pkg/apis/acme/v1alpha2/types_issuer.go b/pkg/apis/acme/v1alpha2/types_issuer.go index 2c9436a2a..21b268894 100644 --- a/pkg/apis/acme/v1alpha2/types_issuer.go +++ b/pkg/apis/acme/v1alpha2/types_issuer.go @@ -118,10 +118,9 @@ type ACMEExternalAccountBinding struct { // encoded data. Key cmmeta.SecretKeySelector `json:"keySecretRef"` - // (deprecated) keyAlgorithm is the MAC key algorithm that the key is used - // for. Valid values are "HS256", "HS384" and "HS512". - // Deprecation warning: this value is no longer used as - // golang/x/crypto/acme hardcodes the algorithm to HS256. + // Deprecated: keyAlgorithm field exists for historical compatibility + // reasons and should not be used. The algorithm is now hardcoded to HS256 + // in golang/x/crypto/acme. // +optional KeyAlgorithm HMACKeyAlgorithm `json:"keyAlgorithm,omitempty"` } diff --git a/pkg/apis/acme/v1alpha3/types_issuer.go b/pkg/apis/acme/v1alpha3/types_issuer.go index 11a89f165..ca132658e 100644 --- a/pkg/apis/acme/v1alpha3/types_issuer.go +++ b/pkg/apis/acme/v1alpha3/types_issuer.go 
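Review bot: The rewritten comment on `KeyAlgorithm` in the v1 `ACMEExternalAccountBinding` hunk says the field "should not be used" but no longer says that a value that is set is ignored. The field stays in the API and the CRD keeps an enum for it, so a user who sets a stronger HMAC variant gets no hint from the docs that the external account binding is still MACed with HS256. The internal type in pkg/internal/apis/acme already says this, so I would end the versioned comment the same way, `// in golang/x/crypto/acme, so setting this field has no effect.`, and regenerate the CRD descriptions from it. The same wording is repeated in the v1alpha2, v1alpha3 and v1beta1 hunks and has the same gap. The struct declaration starts outside the hunk.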
@@ -118,10 +118,9 @@ type ACMEExternalAccountBinding struct { // encoded data. Key cmmeta.SecretKeySelector `json:"keySecretRef"` - // (deprecated) keyAlgorithm is the MAC key algorithm that the key is used - // for. Valid values are "HS256", "HS384" and "HS512". - // Deprecation warning: this value is no longer used as - // golang/x/crypto/acme hardcodes the algorithm to HS256. + // Deprecated: keyAlgorithm field exists for historical compatibility + // reasons and should not be used. The algorithm is now hardcoded to HS256 + // in golang/x/crypto/acme. // +optional KeyAlgorithm HMACKeyAlgorithm `json:"keyAlgorithm,omitempty"` } diff --git a/pkg/apis/acme/v1beta1/types_issuer.go b/pkg/apis/acme/v1beta1/types_issuer.go index 726845c1d..b08260a9e 100644 --- a/pkg/apis/acme/v1beta1/types_issuer.go +++ b/pkg/apis/acme/v1beta1/types_issuer.go @@ -118,10 +118,9 @@ type ACMEExternalAccountBinding struct { // encoded data. Key cmmeta.SecretKeySelector `json:"keySecretRef"` - // (deprecated) keyAlgorithm is the MAC key algorithm that the key is used - // for. Valid values are "HS256", "HS384" and "HS512". - // Deprecation warning: this value is no longer used as - // golang/x/crypto/acme hardcodes the algorithm to HS256. + // Deprecated: keyAlgorithm field exists for historical compatibility + // reasons and should not be used. The algorithm is now hardcoded to HS256 + // in golang/x/crypto/acme. // +optional KeyAlgorithm HMACKeyAlgorithm `json:"keyAlgorithm,omitempty"` } diff --git a/pkg/internal/apis/acme/types_issuer.go b/pkg/internal/apis/acme/types_issuer.go index 1f0ddad24..1bbdde545 100644 --- a/pkg/internal/apis/acme/types_issuer.go +++ b/pkg/internal/apis/acme/types_issuer.go 
@@ -108,8 +108,9 @@ type ACMEExternalAccountBinding struct { // encoded data. Key cmmeta.SecretKeySelector - // keyAlgorithm is deprecated. This value will not be used - // as golang/x/crypto/acme hardcodes the algorithm to HS256. + // Deprecated: keyAlgorithm exists for historical compatibility reasons and + // should not be used. golang/x/crypto/acme hardcodes the algorithm to HS256 + // so setting this field will have no effect. // See https://github.com/jetstack/cert-manager/issues/3220#issuecomment-809438314 KeyAlgorithm HMACKeyAlgorithm } diff --git a/test/e2e/suite/issuers/acme/issuer.go b/test/e2e/suite/issuers/acme/issuer.go index 4dfca9afc..5edb8a33c 100644 --- a/test/e2e/suite/issuers/acme/issuer.go +++ b/test/e2e/suite/issuers/acme/issuer.go @@ -283,7 +283,6 @@ var _ = framework.CertManagerDescribe("ACME Issuer", func() { key = "kid-secret-1" ) - // TODO: this value will get base64 encoded twice. Investigate why we need to do this. keyBytes := []byte(base64.RawURLEncoding.EncodeToString([]byte(key))) s := gen.Secret(secretName, gen.SetSecretNamespace(f.Namespace.Name),