weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
7,658 Commits 45 Branches 0 Tags 96 MiB
01a511cd7a
Commit Graph

3066 Commits

Author SHA1 Message Date
Tobo Atchou
ee638a91ff cert-manager-webhook to provide logs when handling request 
Signed-off-by: Tobo Atchou <tobo.atchou@gmail.com>
 2023-04-22 10:41:44 +02:00
jetstack-bot
ece30e655f
Merge pull request #5949 from TrilokGeer/key-replace-sha256checksum 
Fixes status change on privateKey update on acme issuer
 2023-04-18 15:04:07 +01:00
jetstack-bot
bfa7eaaf0d
Merge pull request #5766 from irbekrm/cainjector_limit_controllers 
Cainjector limit controllers
 2023-04-18 11:14:21 +01:00
TrilokGeer
bdc0cb7c40 Fixes status change on privateKey update on acme issuer 
Signed-off-by: TrilokGeer <tgeer@redhat.com>
 2023-04-14 21:33:44 +05:30
Tim Ramlot
415da885a1
remove ioutil 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-04-07 11:19:52 +02:00
jetstack-bot
50501d2f64
Merge pull request #5824 from irbekrm/controller_partial_metadata 
Controller partial metadata
 2023-04-06 15:38:02 +01:00
irbekrm
7e6f2be820 Fixes goimports 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-04-05 16:29:41 +01:00
irbekrm
8217ff8714 Adds some extra unit tests 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-04-05 16:28:14 +01:00
irbekrm
e14d17b1b0 Adds a couple comments to ACME call methods 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-04-05 16:28:14 +01:00
irbekrm
dba18119aa Ensures that key for an ACME challenge is only retrieved from the ACME server once 
Thus reducing the number of HTTP01ChallengeResponse/DNS01ChallengeResponse calls

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-04-05 16:28:14 +01:00
irbekrm
202d75ffe6 Updates code comment 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-04-05 16:28:14 +01:00
irbekrm
0964d6d03d Removes extra GET calls for ACME order resource 
In cases where a synced Order does not require any processing from this controller

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-04-05 16:28:14 +01:00
irbekrm
b2b3eade26 Updates cert.status.lastFailureTime description 
To match the current behaviour

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-04-05 12:54:14 +01:00
irbekrm
de34694516 Makes some updates to CertificateRequests design 
The design is out of date in general though

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-03-27 09:57:44 +01:00
irbekrm
6e294ae359 Certificate-requests controller does not process invalid certificaterequests 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-03-24 15:38:34 +00:00
irbekrm
f5ea958317 Issuing controller fails issuances for denied/invalid CRs 
This is not necessarily a breaking change as this appears to have been the current behaviour in most cases due to the race condition that this commit fixes

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-03-24 15:37:57 +00:00
irbekrm
26563feae1 remove invalid check 
GVK cannot be reliably checked here, see TODO, this is not expected to cause issues

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-03-22 09:03:16 +00:00
irbekrm
c3bd14ead7 Uses the filtered informer factory if the SecretsFilteredCaching feature is enabled 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-03-22 09:03:16 +00:00
irbekrm
7d592a8270 Swap upstream core informers factory with out wrapper 
This does not actually change how the informers work. This also adds a partial metadata client to root context

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-03-22 09:03:16 +00:00
irbekrm
a7e2abe5fa Allows secrets event handler predicate to accept partial metadata 
This will only be needed by the SecretsFilteredCaching feature, but I cannot think of any harm by adding it to general path

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-03-22 09:03:16 +00:00
irbekrm
5d7614ddd4 Passes controller context into all NewController funcs 
Instead of individual arguments. For readability and consistency.

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-03-22 09:03:16 +00:00
irbekrm
8f3ea9a40d Update comment on controller.cert-manager.io/fao label key 
As this PR actually starts using this label to filter secrets

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-03-22 09:03:16 +00:00
jetstack-bot
0c071f8d2f
Merge pull request #5878 from avi-08/handle-foreground-deletion 
Skip syncing resources deleted via foreground cascading
 2023-03-21 12:01:38 +00:00
Avi Sharma
a62f92e33d Add testcases for foreground deletion sync 
Signed-off-by: Avi Sharma <avi.08.sh@gmail.com>
 2023-03-21 15:33:53 +05:30
Avi Sharma
e5d9745078 Skip syncing resources deleted via foreground cascading 
Signed-off-by: Avi Sharma <avi.08.sh@gmail.com>
 2023-03-21 15:33:28 +05:30
jetstack-bot
706ad574b9
Merge pull request #5820 from lucacome/bump-k8s.io-deps 
Bump k8s.io dependencies
 2023-03-20 12:13:41 +00:00
Andrew Starr-Bochicchio
70594bd7ca digitalocean: Pass user agent string to godo client. 
Signed-off-by: Andrew Starr-Bochicchio <a.starr.b@gmail.com>
 2023-03-16 11:20:56 -04:00
Luca Comellini
0f64e055ae
Bump k8s.io dependencies 
Signed-off-by: Luca Comellini <luca.com@gmail.com>
 2023-03-10 14:55:26 -08:00
Maël Valais
f0449ddb3b ingressClassName: document the "oneOf" contraint for the "name" field 
Signed-off-by: Maël Valais <mael@vls.dev>
 2023-03-09 15:15:39 +01:00
Maël Valais
ca9aaa0440 ingressClassName: let's remove the link placeholder 
The link itself is way too long to fit in the API reference.

Signed-off-by: Maël Valais <mael@vls.dev>
 2023-03-09 14:42:21 +01:00
Maël Valais
1b9cd207d3 remove unused test func 
Signed-off-by: Maël Valais <mael@vls.dev>
 2023-03-07 15:06:58 +01:00
Maël Valais
6458ed1543 Move from a flag to the Issuer field "ingressClassName" 
Signed-off-by: Maël Valais <mael@vls.dev>
 2023-03-03 17:50:30 +01:00
Daniel Sonck
44d1467217 Add flag to allow switching ingressClassName specification 
Adds a flag to allow between using the old class name annotation or the new
ingressClassName that is gaining support in more ingress controllers.

Signed-off-by: Daniel Sonck <daniel@sonck.nl>
 2023-03-03 17:42:43 +01:00
Tim Ramlot
f36c06f10d
move cmd/util/ to internal/cmd/util/, since it is also imported by packages outside of cmd/ 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-02-28 12:38:59 +01:00
Michael Malov
dc621e9306 Add imagePullSecrets for AMCE http01 solver pod 
Signed-off-by: Michael Malov <mmeemail@gmail.com>
 2023-02-13 14:18:50 +03:00
Maël Valais
7a856af843 serviceAccountRef: update tests of the controller-side validation 
Signed-off-by: Maël Valais <mael@vls.dev>
 2023-02-07 13:26:35 +01:00
Maël Valais
c35a245631 serviceAccountRef: fix panicking since serviceAccountRef can now be nil 
Signed-off-by: Maël Valais <mael@vls.dev>
 2023-02-06 18:28:49 +01:00
Maël Valais
ac9791abae api: explicit the fact that no "oneOf" validation is performed 
Signed-off-by: Maël Valais <mael@vls.dev>
 2023-02-06 18:28:49 +01:00
Maël Valais
f1cfffd06b serviceAccountRef: detail why secretRef isn't a pointer 
Signed-off-by: Maël Valais <mael@vls.dev>
 2023-02-06 18:28:49 +01:00
Maël Valais
aed8a2ec85 serviceAccountRef: auto-generate "aud" and hardcode "exp" 
Signed-off-by: Maël Valais <mael@vls.dev>
 2023-02-06 18:28:49 +01:00
Maël Valais
bfce543640 serviceAccountRef: remove aud and exp, secretRef now a pointer 
Changing SecretRef to be a pointer will break people using the package as
a library.

I disabled the ability to set the audience and expiry time for security
reasons:

We decided to generate the audience dynamically instead of letting the
user configure it, and we also decided to encode the namespace and
issuer name into the audience to remediate the risk of hijacking an
existing issuer and service account with a malicious issuer.

Regarding the expiration duration of the JWT, it doesn't make sense to
let the user configure it since cert-manager will authenticate using the
JWT and immediately discard it. We thought that 1 minute would be
acceptable, although the Kubernetes API server may return a totally
different duration.

Signed-off-by: Maël Valais <mael@vls.dev>
 2023-02-06 18:28:49 +01:00
Maël Valais
76eef68730 serviceAccountRef: the vault issuer can now use bound SA tokens 
Previously, the Vault issuer was only able to use a Secret in order to
use the "Kubernetes authentication" method. The downside to this service
account Secret token is that it has the default JWT iss
"kubernetes/serviceaccount" (along with the fact that the token is not
bound to a particular pod and has no expiry).

With the new serviceAccountRef, cert-manager now requests the token on
behalf of the pod in order to authenticate with Vault.

Signed-off-by: Maël Valais <mael@vls.dev>
 2023-02-06 18:28:49 +01:00
Maël Valais
15748767ef vault: add unit tests around Setup 
Signed-off-by: Maël Valais <mael@vls.dev>
 2023-02-03 16:27:52 +01:00
irbekrm
56cf4dfd3c Allows to modify configured injectable kinds for cainjector via flags 
Also changes name of --watch-certs flag to --enable-certificate-data-source

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-02-01 11:43:00 +00:00
irbekrm
0c64cebfc5 Rename injector.go -> injectables.go 
To reduce the variations of naming

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-02-01 11:43:00 +00:00
irbekrm
767aa39ddb Simplify injectable logic 
Reduce the amount of interfaces enclosing the injectable instance from 3 to 1. Also some minor renaming and comments cleanup

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-02-01 11:43:00 +00:00
irbekrm
3e58a442b7 Cleanup reconciler logic 
Make the file structure and struct naming more intuitive, add some comments

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-02-01 11:43:00 +00:00
jetstack-bot
7ab1461674
Merge pull request #5764 from irbekrm/cainjector_filter_injectables 
Cainjector: only reconcile annotated injectables
 2023-02-01 11:41:49 +00:00
irbekrm
74b258c3be Code review feedback 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-02-01 08:53:27 +00:00
irbekrm
7e4dea1c2e Clarify the error message when secret annotation is missing namespace prefix 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-01-31 11:12:31 +00:00