Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Improve validation of certificates. Fix bug in checking certificate validity
**What this PR does / why we need it**:
Improves the validation of dnsNames and commonNames on certificate resources.
Fixes a bug in checking certificate validity.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes #176, fixes #175
**Release note**:
```release-note
Fix a bug in checking certificate validity and improve validation of dnsNames and commonName
```
Add basic validation to ACME issuer
**What this PR does / why we need it**:
Improves validation of existing certificate resources
**Release note**:
```release-note
Fix bugs when checking validity of certificate resources
```
Set TLS certificate secret type to TLS type
**What this PR does / why we need it**:
Set the Kubernetes secret type to TLS
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes #133
**Release note**:
```release-note
Set the Kubernetes secret type to TLS.
Action required: this will cause renewals of existing certificates to fail. You **must** delete certificates that have been previously produced by cert-manager else cert-manager may enter a renewal loop when saving the new certificates. Alternatively, you may specify a new secret to store your certificate in and manually update your ingress resource/applications to reference the secret.
```
Only ever create http01 solver service instead of also updating
**What this PR does / why we need it**:
Previously the ensureService function was written to update a service if it already exists. There should never be a case where the http01 solver needs to update an existing *service*, so this PR simplifies this functionality into a simple `createService` function.
**Release note**:
```release-note
NONE
```
Error if existing presented key and expected key do not match
**What this PR does / why we need it**:
A typo in the HTTP01 solver caused it to not return an error if the key presented by the ingress and the expected key do not match.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes #163
**Special notes for your reviewer**:
**Release note**:
```release-note
Fix bug in ACME HTTP01 solver causing self-check to return true before paths have propagated
```
Ensure ACME HTTP01 reachability test passes 5 times before issuing certificate
**What this PR does / why we need it**:
See #154 for details. Sometimes HTTP routes have not propagated yet when using a controller such as GCLB. This forces us to wait for 5 consecutive passes of the HTTP01 self-check before proceeding.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Closes #154
**Special notes for your reviewer**:
* This adds an extra 10s delay onto *any* HTTP01 validation
* The '5 tries' number is hardcoded into the HTTP01 solver
**Release note**:
```release-note
Ensure 5 consecutive HTTP01 self-checks pass before issuing ACME certificate
```
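The two HTTP01 self-check changes above (a key mismatch must count as a failure, and the check must pass 5 times in a row) can be sketched as follows. This is an added example, not cert-manager's code: `fetchKey`, `replay`, `waitConsecutive`, the probe interval and the sample keys are all hypothetical or constructed.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// fetchKey returns the key currently served at the challenge path (hypothetical signature).
type fetchKey func(ctx context.Context) (string, error)

// replay serves constructed responses in order; "" means the route is not reachable yet.
func replay(responses []string) fetchKey {
	i := -1
	return func(context.Context) (string, error) {
		if i < len(responses)-1 {
			i++
		}
		if responses[i] == "" {
			return "", errors.New("route not reachable")
		}
		return responses[i], nil
	}
}

// waitConsecutive probes until `required` checks in a row return the expected key.
// An unreachable route and a mismatched key both count as failures and reset the streak.
func waitConsecutive(ctx context.Context, fetch fetchKey, expected string, required int, interval time.Duration) (int, error) {
	streak, probes := 0, 0
	for {
		probes++
		if got, err := fetch(ctx); err != nil || got != expected {
			streak = 0
		} else if streak++; streak >= required {
			return probes, nil
		}
		select {
		case <-ctx.Done():
			return probes, fmt.Errorf("self-check not stable after %d probes: %w", probes, ctx.Err())
		case <-time.After(interval):
		}
	}
}

func main() {
	// Constructed sequence: unreachable, two passes, a stale key, then five passes.
	seq := []string{"", "tok.key", "tok.key", "old.key", "tok.key", "tok.key", "tok.key", "tok.key", "tok.key"}
	probes, err := waitConsecutive(context.Background(), replay(seq), "tok.key", 5, time.Millisecond)
	fmt.Println(probes, err)
}
```

The stale key at the fourth probe resets the streak, so the flapping route only passes once five later probes agree.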
Build images whilst services are starting
Exit on setup boulder errors
Install nsenter
Don't build nsenter
Turn up e2e pod verbosity
Set pullPolicy IfNotPresent on HTTP challenge solver