weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
7,393 Commits 45 Branches 0 Tags 96 MiB
093610997e
Commit Graph

2988 Commits

Author SHA1 Message Date
irbekrm
eaf814cffa Code review feedback- better comment 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-01-05 17:42:40 +00:00
irbekrm
8ed0faf228 Fix integration tests 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-01-05 12:07:25 +00:00
irbekrm
036b013942 Ensures that only one secrets cache is created for cert-manager controller 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-01-05 10:11:48 +00:00
jetstack-bot
094b4c763e
Merge pull request #5662 from lucacome/bump-controller-tools 
Bump sigs.k8s.io deps
 2023-01-04 14:02:00 +00:00
Ashley Davis
0225cc9234
avoid logging confusing error messages for external issuers 
See https://github.com/cert-manager/cert-manager/issues/5601

When referring to external issuers whose kind is not "Issuer" or
"ClusterIssuer" we log an error message thanks to a new check added in
a previous PR[1] which should only trigger for SelfSigned issuers.

The error previously looked like:

```text
"error"="invalid value \"x\" for issuerRef.kind. Must
be empty, \"Issuer\" or \"ClusterIssuer\""
```

After this PR, any CR with an issuer whose group or kind doesn't
match what's expected for a built-in issuer will be skipped

https://github.com/cert-manager/cert-manager/pull/5336

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>

WIP: test other issuer kinds

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2023-01-04 12:10:34 +00:00
jetstack-bot
d8a6ec0dcb
Merge pull request #5663 from weisdd/fix/azure-workload-identity-early-reconcilation 
fix(AzureDNS): prevent early reconciliations for misconfigured Workload Identity
 2023-01-03 18:00:10 +00:00
Igor Beliakov
1c01973813 fix(AzureDNS): suppress original message in adal.TokenRefreshError to prevent early CR reconciliations due to unique data (timestamp, Trace ID) that lands to CR status 
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
 2022-12-22 11:59:37 +01:00
Luca Comellini
dbd6dc9b16
Bump sigs.k8s.io deps 
Signed-off-by: Luca Comellini <luca.com@gmail.com>
 2022-12-21 09:47:41 -08:00
Ashley Davis
c5924f54a1
add + use CABundle field for ACME servers in issuers 
Previously it wasn't possible to set a custom CA bundle for an ACME
server, leading users to either patch the cert-manager system CA bundle
manually or else use SkipTLSVerify which is a security issue.

This adds CABundle for ACME, similar to what we have for Vault and
Venafi TPP issuers.

Longer term we'd like to have a more fully featured approach. It would
for example make sense to support loading CA bundles from ConfigMaps or
Secrets (similar to what we do for Vault issuers today), but for now this
change is the simplest change.

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2022-12-15 16:21:07 +00:00
Ashley Davis
f68693bb6a
change wording on descriptions for Vault and TPP 'CABundle' fields 
Clarifies language a little; makes it clearer that the bundle
should be base64 encoded. Previously it was slightly confusing
in that PEM certificates are themselves base64 encoded.

Also makes it clearer what our CABundle validation does and does not do
by adding a standalone validation function and tweaking the error
message for an invalid CA bundle.

Also updates validation to not print CA bundle for Vault issuer when the
bundle is invalid, since it won't help with debugging anything.
Currently the bundle is printed as byte values ("0x32, 0x58, 0x43...")
and in any case printing the whole bundle could be noisy if it's large

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2022-12-15 16:21:02 +00:00
Luca Comellini
c99c147059
Bump k8s.io deps to v0.26.0 
Signed-off-by: Luca Comellini <luca.com@gmail.com>
 2022-12-14 21:53:42 -08:00
Sathyanarayanan Saravanamuthu
f719247d2b Addressing review comments 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-12-06 18:54:46 +05:30
Sathyanarayanan Saravanamuthu
94fa9eeee6 Addressing review comments 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-12-06 18:54:46 +05:30
Sathyanarayanan Saravanamuthu
42ae76ae30 Refreshing secrets when the keystore fields change 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-12-06 18:54:46 +05:30
irbekrm
486c72f122 Update reference to HTTPRoute docs 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2022-12-05 15:04:18 +00:00
jetstack-bot
6ec8da3366
Merge pull request #5583 from lvyanru8200/uodateGwVerison 
feature: update gateway api to v1beta1
 2022-12-05 14:52:48 +00:00
lv
a13c76d312 feature: update gateway api to v1beta1 
Signed-off-by: lvyanru <yanru.lv@daocloud.io>

feature: update gateway api to v1beta1

Signed-off-by: lvyanru <1113706590@qq.com>
 2022-12-05 14:03:21 +00:00
Martín Montes
f884dac555 Return error when Gateway has a cross-namespace secret ref 
Signed-off-by: Martín Montes <martin11lrx@gmail.com>
 2022-12-01 12:46:33 +01:00
jetstack-bot
77c410f5cb
Merge pull request #5570 from weisdd/feature/azure-workload-identity 
feat(AzureDNS): Add support for Workload Identity
 2022-11-30 18:00:32 +00:00
Igor Beliakov
df20fcd3e4 chore(AzureDNS): added more comments as requested by @wallrj 
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
 2022-11-24 22:42:18 +01:00
Houssem El Fekih
8af2d64f3b Gofmt files 
Signed-off-by: Houssem El Fekih <houssem.elfekih@jetstack.io>
 2022-11-18 10:55:56 +00:00
Houssem El Fekih
f41cf33efe Add support for required LDAP (rfc4514) RDNs in LiteralSubject 
* Add OID translation for mandatory DC component
* Used extensively in LDAP certificates, also required by rfc5280
* Add support for UID, mentioned in LDAP RFC
* solves https://github.com/cert-manager/cert-manager/issues/5582

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2022-11-18 10:22:39 +00:00
Igor Beliakov
964f4bbd8d feat(AzureDNS): add a test for federated SPT 
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
 2022-11-17 17:42:05 +01:00
Corey McGalliard
7e6e0940a2 updating to match feedback and adjust the RunAsNonRoot options for http01 solver to be more descriptive 
Signed-off-by: Corey McGalliard <cmcgalliard@redventures.com>
 2022-11-16 11:20:36 -05:00
jetstack-bot
95dc198cd6
Merge pull request #5571 from inteon/cleanup_csr_generation 
Improve gen.CSR and use it in all tests
 2022-11-15 14:08:44 +00:00
jetstack-bot
4ffd6213e7
Merge pull request #5552 from sathyanarays/isCaFix 
Fixing CA flag in basic constraints extension
 2022-11-10 13:37:47 +00:00
Sathyanarayanan Saravanamuthu
860ba8465a Addressing review comments 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-11-10 14:27:26 +05:30
Tim Ramlot
b999749854
improve gen.CSR and use it everywhere 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2022-11-10 09:21:31 +01:00
Richard Wall
df42b81326 Fix typos in explanatory comment 
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2022-11-09 17:50:27 +00:00
Richard Wall
1f1ed47c2a Always initialize tlsClientConfig if the default is nil 
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2022-11-09 17:45:52 +00:00
Richard Wall
218cdb7e0f Use RenegotiateOnceAsClient and explain why 
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2022-11-09 17:25:31 +00:00
Igor Beliakov
efae037cec chore(Azure): improve naming, add comments 
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
 2022-11-09 17:33:28 +01:00
Sathyanarayanan Saravanamuthu
d4de98d35b Adding unit tests 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-11-06 09:36:26 +05:30
Sathyanarayanan Saravanamuthu
bb39c5cf79 Fixing CA flag in basic constraints extension 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-11-03 15:34:25 +05:30
Igor Beliakov
741fa3cfb4 feat(Azure): add support for workload identity 
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
 2022-10-29 15:43:33 +02:00
joshvanl
e804431dba Fire event for informational purposes when the CertificateRequest has not yet been approved. 
Signed-off-by: joshvanl <me@joshvanl.dev>
 2022-10-23 18:04:58 +01:00
jetstack-bot
277bcfc305
Merge pull request #5504 from sathyanarays/nit_fix 
[NIT] Changing variable name to denote right type
 2022-10-14 17:17:30 +01:00
jetstack-bot
da3265115b
Merge pull request #5387 from Tolsto/vault-ca-bundle-secret-ref 
Add option to load Vault CA bundle from Kubernetes Secret
 2022-10-13 09:55:09 +01:00
Sathyanarayanan Saravanamuthu
1bc773cbcf [NIT] Changing variable name to denote right type 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-10-12 13:41:23 +05:30
Sathyanarayanan Saravanamuthu
204fa78dd8 [NIT] Changing variable name to denote right type 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-10-12 13:37:35 +05:30
Sathyanarayanan Saravanamuthu
2969202fe2 Addressing review comments 
Co-authored-by: Cody W Eilar <ecody@vmware.com>

Signed-off-by: Cody W Eilar <ecody@vmware.com>
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-10-11 17:22:38 +05:30
Sathyanarayanan Saravanamuthu
40947b0ef4 Generate Certificate Request with predictable name 
Co-authored-by: Cody W Eilar <ecody@vmware.com>

Signed-off-by: Cody W Eilar <ecody@vmware.com>
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-10-11 17:01:26 +05:30
jetstack-bot
a624f49386
Merge pull request #5469 from sathyanarays/unit_test_improve 
Increasing unit test coverage for pkg/issuer/acme/setup.go
 2022-10-06 15:23:27 +01:00
Tim Ramlot
e917e4a103
log more information on why the get CertificateRequest request failed 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2022-10-05 18:53:53 +02:00
Sathyanarayanan Saravanamuthu
401fb2dc34 Improving unit test coverage of pkg/issuer/acme/setup.go 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathya.chozhanaadan@gmail.com>
 2022-10-04 16:59:40 +05:30
Danny Kulchinsky
9074f5a081 refactor RemoveCertificate to use DeletePartialMatch 
Signed-off-by: Danny Kulchinsky <dkulchinsky@fastly.com>
 2022-09-28 10:24:30 -04:00
Danny Kulchinsky
cc1d982b33 fix incorrect func signature in certificate metrics controller 
Signed-off-by: Danny Kulchinsky <dkulchinsky@fastly.com>
 2022-09-28 10:21:36 -04:00
Danny Kulchinsky
ef9030303a fix formatting 
Signed-off-by: Danny Kulchinsky <dkulchinsky@fastly.com>
 2022-09-28 10:21:36 -04:00
Danny Kulchinsky
81c85ee15c add issuer_{group|name|kind} labels to prom metrics 
Signed-off-by: Danny Kulchinsky <dkulchinsky@fastly.com>
 2022-09-28 10:21:36 -04:00
Luca Comellini
4498b7cc47
Bump Go to 1.19 
Signed-off-by: Luca Comellini <luca.com@gmail.com>
 2022-09-27 11:38:51 -07:00