weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
7,393 Commits 45 Branches 0 Tags 96 MiB
093610997e
Commit Graph

1308 Commits

Author SHA1 Message Date
Ashley Davis
0225cc9234
avoid logging confusing error messages for external issuers 
See https://github.com/cert-manager/cert-manager/issues/5601

When referring to external issuers whose kind is not "Issuer" or
"ClusterIssuer" we log an error message thanks to a new check added in
a previous PR[1] which should only trigger for SelfSigned issuers.

The error previously looked like:

```text
"error"="invalid value \"x\" for issuerRef.kind. Must
be empty, \"Issuer\" or \"ClusterIssuer\""
```

After this PR, any CR with an issuer whose group or kind doesn't
match what's expected for a built-in issuer will be skipped

https://github.com/cert-manager/cert-manager/pull/5336

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>

WIP: test other issuer kinds

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2023-01-04 12:10:34 +00:00
Sathyanarayanan Saravanamuthu
f719247d2b Addressing review comments 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-12-06 18:54:46 +05:30
Sathyanarayanan Saravanamuthu
94fa9eeee6 Addressing review comments 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-12-06 18:54:46 +05:30
Sathyanarayanan Saravanamuthu
42ae76ae30 Refreshing secrets when the keystore fields change 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-12-06 18:54:46 +05:30
jetstack-bot
6ec8da3366
Merge pull request #5583 from lvyanru8200/uodateGwVerison 
feature: update gateway api to v1beta1
 2022-12-05 14:52:48 +00:00
lv
a13c76d312 feature: update gateway api to v1beta1 
Signed-off-by: lvyanru <yanru.lv@daocloud.io>

feature: update gateway api to v1beta1

Signed-off-by: lvyanru <1113706590@qq.com>
 2022-12-05 14:03:21 +00:00
Martín Montes
f884dac555 Return error when Gateway has a cross-namespace secret ref 
Signed-off-by: Martín Montes <martin11lrx@gmail.com>
 2022-12-01 12:46:33 +01:00
Corey McGalliard
7e6e0940a2 updating to match feedback and adjust the RunAsNonRoot options for http01 solver to be more descriptive 
Signed-off-by: Corey McGalliard <cmcgalliard@redventures.com>
 2022-11-16 11:20:36 -05:00
Tim Ramlot
b999749854
improve gen.CSR and use it everywhere 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2022-11-10 09:21:31 +01:00
joshvanl
e804431dba Fire event for informational purposes when the CertificateRequest has not yet been approved. 
Signed-off-by: joshvanl <me@joshvanl.dev>
 2022-10-23 18:04:58 +01:00
jetstack-bot
277bcfc305
Merge pull request #5504 from sathyanarays/nit_fix 
[NIT] Changing variable name to denote right type
 2022-10-14 17:17:30 +01:00
jetstack-bot
da3265115b
Merge pull request #5387 from Tolsto/vault-ca-bundle-secret-ref 
Add option to load Vault CA bundle from Kubernetes Secret
 2022-10-13 09:55:09 +01:00
Sathyanarayanan Saravanamuthu
1bc773cbcf [NIT] Changing variable name to denote right type 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-10-12 13:41:23 +05:30
Sathyanarayanan Saravanamuthu
204fa78dd8 [NIT] Changing variable name to denote right type 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-10-12 13:37:35 +05:30
Sathyanarayanan Saravanamuthu
2969202fe2 Addressing review comments 
Co-authored-by: Cody W Eilar <ecody@vmware.com>

Signed-off-by: Cody W Eilar <ecody@vmware.com>
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-10-11 17:22:38 +05:30
Sathyanarayanan Saravanamuthu
40947b0ef4 Generate Certificate Request with predictable name 
Co-authored-by: Cody W Eilar <ecody@vmware.com>

Signed-off-by: Cody W Eilar <ecody@vmware.com>
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-10-11 17:01:26 +05:30
Tim Ramlot
e917e4a103
log more information on why the get CertificateRequest request failed 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2022-10-05 18:53:53 +02:00
Tim Ramlot
39fa9f51b4 upgrade dependencies 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2022-09-26 11:43:12 +02:00
Renato Costa
162777aab2 Fix incorrect uses of loop variable 
This fixes two instances where loop variables were being incorrectly
used:

- using a loop variable in a closure passed to `ginkgo.It()` is
incorrect, as the capture happens by reference and only the last test
case will be executed (multiple times).
- a similar issue happens in the context of a goroutine; specifically,
we need to create a copy of the `runDurationFunc` before calling it in
a goroutine as done by the controller's `Run` function.

With regards to the second issue, I believe it never came to the
surface because, in production code, only one `runDurationFunc` is
passed; tests don't exercise the multiple funcs path either.

Issues were automatically found with the `loopvarcapture` linter.

Signed-off-by: Renato Costa <renato@cockroachlabs.com>
 2022-08-26 15:08:30 -04:00
jetstack-bot
12f98dbc7e
Merge pull request #5376 from inteon/upgrade_gateway_api 
Upgrade gateway api to v0.5.0
 2022-08-25 16:08:10 +01:00
jetstack-bot
d1a8f7f52d
Merge pull request #5336 from JoshVanL/controllers-certificaterequests-secrets-informer 
CertificateRequest: re-sync SelfSigned CertificateRequest when target Secret is informed.
 2022-08-23 16:46:23 +01:00
Nils
81e6c24293 fixup! Add option to load Vault CA bundle from Kubernetes Secret 
Co-authored-by: Josh van Leeuwen <joshua.vanleeuwen@jetstack.io>
Signed-off-by: Nils Mueller <nm@impactful.it>
 2022-08-21 07:41:15 +03:00
joshvanl
7b168cc059 Updates selfsigned CertificateSigningRequest controller with new Secret 
informer, and no longer mark the request as Failed when the private key
Secret is malformed. This behaviour matches the CertificateRequest
self signed controller.

Signed-off-by: joshvanl <me@joshvanl.dev>
 2022-08-09 11:16:10 +01:00
joshvanl
fc9554a617 Adds secret handler function for selfsigned CertificateSigningRequest 
controller, which re-syncs requests which reference the Secret via the
`experimental.cert-manager.io/private-key-secret-name` annotation.

Signed-off-by: joshvanl <me@joshvanl.dev>
 2022-08-09 11:14:22 +01:00
joshvanl
b03e6f11f5 Updates ACME CertificateSigningRequest for new informer registration 
format

Signed-off-by: joshvanl <me@joshvanl.dev>
 2022-08-09 11:13:29 +01:00
joshvanl
dfd1e512d8 Update CertificateSigningRequest controller to accept a list of 
RegisterExtraInformerFn, which control the extra informers.

Signed-off-by: joshvanl <me@joshvanl.dev>
 2022-08-09 11:12:41 +01:00
joshvanl
ccf579cf31 Adds extra informer for the CertificateRequest SelfSigned controller, 
so that CertificateRequets will be re-synced on informed Secrets which
are referenced with "cert-manager.io/private-key-secret-name"

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2022-08-09 08:39:50 +01:00
Tim Ramlot
836793e7e3 upgrade gateway api to v0.5.0 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2022-08-08 08:52:59 +00:00
jetstack-bot
07677c57bc
Merge pull request #5366 from munnerz/privatekey-regen-test 
Ensures CertificateRequests marked as 'InvalidRequest' are properly handled as failures & retried
 2022-08-05 16:23:30 +01:00
James Munnelly
7b4d04cdef bugfix: fix issue where CertificateRequests marked InvalidRequest were not properly marked as Failed 
Signed-off-by: James Munnelly <jmunnelly@apple.com>
 2022-08-04 12:21:41 +01:00
James Munnelly
11ada1d3d3 rename policyEvaluator->BuildReadyConditionFromChain 
Signed-off-by: James Munnelly <jmunnelly@apple.com>
 2022-08-04 12:21:41 +01:00
Tim Ramlot
93caba980e apply go fmt for go1.19 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2022-08-04 09:51:57 +00:00
Ashley Davis
fb231ab641
Remove bazel 🎉 
This removes all .bazel and .bzl files, and a bunch of scripts relating
to bazel, now that it's been entirely replaced.

There are still a few places where traces could be removed, but this
removes the brunt of the bazel stuff that remains.

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2022-07-26 11:38:50 +01:00
jetstack-bot
ca9e48c7e3
Merge pull request #5323 from JoshVanL/controllers-certificatesigningrequests-selfsigned-no-fail-missing-secret 
[SelfSigned] CertificateSigningRequest: don't mark failed when referenced Secret doesn't exist
 2022-07-21 15:58:56 +01:00
joshvanl
91e0a5ceca TestManyPasswordLengths: pre-create password test cases outside of 
concurrent tests

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2022-07-21 09:30:28 +01:00
joshvanl
bbc6823163 When a CertificateSigningRequest using the SelfSigned issuer references 
a Secret which does not exist, return error, rather than marking the
request as failed.

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2022-07-20 13:39:11 +01:00
jetstack-bot
5a4e7654d4
Merge pull request #5097 from lucacome/bump-k8s-deps 
Bump k8s.io dependencies
 2022-07-04 14:44:45 +01:00
irbekrm
bcc691db08 Bump informerResyncPeriod 
As minimum resync period in client-go is 1s. Also makes sure that the tests don't sleep for 'too long'.

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2022-07-04 08:52:02 +01:00
jetstack-bot
5c6bc8fb4e
Merge pull request #5250 from irbekrm/remove_networking_beta 
Removes support for networking/v1beta1 Ingress
 2022-07-01 16:52:38 +01:00
jetstack-bot
d15d2d51ec
Merge pull request #5199 from irbekrm/fix_keyrotation_warning 
Fix keyrotation warning
 2022-06-30 14:14:03 +01:00
irbekrm
1d326af871 Runs ./hack/update-bazel.sh 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2022-06-30 10:20:40 +01:00
irbekrm
05a3133b34 Removes support for networking/v1beta1 Ingress 
As the lowest version of Kubernetes that we support now is v1.20 that serves v1 networking

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2022-06-30 09:24:59 +01:00
oGi4i
cb2cabb06f
Add private key Ingress annotations to set private key properties for Certificate 
Signed-off-by: oGi4i <das.ogi4i@gmail.com>
 2022-06-28 17:45:08 +03:00
Ashley Davis
a40fdd64b5
Incease issuer and clusterissuer controller timeouts 
This follows ideas presented in
https://github.com/cert-manager/cert-manager/pull/5214

It might be nice to add these big timeouts globally to all controllers
but we're intentionally keeping these changes small and targeted for now
in order to minimise the risk when backporting these changes.

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2022-06-22 11:35:00 +01:00
Joost Buskermolen
40bda26e8b
Set static (Cluster)Issuers timeout to 90 seconds 
Signed-off-by: Joost Buskermolen <joost@buskervezel.nl>
 2022-06-22 11:16:37 +01:00
Rodrigo Fior Kuntzer
afeb543c3c CertificateRequests controllers must wait for the core secrets informer to be synced 
Signed-off-by: Rodrigo Fior Kuntzer <rodrigo@miro.com>
 2022-06-22 07:21:32 +02:00
oGi4i
3148b17fa5
Add revision history limit Ingress annotation to set field on the Certificate 
Signed-off-by: oGi4i <das.ogi4i@gmail.com>
 2022-06-21 15:12:09 +03:00
irbekrm
bb124a0f61 Corrects the cert.spec.privateKey path in logs 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2022-06-09 15:30:08 +01:00
irbekrm
ede76c3c25 Clarifies the warning if private key cannot be regenerated, but spec has changed 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2022-06-09 14:41:35 +01:00
Alessandro Vermeulen
1da01211ee Feature gated support for using literal subjects in Certificates 
Signed-off-by: Alessandro Vermeulen <alessandro.vermeulen@ing.com>
 2022-06-08 20:50:00 +02:00