Since the acmesolver image has defaults (i.e. the repository is set by
default[1]), the helm chart changes introduced in #5554 will always set
the `--acme-http01-solver-image` parameter.
This can break users who previously had this parameter set via the
extraArgs Helm option, which was found and reported on Slack[2].
This commit moves the new Helm value added in #5554 above extraArgs,
so that if extraArgs is set it will take precedence and nothing should
change as users upgrade.
[1] a5d67d3a21/deploy/charts/cert-manager/values.yaml (L504-L516)
[2] https://kubernetes.slack.com/archives/CDEQJ0Q8M/p1672925692339849
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>

Previously it wasn't possible to set a custom CA bundle for an ACME
server, leading users to either patch the cert-manager system CA bundle
manually or else use SkipTLSVerify, which is a security issue.
This adds CABundle for ACME, similar to what we have for Vault and
Venafi TPP issuers.
Longer term we'd like to have a more fully featured approach. It would
for example make sense to support loading CA bundles from ConfigMaps or
Secrets (similar to what we do for Vault issuers today), but for now this
change is the simplest change.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>

Clarifies language a little; makes it clearer that the bundle
should be base64 encoded. Previously it was slightly confusing
in that PEM certificates are themselves base64 encoded.
Also makes it clearer what our CABundle validation does and does not do
by adding a standalone validation function and tweaking the error
message for an invalid CA bundle.
Also updates validation to not print CA bundle for Vault issuer when the
bundle is invalid, since it won't help with debugging anything.
Currently the bundle is printed as byte values ("0x32, 0x58, 0x43...")
and in any case printing the whole bundle could be noisy if it's large.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>

Vault distributions like "Bank Vaults" automatically configure
and provision Vault and provide the CA bundle via a Kubernetes
Secret. Having to hard-code the bundle in the Issuer instead
of dynamically referencing it through the Secret requires
a manual second step when using a GitOps workflow.
Signed-off-by: Nils Mueller <nm@impactful.it>

This removes all .bazel and .bzl files, and a bunch of scripts relating
to bazel, now that it's been entirely replaced.
There are still a few places where traces could be removed, but this
removes the brunt of the bazel stuff that remains.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>

- includes a run of make update-crds which causes some trivial changes
- updates version of YQ to latest
- makes hack/update-crds.sh just call make
- makes hack/verify-crds.sh just call make
- moves functionality of hack/verify-crds.sh to hack/check-crds.sh,
using the makefile for generating alternative CRDs for comparison
- removes the bazel test associated with CRDs
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>

This allows for cleaner debugging by adding/removing a line at a time.
The pflag library used allows multiple arguments like this, see
85dd5c8bc6/string_slice.go (L132-L135)
Signed-off-by: James Callahan <jamescallahan@bitgo.com>