weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
5,162 Commits 45 Branches 0 Tags 96 MiB
109b3e0b28
Commit Graph

2205 Commits

Author SHA1 Message Date
joshvanl
746cd7460b Updates approval review comment to correctly state cluster scope and 
issuer name

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 17:26:28 +00:00
joshvanl
d69e798b83 Update validation approved tests for new string 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 17:26:28 +00:00
joshvanl
ed22fb99f6 Change approved/denied forbidden error to read better for EU 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 17:26:28 +00:00
joshvanl
13d8cc707f Adds SubjectAccessReview checks in webhook, if ValidateUpdate Succeeds 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 17:26:28 +00:00
joshvanl
92c6ce88bb Register approval checks with validation init registration 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 17:26:28 +00:00
joshvanl
53cb1835f7 Adds SubjectAccessReview registry to the validation Registry 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 17:26:28 +00:00
joshvanl
78aba9c01f Adds approval condition SubjectAccessReview check 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 17:26:28 +00:00
jetstack-bot
bad96f5102
Merge pull request #3582 from lalitadithya/vault_health_check_and_namespace_fix 
Vault health check and namespace fix
 2021-03-26 15:20:58 +00:00
jetstack-bot
19ae739ab7
Merge pull request #3760 from SgtCoDFish/selfsigned-validity-3634 
selfsigned: warn when certs are issued with empty issuer DNs
 2021-03-26 12:30:58 +00:00
Ashley Davis
5e31fa37ff
selfsigned: warn when certs have empty issuer DNs 
as raised in#3634 - RFC 5280 states that the issuer field cannot be
empty, but this could easily happen with selfsigned certs which had
an empty subject (as the issuer matches the subject when the cert is
self signed)

this commit detects when a cert would be issued selfsigned with an
empty subject DN and emits a warning event, allowing cluster operators
to detect the warning and potentially either re-issue to generate a
compliant cert, or else accept the risk.

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2021-03-26 11:51:46 +00:00
jetstack-bot
a8c75fab1a
Merge pull request #3773 from JoshVanL/certificate-revision-history-limit 
Certificate revision history limit
 2021-03-26 11:13:58 +00:00
jetstack-bot
7946df1da7
Merge pull request #3788 from maelvls/refactor-trigger-unit-tests 
Refactor trigger-controller unit tests
 2021-03-25 11:41:36 +00:00
Maël Valais
7e21f730cc PR comment: typo: "the following are" instead of "is" 
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Jake Sanders <i@am.so-aweso.me>
 2021-03-25 09:07:45 +01:00
Maël Valais
fe3617a41c PR comment: a sentence starts with a capital letter and ends with a dot 
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
 2021-03-24 19:19:34 +01:00
joshvanl
fd78593b59 Fixes Certificates revision manager controller name 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-24 17:32:45 +00:00
Omair Khan
68271f105b Certificate Readiness controller will only try to update the 
certificate status if there is a change.

Signed-off-by: OmairK <omairkhan064@gmail.com>
 2021-03-24 20:45:19 +05:30
jetstack-bot
3a367927dc
Merge pull request #3793 from JoshVanL/dont-log-cr-deleted 
Don't log from multiple controllers when a CertificateRequest is deleted
 2021-03-24 13:27:46 +00:00
jetstack-bot
dffbf391db
Merge pull request #3733 from jakexks/renewBefore 
Clarify the default values for the renewBefore and duration fields
 2021-03-24 10:53:46 +00:00
joshvanl
14d6f0720a Don't log from multiple controllers when a CertificateRequest is deleted 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-23 17:49:52 +00:00
joshvanl
dd0b2bf510 Standardise the name of controllers so there is consistency across the 
project

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-23 16:08:59 +00:00
joshvanl
59ca6ca850 Move CertificateRequest revisionHistoryLimit validation to OpenAPI 
validation

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-23 15:58:14 +00:00
joshvanl
5983290317 Change the prune and delete list function to certificateRequestsToDelete 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-23 15:57:32 +00:00
Maël Valais
71e707387a trigger-controller: refactor test, inject gatherer and policychain 
Injecting the whole Gatherer struct was not necessary for testing
since DataForCertificate is now fully unit-tested. With that, we
can mock the Gatherer.Evaluate function. Since there is no reason
to inject a full Gatherer object into the trigger controller, I chose
to inject a simple policies.Func. I named the function "shouldReissue"
since this is exactly what this function does.

I also refactored the test cases to use the same gen.Certificate
that we use in the rest of the codebase.

Signed-off-by: Maël Valais <mael@vls.dev>
 2021-03-23 13:55:11 +01:00
Maël Valais
cdb6c16c6d trigger-controller: log a msg when cert must be reissued 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-03-21 16:45:58 +01:00
Ashley Davis
ef5aa91f35
improve comment to match the function definition 
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2021-03-19 13:59:33 +00:00
Ashley Davis
2404aceef4
remove unused function 
this behaviour seems to be handled by translateIngressAnnotations

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2021-03-19 13:59:33 +00:00
Ashley Davis
b246c92a45
clarify exact curve types of current ECDSA keys 
it's conceivable that in the future we could have Ed25519 certs,
which would also have a key size of 256 but would be a new named entry
here

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2021-03-19 13:59:30 +00:00
lalit@lalitadithya.com
127acfc7e1 Fix null pointer in tests 
Signed-off-by: lalit@lalitadithya.com <lalit@lalitadithya.com>
 2021-03-17 19:03:16 +05:30
lalit@lalitadithya.com
b654eaf564 Fix broken test build 
Signed-off-by: lalit@lalitadithya.com <lalit@lalitadithya.com>
 2021-03-17 19:03:16 +05:30
lalit@lalitadithya.com
1858692619 Add vault namespace to requestTokenWithKubernetesAuth 
Signed-off-by: lalit@lalitadithya.com <lalit@lalitadithya.com>
 2021-03-17 19:03:15 +05:30
lalit@lalitadithya.com
22fcbcfa2f Append headers instead of replacing them when headers is not nil 
Signed-off-by: lalit@lalitadithya.com <lalit@lalitadithya.com>
 2021-03-17 19:03:15 +05:30
lalit@lalitadithya.com
df80da0838 Fix typo 
Signed-off-by: lalit@lalitadithya.com <lalit@lalitadithya.com>
 2021-03-17 19:03:15 +05:30
Lalit Adithya
917b9b2b98 Checking if vault is unsealed and active using the HTTP endpoint 
Signed-off-by: lalit@lalitadithya.com <lalit@lalitadithya.com>
 2021-03-17 19:03:08 +05:30
Lalit Adithya
3343c69be8 Added X-VAULT-NAMESPACE header for the requestTokenWithAppRoleRef API call 
Signed-off-by: lalit@lalitadithya.com <lalit@lalitadithya.com>
 2021-03-17 18:53:44 +05:30
joshvanl
65acf10858 Don't log error output in approver when CertificateRequest is deleted 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-17 13:10:39 +00:00
joshvanl
b9646a832e Updates certificate request validation to use new signature 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-17 13:10:39 +00:00
joshvanl
32d0c5af4e Updates Approved/Denied tests for new reasons 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-17 13:10:39 +00:00
joshvanl
c94ad99731 Updates approver controller to use custom Approved Reason 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-17 13:10:39 +00:00
joshvanl
98a33791e4 Remove CertificateRequest Approve/Deny Reasons 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-17 13:10:39 +00:00
joshvanl
a3e63b1787 Update CertificateRequest controllers to use new Denied type, and add 
tests for when a CertificateRequest is denied

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-17 13:10:39 +00:00
joshvanl
09f91a2a99 Update approver controller to use new Denied condition type 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-17 13:10:39 +00:00
joshvanl
4e042011e6 Adds CertificateRequest approval condition validation to ensure: 
- Only a single Approve _or_ Deny condition may exist
- They cannot be modified once set
- They must always have a status of `True`

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-17 13:10:39 +00:00
joshvanl
5df29e41e7 Updates api/util CertificateRequest approved helpers to use new 
condition type

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-17 13:10:39 +00:00
joshvanl
417b947733 Updates CertificateRequest conditions to include a distinct 'Denied' 
condition type

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-17 13:10:39 +00:00
joshvanl
e62e8c517b Updates CertificateRequest signer tests to check Approved behaviour 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-17 13:10:39 +00:00
joshvanl
1d758a5ccf Updates the base CertificateRequest controller to first check for the 
approval condition to be present and set to true, before processing
further

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-17 13:10:39 +00:00
joshvanl
2db7582586 Adds CertificateRequest approver controller. This controller will 
currently _always_ set the Approved condition to true on
CertificateRequests

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-17 13:10:39 +00:00
joshvanl
0ef25daeb3 Adds helper CertificateRequest api/util funcs for checking approval 
condition

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-17 13:10:39 +00:00
joshvanl
d61ccb1730 Adds CertificateRequest Approved condition type, with Approved and 
Denied Reasons

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-17 13:10:39 +00:00
joshvanl
e6ece1f36b Updates Issuer CRDs with new ObservedGeneration field 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-15 15:06:22 +00:00