Makes sure that when an unlabelled Secret is encountered at any point (even outside issuance) it will be labelled
Signed-off-by: irbekrm <irbekrm@gmail.com>
cainjector will still watch cluster-scoped resources such as CRDs, so it can get references to Secrets or Certificates in namespaces that are out of scope
Signed-off-by: irbekrm <irbekrm@gmail.com>
Ensures that when cainjector has the namespace flag passed, namespaced resource caching is scoped to that namespace
Signed-off-by: irbekrm <irbekrm@gmail.com>
See https://github.com/cert-manager/cert-manager/issues/5601
When referring to external issuers whose kind is not "Issuer" or
"ClusterIssuer" we log an error message thanks to a new check added in
a previous PR[1] which should only trigger for SelfSigned issuers.
The error previously looked like:
```text
"error"="invalid value \"x\" for issuerRef.kind. Must
be empty, \"Issuer\" or \"ClusterIssuer\""
```
After this PR, any CR with an issuer whose group or kind doesn't
match what's expected for a built-in issuer will be skipped
https://github.com/cert-manager/cert-manager/pull/5336
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
WIP: test other issuer kinds
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
This fixes two instances where loop variables were being incorrectly
used:
- using a loop variable in a closure passed to `ginkgo.It()` is
incorrect, as the capture happens by reference and only the last test
case will be executed (multiple times).
- a similar issue happens in the context of a goroutine; specifically,
we need to create a copy of the `runDurationFunc` before calling it in
a goroutine as done by the controller's `Run` function.
With regards to the second issue, I believe it never came to the
surface because, in production code, only one `runDurationFunc` is
passed; tests don't exercise the multiple funcs path either.
Issues were automatically found with the `loopvarcapture` linter.
Signed-off-by: Renato Costa <renato@cockroachlabs.com>
informer, and no longer mark the request as Failed when the private key
Secret is malformed. This behaviour matches the CertificateRequest
self signed controller.
Signed-off-by: joshvanl <me@joshvanl.dev>
controller, which re-syncs requests which reference the Secret via the
`experimental.cert-manager.io/private-key-secret-name` annotation.
Signed-off-by: joshvanl <me@joshvanl.dev>
so that CertificateRequets will be re-synced on informed Secrets which
are referenced with "cert-manager.io/private-key-secret-name"
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
This removes all .bazel and .bzl files, and a bunch of scripts relating
to bazel, now that it's been entirely replaced.
There are still a few places where traces could be removed, but this
removes the brunt of the bazel stuff that remains.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
This follows ideas presented in
https://github.com/cert-manager/cert-manager/pull/5214
It might be nice to add these big timeouts globally to all controllers
but we're intentionally keeping these changes small and targeted for now
in order to minimise the risk when backporting these changes.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
