The main reason for bumping Vault's version is because 1.2.3 is not
compatible with the config parameter `disable_iss_validation`, which is
needed for accommodating the future tests [1] that rely on bound tokens
and static tokens.
For context, Vault 1.2.3 was released on Sep 9, 2019 [2] but
`disable_iss_validation` was only added on July 21st, 2020 in Vault
1.5.0.
Due to a breaking change that happened in Vault 1.5.0 [3] in which Vault
started loading the pod's token instead of using the same token (to be
reviewed) for authenticating. An alternative solution could have been to
prevent the service account from being mounted to the pod, but I figured
that having the two service accounts separated is a better practice.
[1]: https://github.com/cert-manager/cert-manager/pull/5502
[2]: https://github.com/hashicorp/vault/commit/c14bd9a2
[3]: https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#150
Signed-off-by: Maël Valais <mael@vls.dev>
This removes all .bazel and .bzl files, and a bunch of scripts relating
to bazel, now that it's been entirely replaced.
There are still a few places where traces could be removed, but this
removes the brunt of the bazel stuff that remains.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
This change adds the ability to express certificate duration using
the Kubernetes CSR spec.expirationSeconds field alongside the existing
approach of using the experimental.cert-manager.io/request-duration
annotation. Both approaches are supported as the expirationSeconds
field requires Kubernetes v1.22+.
Signed-off-by: Monis Khan <mok@vmware.com>
DER Format to create key.der binary format of the private key.
CombinedPEM Format to create tls-combined.pem containing tls.key + tls.crt.
Added Unit and e2e tests for secret with Additional output format.
Feature flag AdditionalCertificateOutputFormats to enable feature.
Signed-off-by: Thierry Sallé <seuf76@gmail.com>
rather than using the default suggested `v1` names for some imports, we
use more descriptive names
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
The io/ioutil package has been deprecated in Go 1.16. This commit
replaces the existing io/ioutil functions with their new definitions in
io and os packages.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
this is disabled for all issuers except selfsigned and CA. the intention
is to pave the way for adding maxPathLen support later.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
this function doesn't appear to be used anywhere, which makes it a
little confusing when trying to work out how the checks are done in the
e2e tests.
given that we encourage people not to import cert-manager as a module
and that anyone who does is likely not to use functions in the test
directory, it seems safe enough to remove this rather than deprecating
it.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
