weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
6,027 Commits 45 Branches 0 Tags 96 MiB
3bd35642a7
Commit Graph

1114 Commits

Author SHA1 Message Date
jetstack-bot
e5cc0be04b
Merge pull request #4399 from irbekrm/fix_renewal_issue 
Fix renewalTime skew issue
 2021-08-23 16:36:50 +01:00
irbekrm
ec1bdc4983 Adds a test case for renewal time skew and a comment 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-08-23 15:00:57 +01:00
Eng Zer Jun
54e70d2cc4
refactor: move from io/ioutil to io and os package 
The io/ioutil package has been deprecated in Go 1.16. This commit
replaces the existing io/ioutil functions with their new definitions in
io and os packages.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
 2021-08-23 19:50:42 +08:00
irbekrm
50e90dfe6e Fix renewalTime skew issue 
Ensure the time returned by RenewalTime function is the same time as that which will be read from Certificate's status

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-08-20 17:57:35 +01:00
Ashley Davis
68f5ceb3b4
Fix manually specified Certificate and CertificateRequest versions 
Basically all modern X.509 certs are version 3, but confusingly to
specify "version 3" in an encoded cert, the version number is actually
2.

For PKCS#10 CSRs, the only valid version is 1, which again
confusingly has the value "0" when encoded.

This was incorrect in many places, including one place in which the
version number on a CSR was used as a certificate's version number,
when the two are entirely unrelated.

Go ignores these values, so there's no functional changes here; still,
it's better to be accurate.

Go ignoring CSR version and specifying 0:
https://cs.opensource.google/go/go/+/refs/tags/go1.17:src/crypto/x509/x509.go;l=1958

Go ignoring Certificate version and specifying 2:
https://cs.opensource.google/go/go/+/refs/tags/go1.17:src/crypto/x509/x509.go;l=1534

PKCS#10 CSR specification in RFC 2986 section 4.1:
https://datatracker.ietf.org/doc/html/rfc2986#section-4

X.509 Cert specification in RFC 5280 section 4.1.2.1:
https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.1

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2021-08-19 14:48:12 +01:00
irbekrm
904d4e3c15 Don't error if owner not found in cache 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-08-17 08:31:49 +01:00
jetstack-bot
d647e543e3
Merge pull request #4276 from jakexks/gateway-http01 
Experimental Gateway API support for ACME HTTP-01 Solving
 2021-08-03 18:51:49 +01:00
jetstack-bot
be8079b504
Merge pull request #4293 from maelvls/fix-nil-pointer 
Nil pointer exception: certificateRef and TLS can now be left empty
 2021-08-03 16:04:49 +01:00
Maël Valais
30af205777 nil pointer: the Gateway API is full of pointers 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-08-03 15:43:16 +02:00
Jonathan Prates
50bb91a032 feat: update object description explaning the current behaviour 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 09:26:23 +01:00
Jonathan Prates
12363f91e2 fix: move secretTemplate validations to validation package 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 01:19:11 +01:00
Jonathan Prates
6e8f74b4f8 tests: add Labels map to the expected secret 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 01:19:11 +01:00
Jonathan Prates
e1034c219e feat: add validation for annotations and labels 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 01:19:11 +01:00
Jonathan Prates
c5e81b13f6 fix: labels cannot be shown if no labels were changed 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 01:19:11 +01:00
Jonathan Prates
811069cac7 fix: do not create secret labels if template is empty 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 01:19:11 +01:00
Jonathan Prates
936ad33539 fix: ensure secret annotations and labels will be copied if updated in the cert 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 01:19:11 +01:00
Jonathan Prates
47bc03e7c4 feat: add support to secretTemplates 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 01:19:11 +01:00
Jake Sanders
deb9ccc5a9
HTTP01 solver support for the Gateway API 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-08-02 14:06:16 +01:00
Maël Valais
e4f981da66 Revert "memory leak: clean up scheduler goroutine on cert deletion" 
This reverts commit 641960b6. The reason we decided to revert this is
that we are unsure about the implications of adding the
scheduledWorkQueue.Forget call. The new Forget call is left untested,
and it makes us nervous not to know exactly if it works as intended.

The "Forget" memory leak that we are reverting now is the cause of a
tiny fraction of the overall memory leakage that was fixed in the PR
in the scheduler itself.  Reverting this means that some goroutines will
be leaked, but only when a Certificate gets removed and never recreated
with the same name.

Signed-off-by: Maël Valais <mael@vls.dev>
 2021-07-28 19:19:39 +02:00
jetstack-bot
d062176777
Merge pull request #4243 from inteon/improved_go_routines 
Cleanup goroutine management
 2021-07-28 15:36:41 +01:00
Inteon
d867fcc44d
remove unnecessary wait.Until 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-27 21:43:54 +02:00
jetstack-bot
3b50d78ae4
Merge pull request #4225 from jakexks/ingressv1 
Feature: Support both v1 and v1beta1 ingresses.
 2021-07-27 20:11:37 +01:00
irbekrm
2ddf6fe637 Allows for annotations passed from CSR to Order to be filtered 
Using the value from copied-annotation-prefixes flag, where by default kubectl, fluxcd, argocd annotations are excluded

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-07-27 10:55:09 +01:00
Jake Sanders
83857fdc03
Remove stray reference to v1beta1 Ingress 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-07-26 20:29:35 +01:00
Irbe Krumina
3834a8fc0a Code review feedback 
Co-authored-by: Josh Van Leeuwen <joshua.vanleeuwen@jetstack.io>
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-07-26 20:00:37 +01:00
irbekrm
143c5ce38d Adds a test for copying the annotations from Certificate 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-07-26 20:00:24 +01:00
irbekrm
ddf7e130b7 Allow users to specify which annotations should be copied from Certificate to CertificateRequest 
Default to all being copied except for kubectl, fluxcd, argocd annotations

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-07-26 20:00:10 +01:00
Jake Sanders
87bf05601f
Update pkg/controller/test/context_builder.go 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>

Co-authored-by: Maël Valais <mael@vls.dev>
 2021-07-26 18:29:56 +01:00
Jake Sanders
67c6586161
Addressing code review comments in #4225 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-07-26 18:29:54 +01:00
Jake Sanders
b2278f8642
nit: imports 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-07-26 18:29:48 +01:00
Jake Sanders
0d93b93fc5
Feature: Support both v1 and v1beta1 ingresses. 
Kubernetes is removing support for the v1beta1 Ingress type in 1.22: https://kubernetes.io/blog/2021/07/14/upcoming-changes-in-kubernetes-1-22/#api-changes
However, we still wish to support k8s v1.16 until mid 2022 when Openshift 3 becomes out of support.

cert-manager will now use v1 Ingress if available by using the discovery API.

Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-07-26 18:29:42 +01:00
jetstack-bot
ceb9fdf6ac
Merge pull request #4231 from maelvls/fix-concurrent-read-write 
Data race: fix concurrent read and write of secret annotations and certificaterequests
 2021-07-26 13:34:12 +01:00
jetstack-bot
218408a741
Merge pull request #4112 from JoshVanL/certificate-signing-request=acme 
CertificateSigningRequest ACME Controller
 2021-07-26 11:51:12 +01:00
jetstack-bot
1021b58286
Merge pull request #4233 from maelvls/goroutine-leak 
Memory leak: fix the scheduler's goroutine leakage
 2021-07-23 20:34:19 +01:00
joshvanl
247807162f Expect event fired when ACME CSR request is not yet approved 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-23 16:34:21 +01:00
joshvanl
a81ba4fcb3 Change test name to make it clear it is not a duplicate 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-23 16:10:35 +01:00
joshvanl
e18e29ea45 Adds unit tests for CertificateSigningRequest ACME handle owner 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-23 16:00:09 +01:00
joshvanl
9e322a4033 Removes old comment which is no longer relevant 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-23 16:00:09 +01:00
joshvanl
b84e3edcc9 Review comments 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-23 16:00:09 +01:00
joshvanl
bec5d5be32 Remove CA annotation from ACME CertificateSigningRequest controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-23 16:00:09 +01:00
joshvanl
43f002b0f0 Adds CertificateSigningRequest ACME controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-23 16:00:09 +01:00
Maël Valais
641960b666 memory leak: clean up scheduler goroutine on certificate deletion 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-07-23 16:57:10 +02:00
Inteon
81e216eeba
wait for goroutines to end before exiting 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-23 15:30:26 +02:00
Inteon
81aa09cd88
call WaitGroup.Done() at the right time 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-23 15:30:02 +02:00
Maël Valais
af9a1e434f data race: fix certificate requests in cache being mutated 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-07-20 19:50:26 +02:00
Maël Valais
a96dc55e1e data race: fix concurrent read and write of secret annotations 
This bug can be reproduced using "go run -race" and by creating many
Certificates and renewing them continuously. With 5000 Certificate
objects, a data race is found in less than a minute.

Signed-off-by: Maël Valais <mael@vls.dev>
 2021-07-20 19:50:26 +02:00
joshvanl
37dbf770da Fire event when CertificateSigningRequest hasn't been signed yet 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-20 10:39:27 +01:00
joshvanl
a1a953f40f More comments 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-19 19:29:40 +01:00
joshvanl
0fdd52e603 Adds comments to some func's and changes return err names to be more 
clear

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-19 15:50:23 +01:00
joshvanl
0116bf18bd Changed Venafi CSR request "the request will be retried" -> "waiting" 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-19 15:50:23 +01:00