weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
7,715 Commits 45 Branches 0 Tags 96 MiB
3d1134a975
Commit Graph

3093 Commits

Author SHA1 Message Date
irbekrm
3d1134a975 Update cainjector inejctable setup 
To work with latest controller runtime

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-05-05 16:32:25 +01:00
Luca Comellini
1bfc131e6a Bump sigs.k8s.io/controller-tools to v0.12.0 
Signed-off-by: Luca Comellini <luca.com@gmail.com>
 2023-05-05 16:32:25 +01:00
Luca Comellini
df6ec95cd1 Update OnAdd 
Signed-off-by: Luca Comellini <luca.com@gmail.com>
 2023-05-05 16:32:25 +01:00
Luca Comellini
a57c4abb14 Bump k8s.io dependencies 
Signed-off-by: Luca Comellini <luca.com@gmail.com>
 2023-05-05 16:32:25 +01:00
jetstack-bot
ab4415837c
Merge pull request #6022 from wallrj/fix-flaky-leader-election-healthz-tests 
Fix flaky leader election healthz tests
 2023-05-05 16:26:07 +01:00
Richard Wall
83ce550c4c Simulate a remote leader that always updates its lease 
Fixes test flakes caused by the local node taking over leadership,
because it did not observe any change in the leader election record held by the
remote node.

Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2023-05-05 15:56:18 +01:00
jetstack-bot
a64088792d
Merge pull request #5991 from inteon/pr/JoshVanL/4810 
Server Side Apply: Adds support for CA Injector controller
 2023-05-05 14:21:07 +01:00
Tim Ramlot
a3dbd22752
only apply patch if patch is != nil 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-05-05 15:01:57 +02:00
jetstack-bot
5035dda25e
Merge pull request #6006 from vidarno/cache-private-key-hash-on-issuer-status 
Cache private key hash on issuer status
 2023-05-05 08:05:07 +01:00
jetstack-bot
09e71c37d4
Merge pull request #5972 from vinzent/bugfix/issue-5755 
Check JKS/PKCS12 truststore in Secrets only if issuer provides the CA
 2023-05-04 11:04:37 +01:00
vidarno
616a41ac8f Test TestRegistry_AddClient_UpdatesClientPKChecksum must compare private key with a checksum 
Signed-off-by: vidarno <>
 2023-05-03 22:17:03 +02:00
Tim Ramlot
bce882b477
use cainjector feature flags 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-05-03 19:52:13 +02:00
Tim Ramlot
4d81f1877a
resolve feedback 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-05-03 11:18:10 +02:00
jetstack-bot
694d3d1bd2
Merge pull request #5747 from inteon/request_matches_spec 
BUGFIX: if a LiteralSubject is set, the RequestMatchesSpec function does skip too many checks
 2023-05-02 11:23:27 +01:00
vidarno
a1f156c2b6 Merge branch 'cert-manager:master' into cache-private-key-hash-on-issuer-status 
Signed-off-by: vidarno <>
 2023-05-02 11:58:18 +02:00
vidarno
f7390903be Update tests after adding new LastPrivateKeyHash field in status of issuer CRDs 
Signed-off-by: vidarno <>
 2023-04-29 09:14:07 +02:00
vidarno
92da674e9a Update logic in function IsKeyCheckSumCached to compare private key with hash in status field of CRD instead of from Secret 
Signed-off-by: vidarno <>
 2023-04-29 09:13:54 +02:00
vidarno
4934183927 Extend CRDs and structs to include LastPrivateKeyHash field 
Signed-off-by: vidarno <>
 2023-04-29 09:12:56 +02:00
Thomas Müller
12483d3d54 Check JKS/PKCS12 truststores only if issuer provides the CA 
The current policy check for keystores in Secrets creates a loop because
the truststore.jks or truststore.p12 will never exist when the issuer didn't
provide the CA certificate. This behaviour was introduced by #5597

The JKS and PKCS12 truststores are only added to the Secret
if the CA is provided by the issuer. The CertificateRequest API
reference states:

> The PEM encoded x509 certificate of the signer, also known
> as the CA (Certificate Authority). This is set on a best-effort basis by
> different issuers. If not set, the CA is assumed to be unknown/not available.

This change will only check the PKCS12/JKS truststores if the CA cert from the
issuer exists in the secret.

Fixes #5755

Signed-off-by: Thomas Müller <thomas@chaschperli.ch>
 2023-04-27 17:09:41 +02:00
jetstack-bot
19104fcb4a
Merge pull request #5962 from wallrj/5670-controller-manager-liveness-probe 
Report controller-manager as unhealthy if leader election has failed to renew the lease but process is wedged
 2023-04-27 15:09:54 +01:00
Tim Ramlot
927cef3c22
switch to SSA for cainjector 
Co-authored-by: joshvanl <vleeuwenjoshua@gmail.com>
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-04-26 17:04:11 +02:00
Richard Wall
dd34e58b5a Make it clear that the tests are concerned only with LeaderElection healthz 
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2023-04-26 10:50:03 +01:00
Richard Wall
4d182e9c7b Add /livez endpoint which reports the leaderElection status 
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2023-04-26 07:53:26 +01:00
irbekrm
300fe72ff0 Code review 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-04-25 13:45:06 +01:00
irbekrm
0d1d66d900 Fixes tests 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-04-25 06:20:58 +01:00
irbekrm
3d82e94789 Ensures metadata only is cached for pods and services 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-04-25 06:20:58 +01:00
Tobo Atchou
ee638a91ff cert-manager-webhook to provide logs when handling request 
Signed-off-by: Tobo Atchou <tobo.atchou@gmail.com>
 2023-04-22 10:41:44 +02:00
jetstack-bot
ece30e655f
Merge pull request #5949 from TrilokGeer/key-replace-sha256checksum 
Fixes status change on privateKey update on acme issuer
 2023-04-18 15:04:07 +01:00
jetstack-bot
bfa7eaaf0d
Merge pull request #5766 from irbekrm/cainjector_limit_controllers 
Cainjector limit controllers
 2023-04-18 11:14:21 +01:00
TrilokGeer
bdc0cb7c40 Fixes status change on privateKey update on acme issuer 
Signed-off-by: TrilokGeer <tgeer@redhat.com>
 2023-04-14 21:33:44 +05:30
Tim Ramlot
415da885a1
remove ioutil 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-04-07 11:19:52 +02:00
jetstack-bot
50501d2f64
Merge pull request #5824 from irbekrm/controller_partial_metadata 
Controller partial metadata
 2023-04-06 15:38:02 +01:00
irbekrm
7e6f2be820 Fixes goimports 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-04-05 16:29:41 +01:00
irbekrm
8217ff8714 Adds some extra unit tests 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-04-05 16:28:14 +01:00
irbekrm
e14d17b1b0 Adds a couple comments to ACME call methods 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-04-05 16:28:14 +01:00
irbekrm
dba18119aa Ensures that key for an ACME challenge is only retrieved from the ACME server once 
Thus reducing the number of HTTP01ChallengeResponse/DNS01ChallengeResponse calls

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-04-05 16:28:14 +01:00
irbekrm
202d75ffe6 Updates code comment 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-04-05 16:28:14 +01:00
irbekrm
0964d6d03d Removes extra GET calls for ACME order resource 
In cases where a synced Order does not require any processing from this controller

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-04-05 16:28:14 +01:00
irbekrm
b2b3eade26 Updates cert.status.lastFailureTime description 
To match the current behaviour

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-04-05 12:54:14 +01:00
irbekrm
de34694516 Makes some updates to CertificateRequests design 
The design is out of date in general though

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-03-27 09:57:44 +01:00
irbekrm
6e294ae359 Certificate-requests controller does not process invalid certificaterequests 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-03-24 15:38:34 +00:00
irbekrm
f5ea958317 Issuing controller fails issuances for denied/invalid CRs 
This is not necessarily a breaking change as this appears to have been the current behaviour in most cases due to the race condition that this commit fixes

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-03-24 15:37:57 +00:00
irbekrm
26563feae1 remove invalid check 
GVK cannot be reliably checked here, see TODO, this is not expected to cause issues

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-03-22 09:03:16 +00:00
irbekrm
c3bd14ead7 Uses the filtered informer factory if the SecretsFilteredCaching feature is enabled 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-03-22 09:03:16 +00:00
irbekrm
7d592a8270 Swap upstream core informers factory with out wrapper 
This does not actually change how the informers work. This also adds a partial metadata client to root context

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-03-22 09:03:16 +00:00
irbekrm
a7e2abe5fa Allows secrets event handler predicate to accept partial metadata 
This will only be needed by the SecretsFilteredCaching feature, but I cannot think of any harm by adding it to general path

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-03-22 09:03:16 +00:00
irbekrm
5d7614ddd4 Passes controller context into all NewController funcs 
Instead of individual arguments. For readability and consistency.

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-03-22 09:03:16 +00:00
irbekrm
8f3ea9a40d Update comment on controller.cert-manager.io/fao label key 
As this PR actually starts using this label to filter secrets

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-03-22 09:03:16 +00:00
jetstack-bot
0c071f8d2f
Merge pull request #5878 from avi-08/handle-foreground-deletion 
Skip syncing resources deleted via foreground cascading
 2023-03-21 12:01:38 +00:00
Avi Sharma
a62f92e33d Add testcases for foreground deletion sync 
Signed-off-by: Avi Sharma <avi.08.sh@gmail.com>
 2023-03-21 15:33:53 +05:30