Commit Graph

8169 Commits

Author SHA1 Message Date
jetstack-bot
4209de2371
Merge pull request #6533 from inteon/cleanup_literal_subject_validation
BUGFIX: LiteralCertificateSubject webhook logic
2023-12-06 16:24:44 +01:00
Tim Ramlot
c5d7f15aa1
LiteralCertificateSubject: improve webhook logic
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-12-06 16:09:06 +01:00
jetstack-bot
40951826ab
Merge pull request #6531 from inteon/rename_fields_internal_api
Rename internal API fields to match the field names in the public API
2023-12-06 14:46:43 +01:00
Tim Ramlot
25eec9514a
rename internal API fields to match the field names in the public API
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-12-06 13:59:59 +01:00
jetstack-bot
202a80e218
Merge pull request #6519 from JoeNorth/master
Update AWS SDK for Go to 1.48.7
2023-11-29 15:12:49 +01:00
Tim Ramlot
63c1636a83
run 'make tidy' and 'make update-licenses'
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-11-29 13:41:46 +01:00
Joe North
4e03eb1283
Update AWS SDK for Go version
Signed-off-by: Joe North <jbnorth@amazon.com>
2023-11-28 19:55:23 +00:00
jetstack-bot
e47444db80
Merge pull request #6491 from inteon/pprof_non_leaders
BUGFIX: run pprof server on non-leaderelected replicas
2023-11-27 19:52:06 +01:00
jetstack-bot
554ceac1c8
Merge pull request #6517 from inteon/use_pkcs12_legacyrc2
Replace deprecated pkcs12 function call with pkcs12.LegacyRC2
2023-11-27 17:34:06 +01:00
Tim Ramlot
6f7ebbed7b
replace deprecated pkcs12 function call with pkcs12.LegacyRC2
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-11-27 12:32:19 +01:00
jetstack-bot
cc40c405d6
Merge pull request #6512 from inteon/bump_jose
Bump the go-jose dependency
2023-11-27 10:26:05 +01:00
Tim Ramlot
99d473bbf1
bump the go-jose dependency
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-11-24 14:32:53 +01:00
jetstack-bot
630dba760a
Merge pull request #6498 from inteon/fix_webhook_bug
BUGFIX: Limit webhook admission input
2023-11-22 15:00:40 +01:00
jetstack-bot
0e5f9c679d
Merge pull request #6499 from avi-08/fix-helm-controller-featuregates
Fix controller feature gates config in helm
2023-11-17 17:51:38 +01:00
Avi Sharma
c72fc28773
Fix controller featuregates config in helm
Signed-off-by: Avi Sharma <avi.08.sh@gmail.com>
2023-11-17 21:38:44 +05:30
jetstack-bot
c9e028f3db
Merge pull request #6347 from lauraseidler/fix/gateway-warning-http
Do not process Gateway listeners that do not support TLS
2023-11-17 16:18:19 +01:00
jetstack-bot
30205eab85
Merge pull request #6497 from SgtCoDFish/bestpractices
Add Core Infrastructure Initiative Best Practices badge
2023-11-17 14:27:47 +01:00
Tim Ramlot
073d90611e
limit webhook admission input
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-11-17 14:23:57 +01:00
Ashley Davis
d25471e58d
Add Core Infrastructure Initiative Best Practices badge
I filled out the form on the CII site and they gave us a badge!

This is part of the work towards graduation - this is a required
step listed in:

https://github.com/cncf/toc/blob/main/process/graduation_criteria.md
Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
2023-11-17 13:03:36 +00:00
jetstack-bot
7dca7210e7
Merge pull request #6495 from wallrj/6482-startupapicheck-verbose-logging
Enable verbose logging in startupapicheck by default
2023-11-17 12:57:46 +01:00
Richard Wall
a2ca3c714f
Enable verbose logging in startupapicheck by default
So that if it fails, users can know exactly what caused the failure.

Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-11-17 09:09:41 +00:00
jetstack-bot
c4aa1ec50b
Merge pull request #6486 from jeremycampbell-okta/caissuers-extension
Add x509 v3 CA Issuers Extension
2023-11-17 09:06:46 +01:00
Jeremy Campbell
dc876fef16
Add x509 v3 CA Issuers Extension
Signed-off-by: Jeremy Campbell <jeremy.campbell@okta.com>
2023-11-16 12:45:16 -06:00
jetstack-bot
b0ed333413
Merge pull request #6459 from shlomitubul/master
feat(helm) Add support for PodMonitor
2023-11-16 14:45:00 +01:00
jetstack-bot
b4c3b313d4
Merge pull request #6488 from wallrj/increase-default-webhook-timeout
Increase the default webhook timeout to its maximum value of 30 seconds
2023-11-16 11:44:00 +01:00
Tim Ramlot
05de994587
BUGFIX: run pprof server on non-leaderelected replicas
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-11-16 11:21:34 +01:00
jetstack-bot
8c7615f896
Merge pull request #6490 from inteon/fix_cve_alert
Bump docker to fix cve alert
2023-11-16 09:46:00 +01:00
Tim Ramlot
aa23a7e973
bump docker to fix cve alert
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-11-15 22:29:04 +01:00
Richard Wall
a0e5afc0f4
Increase the webhook timeout to its maximum value
Users sometimes report that the connection between the K8S API server and the
cert-manager webhook server times out.

But the error message is often only "context deadline exceeded",
which doesn't help the user know what phase of the HTTPS connection timed out.

It could be during DNS resolution, TCP connection, TLS negotiation, HTTP channel
negotiation, or slow HTTP response from the webhook server.

So this change increases the context timeout to its maximum value
so that the underlying timeout error message has more chance of being returned to the end user.

Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-11-15 17:54:43 +00:00
jetstack-bot
3938a8c2c1
Merge pull request #6487 from inteon/fix_cve_alert
Fix CVE alert
2023-11-15 15:34:08 +01:00
Tim Ramlot
c953e48b7e
fix CVE alert
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-11-15 15:04:59 +01:00
jetstack-bot
6fddbe538f
Merge pull request #6433 from vinny-sabatini/issue-5782
fix error message when setting up vault issuer
2023-11-14 16:30:01 +01:00
jetstack-bot
ac88b3e330
Merge pull request #6479 from SgtCoDFish/distroless
Use explicit debian version for base images
2023-11-14 16:20:01 +01:00
jetstack-bot
943cbfdfda
Merge pull request #6477 from SgtCoDFish/bumpcerts
Regenerate hardcoded certs
2023-11-14 15:44:31 +01:00
Ashley Davis
f7937c7372
Use explicit debian version for base images
Fixes #6478

Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
2023-11-14 14:30:45 +00:00
Ashley Davis
96e081fbd3
regenerate hardcoded certs
fixes #6476

Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
2023-11-14 13:26:24 +00:00
jetstack-bot
d2f6bbe579
Merge pull request #6028 from inteon/fix_scheme_errors
Stop using global runtime.Scheme variables
2023-11-06 22:57:09 +01:00
Tim Ramlot
4c94f3ef10
create ad-hoc schemes instead of sharing global ones
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-11-06 21:58:24 +01:00
jetstack-bot
7373e1f386
Merge pull request #6467 from inteon/cainjector_cleanup
cainjector: Use controller-runtime manager to manage goroutine instead of errorgroup.
2023-11-05 21:05:59 +01:00
Tim Ramlot
80e3960f91
Use controller-runtime manager instead of errorgroup.
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-11-02 13:29:05 +01:00
jetstack-bot
5141dddf2c
Merge pull request #6462 from wallrj/policy-compliant-acme-solver-pod
Ensure ACME solver Pod complies with Pod Security Standards
2023-10-31 17:01:21 +01:00
Richard Wall
80896bce36
Update documentation of the Kyverno policies Kustomization file
Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-10-31 15:44:10 +00:00
Richard Wall
9b5dd86084
Configure HTTP01 solver Pod with readOnlyRootFilesystem
Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-10-31 14:47:24 +00:00
Richard Wall
c8640908e7
Apply Kyverno policies to E2E test namespaces too
By using ClusterPolicy with exclusion rules for the namespaces of non-compliant E2E test tools.

Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-10-31 14:11:41 +00:00
jetstack-bot
2f6e9f484b
Merge pull request #6461 from wallrj/run-as-non-root
Remove redundant / misleading runAsNonRoot examples from values.yaml
2023-10-31 13:46:20 +01:00
Richard Wall
8eb547d9cb
Remove redundant / misleading runAsNonRoot examples from values.yaml
`runAsNonRoot` is already set to true in the *Pod*SecurityContext,
so there isn't really any reason to set it at the Container SecurityContext too.

Having it in the example values.yaml file gives the misleading impression that
runAsNonRoot is not the default.

 * https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#podsecuritycontext-v1-core

Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-10-31 11:08:54 +00:00
jetstack-bot
32418051c3
Merge pull request #6460 from erikgb/helm-ca-injector-feature-gates
feat(helm): allow configuration of cainjector feature gates
2023-10-31 11:39:20 +01:00
jetstack-bot
dd3fe1fe02
Merge pull request #6453 from wallrj/read-only-root-filesystem
Enable readOnlyRootFilesystem by default
2023-10-31 11:27:20 +01:00
Richard Wall
6d206795c7
Enable readOnlyRootFilesystem by default
Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-10-31 09:55:23 +00:00
Erik Godding Boye
af3e88c6da
feat(helm): allow configuration of cainjector feature gates
Signed-off-by: Erik Godding Boye <egboye@gmail.com>
2023-10-31 10:54:17 +01:00