Commit Graph

260 Commits

Author SHA1 Message Date
James Munnelly
686e9159e5 Wait for ACME Orders to be in 'ready' state before attempting finalization 2018-07-25 18:05:45 +01:00
Louis Taylor
bcf135c7ae
clouddns: use fqdn for challenge cleanup
This is the same as the problem fixed in #750, but for cleanup.
2018-07-22 20:17:11 +01:00
jetstack-bot
398e1560a3
Merge pull request #670 from gurvindersingh/master
add support CNAME for dns-01 challenge
2018-07-20 19:36:06 +01:00
jetstack-bot
b15a18be98
Merge pull request #746 from euank/route53-invalid-change-batch
issuer/route53: fix delete for 'NotExist' errors
2018-07-20 18:36:59 +01:00
Euan Kemp
ea84532a5c issuer/route53: log ignored InvalidChangeBatch err 2018-07-20 10:10:02 -07:00
Louis Taylor
082f815773
clouddns: find hosted zone for challenge record
Previously this would fail if you use a CNAME for the _acme-challenge
record.
2018-07-20 16:53:12 +01:00
Euan Kemp
15d497b4ca issuer/route53: fix delete for 'NotExist' errors
Fixes #736.

Prior to this change, it was quite possible to end up with a queue of
cleanup tasks that would never succeed.
2018-07-19 10:20:27 -07:00
jetstack-bot
6348c6ffca
Merge pull request #722 from autonomic-ai/support-ec-keys
Add keyAlgorithm and keySize fields to Certificates, and support ECDSA keys
2018-07-18 10:00:36 +01:00
Afolabi Badmos
445e522432 Add support for EC keys
- This PR adds two fields to CertificateSpec:
  - `keyAlgorithm`, denotes which algorithm to use when generating
    a private key. Can be either `rsa` or `ecdsa`. When not set, the
    default algorithm used is `rsa`.
  - `keySize`, denotes the key size of the private key being generated.
    For `rsa`, minimum key size is 2048 and maximum is 8192.
    For `ecdsa`, sizes 224, 256, 384 & 521 are supported.
    See https://golang.org/pkg/crypto/elliptic

- `keySize` can be set without being explicit about `keyAlgorithm`.
  - If `keySize` is specified and `keyAlgorithm` is not provided, `rsa` will
    be used as the key algorithm.

- `keyAlgorithm` can be set without being explicit about `keySize`.
  - If `keyAlgorithm` is specified and `keySize` is not provided, a key size
    of `256` will be used for the `ecdsa` key algorithm and a
    key size of `2048` will be used for the `rsa` key algorithm.

- helper functions in `pki` package now return crypto.PrivateKey
2018-07-17 12:42:07 -04:00
jetstack-bot
a162a5bb8e
Merge pull request #612 from vdesjardins/custom-approle-path
Vault: configurable appRole authentication path
2018-07-11 17:53:33 +01:00
jetstack-bot
c08cd80730
Merge pull request #622 from munnerz/istio-annotation
Add auth.istio.io annotation to ACME HTTP01 service
2018-07-11 17:18:33 +01:00
Vincent Desjardins
7fae0fccf1 code review fixes 2018-07-11 16:00:39 +00:00
Vincent Desjardins
ca3b909cb7 code review modifications 2018-07-11 16:00:39 +00:00
Vincent Desjardins
2995cc90a3 Vault: configurable appRole authentication path 2018-07-11 16:00:39 +00:00
jetstack-bot
bd7f15d5f4
Merge pull request #710 from kragniz/dns-flag
Add flag for setting nameservers for DNS01 check
2018-07-11 14:26:33 +01:00
Gustav Westling
641b497242 route53: update managed by DNS record comment 2018-07-08 12:09:00 +02:00
Louis Taylor
cbc61ef7f9
Fix tests 2018-07-05 12:41:33 +01:00
Louis Taylor
3eaca6a318
Add flag for custom dns01 nameservers 2018-07-05 12:40:53 +01:00
André Cruz
936e2b98ee Support the new "ready" order status 2018-07-03 15:31:14 +01:00
James Munnelly
bbb65baa38 Run go fmt 2018-06-26 01:24:52 +01:00
Guilherme Blanco
8d69e1e811 Added annotation to pod to prevent istio-sidecar-injector to add an envoy-proxy 2018-06-26 01:24:52 +01:00
James Munnelly
65b6ae2643 Add auth.istio.io annotation to ACME HTTP01 service 2018-06-26 01:24:52 +01:00
James Munnelly
fe5e748170 Don't return invalid/expired orders in shouldAttemptValidation 2018-06-25 10:46:10 +01:00
Gurvinder Singh
bfde429b8e add support CNAME for dns-01 challenge
The domain for which a certificate is requested can have a CNAME, so we should check it.
If the domain has a CNAME, create the challenge TXT record in the alias domain.

This is useful in the scenario where a company like ours is using some DNS provider
which is not supported dynamically. We can then create a CNAME for records like

_acme-challenge.example.com -> example.aws.hosted.com

So this will allow us to get a cert for *.example.com by creating a TXT record in route53 for the above example.
2018-06-21 21:48:16 +02:00
jetstack-bot
61729fb96a
Merge pull request #637 from munnerz/selfsigned
Add self signed Issuer type
2018-06-15 14:31:33 +01:00
jetstack-bot
cb107f3b89
Merge pull request #652 from euank/r53-owner
issuer/dns/route53: add myself as owner
2018-06-14 12:32:36 +01:00
jetstack-bot
12d603f511
Merge pull request #629 from groner/check-acme-issuer-challenge-type
Check the acme issuer has the challenge type configured.
2018-06-14 11:54:37 +01:00
Euan Kemp
27b5e49732 issuer/dns/route53: add myself as owner 2018-06-12 18:32:49 -07:00
jetstack-bot
df4b493b38
Merge pull request #582 from ThatWasBrilliant/master
FindZoneByFqdn fixes from lego
2018-06-12 16:25:41 +01:00
James Munnelly
00e558a9e7 Fix package naming 2018-06-08 17:49:26 +01:00
James Munnelly
6cfdc62f6b Add self signed Issuer type 2018-06-08 15:48:30 +01:00
James Munnelly
1fd8cdf13e Create common GenerateCSR and GenerateTemplate methods for creating Certificate/CertificateRequest 2018-06-08 15:15:27 +01:00
Kai Groner
b7a8c4c623 Check the acme issuer has the challenge type configured. 2018-06-06 10:19:22 -04:00
jetstack-bot
3cafdd9401
Merge pull request #598 from euank/log-namespaces
issuer/acme/*: log namespaces for resources
2018-06-06 09:52:53 +01:00
jetstack-bot
c61f392163
Merge pull request #555 from paultiplady/debug/gcloud-errors
Improve logs for CloudDNS service account errors
2018-06-06 01:40:39 +01:00
Euan Kemp
a09e9037de issuer/acme/http: log namespaces for resources
It's useful to know what namespace is being operated on, so log
namespaces all over the place!
2018-05-30 20:10:17 -07:00
Euan Kemp
09a5846412 issuer/acme/http: remove unused test code
¯\_(ツ)_/¯
2018-05-30 20:03:00 -07:00
Euan Kemp
36b57ba475 issuer/acme/dns: log namespace for secret errors
If we can't find the secret, the user should probably also know what
namespace we looked in.

xref #540 for a case where this might help with debugging
2018-05-30 20:00:21 -07:00
Euan Kemp
910a9e8859 issuer/acme/dns: remove redundant 'Error' calls 2018-05-30 19:57:44 -07:00
jetstack-bot
e51edb398e
Merge pull request #587 from vdesjardins/fix-vault-panic-on-sealed
vault: fix panic when vault is sealed or uninitialized
2018-05-29 12:13:15 +01:00
Vincent Desjardins
37db332b46 vault: fix panic when vault is sealed or uninitialized 2018-05-29 01:36:00 +00:00
Anders Petersson
6d5b199d74
Fixed a typo in error msg. 2018-05-27 19:52:05 +02:00
Brian Hardy
e52aefb34a FindZoneByFqdn fixes from lego 2018-05-25 14:00:29 -05:00
Paul Tiplady
1089667ceb Make CloudDNS service account errors debuggable
Improve logging in the case where the Service Account Secret is
loaded, but the Key is not found.

Previous behaviour was to fail without giving much help as to
why.

New behaviour confirms the key name and namespace/secret-name.

FIXES: 539
2018-05-11 08:56:09 -07:00
jetstack-bot
0bb19e9453
Merge pull request #546 from munnerz/cloudflare-idempotent
Update Cloudflare provider to be idempotent when calling Present
2018-05-09 16:18:19 +01:00
James Munnelly
707a113870 Update Cloudflare provider to be idempotent when calling Present 2018-05-09 14:45:11 +01:00
James Munnelly
3fc74f7f86 Set Issuer ready condition to false if ACMEv1 endpoints are used 2018-05-09 14:17:20 +01:00
James Munnelly
a597c02701 Fix panic in shouldAttemptValidation 2018-05-09 12:11:41 +01:00
Vincent Desjardins
b35343786e Vault issuer support
vault remove duration
2018-05-02 00:45:55 +00:00
James Munnelly
944ed571fc Ensure challenge list gets updated after attempting authzs 2018-04-25 19:02:15 +01:00