Makes sure that when an unlabelled Secret is encountered at any point (even outside issuance) it will be labelled
Signed-off-by: irbekrm <irbekrm@gmail.com>
cainjector will still watch cluster-scoped resources such as CRDs, so it can get references to Secrets or Certificates in namespaces that are out of scope
Signed-off-by: irbekrm <irbekrm@gmail.com>
Ensures that when cainjector has the namespace flag passed, namespaced resource caching is scoped to that namespace
Signed-off-by: irbekrm <irbekrm@gmail.com>
See https://github.com/cert-manager/cert-manager/issues/5601
When referring to external issuers whose kind is not "Issuer" or
"ClusterIssuer" we log an error message thanks to a new check added in
a previous PR[1] which should only trigger for SelfSigned issuers.
The error previously looked like:
```text
"error"="invalid value \"x\" for issuerRef.kind. Must
be empty, \"Issuer\" or \"ClusterIssuer\""
```
After this PR, any CR with an issuer whose group or kind doesn't
match what's expected for a built-in issuer will be skipped.
[1] https://github.com/cert-manager/cert-manager/pull/5336
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
WIP: test other issuer kinds
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
This fixes two instances where loop variables were being incorrectly
used:
- using a loop variable in a closure passed to `ginkgo.It()` is
incorrect, as the capture happens by reference and only the last test
case will be executed (multiple times).
- a similar issue happens in the context of a goroutine; specifically,
we need to create a copy of the `runDurationFunc` before calling it in
a goroutine as done by the controller's `Run` function.
With regards to the second issue, I believe it never came to the
surface because, in production code, only one `runDurationFunc` is
passed; tests don't exercise the multiple funcs path either.
Issues were automatically found with the `loopvarcapture` linter.
Signed-off-by: Renato Costa <renato@cockroachlabs.com>
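The first case in the commit message above (a closure registered in a loop and run later, as with `ginkgo.It()`), as an added example that is not code from the cert-manager commit. `spec`, `registerShared`, `registerCopied` and `run` are hypothetical names, and the shared variable is declared outside the loop to model the single per-loop variable that `for ... range` used before Go 1.22. The goroutine case has the same root cause.

```go
package main

import "fmt"

// spec models a deferred test body: it is registered while the loop runs
// and only executed once the loop has finished (hypothetical type).
type spec struct {
	name string
	body func() string
}

// registerShared reproduces the bug: every closure captures the same
// variable, so all bodies observe the value from the last iteration.
func registerShared(cases []string) []spec {
	var specs []spec
	var tc string // one variable shared by all iterations
	for i := range cases {
		tc = cases[i]
		specs = append(specs, spec{name: cases[i], body: func() string { return tc }})
	}
	return specs
}

// registerCopied applies the fix: each iteration takes its own copy
// before the closure is created.
func registerCopied(cases []string) []spec {
	var specs []spec
	for i := range cases {
		tc := cases[i] // per-iteration copy
		specs = append(specs, spec{name: tc, body: func() string { return tc }})
	}
	return specs
}

// run executes the registered bodies after registration is complete.
func run(specs []spec) []string {
	out := make([]string, 0, len(specs))
	for _, s := range specs {
		out = append(out, s.body())
	}
	return out
}

func main() {
	cases := []string{"Issuer", "ClusterIssuer", "External"} // constructed sample input
	fmt.Println("shared:", run(registerShared(cases)))
	fmt.Println("copied:", run(registerCopied(cases)))
}
```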
informer, and no longer mark the request as Failed when the private key
Secret is malformed. This behaviour matches the CertificateRequest
self signed controller.
Signed-off-by: joshvanl <me@joshvanl.dev>
controller, which re-syncs requests which reference the Secret via the
`experimental.cert-manager.io/private-key-secret-name` annotation.
Signed-off-by: joshvanl <me@joshvanl.dev>
so that CertificateRequests will be re-synced on informed Secrets which
are referenced with "cert-manager.io/private-key-secret-name"
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
This removes all .bazel and .bzl files, and a bunch of scripts relating
to bazel, now that it's been entirely replaced.
There are still a few places where traces could be removed, but this
removes the brunt of the bazel stuff that remains.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>