Commit Graph

568 Commits

Author SHA1 Message Date
Jonathan Boulle
526d31bbc0 Fix various typos in spelling of Certificate 2018-02-26 20:07:06 +01:00
Kiall Mac Innes
054b99f3ba Helm Chart: Add support for affinity and tolerations
Adds support for setting the node affinity and tolerations scheduling options
2018-02-26 15:40:29 +00:00
jetstack-ci-bot
0a0a2f3b13
Merge pull request #346 from rjeczalik/patch-1
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

docs: fix value name that disables rbac

**What this PR does / why we need it**:

Proper documentation for deploying cert-manager for k8s clusters without rbac enabled (happens to be the default for cdk on localhost).

**Which issue this PR fixes**

No issue per se, a follow-up on #256.
2018-02-25 20:20:05 +00:00
jetstack-ci-bot
010e6c87e4
Merge pull request #343 from munnerz/rbac-endpoints
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Add Endpoints back into the cert-manager RBAC policy

**What this PR does / why we need it**:

Adds permission to CRUD Endpoints resources back into the cert-manager RBAC role. This is to prevent deployments using the 'master' version of the Helm chart failing when deploying a pre-0.3 (unreleased) release of cert-manager.

We will remove this in 0.4. This is in order to reduce friction for new users if they forget/decide not to use a tagged release of the Helm chart.

**Release note**:
```release-note
NONE
```

/cc @davecheney @mikebryant
2018-02-25 20:19:02 +00:00
Rafal Jeczalik
c01dd256eb
docs: fix property name that disables rbac 2018-02-25 09:02:24 +01:00
James Munnelly
8cb1e79825 Add Endpoints back into the cert-manager RBAC policy 2018-02-24 10:27:11 +00:00
jetstack-ci-bot
97ce5ca2b3
Merge pull request #329 from munnerz/default-cluster-namespace
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Set default cluster resource namespace to current pod namespace

**What this PR does / why we need it**:

Changes the default cluster resource namespace from kube-system to the current namespace of the cert-manager deployment.

**Which issue this PR fixes**: fixes #103 

**Release note**:
```release-note
Supporting resources for ClusterIssuers (e.g. signing CA certificates, or ACME account private keys) will now be stored in the same namespace as cert-manager, instead of kube-system as in previous versions. Action required: you will need to ensure that you manually migrate these referenced resources into the deployment namespace of cert-manager, else cert-manager may not be able to find account private keys or signing CA certificates.
```

/cc @mikebryant
2018-02-23 19:56:21 +00:00
James Munnelly
30c28975cb Update cluster resource namespace during e2e tests 2018-02-23 11:18:58 +00:00
jetstack-ci-bot
f302862610
Merge pull request #340 from munnerz/static-manifest-ns
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Create a Namespace resource as part of the static manifest bundle

**What this PR does / why we need it**:

Create a Namespace resource as part of the static deployment manifests bundle, to make it easier for users to deploy cert-manager without a Helm chart

**Release note**:
```release-note
NONE
```

/cc @davecheney @wallrj
2018-02-23 11:01:33 +00:00
James Munnelly
105c6c149e Create a Namespace resource as part of the static manifest bundle 2018-02-23 09:13:06 +00:00
jetstack-ci-bot
09c6a09584
Merge pull request #330 from munnerz/namespaced-deploy-manifests
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Update default deployment namespace to be 'cert-manager'

**What this PR does / why we need it**:

Previously, our deployment manifests deployed into the 'default' namespace. This changes them to deploy into 'cert-manager' instead.

**Release note**:
```release-note
The static deployment manifests now automatically deploy into the 'cert-manager' namespace by default
```
2018-02-22 23:25:55 +00:00
jetstack-ci-bot
7533e0e329
Merge pull request #332 from munnerz/err-prefixed-events
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Rename Event types to be prefixed 'Err' instead of 'Error' for brevity

**What this PR does / why we need it**:

Shortens the event type names we use to be prefixed 'Err' instead of 'Error'

**Special notes for your reviewer**:

This brings us in line with the issuer and cluster issuer controllers, and other controllers in Kubernetes.

**Release note**:
```release-note
Rename Event types to be prefixed 'Err' instead of 'Error' for brevity
```
2018-02-22 10:21:22 +00:00
jetstack-ci-bot
c4cdd405a4
Merge pull request #331 from munnerz/no-crt-warning
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Make existing TLS certificate check emit a Normal event instead of Warning when the existing certificate is invalid

**What this PR does / why we need it**:

Previously, when requesting a certificate for the first time, the following events are logged:

```
  Warning  ErrorCheckCertificate  1m                 cert-manager-controller  Error checking existing TLS certificate: secret "httpbin" not found
  Normal   PrepareCertificate     1m                 cert-manager-controller  Preparing certificate with issuer
```

This has caused confusion for users when they see a Warning/Error being logged. This PR changes that to be:

```
  Normal   ErrorCheckCertificate  1m                 cert-manager-controller  Error checking existing TLS certificate, will re-issue: secret "httpbin" not found
  Normal   PrepareCertificate     1m                 cert-manager-controller  Preparing certificate with issuer
```

**Release note**:
```release-note
Clearer event logging when issuing a certificate for the first time
```
2018-02-22 09:48:21 +00:00
James Munnelly
ce0384a196 Rename Event types to be prefixed 'Err' instead of 'Error' for brevity 2018-02-22 07:53:51 +00:00
James Munnelly
70e7c5265b Make existing TLS certificate check emit a Normal event instead of Warning when the existing certificate is invalid 2018-02-22 07:48:58 +00:00
James Munnelly
4afc72d166 Update default deployment namespace to be 'cert-manager' 2018-02-22 07:35:54 +00:00
James Munnelly
ce73a22f6f Set default cluster resource namespace to current pod namespace 2018-02-22 07:24:29 +00:00
jetstack-ci-bot
362735f8f1
Merge pull request #312 from Mikulas/pr/cert-crd-alias
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Add default shortNames to certificates CRD

Defaults to `[cert, certs]` and is configurable with `certificateCRDShortNames` parameter.

**What this PR does / why we need it**:

Simplifies manual certificate management with kubectl.

Fixes #311

**Special notes for your reviewer**:

Instead of a boolean switch to include/exclude the shortNames, the value defines the aliases. This may be handy if anybody prefers `[crt, crts]` instead.

I'm not too keen on the `certificateCRDShortNames` variable name. It might be better to use `Resource` instead of `CRD` to be consistent with the `createCustomResource` var.

Other CRDs are probably OK without an alias, but other people's workflows may differ. Should these also be configurable? In that case, the variables could be `shortNames: {certificates: [], …}`.

**Release note**:

```release-note
Add Certificate CRD shortnames `cert` and `certs`. This is configurable in the Helm Chart with `certificateResourceShortNames`.
```
2018-02-21 20:48:17 +00:00
Mikuláš Dítě
d884404159 Add default shortNames to certificates CRD
Defaults to [cert, certs] and is configurable with
`certificateCRDShortNames` parameter.

[Closes #311]
2018-02-21 20:37:25 +01:00
jetstack-ci-bot
721a4042cd
Merge pull request #327 from ocadotechnology/wip-293
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

fix: Use ConfigMaps for leaderelection

**What this PR does / why we need it**:
Use ConfigMaps for leader election. Improves scalability by not modifying Endpoints, which are watched by kube-proxy.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #293

**Special notes for your reviewer**:

**Release note**:

```release-note
action required: Before upgrading, scale the cert-manager Deployment to 0, to avoid two controllers attempting to operate on the same resources
```
2018-02-21 18:22:27 +00:00
Mike Bryant
0274964100 fix: Use ConfigMaps for leaderelection
Fixes #293
2018-02-21 17:48:13 +00:00
jetstack-ci-bot
46307a0eb3
Merge pull request #325 from wmedlar/bugfix/tls-acme-annotation-value
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Check the value of the tls-acme annotation, not just its existence

**What this PR does / why we need it**: Previously the ingress-shim would sync an Ingress resource if it simply contained the `kubernetes.io/tls-acme` annotation, regardless of the value; now it will only do so if the annotation value is truthy (e.g., "true", "t", "1", and so forth).

**Special notes for your reviewer**: This could probably be done in a way that doesn't disrupt the function's aesthetics so much. Open to all suggestions.

**Release note**:

```release-note
ingress-shim will only sync Ingress resources with `kubernetes.io/tls-acme` annotation if the value of that annotation is true.
```
2018-02-21 17:40:59 +00:00
jetstack-ci-bot
430505d1d7
Merge pull request #326 from jetstack/munnerz-patch-1
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Install Helm during .gitlab-ci.yml release build

Install Helm during .gitlab-ci.yml script

(in future, this file will go away altogether once we have set up a 'trusted' build cluster to push releases)

**Release note**:
```release-note
NONE
```

/assign
2018-02-21 17:23:32 +00:00
James Munnelly
f38efb4d0a
Update .gitlab-ci.yml 2018-02-21 17:00:32 +00:00
Will Medlar
86ab9a9794 Add test cases for falsey tls-acme annotation values 2018-02-21 11:00:21 -06:00
Will Medlar
a709f0ad42 Check the value of the tls-acme annotation, not just its existence 2018-02-21 10:43:30 -06:00
James Munnelly
e410af5e6a
Install Helm during .gitlab-ci.yml release build 2018-02-21 16:38:45 +00:00
jetstack-ci-bot
058a259f7a
Merge pull request #321 from twz123/fix-log-warning
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Log potential errors while waiting for DNS record propagation

**What this PR does / why we need it**:
This helps debugging, e.g. if there are network problems.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
```
2018-02-21 13:39:28 +00:00
jetstack-ci-bot
b18acf1d7e
Merge pull request #246 from mwieczorek/azure-dns
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Added Azure DNS support for DNS01 challenge

**What this PR does / why we need it**:
Adds another provider (Azure DNS) for the DNS01 challenge

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #230 

**Special notes for your reviewer**:

**Release note**:

```release-note
ACME DNS-01 challenge mechanism for Azure DNS
```
2018-02-21 13:20:30 +00:00
jetstack-ci-bot
9e0e333311
Merge pull request #317 from radhus/bundle-ca-in-cert
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Bundle the CA public key in issued certificate

**What this PR does / why we need it**:

If the CA used is only an intermediate CA, and the root CA is trusted by the client, the client needs help verifying the certificate chain.

This also makes the CA present in the certificate even if it's the root CA.

**Which issue this PR fixes**:

Trusting certs issued by intermediate CAs used by cert-manager.

**Special notes for your reviewer**:

I have tested this locally with my own intermediate CA used by cert-manager, issued by my own root CA trusted by my macOS client. The whole certificate chain is now presented in the browser.

The idea to just append the certificates is based on cfssl's mkbundle:
https://github.com/cloudflare/cfssl/blob/1.3.0/cmd/mkbundle/mkbundle.go#L97

**Release note**:
```release-note
CA Issuer: bundle CA certificate with issued certificates
```
2018-02-21 10:59:48 +00:00
Tom Wieczorek
822500c439
Log potential errors while waiting for DNS record propagation
This helps debugging, e.g. if there are network problems.
2018-02-21 10:19:36 +01:00
William Johansson
6ff1746898 Bundle the CA public key in issued certificate
If the CA used is only an intermediate CA, and the root CA is trusted by
the client, the client needs help verifying the certificate chain.
2018-02-18 21:28:22 +01:00
mwieczorek
cc89fe59aa Added Azure DNS support for DNS01 challenge 2018-02-13 10:34:06 +01:00
jetstack-ci-bot
e1aa30e467
Merge pull request #307 from munnerz/e2e-verify-cert
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Ensure certificate is valid for given domains during e2e tests

**What this PR does / why we need it**:

Updates our e2e tests to ensure the certificate being tested is valid for the domains requested on the certificate under test

**Release note**:
```release-note
NONE
```
2018-02-09 22:15:45 +00:00
James Munnelly
827dacc1c0 Ensure certificate is valid for given domains during e2e tests 2018-02-09 20:52:31 +00:00
jetstack-ci-bot
5a78384e14
Merge pull request #295 from stamm/patch-1
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

fix multiline command

Fixed typo in documentation
2018-02-08 15:37:46 +00:00
James Munnelly
72a7490303
Merge pull request #298 from jetstack/owners
Update OWNERS
2018-02-08 15:22:33 +00:00
James Munnelly
b6dd217b4c
Update OWNERS 2018-02-08 15:21:36 +00:00
Rustam Zagirov
75b4938759
fix multiline command 2018-02-07 14:55:44 +03:00
jetstack-ci-bot
a3e463f92b
Merge pull request #290 from munnerz/update-chart
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Update helm chart to align with k/charts feedback

**What this PR does / why we need it**:

This PR brings the helm chart in line with what is found in kubernetes/charts (changes contained here: 008d52cbc4).

It also addresses some feedback (https://github.com/kubernetes/charts/issues/3513) in order to improve our post-installation documentation by providing links to how to configure issuers/ingress-shim.

**Release note**:
```release-note
Remove default resource requests in Helm chart. Improve post-deployment informational messages.
```
2018-02-06 10:08:57 +00:00
James Munnelly
5aa3c091e9 Run hack/update-deploy-gen.sh 2018-02-05 19:16:47 +00:00
James Munnelly
6e2ddc240a Update helm chart to align with k/charts review 2018-02-05 19:10:10 +00:00
jetstack-ci-bot
35adb0ea13
Merge pull request #276 from munnerz/gen-deploy
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Generate and publish deployment manifests for cert-manager

**What this PR does / why we need it**:

This adds scripts to automatically generate deployment manifests for cert-manager.
This allows us to keep the helm chart as the authoritative source of truth, but still publish an alternate deployment mechanism.

If the Helm chart changes, or any of the values files change, the developer submitting the PR will need to run `./hack/update-deploy-gen.sh`. CI automatically verifies these files are up to date.

As a result of this, and due to https://github.com/kubernetes/helm/issues/3377, I have removed support for TPR creation in the Helm chart based on server capabilities. CRDs have been present since 1.7, and we do not test against 1.6 so I propose we drop support unless the user configures it manually. Besides, there's currently no way to disable the ClusterIssuer control loop meaning cert-manager doesn't run on 1.6 anyway (#201).

**Which issue this PR fixes**:

Fixes #272 

**Release note**:
```release-note
Provide static deployment manifests as an alternative to a Helm chart based deployment
```

/cc @f-f @whereisaaron
2018-01-25 18:06:35 +00:00
James Munnelly
4a63f9a600 Run verify-deploy-gen as part of make verify 2018-01-25 16:28:19 +00:00
James Munnelly
c9f1c0e07d Run hack/update-deploy-gen.sh 2018-01-25 16:28:15 +00:00
James Munnelly
0d3790567a Add deployment manifest generation scripts 2018-01-25 16:27:29 +00:00
jetstack-ci-bot
d35afcc514
Merge pull request #275 from jetstack/munnerz-patch-2
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Remove unused file

Remove an old piece of code that is not used

```release-note
NONE
```
2018-01-25 10:39:42 +00:00
James Munnelly
976a96267a Remove support for creating TPRs in Helm chart 2018-01-24 19:03:55 +00:00
James Munnelly
296f6e334c
Remove unused file 2018-01-24 17:17:41 +00:00
jetstack-ci-bot
a4a05595d5
Merge pull request #274 from munnerz/junit
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Optionally write junit reports into artifacts during e2e tests

**What this PR does / why we need it**:

Output junit reports during e2e tests for gubernator to display test details more clearly.

/release-note-none
/assign
2018-01-24 15:24:51 +00:00