Previously it wasn't possible to set a custom CA bundle for an ACME
server, leading users to either patch the cert-manager system CA bundle
manually or else use SkipTLSVerify which is a security issue.
This adds CABundle for ACME, similar to what we have for Vault and
Venafi TPP issuers.
Longer term we'd like to have a more fully featured approach. It would
for example make sense to support loading CA bundles from ConfigMaps or
Secrets (similar to what we do for Vault issuers today), but for now this
change is the simplest change.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
This removes all .bazel and .bzl files, and a bunch of scripts relating
to bazel, now that it's been entirely replaced.
There are still a few places where traces could be removed, but this
removes the brunt of the bazel stuff that remains.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Previously, in v1alpha1, an HTTPRoute was matched to a Gateway using
the label selectors present on the Gateways. For example, with the
following Gateway:
apiVersion: networking.x-k8s.io/v1alpha1
kind: Gateway
metadata:
name: acmesolver
spec:
listeners:
- protocol: HTTP
port: 80
routes:
kind: HTTPRoute
selector:
matchLabels:
app: foo
you would have to use the following labels on the HTTPRoute in order to
get the above Gateway to be used:
apiVersion: networking.x-k8s.io/v1alpha1
kind: HTTPRoute
metadata:
labels:
app: foo
With v1alpha2, the label selectors have been dropped. Instead, the
HTTPRoute has to give a direct reference to the Gateway:
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
spec:
parentRefs:
- kind: Gateway
name: acmesolver
namespace: traefik
This means that the "labels" field on the gatewayHTTPRoute solver is now
optional:
apiVersion: cert-manager.io/v1
kind: Issuer
spec:
acme:
solvers:
- http01:
gatewayHTTPRoute:
labels: | This field is
app: test | now optional.
parentRefs:
- kind: Gateway
name: acmesolver
Signed-off-by: Maël Valais <mael@vls.dev>
These tests have external dependencies (rendered CRDs) which mean they
can't pass on a clean checkout without further setup. We define such
tests as integration tests, and so these are moved to test/integration.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
