This implements ambient credential support for AWS, gated behind flags
for issuers and cluster issuers.
This adds the pair of flags discussed in
https://github.com/jetstack/cert-manager/issues/308.
It provides an implementation for those flag's effects for the route53
solver.
The zone id is never read from the environment; this test tests
functionality which doesn't exist in the actual software, so there's no
point in having it.
This change maintains backwards compatibility, but makes the `accessKeyID` and `secretAccessKeySecretRef` fields of the `route53` DNS provider optional.
If not provided, AWS credentials will be loaded from `AWS_*` environment variables or the EC2 metadata service.
This should also work for things that impersonate the EC2 metadata service, such as [kube2iam](https://github.com/jtblin/kube2iam) and [kail](https://github.com/uswitch/kiam).
Signed-off-by: Matt Moyer <moyer@heptio.com>
Previously, each provider's package-level 'New' function was being
called.
That made mocking it out for a different function that records data or
returns different output quite difficult.
This PR introduces an additional layer of abstraction in the form of
effectively a vtable struct for the dns providers. It's defaulted to the
same package-level constructors as before, but unit tests in the dns
package can easily override it.
A new test for the previously-introduced route53 trimming behavior is
also added.
If /etc/resolv.conf does not have any entries, then its unlikely
that the domain name representation of google's DNS would get
resolved too. Hence using IP address directly makes sense.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Rename Event types to be prefixed 'Err' instead of 'Error' for brevity
**What this PR does / why we need it**:
Shortens the event type names we use to be prefixed 'Err' instead of 'Error'
**Special notes for your reviewer**:
This brings us in-line with the issuer and cluster issuer controllers, and other controllers in Kubernetes.
**Release note**:
```release-note
Rename Event types to be prefixed 'Err' instead of 'Error' for brevity
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Log potential errors while waiting for DNS record propagation
**What this PR does / why we need it**:
This helps debugging, e.g. if there are network problems.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Added Azure DNS support for DNS01 challange
**What this PR does / why we need it**:
Adds another provider (Azure DNS) for DNS01 challange
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#230
**Special notes for your reviewer**:
**Release note**:
```release-note
ACME DNS-01 challenge mechanism for Azure DNS
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update Secrets instead of replacing to preserve additional metadata
**What this PR does / why we need it**:
Previously we always overwrite the existing certificate if it already existed. Some users have requested a way to automatically create the target secrets using a helm chart, so that all artifacts can be cleaned up cleanly upon `helm delete`.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes#192
**Release note**:
```release-note
Update existing secrets instead of replacing in order to preserve annotations/labels
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix panic in acme authorize function
**What this PR does / why we need it**:
Fixes a panic in the authorize() method of the acme issuer
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes#206
**Release note**:
```release-note
Fix a bug in the ACME authorizer that would cause cert-manager to panic when certificate.spec.acme was not specified
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Improve validation of certificates. Fix bug in checking certificate validity
**What this PR does / why we need it**:
Improves the validation of dnsNames and commonNames on certificate resources.
Fixes a bug in checking certificate validity.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes#176, fixes#175
**Release note**:
```release-note
Fix a bug in checking certificate validity and improve validation of dnsNames and commonName
```
