weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
8,782 Commits 45 Branches 0 Tags 96 MiB
515559ac7c
Commit Graph

247 Commits

Author SHA1 Message Date
Tim Ramlot
515559ac7c
re-generate crds 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-05-17 14:33:23 +02:00
Tim Ramlot
e51f4a46db
update CRD field comments 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-05-14 17:49:56 +02:00
pwhitehead
35571e014d refactor to use token request API 
Signed-off-by: Paul Whitehead <pwhitehead@splunk.com>
 2024-05-07 11:11:21 -06:00
Paul Whitehead
528428b31f support assumeRoleWithWebIdentity for Route53 issuer 
Signed-off-by: Paul Whitehead <pwhitehead@splunk.com>

fix test signature
 2024-05-07 11:10:17 -06:00
Tim Ramlot
a8b5178fc5
fix dupword linter 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-04-29 13:47:25 +02:00
cert-manager-prow[bot]
54feeece10
Merge pull request #6970 from erikgb/additional-formats-beta 
Promote AdditionalCertificateOutputFormats feature gate to Beta
 2024-04-29 07:42:36 +00:00
Erik Godding Boye
003c1b12e8
Promote AdditionalCertificateOutputFormats feature gate to Beta and enable by default 
Signed-off-by: Erik Godding Boye <egboye@gmail.com>
 2024-04-28 17:29:35 +02:00
Erik Godding Boye
8f99f40cbb
Upgrade K8s dependencies to v0.30.0 
Signed-off-by: Erik Godding Boye <egboye@gmail.com>
 2024-04-28 13:02:36 +02:00
Bill Waldrep
d4911ebfaa
Add optional flag to specify jks keystore alias. 
Previously the JKS keystore alias was hardcoded to "certificate".
This change adds an optional configuration point to allow users
to specify a custom keystore alias. If the flag is omitted we
will default to the previous behavior.

Signed-off-by: Bill Waldrep <bwaldrep@palantir.com>
 2024-03-04 13:23:09 -05:00
Tim Ramlot
d7a23387c3
run 'make update-crds' 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-02-22 13:26:29 +01:00
jetstack-bot
f643eef2b2
Merge pull request #6755 from import-shiburin/master 
bugfix: wrong certificate chain is used if preferredChain is configured
 2024-02-20 15:29:07 +00:00
jetstack-bot
0b379e4b5c
Merge pull request #6760 from inteon/add_crd_keep 
Add `crds.keep` and `crds.enabled` Helm options
 2024-02-20 12:09:35 +00:00
Tim Ramlot
815dbc9e8f
remove unused and in Helm template 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-02-19 14:24:57 +01:00
Tim Ramlot
f44238fd80
run 'make update-crds' 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-02-18 20:16:09 +01:00
jetstack-bot
7f92e38988
Merge pull request #6614 from rodrigorfk/feat-vault-mtls 
feat: Add the ability to communicate with Vault via mTLS
 2024-02-16 18:11:26 +00:00
Tim Ramlot
d34e2c8589
add CRD keep annotation 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-02-15 15:28:09 +01:00
Jason Witkowski
72b627d12a
Move helm hook from labels to annotations 
Signed-off-by: Jason Witkowski <jwitko1@gmail.com>
 2024-02-15 10:49:35 +01:00
Jason Witkowski
a6f665353f
feat: Add option to keep CRDs when helm chart is uninstalled 
Signed-off-by: Jason Witkowski <jwitko1@gmail.com>
 2024-02-15 10:49:35 +01:00
cloudwiz
75d1449903
move audiences under the SA ref 
Signed-off-by: cloudwiz <andrey.dubnik@maersk.com>
 2024-02-08 14:07:03 +00:00
cloudwiz
624f874d69
updated spelling and generated CRDs 
Signed-off-by: cloudwiz <andrey.dubnik@maersk.com>
 2024-02-06 15:06:31 +00:00
cloudwiz
9cf9cb7ea5
Vault extra audiences (#3) 
---------

Signed-off-by: cloudwiz <andrey.dubnik@maersk.com>
 2024-02-06 10:06:17 +00:00
Rodrigo Fior Kuntzer
199c98689f
feat: supporting Vault server mTLS 
Signed-off-by: Rodrigo Fior Kuntzer <rodrigo@miro.com>
 2024-01-15 09:25:30 -03:00
Tim Ramlot
67f8a03cae
update AzureDNS auth API comments 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-01-12 12:07:02 +01:00
Tim Ramlot
9e2c6ae08a
run 'make update-crds' 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-01-03 16:18:35 +01:00
Tim Ramlot
41404a7fd7
rename UseCertificateRequestNameConstraints to NameConstraints 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-01-03 15:49:18 +01:00
jetstack-bot
cc8925ae9f
Merge pull request #6404 from SpectralHiss/hef/otherNameSANs 
Other name sans support in Certificates
 2024-01-03 14:16:23 +00:00
jetstack-bot
4af78fe98a
Merge pull request #6548 from snorwin/modern-pkcs12 
New option to specify encryption and MAC algorithms for PKCS#12 keystores.
 2024-01-03 12:54:22 +00:00
Tim Ramlot
8223df9e91
rename Algorithms to Profile 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-01-03 13:45:02 +01:00
Tim Ramlot
24794feac0
update API comments 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-12-20 11:26:52 +01:00
SpectralHiss
e7f29f8bb3 UTF8Value -> utf8Value in CRD JSON schema 
* Still following Go standard with UTF8Value for struct field name

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2023-12-20 08:30:54 +00:00
SpectralHiss
c87a2f6691 Add early feedback validation for otherName syntax and tests 
* Fixed warning

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2023-12-19 20:02:02 +00:00
Adam Talbot
247a034116 feat: update gateway api to v1 
Signed-off-by: Adam Talbot <adam.talbot@venafi.com>
 2023-12-18 21:00:42 +00:00
Norwin Schnyder
ebf58b9967 apply PR feedback 
Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>
 2023-12-15 10:52:57 +01:00
SpectralHiss
4bdee5f010 Rename otherNameSANs to otherNames 
* Improve the CRD godoc comments

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2023-12-13 16:21:56 +00:00
Norwin Schnyder
b8ad8a3704 apply PR feedback 
Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>
 2023-12-13 12:00:39 +00:00
Tim Ramlot
721f71ed60 Refactor the solution 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-12-13 09:37:21 +00:00
Tim Ramlot
bfd9a65160 Add OtherNameSANs field to Certificates 
* Added an otherName SAN extension mechanism
* Can take any otherName OID with String (UTF-8) like value
* cf [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280) p 37 for
  more info
* otherName is only a subset of GeneralName, our specific need for for
  UserPrincipalName used in Microsoft AD/ LDAP
* We treat UPN special but we might remove this in a later commit

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2023-12-13 09:12:23 +00:00
Norwin Schnyder
b79e73f484 fix controller-gen errors 
Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>
 2023-12-12 18:25:15 +01:00
Norwin Schnyder
c583278ce8 generate manifests 
Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>
 2023-12-12 14:27:41 +00:00
tanujd11
28ca4312b3 fix: additional review comments 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:30:31 +05:30
tanujd11
84d7dd4aed Addressed review comments 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:30:31 +05:30
tanujd11
d1b3e5ca83 Move critical from NameConstraintItem to NameConstraint and remove validateNameConstraints 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:30:29 +05:30
tanujd11
50d84c1bbc nits: added new line at EOF and comment fix 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:27:42 +05:30
tanujd11
589030dec1 feature: added name constraints 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:27:31 +05:30
Jeremy Campbell
dc876fef16
Add x509 v3 CA Issuers Extension 
Signed-off-by: Jeremy Campbell <jeremy.campbell@okta.com>
 2023-11-16 12:45:16 -06:00
Tim Ramlot
9749f1253d
upgrade dependencies 
Co-authored-by: Paul Merrison <paul@tetrate.io>
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-09-12 11:38:10 +02:00
Tim Ramlot
468b970f81
run make update-crds 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-09-01 12:21:42 +02:00
jetstack-bot
5035dda25e
Merge pull request #6006 from vidarno/cache-private-key-hash-on-issuer-status 
Cache private key hash on issuer status
 2023-05-05 08:05:07 +01:00
vidarno
4934183927 Extend CRDs and structs to include LastPrivateKeyHash field 
Signed-off-by: vidarno <>
 2023-04-29 09:12:56 +02:00
Thomas Müller
12483d3d54 Check JKS/PKCS12 truststores only if issuer provides the CA 
The current policy check for keystores in Secrets creates a loop because
the truststore.jks or truststore.p12 will never exist when the issuer didn't
provide the CA certificate. This behaviour was introduced by #5597

The JKS and PKCS12 truststores are only added to the Secret
if the CA is provided by the issuer. The CertificateRequest API
reference states:

> The PEM encoded x509 certificate of the signer, also known
> as the CA (Certificate Authority). This is set on a best-effort basis by
> different issuers. If not set, the CA is assumed to be unknown/not available.

This change will only check the PKCS12/JKS truststores if the CA cert from the
issuer exists in the secret.

Fixes #5755

Signed-off-by: Thomas Müller <thomas@chaschperli.ch>
 2023-04-27 17:09:41 +02:00