After testing the suggested policy both with the AWS policy simulator and by using it with cert-manager I have found that the ARN prefix in the resources included in the statement causes the provider to fail with an access denied error. This new policy is equivalent and valid according to the AWS policy simulator.
Add annotation to the ingress-shim documentation
Remove debug output.
Update documentation errors.
Implement suggestions of using edit-in-place annotation to control behaviour.
Fix reference to editInPlaceAnnotation
Remove the presence of editInPlaceAnnotation from returning true to shouldSync() and relevant test.
Update comment reference to correct annotation name.
Remove tests that relied on annotation impacting result from shouldSync()
Only edit in-place when explicitly requested to do so.
Don't return error if unable to determine Ingress class, continue without setting either ingress or ingressClass.
Update annotation to certmanager.k8s.io/acme-http01-edit-in-place in order to make use case more obvious and have consistent naming.
Update docs to reflect possible values more accurately
This change maintains backwards compatibility, but makes the `accessKeyID` and `secretAccessKeySecretRef` fields of the `route53` DNS provider optional.
If not provided, AWS credentials will be loaded from `AWS_*` environment variables or the EC2 metadata service.
This should also work for things that impersonate the EC2 metadata service, such as [kube2iam](https://github.com/jtblin/kube2iam) and [kiam](https://github.com/uswitch/kiam).
Signed-off-by: Matt Moyer <moyer@heptio.com>
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Clarify ClusterIssuer resource namespace
**What this PR does / why we need it**:
Clarify ClusterIssuer resource namespace in the migrating from kube lego guide
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Document common ingressShim.extraArgs use case in chart
**What this PR does / why we need it**:
Lots of new users don't realize:
(a) They need to create an Issuer/ClusterIssuer themselves
(b) They need to tell `ingress-shim` the name via `extra-args`
This PR adds a comment to the helm chart `values.yaml` to address these issues.
(Ideally the `helm` chart would create a ClusterIssuer for you by default, and set these options, if you specify an email address to use with LE.)
Release note:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
docs/devel: add 'deploy to minikube' docs
**What this PR does / why we need it**:
I felt that the steps to deploy/run/test cert-manager in minikube were non-trivial enough that it was worth documenting.
Let me know if this should live somewhere else in the repo or if you have suggestions for how to better document this.
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Helm Chart: Add support for affinity and tolerations
Adds support for setting the node affinity and tolerations scheduling options
```release-note
Add support for node affinity and tolerations in Helm chart
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Document the minimum necessary permissions for using cert-manager with Route53
**What this PR does / why we need it**: Necessary permissions previously not documented.
**Release note**:
```release-note
Document the minimum necessary permissions for using cert-manager with Route53
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
docs: fix value name that disables rbac
**What this PR does / why we need it**:
Proper documentation for deploying cert-manager for k8s clusters without rbac enabled (happens to be the default for cdk on localhost).
**Which issue this PR fixes**
No issue per se, a follow-up on #256.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add Endpoints back into the cert-manager RBAC policy
**What this PR does / why we need it**:
Adds permission to CRUD Endpoints resources back into the cert-manager RBAC role. This is to prevent deployments using the 'master' version of the Helm chart failing when deploying a pre-0.3 (unreleased) release of cert-manager.
We will remove this in 0.4. This is in order to reduce friction for new users if they forget/decide not to use a tagged release of the Helm chart.
**Release note**:
```release-note
NONE
```
/cc @davecheney @mikebryant
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Set default cluster resource namespace to current pod namespace
**What this PR does / why we need it**:
Changes the default cluster resource namespace from kube-system to the current namespace of the cert-manager deployment.
**Which issue this PR fixes**: fixes #103
**Release note**:
```release-note
Supporting resources for ClusterIssuers (e.g. signing CA certificates, or ACME account private keys) will now be stored in the same namespace as cert-manager, instead of kube-system in previous versions. Action required: you will need to ensure you properly and manually migrate these referenced resources across into the deployment namespace of cert-manager, else cert-manager may not be able to find account private keys or signing CA certificates.
```
/cc @mikebryant
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add default shortNames to certificates CRD
Defaults to `[cert, certs]` and is configurable with `certificateCRDShortNames` parameter.
**What this PR does / why we need it**:
Simplifies manual certificate management with kubectl.
Fixes #311
**Special notes for your reviewer**:
Instead of a boolean switch to include/not include the shortNames, the value defines the aliases. This may be handy if anybody prefers `[crt, crts]` instead.
I'm not too keen on the `certificateCRDShortNames` variable name. It might be better to use `Resource` instead of `CRD` to be consistent with the `createCustomResource` var.
Other CRDs are probably ok without an alias, but other people's workflows may differ. Should these also be configurable? In that case, the variables could be `shortNames: {certificates: [], …}`.
**Release note**:
```release-note
Add Certificate CRD shortnames `cert` and `certs`. This is configurable in the Helm Chart with `certificateResourceShortNames`.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Added Azure DNS support for DNS01 challenge
**What this PR does / why we need it**:
Adds another provider (Azure DNS) for DNS01 challenge
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #230
**Special notes for your reviewer**:
**Release note**:
```release-note
ACME DNS-01 challenge mechanism for Azure DNS
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
provider names in issuer.yml and certificate.yml must match
**What this PR does / why we need it**:
Documentation fix. For further information see #209.
**Which issue this PR fixes**
fixes #209
```release-note
NONE
```