cert-manager

Author	SHA1	Message	Date
tanujd11	adb9311f56	validate name constraint before signing CSR Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>	2023-12-07 22:29:45 +05:30
tanujd11	50d84c1bbc	nits: added new line at EOF and comment fix Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>	2023-12-07 22:27:42 +05:30
tanujd11	589030dec1	feature: added name constraints Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>	2023-12-07 22:27:31 +05:30
jetstack-bot	e7e3e5f4de	Merge pull request #6534 from wallrj/server-timeout Mitigate potential Slowloris attacks by setting ReadHeaderTimeout in all http.Server instances	2023-12-07 13:28:05 +01:00
Richard Wall	8bed166858	Add ReadHeaderTimeout to all http.Server where that setting is missing Signed-off-by: Richard Wall <richard.wall@venafi.com>	2023-12-07 11:42:22 +00:00
Tim Ramlot	767764d598	refactor GenerateCSR and deprecated the helper functions Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-12-06 18:16:19 +01:00
Tim Ramlot	6f7ebbed7b	replace deprecated pkcs12 function call with pkcs12.LegacyRC2 Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-11-27 12:32:19 +01:00
jetstack-bot	630dba760a	Merge pull request #6498 from inteon/fix_webhook_bug BUGFIX: Limit webhook admission input	2023-11-22 15:00:40 +01:00
jetstack-bot	c9e028f3db	Merge pull request #6347 from lauraseidler/fix/gateway-warning-http Do not process Gateway listeners that do not support TLS	2023-11-17 16:18:19 +01:00
Tim Ramlot	073d90611e	limit webhook admission input Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-11-17 14:23:57 +01:00
Jeremy Campbell	dc876fef16	Add x509 v3 CA Issuers Extension Signed-off-by: Jeremy Campbell <jeremy.campbell@okta.com>	2023-11-16 12:45:16 -06:00
jetstack-bot	6fddbe538f	Merge pull request #6433 from vinny-sabatini/issue-5782 fix error message when setting up vault issuer	2023-11-14 16:30:01 +01:00
jetstack-bot	d2f6bbe579	Merge pull request #6028 from inteon/fix_scheme_errors Stop using global runtime.Scheme variables	2023-11-06 22:57:09 +01:00
Tim Ramlot	4c94f3ef10	create ad-hoc schemes instead of sharing global ones Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-11-06 21:58:24 +01:00
Richard Wall	9b5dd86084	Configure HTTP01 solver Pod with readOnlyRootFilesystem Signed-off-by: Richard Wall <richard.wall@venafi.com>	2023-10-31 14:47:24 +00:00
Vinny Sabatini	d15e55a16c	Update pkg/issuer/vault/setup.go Co-authored-by: Tim Ramlot <42113979+inteon@users.noreply.github.com> Signed-off-by: Vinny Sabatini <vincent.sabatini@gmail.com>	2023-10-24 09:52:52 -05:00
Vinny Sabatini	ef6ef1f0db	additional improvements to vault issuer error messages When initializing a Vault issuer: * Create different error messages depending on if Vault is sealed or not initialized * Do not explicitly parse the Vault server URL (this is covered when trying to access health endpoint) Signed-off-by: Vinny Sabatini <vincent.sabatini@kohls.com>	2023-10-20 16:36:11 -05:00
Vincent Sabatini	298ceb3b2a	fix error message when setting up vault issuer * Ensure Vault URL can be parsed * Separate generic http errors from vault specific errors when checking health endpoint Signed-off-by: Vincent Sabatini <vincent.sabatini@gmail.com>	2023-10-19 08:23:04 -05:00
Max Brauer	432430b311	Rename webhookConfig to controllerConfig Signed-off-by: Max Brauer <mbrauer@vmware.com>	2023-10-18 15:28:14 +02:00
Tim Ramlot	15bc387da6	make changes based on feedback Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-10-13 19:42:13 +02:00
Tim Ramlot	e63d061269	add tests Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-10-11 13:48:01 +02:00
Tim Ramlot	d40dae9d67	Fix DuplicateSecretName issue Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-10-11 13:47:44 +02:00
Laura Seidler	6ac88fd6b9	Do not process Gateway listeners that do not support TLS Otherwise, these will raise warnings in the next steps (e.g. about empty TLS blocks, which are not supported for HTTP listeners). Signed-off-by: Laura Seidler <hello@laura-seidler.de>	2023-10-11 12:48:55 +02:00
Laura Seidler	6240ecbea3	Add test case to explicitly support TLS listeners Signed-off-by: Laura Seidler <hello@laura-seidler.de>	2023-10-11 12:48:45 +02:00
Laura Seidler	9165f186cb	Use constants instead of strings for gateway protocol types These were already used in some places, this makes the usage more consistent and easier to grep where different protocols are being used. Signed-off-by: Laura Seidler <hello@laura-seidler.de>	2023-10-11 12:48:39 +02:00
Maël Valais	d1d92b6398	venafi: ResetCertificate wasn't working Signed-off-by: Maël Valais <mael@vls.dev>	2023-10-06 16:24:15 +02:00
jetstack-bot	df4d15ce4a	Merge pull request #6053 from inteon/critical_change Make KeyUsage and BasicConstraints Critical extensions in the CSR blob	2023-10-05 17:13:56 +02:00
Tim Ramlot	e5f50002e1	introduce configfile for cainjector options Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-09-28 12:56:11 +02:00
Tim Ramlot	ef3bd7d3b2	upgrade all dependencies Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-09-28 12:07:27 +02:00
jetstack-bot	8aafddb974	Merge pull request #6328 from inteon/add_clock_health Add health probe that detects skew between system clock and monotonic go process clock	2023-09-27 11:37:11 +02:00
Tim Ramlot	5049cd4d35	increase maxClockSkew to 5 minutes, just to be safe Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-09-27 11:20:48 +02:00
Tim Ramlot	2dc22bc8e7	add extra comment Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-09-25 15:58:51 +02:00
Tim Ramlot	eac230f93e	add more test cases and fix typo Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-09-22 12:44:52 +02:00
Tim Ramlot	860df2294b	fix feedback: make hash secure Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-09-21 13:24:07 +02:00
Tim Ramlot	6006182435	add uniqueness check for names util Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-09-20 20:28:00 +02:00
Tim Ramlot	5d876c5b91	improvements based on PR feedback Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-09-20 18:23:13 +02:00
Tim Ramlot	fa2d9333e3	BUGFIX: CertificateRequest short names must be unique. Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-09-20 14:51:24 +02:00
Josh Soref	05117f5f75	Add cluster-autoscaler.kubernetes.io/safe-to-evict Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>	2023-09-14 12:47:04 -04:00
Tim Ramlot	8d75a003e9	add health probe that detects skew between 'real' system clock and 'monotonic' internal clock Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-09-14 13:55:44 +02:00
Eng Zer Jun	c274d7e929	refactor: remove redundant nil check From the Go specification: "3. If the map is nil, the number of iterations is 0." [1] Therefore, an additional nil check for before the loop is unnecessary. [1]: https://go.dev/ref/spec#For_range Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>	2023-09-05 19:05:59 +08:00
jetstack-bot	798116152c	Merge pull request #6302 from inteon/update_api_comments Review Certificate and CertificateRequest API comments	2023-09-01 12:38:39 +02:00
Tim Ramlot	b98043f6b8	apply review suggestions Co-authored-by: Maël Valais <mael@vls.dev> Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-09-01 12:20:00 +02:00
Tim Ramlot	7c2b4adee7	Rewrite comments in cert-manager API Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-09-01 12:19:35 +02:00
jetstack-bot	3216d18f84	Merge pull request #6298 from inteon/feature_gates Feature gates: promote StableCertificateRequestName and SecretsFilteredCaching to Beta	2023-08-30 19:25:45 +02:00
Tim Ramlot	cf8e37291a	replace k8s.io/utils/pointer with k8s.io/utils/ptr Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-08-28 09:33:10 +02:00
Tim Ramlot	68cbbf8c42	update tests to work with StableCertificateRequestName featuregate being enabled by default Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-08-25 21:32:08 +02:00
Tim Ramlot	c70d9aba08	Rename DontAllowInsecureCSRUsageDefinition feature flag to DisallowInsecureCSRUsageDefinition and make it a Beta flag. Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-08-25 15:18:14 +02:00
jetstack-bot	9ebc08cd64	Merge pull request #5879 from maelvls/structured-logs-deprecate Deprecate klog flags and add a deprecation message	2023-08-25 14:42:10 +02:00
Maël Valais	1c85525d45	klog: warn people that the flags may get removed in the future Signed-off-by: Maël Valais <mael@vls.dev>	2023-08-25 08:54:54 +02:00
Tim Ramlot	6a159bb2d7	fix changed slices.SortFunc signature Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-08-24 19:54:30 +02:00
Tim Ramlot	3fc1f8a580	upgrade all dependencies Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-08-24 19:54:25 +02:00
jetstack-bot	ba73f80b14	Merge pull request #6289 from inteon/acme_webhook_openapi Add openapi definitions to acme API server	2023-08-24 16:49:48 +02:00
jetstack-bot	cce304b9d6	Merge pull request #6293 from SgtCoDFish/ipv6compare Fix invalid handling of ip addresses in comparisons	2023-08-24 16:36:48 +02:00
Ashley Davis	bbbc758ccd	fix invalid handling of ip addresses in comparisons Signed-off-by: Ashley Davis <ashley.davis@venafi.com>	2023-08-24 15:21:42 +01:00
jetstack-bot	8d9052f3a9	Merge pull request #6291 from inteon/remove_maxpathlen Remove MaxPathLen CSR blob validation logic	2023-08-24 15:11:17 +02:00
Tim Ramlot	66b1c6e19b	only set logging settings once Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-08-23 14:28:40 +02:00
Tim Ramlot	1858ccf369	remove MaxPathLen CSR blob validation logic Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-08-23 14:24:36 +02:00
Tim Ramlot	9d2d1cd6ef	add openapi definitions to acme API server Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-08-23 14:12:51 +02:00
jetstack-bot	15b2643abf	Merge pull request #6253 from fayvori/master Fix messageAppRoleAuthKeyRequired error message	2023-08-17 19:01:31 +02:00
Tim Ramlot	80a3923fd2	use logsapi.LoggingConfiguration instead of logs.Options Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-08-17 12:51:19 +02:00
Tim Ramlot	31b5ed6620	Make webhook Logging options configurable using configfile. Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-08-17 12:00:50 +02:00
Tim Ramlot	e8b5b2e354	Fix bug in ControllerConfiguration's defaulting of logging config, where config would not be correctly defaulted in case a partial logging configuration is provided. Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-08-17 11:19:16 +02:00
jetstack-bot	061c1337e6	Merge pull request #6275 from inteon/use_int32_instead_of_int WebhookConfiguration: change the types of ports from int to int32	2023-08-16 12:18:05 +02:00
Tim Ramlot	db1fcdabb1	add comment explaining port 0 behavior Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-08-16 11:08:36 +02:00
Tim Ramlot	b19d11d267	change the types of ports in the WebhookConfiguration: internal: int -> int32 public: int -> *int32 Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-08-15 20:53:58 +02:00
Ashley Davis	87102cf47e	add tests for ipv6 in ingress-shim Signed-off-by: Ashley Davis <ashley.davis@venafi.com>	2023-08-15 10:52:57 +01:00
jetstack-bot	9462d8ae9d	Merge pull request #6267 from zhangzhiqiangcs/distinguish-dns-names-ip-address distinguish dns names and ip address	2023-08-15 11:00:03 +02:00
zhangzhiqiang02	a518056e0b	distinguish dns names and ip address Signed-off-by: zhangzhiqiang02 <zhangzhiqiang02@megvii.com>	2023-08-15 09:56:36 +08:00
guiyong.ou	ad27e88a4b	fix small possible Signed-off-by: guiyong.ou <guiyong.ou@daocloud.io>	2023-08-14 19:51:52 +08:00
guiyong.ou	3d76c20f51	cleanup: some redundant code clean up Signed-off-by: guiyong.ou <guiyong.ou@daocloud.io>	2023-08-14 17:36:25 +08:00
jetstack-bot	9d618a17fb	Merge pull request #6242 from inteon/restructure_controller_configfile Restructure the controller configfile	2023-08-10 15:37:09 +02:00
Tim Ramlot	f50167ce31	restructure the controller configfile Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-08-10 11:30:33 +02:00
Ignat Belousov	17c34eaafa	Returned time to each function Signed-off-by: Ignat Belousov <ignat.belousov2000@yahoo.com>	2023-08-10 10:05:37 +02:00
Ignat Belousov	88f1500843	Fix messageAppRoleAuthKeyRequired error message Signed-off-by: Ignat Belousov <ignatbelousov@Ignats-MacBook-Pro.local>	2023-08-10 10:05:37 +02:00
Ashley Davis	a53bec25e7	Update nameserver lookup test to use upstream targets In the long term I don't think this test should be run as a unit test because it can randomly break due to changes in DNS config we don't control, which is a pretty poor user experience for someone trying to change unrelated code. If we're going to run this kind of check, we should probably run it as a periodic rather than a presubmit, perhaps with the test being run on presubmit when the DNS util code is changed. But that's all more work than I can really do now. Instead, I'll copy what the upstream go-lego is doing, which should unblock us for now: `07c4daeff3/challenge/dns01/nameserver_test.go` Signed-off-by: Ashley Davis <ashley.davis@venafi.com>	2023-08-09 09:27:30 +01:00
Tim Ramlot	ae287461d0	prepare cmctl improvements Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-08-01 10:32:35 +02:00
Cody W. Eilar	282a6d58a9	Preserve internal types - Needed to add custom conversion functions to handle conversions from public facing types to internal ones. Signed-off-by: Cody W. Eilar <ecody@vmware.com>	2023-07-27 16:44:38 -07:00
Cody W. Eilar	6212b63e51	Address the non-optional values in internal config - This commit changes the internal config to have fewer number of optional parameters. It changes the types to match the ones that are already present in https://github.com/kubernetes/apimachinery/blob/master/pkg/apis/meta/v1/conversion.go so that custom converters do not have to be written for types "int" and "float32". Signed-off-by: Cody W. Eilar <ecody@vmware.com>	2023-07-27 16:44:38 -07:00
Cody W. Eilar	1243fe285b	Add to ability to start controller with config file Signed-off-by: Cody W. Eilar <ecody@vmware.com>	2023-07-27 16:44:38 -07:00
jetstack-bot	9de9809ac5	Merge pull request #6108 from inteon/ctl_logging Use logging library with json support in cmctl (part 1)	2023-07-27 17:54:51 +02:00
jetstack-bot	0b9366c0fb	Merge pull request #6232 from inteon/fix_log_reassignment [BUGFIX] Incorrect re-assignment of cross-invocation variable	2023-07-26 13:35:07 +02:00
Ashley Davis	7e1ce241ac	use supplied context where possible this was discovered as part of the investigation into #6104 Signed-off-by: Ashley Davis <ashley.davis@venafi.com>	2023-07-26 11:06:31 +01:00
Tim Ramlot	c7d0e0a13e	instead of creating a new local log variable, we were updating the cross-invocation log variable and were adding more Values to the log variable, causing high memory usage and incorrect log messages Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-07-25 20:31:47 +02:00
jetstack-bot	4de06a19d7	Merge pull request #6152 from inteon/improve_policy_chain_v0 Improve Trigger, Readiness and PostIssuance Policy chains	2023-07-24 17:06:42 +02:00
Tim Ramlot	36ddf19e2e	improve Trigger, Readiness and PostIssuance Policy chains Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-07-24 09:42:19 +02:00
Luca Comellini	3ff638b6f3	Bump k8s.io dependencies Signed-off-by: Luca Comellini <luca.com@gmail.com>	2023-07-20 10:35:20 -07:00
Tim Ramlot	90f84b9c40	remove VCert fork dependency replace statement Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-07-10 11:26:16 +02:00
jetstack-bot	843deed22f	Merge pull request #6199 from inteon/add_validation_to_pki Add validation to pki CertificateTemplate functions	2023-07-07 09:32:14 +02:00
Tim Ramlot	5ba29272c0	add validation to pki CertificateTemplate function and add support for add DontAllowInsecureCSRUsageDefinition featuregate to use old behavior in controller Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-07-05 13:04:21 +02:00
jetstack-bot	914944c020	Merge pull request #6176 from inteon/reconcile_managed_annotations_and_labels Reconcile when managed annotations/ labels are out-of-sync	2023-07-04 11:55:29 +02:00
jetstack-bot	e66a92ac52	Merge pull request #6182 from inteon/stricter_certificaterequest_csr_webhook_validation BUGFIX: Stricter CertificateRequest CSR webhook validation	2023-06-29 18:10:43 +02:00
Richard Boldiš	2b2ada9491	fix: handle multiple cloudflare dns-01 challenges for the same FQDN Signed-off-by: Richard Boldiš <richard@boldis.dev>	2023-06-27 18:13:35 +02:00
Tim Ramlot	3938c75850	improve (Extended)KeyUsage parsing to be more consistent Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-06-26 10:06:55 +02:00
Tim Ramlot	a9339849e5	improve label and annotation checks Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-06-23 17:05:42 +02:00
jetstack-bot	4d1486bbfc	Merge pull request #6168 from inteon/add_public_key_match Add SecretPublicKeysDiffersFromCurrentCertificateRequest check	2023-06-23 16:55:40 +02:00
Tim Ramlot	02b008fe6d	improve documentation of ParseSingleCertificateChain Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-06-22 12:46:08 +02:00
Tim Ramlot	19377b43b1	fix feedback from @wallrj Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-06-21 15:31:20 +02:00
jetstack-bot	529893556b	Merge pull request #6154 from inteon/fix_basic_constraints_alpha_feature BUGFIX: I incidentally removed the feature gate check that enables the UseCertificateRequestBasicConstraints feature	2023-06-21 14:01:26 +02:00
Tim Ramlot	82499eb75b	fix failing TestNewReadinessPolicyChain test Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-06-20 19:06:02 +02:00
jetstack-bot	716bd301a1	Merge pull request #5003 from FlorianLiebhart/DNS-over-https-check Implement the DNS-over-HTTPS check	2023-06-20 18:04:54 +02:00
Florian Liebhart	b47c5a1361	update documentation on the DNSQuery function Signed-off-by: Florian Liebhart <flo.liebhart@gmail.com>	2023-06-20 10:36:27 +02:00
Florian Liebhart	ae27bfb0d6	write some unit tests for CAA Validation Signed-off-by: Florian Liebhart <flo.liebhart@gmail.com>	2023-06-19 16:27:00 +02:00
Florian Liebhart	9ddf2bab90	remove HTTPS endpoint for default nameservers; remove DNS-over-TLS Signed-off-by: Florian Liebhart <flo.liebhart@gmail.com>	2023-06-19 16:06:39 +02:00
Tim Ramlot	3a29635c66	add support for DoH and DoT Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-06-19 15:59:40 +02:00
Florian Liebhart	894e1f99d6	fix error for dns endpoint propagation Signed-off-by: Florian Liebhart <flo.liebhart@gmail.com>	2023-06-19 15:32:01 +02:00
Florian Liebhart	a934bbf462	Make the DNS-Over-HTTPS Json endpoint configurable Signed-off-by: Florian Liebhart <flo.liebhart@gmail.com>	2023-06-19 15:32:01 +02:00
Florian Liebhart	857d0aef9e	Add logging for the DNS over HTTPS selfcheck Signed-off-by: Florian Liebhart <flo.liebhart@gmail.com>	2023-06-19 15:32:01 +02:00
Florian Liebhart	fa2f063c28	rebase master Signed-off-by: Florian Liebhart <flo.liebhart@gmail.com>	2023-06-19 15:32:01 +02:00
Tim Ramlot	bdb685d62e	ip address is missing from error message Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-06-14 21:32:13 +02:00
Tim Ramlot	9000a06956	BUGFIX: we incidentally removed the feature gate check that enables the UseCertificateRequestBasicConstraints feature Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-06-14 21:31:25 +02:00
Tim Ramlot	fe4f4e4aa6	re-add TODO comment and make the message more clear Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-06-14 14:51:39 +02:00
Tim Ramlot	8ddf016b00	fix a bug that caused the issuer-ref and certificate-name annotations on Secrets to be correct when being updated. Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-06-13 16:54:32 +02:00
schrodit	53a5a95d9f	Add enableServiceLink to test pod definition Signed-off-by: schrodit <mail@timschrodi.tech>	2023-06-12 09:54:37 +02:00
schrodit	c9559882c4	Remove service links from http solver pod Signed-off-by: schrodit <mail@timschrodi.tech>	2023-06-12 09:26:22 +02:00
cui fliter	4723347260	fix function name in comments Signed-off-by: cui fliter <imcusg@gmail.com>	2023-06-07 17:17:07 +08:00
jetstack-bot	f8940ab5c4	Merge pull request #6125 from irbekrm/explain_fao Document what fao stands for in the controller.cert-manager.io/fao label	2023-06-06 14:09:45 +02:00
irbekrm	f4dc243b77	Document what fao stands for in the controller.cert-manager.io/fao label Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-06-02 13:45:10 +01:00
Tim Ramlot	c4c5899887	Update pkg/util/cmapichecker/cmapichecker.go Co-authored-by: Siggi Skulason <siggi@skulason.com> Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-06-01 11:16:33 +01:00
Hans Arnholm	501581ad06	issuer: acme: clouddns: Only clean up own records If running multiple certmanagers they can race against each other Signed-off-by: Hans Arnholm <hans@arnholm.dk>	2023-06-01 10:15:54 +02:00
Tim Ramlot	3490a005b1	prepare cmctl libraries to support logging Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-05-30 18:35:45 +02:00
jetstack-bot	c5e6bf39d6	Merge pull request #6054 from inteon/correct_versions Use Version 3 for *x509.Certificate	2023-05-26 13:57:32 +01:00
irbekrm	b1a59164e0	Don't import controller's feature gate setup into a shared library To prevent controller's feature gates from overwriting other component's feature gates Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-05-23 12:01:30 +01:00
irbekrm	524998abdf	Don't run API Priority and Fairness controller in webhook extension apiserver Because it is not needed and can cause issues with older versions of kube Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-05-22 12:53:15 +01:00
jetstack-bot	529497f150	Merge pull request #6034 from gdvalle/patch-1 apis/acme/v1: ACMEIssuer: set omitempty on optional field	2023-05-18 11:14:39 +01:00
jetstack-bot	022292832f	Merge pull request #6032 from inteon/fix_acme_bugs Fix small bugs and make small improvements in ACME code	2023-05-12 15:19:41 +01:00
Tim Ramlot	9606f4d5fe	make KeyUsage and BasicConstraints Critical extensions Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-05-11 10:29:02 +02:00
Tim Ramlot	e7530880ce	use Version 3 for all Certificates and Version 0 for all CertificateRequests Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-05-11 10:21:55 +02:00
Tim Ramlot	20599d1d35	remove CertificateTemplateAddKeyUsages Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-05-10 19:22:49 +02:00
Tim Ramlot	0cf0f80b40	switch to non-deprecated functions in source code Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-05-10 19:22:49 +02:00
Tim Ramlot	1c2662af82	cleanup CSR & CertificateTemplate util code Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-05-10 19:22:49 +02:00
jetstack-bot	308c1472aa	Merge pull request #6031 from inteon/remove_deprecated_3 Replace deprecated wait.PollUntil and wait.Poll	2023-05-10 17:52:54 +01:00
Ashley Davis	209c252005	Move webhook testing package to core module This package was used by at least one external importer [1] and so the change to make the webhook live in a separate package caused an issue which @irbekrm reported on slack. [2] This PR moves the webhook testing code into the core cert-manager module so it'll be importable anywhere (albeit under a new name). This change also requires moving the webhook options into the core cert-manager module since they're required by the webhook testing logic. [1] `268cd2fdba/test/env/env.go (L25)` [2] https://kubernetes.slack.com/archives/CDEQJ0Q8M/p1683650224483169 Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>	2023-05-09 18:40:03 +01:00
Tim Ramlot	e08a13496d	replace deprecated wait.PollUntil() and wait.Poll() Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-05-09 17:47:53 +02:00
Tim Ramlot	7d0178f27d	fix small bugs and make small improvements Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-05-09 15:22:21 +02:00
Greg	662900a1d3	apis/acme/v1: ACMEIssuer: set omitempty on optional field This field is marked optional in the API docs, but is required when serializing JSON. Make it optional to match. Signed-off-by: Greg <gdvalle@users.noreply.github.com>	2023-05-07 09:52:13 -05:00
Tim Ramlot	d656b2d9da	replace deprecated PollImmediateUntil with PollUntilContextCancel Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-05-07 10:15:46 +02:00
Tim Ramlot	dc12a5d0a0	revert setting flags for logging tests Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-05-05 18:08:29 +02:00
Tim Ramlot	8747adf629	fix feedback Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-05-05 18:08:29 +02:00
Tim Ramlot	f0871eb6b8	further standardise logging across components Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-05-05 18:08:29 +02:00
Tim Ramlot	5091a3bff4	use same logging flags for every cli and simplify flag logic Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-05-05 18:08:29 +02:00
Michael Malov	99e23d5e93	Add support for json logging format Signed-off-by: Michael Malov <14035243+malovme@users.noreply.github.com>	2023-05-05 18:01:16 +02:00
irbekrm	df974120ab	Ensures that acmesolver implements SingularNameProvider Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-05-05 16:32:25 +01:00
irbekrm	3d1134a975	Update cainjector inejctable setup To work with latest controller runtime Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-05-05 16:32:25 +01:00
Luca Comellini	1bfc131e6a	Bump sigs.k8s.io/controller-tools to v0.12.0 Signed-off-by: Luca Comellini <luca.com@gmail.com>	2023-05-05 16:32:25 +01:00
Luca Comellini	df6ec95cd1	Update OnAdd Signed-off-by: Luca Comellini <luca.com@gmail.com>	2023-05-05 16:32:25 +01:00
Luca Comellini	a57c4abb14	Bump k8s.io dependencies Signed-off-by: Luca Comellini <luca.com@gmail.com>	2023-05-05 16:32:25 +01:00
jetstack-bot	ab4415837c	Merge pull request #6022 from wallrj/fix-flaky-leader-election-healthz-tests Fix flaky leader election healthz tests	2023-05-05 16:26:07 +01:00
Richard Wall	83ce550c4c	Simulate a remote leader that always updates its lease Fixes test flakes caused by the local node taking over leadership, because it did not observe any change in the leader election record held by the remote node. Signed-off-by: Richard Wall <richard.wall@jetstack.io>	2023-05-05 15:56:18 +01:00
jetstack-bot	a64088792d	Merge pull request #5991 from inteon/pr/JoshVanL/4810 Server Side Apply: Adds support for CA Injector controller	2023-05-05 14:21:07 +01:00
Tim Ramlot	a3dbd22752	only apply patch if patch is != nil Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-05-05 15:01:57 +02:00
jetstack-bot	5035dda25e	Merge pull request #6006 from vidarno/cache-private-key-hash-on-issuer-status Cache private key hash on issuer status	2023-05-05 08:05:07 +01:00
jetstack-bot	09e71c37d4	Merge pull request #5972 from vinzent/bugfix/issue-5755 Check JKS/PKCS12 truststore in Secrets only if issuer provides the CA	2023-05-04 11:04:37 +01:00
vidarno	616a41ac8f	Test TestRegistry_AddClient_UpdatesClientPKChecksum must compare private key with a checksum Signed-off-by: vidarno <>	2023-05-03 22:17:03 +02:00
Tim Ramlot	bce882b477	use cainjector feature flags Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-05-03 19:52:13 +02:00
Tim Ramlot	4d81f1877a	resolve feedback Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-05-03 11:18:10 +02:00
jetstack-bot	694d3d1bd2	Merge pull request #5747 from inteon/request_matches_spec BUGFIX: if a LiteralSubject is set, the RequestMatchesSpec function does skip too many checks	2023-05-02 11:23:27 +01:00
vidarno	a1f156c2b6	Merge branch 'cert-manager:master' into cache-private-key-hash-on-issuer-status Signed-off-by: vidarno <>	2023-05-02 11:58:18 +02:00
vidarno	f7390903be	Update tests after adding new LastPrivateKeyHash field in status of issuer CRDs Signed-off-by: vidarno <>	2023-04-29 09:14:07 +02:00
vidarno	92da674e9a	Update logic in function IsKeyCheckSumCached to compare private key with hash in status field of CRD instead of from Secret Signed-off-by: vidarno <>	2023-04-29 09:13:54 +02:00
vidarno	4934183927	Extend CRDs and structs to include LastPrivateKeyHash field Signed-off-by: vidarno <>	2023-04-29 09:12:56 +02:00
Thomas Müller	12483d3d54	Check JKS/PKCS12 truststores only if issuer provides the CA The current policy check for keystores in Secrets creates a loop because the truststore.jks or truststore.p12 will never exist when the issuer didn't provide the CA certificate. This behaviour was introduced by #5597 The JKS and PKCS12 truststores are only added to the Secret if the CA is provided by the issuer. The CertificateRequest API reference states: > The PEM encoded x509 certificate of the signer, also known > as the CA (Certificate Authority). This is set on a best-effort basis by > different issuers. If not set, the CA is assumed to be unknown/not available. This change will only check the PKCS12/JKS truststores if the CA cert from the issuer exists in the secret. Fixes #5755 Signed-off-by: Thomas Müller <thomas@chaschperli.ch>	2023-04-27 17:09:41 +02:00
jetstack-bot	19104fcb4a	Merge pull request #5962 from wallrj/5670-controller-manager-liveness-probe Report controller-manager as unhealthy if leader election has failed to renew the lease but process is wedged	2023-04-27 15:09:54 +01:00
Tim Ramlot	927cef3c22	switch to SSA for cainjector Co-authored-by: joshvanl <vleeuwenjoshua@gmail.com> Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-04-26 17:04:11 +02:00
Richard Wall	dd34e58b5a	Make it clear that the tests are concerned only with LeaderElection healthz Signed-off-by: Richard Wall <richard.wall@jetstack.io>	2023-04-26 10:50:03 +01:00
Richard Wall	4d182e9c7b	Add /livez endpoint which reports the leaderElection status Signed-off-by: Richard Wall <richard.wall@jetstack.io>	2023-04-26 07:53:26 +01:00
irbekrm	300fe72ff0	Code review Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-04-25 13:45:06 +01:00
irbekrm	0d1d66d900	Fixes tests Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-04-25 06:20:58 +01:00
irbekrm	3d82e94789	Ensures metadata only is cached for pods and services Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-04-25 06:20:58 +01:00
Tobo Atchou	ee638a91ff	cert-manager-webhook to provide logs when handling request Signed-off-by: Tobo Atchou <tobo.atchou@gmail.com>	2023-04-22 10:41:44 +02:00
jetstack-bot	ece30e655f	Merge pull request #5949 from TrilokGeer/key-replace-sha256checksum Fixes status change on privateKey update on acme issuer	2023-04-18 15:04:07 +01:00
jetstack-bot	bfa7eaaf0d	Merge pull request #5766 from irbekrm/cainjector_limit_controllers Cainjector limit controllers	2023-04-18 11:14:21 +01:00
TrilokGeer	bdc0cb7c40	Fixes status change on privateKey update on acme issuer Signed-off-by: TrilokGeer <tgeer@redhat.com>	2023-04-14 21:33:44 +05:30
Tim Ramlot	415da885a1	remove ioutil Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-04-07 11:19:52 +02:00
jetstack-bot	50501d2f64	Merge pull request #5824 from irbekrm/controller_partial_metadata Controller partial metadata	2023-04-06 15:38:02 +01:00
irbekrm	7e6f2be820	Fixes goimports Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-04-05 16:29:41 +01:00
irbekrm	8217ff8714	Adds some extra unit tests Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-04-05 16:28:14 +01:00
irbekrm	e14d17b1b0	Adds a couple comments to ACME call methods Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-04-05 16:28:14 +01:00
irbekrm	dba18119aa	Ensures that key for an ACME challenge is only retrieved from the ACME server once Thus reducing the number of HTTP01ChallengeResponse/DNS01ChallengeResponse calls Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-04-05 16:28:14 +01:00
irbekrm	202d75ffe6	Updates code comment Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-04-05 16:28:14 +01:00
irbekrm	0964d6d03d	Removes extra GET calls for ACME order resource In cases where a synced Order does not require any processing from this controller Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-04-05 16:28:14 +01:00
irbekrm	b2b3eade26	Updates cert.status.lastFailureTime description To match the current behaviour Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-04-05 12:54:14 +01:00
irbekrm	de34694516	Makes some updates to CertificateRequests design The design is out of date in general though Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-03-27 09:57:44 +01:00
irbekrm	6e294ae359	Certificate-requests controller does not process invalid certificaterequests Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-03-24 15:38:34 +00:00
irbekrm	f5ea958317	Issuing controller fails issuances for denied/invalid CRs This is not necessarily a breaking change as this appears to have been the current behaviour in most cases due to the race condition that this commit fixes Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-03-24 15:37:57 +00:00
irbekrm	26563feae1	remove invalid check GVK cannot be reliably checked here, see TODO, this is not expected to cause issues Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-03-22 09:03:16 +00:00
irbekrm	c3bd14ead7	Uses the filtered informer factory if the SecretsFilteredCaching feature is enabled Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-03-22 09:03:16 +00:00
irbekrm	7d592a8270	Swap upstream core informers factory with out wrapper This does not actually change how the informers work. This also adds a partial metadata client to root context Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-03-22 09:03:16 +00:00
irbekrm	a7e2abe5fa	Allows secrets event handler predicate to accept partial metadata This will only be needed by the SecretsFilteredCaching feature, but I cannot think of any harm by adding it to general path Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-03-22 09:03:16 +00:00
irbekrm	5d7614ddd4	Passes controller context into all NewController funcs Instead of individual arguments. For readability and consistency. Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-03-22 09:03:16 +00:00
irbekrm	8f3ea9a40d	Update comment on controller.cert-manager.io/fao label key As this PR actually starts using this label to filter secrets Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-03-22 09:03:16 +00:00
jetstack-bot	0c071f8d2f	Merge pull request #5878 from avi-08/handle-foreground-deletion Skip syncing resources deleted via foreground cascading	2023-03-21 12:01:38 +00:00
Avi Sharma	a62f92e33d	Add testcases for foreground deletion sync Signed-off-by: Avi Sharma <avi.08.sh@gmail.com>	2023-03-21 15:33:53 +05:30
Avi Sharma	e5d9745078	Skip syncing resources deleted via foreground cascading Signed-off-by: Avi Sharma <avi.08.sh@gmail.com>	2023-03-21 15:33:28 +05:30
jetstack-bot	706ad574b9	Merge pull request #5820 from lucacome/bump-k8s.io-deps Bump k8s.io dependencies	2023-03-20 12:13:41 +00:00
Andrew Starr-Bochicchio	70594bd7ca	digitalocean: Pass user agent string to godo client. Signed-off-by: Andrew Starr-Bochicchio <a.starr.b@gmail.com>	2023-03-16 11:20:56 -04:00
Luca Comellini	0f64e055ae	Bump k8s.io dependencies Signed-off-by: Luca Comellini <luca.com@gmail.com>	2023-03-10 14:55:26 -08:00
Maël Valais	f0449ddb3b	ingressClassName: document the "oneOf" contraint for the "name" field Signed-off-by: Maël Valais <mael@vls.dev>	2023-03-09 15:15:39 +01:00
Maël Valais	ca9aaa0440	ingressClassName: let's remove the link placeholder The link itself is way too long to fit in the API reference. Signed-off-by: Maël Valais <mael@vls.dev>	2023-03-09 14:42:21 +01:00
Maël Valais	1b9cd207d3	remove unused test func Signed-off-by: Maël Valais <mael@vls.dev>	2023-03-07 15:06:58 +01:00
Maël Valais	6458ed1543	Move from a flag to the Issuer field "ingressClassName" Signed-off-by: Maël Valais <mael@vls.dev>	2023-03-03 17:50:30 +01:00
Daniel Sonck	44d1467217	Add flag to allow switching ingressClassName specification Adds a flag to allow between using the old class name annotation or the new ingressClassName that is gaining support in more ingress controllers. Signed-off-by: Daniel Sonck <daniel@sonck.nl>	2023-03-03 17:42:43 +01:00
Tim Ramlot	f36c06f10d	move cmd/util/ to internal/cmd/util/, since it is also imported by packages outside of cmd/ Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-02-28 12:38:59 +01:00
Michael Malov	dc621e9306	Add imagePullSecrets for AMCE http01 solver pod Signed-off-by: Michael Malov <mmeemail@gmail.com>	2023-02-13 14:18:50 +03:00
Maël Valais	7a856af843	serviceAccountRef: update tests of the controller-side validation Signed-off-by: Maël Valais <mael@vls.dev>	2023-02-07 13:26:35 +01:00
Maël Valais	c35a245631	serviceAccountRef: fix panicking since serviceAccountRef can now be nil Signed-off-by: Maël Valais <mael@vls.dev>	2023-02-06 18:28:49 +01:00
Maël Valais	ac9791abae	api: explicit the fact that no "oneOf" validation is performed Signed-off-by: Maël Valais <mael@vls.dev>	2023-02-06 18:28:49 +01:00
Maël Valais	f1cfffd06b	serviceAccountRef: detail why secretRef isn't a pointer Signed-off-by: Maël Valais <mael@vls.dev>	2023-02-06 18:28:49 +01:00
Maël Valais	aed8a2ec85	serviceAccountRef: auto-generate "aud" and hardcode "exp" Signed-off-by: Maël Valais <mael@vls.dev>	2023-02-06 18:28:49 +01:00
Maël Valais	bfce543640	serviceAccountRef: remove aud and exp, secretRef now a pointer Changing SecretRef to be a pointer will break people using the package as a library. I disabled the ability to set the audience and expiry time for security reasons: We decided to generate the audience dynamically instead of letting the user configure it, and we also decided to encode the namespace and issuer name into the audience to remediate the risk of hijacking an existing issuer and service account with a malicious issuer. Regarding the expiration duration of the JWT, it doesn't make sense to let the user configure it since cert-manager will authenticate using the JWT and immediately discard it. We thought that 1 minute would be acceptable, although the Kubernetes API server may return a totally different duration. Signed-off-by: Maël Valais <mael@vls.dev>	2023-02-06 18:28:49 +01:00
Maël Valais	76eef68730	serviceAccountRef: the vault issuer can now use bound SA tokens Previously, the Vault issuer was only able to use a Secret in order to use the "Kubernetes authentication" method. The downside to this service account Secret token is that it has the default JWT iss "kubernetes/serviceaccount" (along with the fact that the token is not bound to a particular pod and has no expiry). With the new serviceAccountRef, cert-manager now requests the token on behalf of the pod in order to authenticate with Vault. Signed-off-by: Maël Valais <mael@vls.dev>	2023-02-06 18:28:49 +01:00
Maël Valais	15748767ef	vault: add unit tests around Setup Signed-off-by: Maël Valais <mael@vls.dev>	2023-02-03 16:27:52 +01:00
irbekrm	56cf4dfd3c	Allows to modify configured injectable kinds for cainjector via flags Also changes name of --watch-certs flag to --enable-certificate-data-source Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-02-01 11:43:00 +00:00
irbekrm	0c64cebfc5	Rename injector.go -> injectables.go To reduce the variations of naming Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-02-01 11:43:00 +00:00
irbekrm	767aa39ddb	Simplify injectable logic Reduce the amount of interfaces enclosing the injectable instance from 3 to 1. Also some minor renaming and comments cleanup Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-02-01 11:43:00 +00:00
irbekrm	3e58a442b7	Cleanup reconciler logic Make the file structure and struct naming more intuitive, add some comments Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-02-01 11:43:00 +00:00
jetstack-bot	7ab1461674	Merge pull request #5764 from irbekrm/cainjector_filter_injectables Cainjector: only reconcile annotated injectables	2023-02-01 11:41:49 +00:00
irbekrm	74b258c3be	Code review feedback Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-02-01 08:53:27 +00:00
irbekrm	7e4dea1c2e	Clarify the error message when secret annotation is missing namespace prefix Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-01-31 11:12:31 +00:00
irbekrm	24040c4989	Ensure that updates to injectables are caught Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-01-31 10:49:56 +00:00
irbekrm	a174f0faa4	Filter injectables that trigger reconciles Only trigger reconciles for events on injectable types that are annotated, not random unrelated resources Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-01-30 11:27:15 +00:00
irbekrm	7a5c71a1ed	Cleanup, better comments Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-01-30 11:26:07 +00:00
Tim Ramlot	eaf8844e6d	BUGFIX: when setting a LiteralSubject, the RequestMatchesSpec function does skip too many checks Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-01-27 15:55:12 +01:00
Richard Wall	e727df6c1d	Disable automountServiceAccountToken in the ACME HTTP01 solver Pod Signed-off-by: Richard Wall <richard.wall@jetstack.io>	2023-01-26 17:22:42 +00:00
jetstack-bot	9f7a4053ab	Merge pull request #5746 from irbekrm/cainjector_remove_duplicate_cache Remove the double cache mechanism for cainjector	2023-01-25 15:05:57 +00:00
Richard Wall	24cbfc7ba8	Revert "automount service account tokens off by default" This reverts commit `954eb0d875`. Signed-off-by: Richard Wall <richard.wall@jetstack.io>	2023-01-24 17:19:52 +00:00
Richard Wall	954eb0d875	automount service account tokens off by default Signed-off-by: Richard Wall <richard.wall@jetstack.io>	2023-01-24 17:00:11 +00:00
irbekrm	3aba8ed32d	Makes cainjector Certificate watch optional Configurable via a flag, true by default Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-01-24 13:52:45 +00:00
irbekrm	4776597cb4	Remove the double cache mechanism for cainjector Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-01-23 17:38:46 +00:00
Tim Ramlot	191e7ca305	add (deprecated) stub functions Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-01-23 13:26:37 +01:00
Tim Ramlot	23de5240e9	move utility functions to reduce fragmentation and rename functions for consistency Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>	2023-01-23 13:19:39 +01:00
jetstack-bot	1038ca4494	Merge pull request #4502 from ctrought/master support subject and email annotations for ingress/gateway	2023-01-20 14:35:37 +00:00
ctrought	575e3155c2	fix: goimports Signed-off-by: ctrought <k8s@trought.ca>	2023-01-19 14:57:10 -05:00
irbekrm	216b60e98b	RFC2136 solver has an init option to reset secrets lister Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-01-18 17:41:51 +00:00
irbekrm	1834afaa00	A bunch of comments on webhook solver functionality With the goal of making folks working on these parts of code be aware that this is the one bit that will be imported in external projects Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-01-18 17:41:02 +00:00
jetstack-bot	aa7fe1130c	Merge pull request #5660 from irbekrm/certificate_labels Ensures that certificate.spec.secretName and temporary private key Secrets are labelled	2023-01-09 10:57:30 +00:00
irbekrm	5e8fd7dc41	Policy check ensures that cert.sepc.secretName secret gets labelled Makes sure that when an unlabelled Secret is encountered at any point (even outside issuance) it will be labelled Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-01-06 18:31:31 +00:00
irbekrm	213949a590	Keymanager controller ensures that temporary private key Secrets are labelled Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-01-06 18:30:34 +00:00
irbekrm	c7465fd921	Issuing controller ensures that cert.spec.secretName secrets are labelled Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-01-06 18:29:51 +00:00
irbekrm	767170d65f	Adds a new label to cert-manager API Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-01-06 18:28:50 +00:00
jetstack-bot	248eff5bce	Merge pull request #5694 from irbekrm/fix_cainjector_namespace Fix cainjector's namespace flag	2023-01-06 10:43:41 +00:00
irbekrm	ff80030737	Log error if CA source is in a namespace that is not in scope cainjector will still watch cluster-scoped resources such as CRDs, so it can get references to Secrets or Certificates in namespaces that are out of scope Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-01-06 10:09:36 +00:00
irbekrm	87bef52337	Fix cainjector's namespace flag Ensures that when cainjector has the namespace flag passed, namespaced resource caching is scoped to that namespace Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-01-05 18:15:19 +00:00
irbekrm	eaf814cffa	Code review feedback- better comment Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-01-05 17:42:40 +00:00
irbekrm	8ed0faf228	Fix integration tests Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-01-05 12:07:25 +00:00
irbekrm	036b013942	Ensures that only one secrets cache is created for cert-manager controller Signed-off-by: irbekrm <irbekrm@gmail.com>	2023-01-05 10:11:48 +00:00
jetstack-bot	094b4c763e	Merge pull request #5662 from lucacome/bump-controller-tools Bump sigs.k8s.io deps	2023-01-04 14:02:00 +00:00
Ashley Davis	0225cc9234	avoid logging confusing error messages for external issuers See https://github.com/cert-manager/cert-manager/issues/5601 When referring to external issuers whose kind is not "Issuer" or "ClusterIssuer" we log an error message thanks to a new check added in a previous PR[1] which should only trigger for SelfSigned issuers. The error previously looked like: ```text "error"="invalid value \"x\" for issuerRef.kind. Must be empty, \"Issuer\" or \"ClusterIssuer\"" ``` After this PR, any CR with an issuer whose group or kind doesn't match what's expected for a built-in issuer will be skipped https://github.com/cert-manager/cert-manager/pull/5336 Signed-off-by: Ashley Davis <ashley.davis@jetstack.io> WIP: test other issuer kinds Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>	2023-01-04 12:10:34 +00:00
jetstack-bot	d8a6ec0dcb	Merge pull request #5663 from weisdd/fix/azure-workload-identity-early-reconcilation fix(AzureDNS): prevent early reconciliations for misconfigured Workload Identity	2023-01-03 18:00:10 +00:00
Igor Beliakov	1c01973813	fix(AzureDNS): suppress original message in adal.TokenRefreshError to prevent early CR reconciliations due to unique data (timestamp, Trace ID) that lands to CR status Signed-off-by: Igor Beliakov <demtis.register@gmail.com>	2022-12-22 11:59:37 +01:00
Luca Comellini	dbd6dc9b16	Bump sigs.k8s.io deps Signed-off-by: Luca Comellini <luca.com@gmail.com>	2022-12-21 09:47:41 -08:00

... 3 4 5 6 7 ...

3435 Commits