Previously it wasn't possible to set a custom CA bundle for an ACME
server, leading users to either patch the cert-manager system CA bundle
manually or else use SkipTLSVerify which is a security issue.
This adds CABundle for ACME, similar to what we have for Vault and
Venafi TPP issuers.
Longer term we'd like to have a more fully featured approach. It would
for example make sense to support loading CA bundles from ConfigMaps or
Secrets (similar to what we do for Vault issuers today), but for now this
change is the simplest change.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Clarifies language a little; makes it clearer that the bundle
should be base64 encoded. Previously it was slightly confusing
in that PEM certificates are themselves base64 encoded.
Also makes it clearer what our CABundle validation does and does not do
by adding a standalone validation function and tweaking the error
message for an invalid CA bundle.
Also updates validation to not print CA bundle for Vault issuer when the
bundle is invalid, since it won't help with debugging anything.
Currently the bundle is printed as byte values ("0x32, 0x58, 0x43...")
and in any case printing the whole bundle could be noisy if it's large
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Vault distributions like "Bank Vaults" automatically configure
and provision Vault and provide the CA bundle via a Kubernetes
Secret. Having to hard-code the bundle in the Issuer instead
of dynamically referencing it through the Secret requires
a manual second step when using a GitOps workflow.
Signed-off-by: Nils Mueller <nm@impactful.it>
This removes all .bazel and .bzl files, and a bunch of scripts relating
to bazel, now that it's been entirely replaced.
There are still a few places where traces could be removed, but this
removes the brunt of the bazel stuff that remains.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
- includes a run of make update-crds which causes some trivial changes
- updates version of YQ to latest
- makes hack/update-crds.sh just call make
- makes hack/verify-crds.sh just call make
- moves functionality of hack/verify-crds.sh to hack/check-crds.sh,
using the makefile for generating alternative CRDs for comparison
- removes the bazel test associated with CRDs
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Previously, in v1alpha1, an HTTPRoute was matched to a Gateway using
the label selectors present on the Gateways. For example, with the
following Gateway:
apiVersion: networking.x-k8s.io/v1alpha1
kind: Gateway
metadata:
name: acmesolver
spec:
listeners:
- protocol: HTTP
port: 80
routes:
kind: HTTPRoute
selector:
matchLabels:
app: foo
you would have to use the following labels on the HTTPRoute in order to
get the above Gateway to be used:
apiVersion: networking.x-k8s.io/v1alpha1
kind: HTTPRoute
metadata:
labels:
app: foo
With v1alpha2, the label selectors have been dropped. Instead, the
HTTPRoute has to give a direct reference to the Gateway:
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
spec:
parentRefs:
- kind: Gateway
name: acmesolver
namespace: traefik
This means that the "labels" field on the gatewayHTTPRoute solver is now
optional:
apiVersion: cert-manager.io/v1
kind: Issuer
spec:
acme:
solvers:
- http01:
gatewayHTTPRoute:
labels: | This field is
app: test | now optional.
parentRefs:
- kind: Gateway
name: acmesolver
Signed-off-by: Maël Valais <mael@vls.dev>
DER Format to create key.der binary format of the private key.
CombinedPEM Format to create tls-combined.pem containing tls.key + tls.crt.
Added Unit and e2e tests for secret with Additional output format.
Feature flag AdditionalCertificateOutputFormats to enable feature.
Signed-off-by: Thierry Sallé <seuf76@gmail.com>
