weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
7,454 Commits 45 Branches 0 Tags 96 MiB
74b258c3be
Commit Graph

1331 Commits

Author SHA1 Message Date
irbekrm
74b258c3be Code review feedback 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-02-01 08:53:27 +00:00
irbekrm
7e4dea1c2e Clarify the error message when secret annotation is missing namespace prefix 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-01-31 11:12:31 +00:00
irbekrm
24040c4989 Ensure that updates to injectables are caught 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-01-31 10:49:56 +00:00
irbekrm
a174f0faa4 Filter injectables that trigger reconciles 
Only trigger reconciles for events on injectable types that are annotated, not random unrelated resources

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-01-30 11:27:15 +00:00
irbekrm
7a5c71a1ed Cleanup, better comments 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-01-30 11:26:07 +00:00
jetstack-bot
9f7a4053ab
Merge pull request #5746 from irbekrm/cainjector_remove_duplicate_cache 
Remove the double cache mechanism for cainjector
 2023-01-25 15:05:57 +00:00
irbekrm
3aba8ed32d Makes cainjector Certificate watch optional 
Configurable via a flag, true by default

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-01-24 13:52:45 +00:00
irbekrm
4776597cb4 Remove the double cache mechanism for cainjector 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-01-23 17:38:46 +00:00
Tim Ramlot
191e7ca305
add (deprecated) stub functions 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-01-23 13:26:37 +01:00
Tim Ramlot
23de5240e9
move utility functions to reduce fragmentation and rename functions for consistency 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-01-23 13:19:39 +01:00
jetstack-bot
1038ca4494
Merge pull request #4502 from ctrought/master 
support subject and email annotations for ingress/gateway
 2023-01-20 14:35:37 +00:00
ctrought
575e3155c2 fix: goimports 
Signed-off-by: ctrought <k8s@trought.ca>
 2023-01-19 14:57:10 -05:00
jetstack-bot
aa7fe1130c
Merge pull request #5660 from irbekrm/certificate_labels 
Ensures that certificate.spec.secretName and temporary private key Secrets are labelled
 2023-01-09 10:57:30 +00:00
irbekrm
5e8fd7dc41 Policy check ensures that cert.sepc.secretName secret gets labelled 
Makes sure that when an unlabelled Secret is encountered at any point (even outside issuance) it will be labelled

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-01-06 18:31:31 +00:00
irbekrm
213949a590 Keymanager controller ensures that temporary private key Secrets are labelled 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-01-06 18:30:34 +00:00
irbekrm
c7465fd921 Issuing controller ensures that cert.spec.secretName secrets are labelled 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-01-06 18:29:51 +00:00
irbekrm
ff80030737 Log error if CA source is in a namespace that is not in scope 
cainjector will still watch cluster-scoped resources such as CRDs, so it can get references to Secrets or Certificates in namespaces that are out of scope

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-01-06 10:09:36 +00:00
irbekrm
87bef52337 Fix cainjector's namespace flag 
Ensures that when cainjector has the namespace flag passed, namespaced resource caching is scoped to that namespace

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-01-05 18:15:19 +00:00
Ashley Davis
0225cc9234
avoid logging confusing error messages for external issuers 
See https://github.com/cert-manager/cert-manager/issues/5601

When referring to external issuers whose kind is not "Issuer" or
"ClusterIssuer" we log an error message thanks to a new check added in
a previous PR[1] which should only trigger for SelfSigned issuers.

The error previously looked like:

```text
"error"="invalid value \"x\" for issuerRef.kind. Must
be empty, \"Issuer\" or \"ClusterIssuer\""
```

After this PR, any CR with an issuer whose group or kind doesn't
match what's expected for a built-in issuer will be skipped

https://github.com/cert-manager/cert-manager/pull/5336

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>

WIP: test other issuer kinds

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2023-01-04 12:10:34 +00:00
Sathyanarayanan Saravanamuthu
f719247d2b Addressing review comments 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-12-06 18:54:46 +05:30
Sathyanarayanan Saravanamuthu
94fa9eeee6 Addressing review comments 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-12-06 18:54:46 +05:30
Sathyanarayanan Saravanamuthu
42ae76ae30 Refreshing secrets when the keystore fields change 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-12-06 18:54:46 +05:30
jetstack-bot
6ec8da3366
Merge pull request #5583 from lvyanru8200/uodateGwVerison 
feature: update gateway api to v1beta1
 2022-12-05 14:52:48 +00:00
lv
a13c76d312 feature: update gateway api to v1beta1 
Signed-off-by: lvyanru <yanru.lv@daocloud.io>

feature: update gateway api to v1beta1

Signed-off-by: lvyanru <1113706590@qq.com>
 2022-12-05 14:03:21 +00:00
Martín Montes
f884dac555 Return error when Gateway has a cross-namespace secret ref 
Signed-off-by: Martín Montes <martin11lrx@gmail.com>
 2022-12-01 12:46:33 +01:00
Corey McGalliard
7e6e0940a2 updating to match feedback and adjust the RunAsNonRoot options for http01 solver to be more descriptive 
Signed-off-by: Corey McGalliard <cmcgalliard@redventures.com>
 2022-11-16 11:20:36 -05:00
Tim Ramlot
b999749854
improve gen.CSR and use it everywhere 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2022-11-10 09:21:31 +01:00
joshvanl
e804431dba Fire event for informational purposes when the CertificateRequest has not yet been approved. 
Signed-off-by: joshvanl <me@joshvanl.dev>
 2022-10-23 18:04:58 +01:00
jetstack-bot
277bcfc305
Merge pull request #5504 from sathyanarays/nit_fix 
[NIT] Changing variable name to denote right type
 2022-10-14 17:17:30 +01:00
jetstack-bot
da3265115b
Merge pull request #5387 from Tolsto/vault-ca-bundle-secret-ref 
Add option to load Vault CA bundle from Kubernetes Secret
 2022-10-13 09:55:09 +01:00
Sathyanarayanan Saravanamuthu
1bc773cbcf [NIT] Changing variable name to denote right type 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-10-12 13:41:23 +05:30
Sathyanarayanan Saravanamuthu
204fa78dd8 [NIT] Changing variable name to denote right type 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-10-12 13:37:35 +05:30
Sathyanarayanan Saravanamuthu
2969202fe2 Addressing review comments 
Co-authored-by: Cody W Eilar <ecody@vmware.com>

Signed-off-by: Cody W Eilar <ecody@vmware.com>
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-10-11 17:22:38 +05:30
Sathyanarayanan Saravanamuthu
40947b0ef4 Generate Certificate Request with predictable name 
Co-authored-by: Cody W Eilar <ecody@vmware.com>

Signed-off-by: Cody W Eilar <ecody@vmware.com>
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-10-11 17:01:26 +05:30
Tim Ramlot
e917e4a103
log more information on why the get CertificateRequest request failed 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2022-10-05 18:53:53 +02:00
Tim Ramlot
39fa9f51b4 upgrade dependencies 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2022-09-26 11:43:12 +02:00
Renato Costa
162777aab2 Fix incorrect uses of loop variable 
This fixes two instances where loop variables were being incorrectly
used:

- using a loop variable in a closure passed to `ginkgo.It()` is
incorrect, as the capture happens by reference and only the last test
case will be executed (multiple times).
- a similar issue happens in the context of a goroutine; specifically,
we need to create a copy of the `runDurationFunc` before calling it in
a goroutine as done by the controller's `Run` function.

With regards to the second issue, I believe it never came to the
surface because, in production code, only one `runDurationFunc` is
passed; tests don't exercise the multiple funcs path either.

Issues were automatically found with the `loopvarcapture` linter.

Signed-off-by: Renato Costa <renato@cockroachlabs.com>
 2022-08-26 15:08:30 -04:00
jetstack-bot
12f98dbc7e
Merge pull request #5376 from inteon/upgrade_gateway_api 
Upgrade gateway api to v0.5.0
 2022-08-25 16:08:10 +01:00
jetstack-bot
d1a8f7f52d
Merge pull request #5336 from JoshVanL/controllers-certificaterequests-secrets-informer 
CertificateRequest: re-sync SelfSigned CertificateRequest when target Secret is informed.
 2022-08-23 16:46:23 +01:00
ctrought
6fa81fe8be fix merge conflict 
Signed-off-by: ctrought <65360454+ctrought@users.noreply.github.com>
 2022-08-22 12:27:54 -04:00
ctrought
4413e837e9 escape subject util cleanup 
Signed-off-by: ctrought <65360454+ctrought@users.noreply.github.com>
 2022-08-22 11:01:22 -04:00
ctrought
d9a8047f9c ingress subject annotations & helper tests 
Signed-off-by: ctrought <65360454+ctrought@users.noreply.github.com>
 2022-08-22 11:01:18 -04:00
ctrought
8f597dae1d subject street tests 
Signed-off-by: ctrought <65360454+ctrought@users.noreply.github.com>
 2022-08-22 10:55:36 -04:00
ctrought
3d3e2777a3 handle subject escaped csv 
Signed-off-by: ctrought <65360454+ctrought@users.noreply.github.com>
 2022-08-22 10:50:20 -04:00
Nils
81e6c24293 fixup! Add option to load Vault CA bundle from Kubernetes Secret 
Co-authored-by: Josh van Leeuwen <joshua.vanleeuwen@jetstack.io>
Signed-off-by: Nils Mueller <nm@impactful.it>
 2022-08-21 07:41:15 +03:00
joshvanl
7b168cc059 Updates selfsigned CertificateSigningRequest controller with new Secret 
informer, and no longer mark the request as Failed when the private key
Secret is malformed. This behaviour matches the CertificateRequest
self signed controller.

Signed-off-by: joshvanl <me@joshvanl.dev>
 2022-08-09 11:16:10 +01:00
joshvanl
fc9554a617 Adds secret handler function for selfsigned CertificateSigningRequest 
controller, which re-syncs requests which reference the Secret via the
`experimental.cert-manager.io/private-key-secret-name` annotation.

Signed-off-by: joshvanl <me@joshvanl.dev>
 2022-08-09 11:14:22 +01:00
joshvanl
b03e6f11f5 Updates ACME CertificateSigningRequest for new informer registration 
format

Signed-off-by: joshvanl <me@joshvanl.dev>
 2022-08-09 11:13:29 +01:00
joshvanl
dfd1e512d8 Update CertificateSigningRequest controller to accept a list of 
RegisterExtraInformerFn, which control the extra informers.

Signed-off-by: joshvanl <me@joshvanl.dev>
 2022-08-09 11:12:41 +01:00
joshvanl
ccf579cf31 Adds extra informer for the CertificateRequest SelfSigned controller, 
so that CertificateRequets will be re-synced on informed Secrets which
are referenced with "cert-manager.io/private-key-secret-name"

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2022-08-09 08:39:50 +01:00