weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
8,470 Commits 45 Branches 0 Tags 96 MiB
75d1449903
Commit Graph

920 Commits

Author SHA1 Message Date
Rouke Broersma
659c95e202
Allow maxUnavailable in cainjector pdb 
Signed-off-by: Rouke Broersma <mobrockers@gmail.com>
 2023-07-14 16:16:32 +02:00
Ben Gelens
4adead4dfd fix the whitespace issue 
Signed-off-by: Ben Gelens <ben@bgelens.nl>
 2023-07-10 14:42:52 +02:00
jetstack-bot
8eb032a95a
Merge pull request #6110 from jkroepke/serviceMonitor 
[helm] Add prometheus.servicemonitor.endpointAdditionalProperties
 2023-06-26 11:29:55 +02:00
jetstack-bot
f9ffb76c5c
Merge pull request #6129 from cert-manager/remove_name_selector_admission_webhook 
Remove unused 'name' namespaceSelector
 2023-06-21 14:01:19 +02:00
kahirokunn
c2c0209acd chore: When hostNetwork is enabled, dnsPolicy is now set to ClusterFirstWithHostNet. 
https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy

> For Pods running with hostNetwork, you should explicitly set its DNS policy to "ClusterFirstWithHostNet".

Signed-off-by: kahirokunn <okinakahiro@gmail.com>
 2023-06-15 11:17:30 +09:00
schrodit
a3c6261c38 disable service links on status api job 
Signed-off-by: schrodit <mail@timschrodi.tech>
 2023-06-12 14:09:36 +02:00
schrodit
c70be0a28b Disable service links in helm charts 
Signed-off-by: schrodit <mail@timschrodi.tech>
 2023-06-12 13:33:55 +02:00
Tim Ramlot
a945ab3378
remove unused 'name' namespaceSelector 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-06-03 09:54:33 +02:00
Jan-Otto Kröpke
d62eb71460
[helm] Add prometheus.servicemonitor.endpointAdditionalProperties 
Signed-off-by: Jan-Otto Kröpke <mail@jkroepke.de>
 2023-05-26 16:50:28 +02:00
Tim Ramlot
55ebaa31b5
fix typo 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-05-24 12:19:22 +02:00
irbekrm
acf07419f5 Fix a bug in helm chart where webhook had controller feature gates passed 
This will break anyone who relied on featureGates field to pass feature gates to webhook- they will need to use the new webhook.featureGates field

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-05-23 12:44:31 +01:00
jetstack-bot
a64088792d
Merge pull request #5991 from inteon/pr/JoshVanL/4810 
Server Side Apply: Adds support for CA Injector controller
 2023-05-05 14:21:07 +01:00
jetstack-bot
5035dda25e
Merge pull request #6006 from vidarno/cache-private-key-hash-on-issuer-status 
Cache private key hash on issuer status
 2023-05-05 08:05:07 +01:00
jetstack-bot
09e71c37d4
Merge pull request #5972 from vinzent/bugfix/issue-5755 
Check JKS/PKCS12 truststore in Secrets only if issuer provides the CA
 2023-05-04 11:04:37 +01:00
vidarno
a1f156c2b6 Merge branch 'cert-manager:master' into cache-private-key-hash-on-issuer-status 
Signed-off-by: vidarno <>
 2023-05-02 11:58:18 +02:00
vidarno
4934183927 Extend CRDs and structs to include LastPrivateKeyHash field 
Signed-off-by: vidarno <>
 2023-04-29 09:12:56 +02:00
Ashley Davis
40d8c0e4ec
fix broken links in values.yaml 
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2023-04-27 16:32:34 +01:00
Thomas Müller
12483d3d54 Check JKS/PKCS12 truststores only if issuer provides the CA 
The current policy check for keystores in Secrets creates a loop because
the truststore.jks or truststore.p12 will never exist when the issuer didn't
provide the CA certificate. This behaviour was introduced by #5597

The JKS and PKCS12 truststores are only added to the Secret
if the CA is provided by the issuer. The CertificateRequest API
reference states:

> The PEM encoded x509 certificate of the signer, also known
> as the CA (Certificate Authority). This is set on a best-effort basis by
> different issuers. If not set, the CA is assumed to be unknown/not available.

This change will only check the PKCS12/JKS truststores if the CA cert from the
issuer exists in the secret.

Fixes #5755

Signed-off-by: Thomas Müller <thomas@chaschperli.ch>
 2023-04-27 17:09:41 +02:00
jetstack-bot
19104fcb4a
Merge pull request #5962 from wallrj/5670-controller-manager-liveness-probe 
Report controller-manager as unhealthy if leader election has failed to renew the lease but process is wedged
 2023-04-27 15:09:54 +01:00
Richard Wall
300d89a6cd Disable the controller liveness probe by default 
And allow configuration via Helm chart values

Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2023-04-27 13:34:25 +01:00
Tim Ramlot
927cef3c22
switch to SSA for cainjector 
Co-authored-by: joshvanl <vleeuwenjoshua@gmail.com>
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-04-26 17:04:11 +02:00
Richard Wall
b92482e041 Use a named port 
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2023-04-26 13:04:52 +01:00
Richard Wall
4288fc02e8 Don't specify the livenessprobe host 
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2023-04-26 12:42:34 +01:00
Richard Wall
4d182e9c7b Add /livez endpoint which reports the leaderElection status 
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2023-04-26 07:53:26 +01:00
irbekrm
c4d6231dfa Bump min kube version requirement 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-04-24 08:49:49 +01:00
jetstack-bot
e96ad41462
Merge pull request #3931 from e96wic/pdbs 
Added PodDisruptionBudgets to helm chart
 2023-04-08 11:30:21 +01:00
irbekrm
b2b3eade26 Updates cert.status.lastFailureTime description 
To match the current behaviour

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-04-05 12:54:14 +01:00
Ole Furseth
f5eff1f318 Remove obsolete bazel documentation 
Signed-off-by: Ole Furseth <ole.furseth@bekk.no>
 2023-03-17 11:44:15 +01:00
Maël Valais
f0449ddb3b ingressClassName: document the "oneOf" contraint for the "name" field 
Signed-off-by: Maël Valais <mael@vls.dev>
 2023-03-09 15:15:39 +01:00
Maël Valais
ca9aaa0440 ingressClassName: let's remove the link placeholder 
The link itself is way too long to fit in the API reference.

Signed-off-by: Maël Valais <mael@vls.dev>
 2023-03-09 14:42:21 +01:00
Tim Ramlot
d93f26df28
fix Helm errors and simplify 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-03-07 10:04:32 +01:00
Eike Wichern
1c24345092
Adjusted to code-review comments 
Signed-off-by: Eike Wichern <13048266+e96wic@users.noreply.github.com>
 2023-03-07 10:04:32 +01:00
Eike Wichern
f96dba6f2f
Migrated to policy/v1 
Signed-off-by: Eike Wichern <13048266+e96wic@users.noreply.github.com>
 2023-03-07 10:04:32 +01:00
Eike Wichern
629deb14b0
PDBs can be edited per service; extended readme 
Signed-off-by: Eike Wichern <13048266+e96wic@users.noreply.github.com>
 2023-03-07 10:04:32 +01:00
Eike Wichern
9c16cdd711
Added PodDisruptionBudgets to helm chart 
Signed-off-by: Eike Wichern <13048266+e96wic@users.noreply.github.com>
 2023-03-07 10:04:32 +01:00
Maël Valais
6458ed1543 Move from a flag to the Issuer field "ingressClassName" 
Signed-off-by: Maël Valais <mael@vls.dev>
 2023-03-03 17:50:30 +01:00
jetstack-bot
4a7fa90710
Merge pull request #5801 from malovme/solver-image-pull-secret 
Add imagePullSecrets for AMCE http01 solver pod
 2023-02-14 08:55:51 +00:00
jetstack-bot
55b8153643
Merge pull request #5788 from ExNG/dev/jbh/add-kubernetes-api-to-egress 
Add 6443/TCP to webhook egress NetworkPolicy
 2023-02-13 15:20:40 +00:00
Michael Malov
dc621e9306 Add imagePullSecrets for AMCE http01 solver pod 
Signed-off-by: Michael Malov <mmeemail@gmail.com>
 2023-02-13 14:18:50 +03:00
Johann Behr
ea5c7b3bfd
Update deploy/charts/cert-manager/values.yaml 
Co-authored-by: Maël Valais <mael@vls.dev>
Signed-off-by: Johann Behr <24767736+ExNG@users.noreply.github.com>
 2023-02-10 14:43:06 +01:00
Johann Behr
d9a68bee40
Add 6443/TCP to webhook egress NetworkPolicy 
Signed-off-by: Johann Behr <j.behr@avm.de>
 2023-02-09 11:46:15 +01:00
Maël Valais
bfce543640 serviceAccountRef: remove aud and exp, secretRef now a pointer 
Changing SecretRef to be a pointer will break people using the package as
a library.

I disabled the ability to set the audience and expiry time for security
reasons:

We decided to generate the audience dynamically instead of letting the
user configure it, and we also decided to encode the namespace and
issuer name into the audience to remediate the risk of hijacking an
existing issuer and service account with a malicious issuer.

Regarding the expiration duration of the JWT, it doesn't make sense to
let the user configure it since cert-manager will authenticate using the
JWT and immediately discard it. We thought that 1 minute would be
acceptable, although the Kubernetes API server may return a totally
different duration.

Signed-off-by: Maël Valais <mael@vls.dev>
 2023-02-06 18:28:49 +01:00
Maël Valais
76eef68730 serviceAccountRef: the vault issuer can now use bound SA tokens 
Previously, the Vault issuer was only able to use a Secret in order to
use the "Kubernetes authentication" method. The downside to this service
account Secret token is that it has the default JWT iss
"kubernetes/serviceaccount" (along with the fact that the token is not
bound to a particular pod and has no expiry).

With the new serviceAccountRef, cert-manager now requests the token on
behalf of the pod in order to authenticate with Vault.

Signed-off-by: Maël Valais <mael@vls.dev>
 2023-02-06 18:28:49 +01:00
Tim Ramlot
3978597320
Cleaning up a checks 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-01-24 09:50:56 +01:00
Aaron Aichlmayr
1d7e360ea4
Cleaning up a check 
Co-authored-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Signed-off-by: Aaron Aichlmayr <waterfoul@gmail.com>
 2023-01-23 16:36:01 -06:00
Aaron Aichlmayr
b967232e7b
Fixed a few indents 
Signed-off-by: Aaron Aichlmayr <aaichlmayr@conquestcyber.com>
 2023-01-16 10:29:11 -06:00
Aaron Aichlmayr
0ce3553e7f
Adding the ability to set volumes and volumeMounts to all pods 
Signed-off-by: Aaron Aichlmayr <aaichlmayr@conquestcyber.com>
 2023-01-16 10:29:11 -06:00
Jan-Otto Kröpke
b952058775
[helm] expose enable-certificate-owner-ref and -dns01-recursive-nameservers as helm value 
Signed-off-by: Jan-Otto Kröpke <mail@jkroepke.de>
 2023-01-14 15:16:16 +01:00
Ashley Davis
264ebe6d29
move custom acmesolver image above extraArgs 
since the acmesolver image has defaults (i.e. the repository is set by
default[1]), the helm chart changes introduced in #5554 will always set
the `--acme-http01-solver-image` parameter.

This can break users who previously had this parameter set via the
extraArgs Helm option, which was found and reported on Slack[2].

This commit moves the new Helm value added in #5554 above extraArgs,
so that if extraArgs is set it will take precedence and nothing should
change as users upgrade.

[1] a5d67d3a21/deploy/charts/cert-manager/values.yaml (L504-L516)
[2] https://kubernetes.slack.com/archives/CDEQJ0Q8M/p1672925692339849

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2023-01-05 16:42:57 +00:00
jetstack-bot
094b4c763e
Merge pull request #5662 from lucacome/bump-controller-tools 
Bump sigs.k8s.io deps
 2023-01-04 14:02:00 +00:00
jetstack-bot
2a7fabd5ca
Merge pull request #5554 from camptocamp/helm-add-acme-http01-solver-image-override-option 
helm: add option to override ACME HTTP-01 solver image
 2022-12-22 10:10:13 +00:00
Yann Soubeyrand
ea0bea9db0 helm: add option to override ACME HTTP-01 solver image 
Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>
 2022-12-21 19:48:11 +01:00
Luca Comellini
dbd6dc9b16
Bump sigs.k8s.io deps 
Signed-off-by: Luca Comellini <luca.com@gmail.com>
 2022-12-21 09:47:41 -08:00
Ashley Davis
1a63cba52a
Bump supported versions of k8s mentioned in the helm chart 
This reflects the latest supported releases as of an update on
2022-12-16

See https://github.com/cert-manager/website/pull/1131

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2022-12-21 17:17:21 +00:00
Ashley Davis
c5924f54a1
add + use CABundle field for ACME servers in issuers 
Previously it wasn't possible to set a custom CA bundle for an ACME
server, leading users to either patch the cert-manager system CA bundle
manually or else use SkipTLSVerify which is a security issue.

This adds CABundle for ACME, similar to what we have for Vault and
Venafi TPP issuers.

Longer term we'd like to have a more fully featured approach. It would
for example make sense to support loading CA bundles from ConfigMaps or
Secrets (similar to what we do for Vault issuers today), but for now this
change is the simplest change.

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2022-12-15 16:21:07 +00:00
Ashley Davis
f68693bb6a
change wording on descriptions for Vault and TPP 'CABundle' fields 
Clarifies language a little; makes it clearer that the bundle
should be base64 encoded. Previously it was slightly confusing
in that PEM certificates are themselves base64 encoded.

Also makes it clearer what our CABundle validation does and does not do
by adding a standalone validation function and tweaking the error
message for an invalid CA bundle.

Also updates validation to not print CA bundle for Vault issuer when the
bundle is invalid, since it won't help with debugging anything.
Currently the bundle is printed as byte values ("0x32, 0x58, 0x43...")
and in any case printing the whole bundle could be noisy if it's large

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2022-12-15 16:21:02 +00:00
lv
2f0d492036 feat: Add max-concurrent-challenges parameter to helm 
Set the max-concurrent-challenges value with -set maxConcurrentChallenges=value when deploying with helm

Fixes: https://github.com/cert-manager/cert-manager/issues/5627
Signed-off-by: lvyanru <yanru.lv@daocloud.io>
 2022-12-13 18:15:16 +08:00
Yannic Kilcher
5ce5129a3c
Fixed a typo in helm chart values 
Signed-off-by: Yannic Kilcher <yk@users.noreply.github.com>
 2022-12-09 11:55:33 +01:00
Sathyanarayanan Saravanamuthu
5aabf62585 Updating CRDs 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-12-06 18:54:46 +05:30
irbekrm
486c72f122 Update reference to HTTPRoute docs 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2022-12-05 15:04:18 +00:00
lv
bf2db73f71 fix: featureGates add webhook deployment in chart yaml 
Signed-off-by: lvyanru <1113706590@qq.com>
 2022-11-17 22:11:57 +08:00
Mary Thibault
7bb666742c
feat: add commonLabels to webhook configmap 
Signed-off-by: Mary Thibault <mary.thibault2@gmail.com>
 2022-11-04 09:24:04 +01:00
jetstack-bot
da3265115b
Merge pull request #5387 from Tolsto/vault-ca-bundle-secret-ref 
Add option to load Vault CA bundle from Kubernetes Secret
 2022-10-13 09:55:09 +01:00
Martin Schimandl
a080ac8970 Update Chart kubeVersion to >=1.20.0-0 
Signed-off-by: Martin Schimandl <martin.schimandl@gmail.com>
 2022-10-01 13:56:29 +01:00
Tim Ramlot
39fa9f51b4 upgrade dependencies 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2022-09-26 11:43:12 +02:00
jetstack-bot
0f627cdfb7
Merge pull request #5417 from mjudeikis/master 
helm: Add NetworkPolicy support
 2022-09-23 12:57:57 +01:00
Mangirdas Judeikis
1efea1787a helm: Add NetworkPolicy support 
Signed-off-by: Mangirdas Judeikis <mangirdas@judeikis.lt>
 2022-09-20 11:50:20 +03:00
Tim Ramlot
23b8bf5118 improve Helm values.yaml comment 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2022-09-16 18:15:30 +02:00
Thibault
1d21f3f30c
feat: merge master branch 
Signed-off-by: Thibault <mary.thibault2@gmail.com>
 2022-09-15 13:40:05 +02:00
Rui Lopes
d66755acd1 to help troubleshooting make the helm chart container names unique 
closes #5355

Signed-off-by: Rui Lopes <rgl@ruilopes.com>
 2022-08-28 12:07:57 +01:00
jetstack-bot
2821157f69
Merge pull request #5401 from sathieu/servicemonitor_annotations 
Add annotations for ServiceMonitor in helm chart
 2022-08-26 17:50:19 +01:00
jetstack-bot
b1d96755f2
Merge pull request #5395 from stek29/fix-5149 
Add topologySpreadConstraints to helm chart
 2022-08-26 16:13:20 +01:00
Mathieu Parent
ffd802d750 Add annotations for ServiceMonitor in helm chart 
Signed-off-by: Mathieu Parent <mathieu.parent@insee.fr>
 2022-08-26 16:46:31 +02:00
jetstack-bot
12f98dbc7e
Merge pull request #5376 from inteon/upgrade_gateway_api 
Upgrade gateway api to v0.5.0
 2022-08-25 16:08:10 +01:00
Flaagada
5ac8387d50
Add: support common labels for all resources 
Usefull when we have a policies manager as Kyverno.

Signed-off-by: Flaagada <mary.thibault2@gmail.com>
 2022-08-22 11:10:02 +02:00
Viktor Oreshkin
de24b860ae Add topologySpreadConstraints to helm chart (fix #5149) 
Signed-off-by: Viktor Oreshkin <imselfish@stek29.rocks>
 2022-08-22 06:24:16 +03:00
jetstack-bot
96dd8849ca
Merge pull request #5311 from EugenFo/add-port-to-container-spec 
added healthcheck to containers port spec
 2022-08-19 10:58:11 +01:00
Nils Mueller
2f6fa9dddf fixup! Add option to load Vault CA bundle from Kubernetes Secret 
Signed-off-by: Nils Mueller <nm@impactful.it>
 2022-08-16 02:57:43 +03:00
Nils Mueller
00a20097b6 Add option to load Vault CA bundle from Kubernetes Secret 
Vault distributions like "Bank Vaults" automatically configure
and provision Vault and provide the CA bundle via a Kubernetes
Secret. Having to hard-code the bundle in the Issuer instead
of dynamically referencing it through the Secret requires
a manual second step when using a GitOps workflow.

Signed-off-by: Nils Mueller <nm@impactful.it>
 2022-08-15 03:10:51 +03:00
jetstack-bot
34ea128fd3
Merge pull request #5368 from hawksight/pf/lease 
docs: Correct reference to lease not config map
 2022-08-09 17:04:05 +01:00
jetstack-bot
58b226e06c
Merge pull request #5163 from james-callahan/webhook-dynamic-serving-dns-names 
Webhook dynamic serving dns names
 2022-08-08 13:57:50 +01:00
Tim Ramlot
836793e7e3 upgrade gateway api to v0.5.0 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2022-08-08 08:52:59 +00:00
Peter Fiddes
9b8d279193
docs: Change values.yaml wording to reference correct resource 
Signed-off-by: Peter Fiddes <peter.fiddes@gmail.com>
 2022-08-04 15:11:32 +01:00
Tim Ramlot
93caba980e apply go fmt for go1.19 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2022-08-04 09:51:57 +00:00
Ashley Davis
fb231ab641
Remove bazel 🎉 
This removes all .bazel and .bzl files, and a bunch of scripts relating
to bazel, now that it's been entirely replaced.

There are still a few places where traces could be removed, but this
removes the brunt of the bazel stuff that remains.

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2022-07-26 11:38:50 +01:00
Eugen Fohlenweider
fb788c7703 added healthcheck to containers port spec 
Signed-off-by: Eugen Fohlenweider <eugen.fohlenweider@hotmail.com>
 2022-07-18 08:42:55 +02:00
Joe Bowbeer
455001e34a
Kubernetes 1.20+ 
Signed-off-by: Joe Bowbeer <joe.bowbeer@gmail.com>

Signed-off-by: Joe Bowbeer <joe.bowbeer@gmail.com>
 2022-07-07 17:15:28 -07:00
Joe Bowbeer
2a569341d7 refer to Default Security Contexts 
Signed-off-by: Joe Bowbeer <joe.bowbeer@gmail.com>
 2022-07-07 15:14:58 -07:00
Joe Bowbeer
db4fd285a7
Update helm README file 
Signed-off-by: Joe Bowbeer <joe.bowbeer@gmail.com>

Signed-off-by: Joe Bowbeer <joe.bowbeer@gmail.com>
 2022-07-07 03:44:35 -07:00
Joe Bowbeer
cbb476929e strengthen securityContexts 
Signed-off-by: Joe Bowbeer <joe.bowbeer@gmail.com>
 2022-07-06 10:47:26 -07:00
jetstack-bot
b84ea96d73
Merge pull request #5194 from Compy/master 
Support secrets for Route53 Access Key IDs
 2022-07-05 12:33:21 +01:00
joshvanl
f1d7c43276 Updates wording for aws rout53 dns CRD field comments 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2022-07-04 17:06:40 +01:00
Luca Comellini
aaa513de00
Bump k8s.io dependencies 
Signed-off-by: Luca Comellini <luca.com@gmail.com>
 2022-06-30 15:16:14 -07:00
Ashley Davis
eccde015ac
add CRD generation to makefile, replacing bazel 
- includes a run of make update-crds which causes some trivial changes
- updates version of YQ to latest
- makes hack/update-crds.sh just call make
- makes hack/verify-crds.sh just call make
- moves functionality of hack/verify-crds.sh to hack/check-crds.sh,
  using the makefile for generating alternative CRDs for comparison
- removes the bazel test associated with CRDs

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2022-06-27 13:25:18 +01:00
James Callahan
5fff1e6ee7
Avoid hard-coding release namespace in helm chart 
This improves compatibility with kustomize

Signed-off-by: James Callahan <jamescallahan@bitgo.com>
 2022-06-14 16:25:40 +10:00
James Callahan
6bd1c179b8
Use multiple --dynamic-serving-dns-names arguments 
This allows for cleaner debugging by adding/removing a line at a time.

The pflag library used allows multiple arguments like this, see
85dd5c8bc6/string_slice.go (L132-L135)

Signed-off-by: James Callahan <jamescallahan@bitgo.com>
 2022-06-14 16:25:07 +10:00
Compy
561103934d Updating and regenerating CRDs to make SecretAccessKeyID field usage more clear 
Signed-off-by: Compy <hello@86pixels.com>
 2022-06-11 10:48:10 -05:00
Compy
b9500d4364 Update CRD documentation to be a bit clearer 
Signed-off-by: Compy <hello@86pixels.com>
 2022-06-11 09:42:15 -05:00
irbekrm
6fcb3aacb2 Reverts additional check for ServiceMonitor. 
Reverts a check for whether Prometheus monitoring api resources have been
deployed before creating a ServiceMonitor as enforces dependency order
which does not fit installation model using GitOps tools as discussed in
https://github.com/cert-manager/cert-manager/pull/4844

This reverts commit f2f771fc93.

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2022-06-10 11:51:47 +01:00
Compy
153e5420cf Add support for pulling Route53/AWS access key IDs out of secrets 
Signed-off-by: Compy <hello@86pixels.com>
 2022-06-08 16:33:00 -05:00
Alessandro Vermeulen
1da01211ee Feature gated support for using literal subjects in Certificates 
Signed-off-by: Alessandro Vermeulen <alessandro.vermeulen@ing.com>
 2022-06-08 20:50:00 +02:00
jetstack-bot
18cb322403
Merge pull request #5141 from andrewgkew/deployment-namespace-override 
Adding a namespace override for k8s resources
 2022-06-08 14:51:08 +01:00
Andrew Kew
bbdb043510 Adding new line to the end helpers file 
Signed-off-by: Andrew Kew <andrew@quadcorps.co.uk>
 2022-06-07 16:25:33 +01:00
Ashley Davis
32b448c5ea
add URL for cert-manager website to chart, update logo URL 
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2022-05-30 17:28:24 +01:00
Andrew Kew
e19ae66017 Adding link to the problem that has been identified in helm around sub charts and setting of namespaces 
Signed-off-by: Andrew Kew <andrew@quadcorps.co.uk>
 2022-05-20 16:11:56 +01:00
Andrew Kew
b7700289f0 Refactored the namespace override and moved it into helper script so it can be updated in single place, then found more files that needed the value updated 
Signed-off-by: Andrew Kew <andrew@quadcorps.co.uk>
 2022-05-20 12:39:44 +01:00
Andrew Kew
488b015b8d Added a namespace override so that the namespace where the services are deployed into can be set. Helpful when using this chart as a dependency (sub chart) 
Signed-off-by: Andrew Kew <andrew@quadcorps.co.uk>
 2022-05-19 17:31:55 +01:00
Craig Minihan
8748abde93 Set the startupapicheck nodeSelector to linux 
Signed-off-by: Craig Minihan <craig@ripcordsoftware.com>
 2022-05-17 17:41:31 +01:00
irbekrm
db8c6999a8 Remove leftover cainjector annotations from our CRDs 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2022-05-09 17:24:30 +01:00
Dean Coakley
5e4e66e3d9 Update minimum version constraint to be 1.19.0-0 
Signed-off-by: Dean Coakley <dean.s.coakley@gmail.com>
 2022-04-29 17:28:40 +01:00
Dean Coakley
894643fe88 Add minimum kubernetes version constraint to chart 
Ref: https://cert-manager.io/docs/installation/supported-releases/
Signed-off-by: Dean Coakley <dean.s.coakley@gmail.com>
 2022-04-29 17:25:08 +01:00
jetstack-bot
3897556ccc
Merge pull request #4721 from Dean-Coakley/remove-securityContext-enabled 
Remove `securityContext.enabled` from helm chart
 2022-04-28 17:39:24 +01:00
jetstack-bot
fb3f6829bd
Merge pull request #5018 from SgtCoDFish/imgloc 
Fix old logo location in helm chart
 2022-04-08 10:11:37 +01:00
jetstack-bot
d212165c8d
Merge pull request #5016 from sveba/master 
explicitly mount service-account-token in deployment
 2022-04-05 22:15:48 +01:00
Ashley Davis
248e2cce66
fix old logo location in helm chart 
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2022-04-05 20:26:08 +01:00
Svetoslav Batchovski
d843a25202 Explicitly mount service-account-token in deployment 
Signed-off-by: Svetoslav Batchovski <svetoslav@batchovski.de>
 2022-04-05 19:16:12 +02:00
Jake Sanders
0d88032850
Remove OWNERS from helm chart 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2022-04-05 16:46:57 +01:00
joshvanl
67afcb2d6c Add patch permissions to challenges/status 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2022-04-01 11:53:44 +01:00
jetstack-bot
86ad9962a3
Merge pull request #4967 from maelvls/gwapi-v1alpha2-optional-labels 
Gateway API: with v1alpha2, the labels have become optional
 2022-03-30 15:11:33 +01:00
jetstack-bot
00938dfa4c
Merge pull request #3605 from mikebryant/3601-default-nodeselector-linux 
fix: Set default nodeSelector to linux
 2022-03-30 13:38:33 +01:00
Jake Sanders
b72db63761
Change label description for HTTP-01 Gateway API solver and fix tests 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2022-03-30 12:52:34 +01:00
jetstack-bot
e116d416f3
Merge pull request #4799 from JoshVanL/controllers-server-side-apply-orders 
Server Side Apply: Adds support for Order controllers to use SSA with Feature Gate
 2022-03-28 13:11:31 +01:00
jetstack-bot
be15ce2279
Merge pull request #4953 from ajvn/feature/allow-privilege-escalation 
update: Setting allowPrivilegeEscalation to false
 2022-03-22 11:01:47 +00:00
jetstack-bot
ca32961253
Merge pull request #4772 from irbekrm/exp_backoff 
Exponential backoff for retrying failed certificate issuances
 2022-03-21 20:31:23 +00:00
Maël Valais
4b3af946db gateway-api: with v1alpha2, the labels have become optional 
Previously, in v1alpha1, an HTTPRoute was matched to a Gateway using
the label selectors present on the Gateways. For example, with the
following Gateway:

  apiVersion: networking.x-k8s.io/v1alpha1
  kind: Gateway
  metadata:
    name: acmesolver
  spec:
    listeners:
      - protocol: HTTP
        port: 80
        routes:
          kind: HTTPRoute
          selector:
            matchLabels:
              app: foo

you would have to use the following labels on the HTTPRoute in order to
get the above Gateway to be used:

  apiVersion: networking.x-k8s.io/v1alpha1
  kind: HTTPRoute
  metadata:
    labels:
      app: foo

With v1alpha2, the label selectors have been dropped. Instead, the
HTTPRoute has to give a direct reference to the Gateway:

    apiVersion: gateway.networking.k8s.io/v1alpha2
    kind: HTTPRoute
    spec:
      parentRefs:
        - kind: Gateway
          name: acmesolver
          namespace: traefik

This means that the "labels" field on the gatewayHTTPRoute solver is now
optional:

    apiVersion: cert-manager.io/v1
    kind: Issuer
    spec:
      acme:
        solvers:
          - http01:
              gatewayHTTPRoute:
                labels:              | This field is
                  app: test          | now optional.
                parentRefs:
                  - kind: Gateway
                    name: acmesolver

Signed-off-by: Maël Valais <mael@vls.dev>
 2022-03-21 17:39:10 +01:00
Ivan
5c857d3737 update: Setting allowPrivilegeEscalation to false for controller, cainjector, webhook containers and for startupapicheck job 
Signed-off-by: Ivan <ivans@vaskir.co>
 2022-03-21 17:17:28 +01:00
Andrea Decorte
f6d8c4fb5b Add permissions to update certificates/status to allow namespace admins to renew manually a Certificate. Fixes #4954 
Signed-off-by: Andrea Decorte <adecorte@gmail.com>
 2022-03-21 12:08:11 +01:00
jetstack-bot
3266d13578
Merge pull request #4937 from illrill/feature/optional-rbac-aggregation 
Make aggregation to user-facing ClusterRoles optional
 2022-03-21 09:00:23 +00:00
irbekrm
dbad3d98f3 Rename issuanceAttempts -> failedIssuanceAttempts 
In an attempt to convey the meaning of the field better

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2022-03-21 07:33:51 +00:00
irbekrm
affb5e86ef Adds IssuanceAttempts field to Certificate's status 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2022-03-21 07:33:51 +00:00
Erik Godding Boye
94d1149760 docs: improve featureGates Helm chart value documentation 
Signed-off-by: Erik Godding Boye <egboye@gmail.com>
 2022-03-15 21:28:46 +01:00
jetstack-bot
8179f68050
Merge pull request #4932 from 4molybdenum2/service-account-labels-helm 
support serviceAccount.Labels in Helm chart
 2022-03-15 17:44:50 +00:00
Tathagata Paul
7161870cea minor commenting fixes 
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
 2022-03-15 17:42:47 +05:30
Tathagata Paul
67ed2ffd26 added optional labels for webhook, startupapicheck and cainjector service accounts 
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
 2022-03-11 22:00:25 +05:30
jetstack-bot
8ebd63c7e9
Merge pull request #4913 from jahrlin/validate-privatekey-rotationpolicy 
add validation for certificate.spec.privateKey.rotationPolicy
 2022-03-11 13:28:35 +00:00
Richard Johansson
edf38b66c2 Make aggregation to user-facing ClusterRoles optional 
Signed-off-by: Richard Johansson <richard.jimmy.johansson@gmail.com>
 2022-03-10 15:50:32 +01:00
David Bond
4a4dd03245
Switch leader election to use Lease objects 
Previously, cert-manager supported both ConfigMap & Lease objects for leader election. This commit modifies
the leader-election code to now solely use Lease objects in both the controller & ca-injector. The related
RBAC for ConfigMap resources has also been removed.

This change means that you cannot upgrade to the version containing this commit from cert-manager 1.3.

Related to #3766

Signed-off-by: David Bond <davidsbond93@gmail.com>
 2022-03-10 12:38:50 +00:00
Tathagata Paul
25d2def9b6 support serviceAccount.Labels in Helm chart 
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
 2022-03-10 15:16:53 +05:30
Joakim Ahrlin
f5275cf1cc add enum for rotationPolicy 
Signed-off-by: Joakim Ahrlin <joakim.ahrlin@gmail.com>
 2022-03-03 16:31:23 +01:00
Jake Sanders
cfb1406742
Update RBAC for the new gateway API's apiGroup 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2022-03-01 15:05:24 +00:00
Joakim Ahrlin
eb64e6494c
update deps and BUILD files 
Signed-off-by: Joakim Ahrlin <joakim.ahrlin@gmail.com>
 2022-03-01 15:05:18 +00:00
jetstack-bot
10c5d72279
Merge pull request #4792 from JoshVanL/controllers-server-side-apply-certificaterequests 
Server Side Apply: Adds support for CertificateRequests controller to use SSA with Feature Gate
 2022-02-16 10:57:37 +00:00
joshvanl
b5ff61e02b Adds patch permissions to order/status for cert-manager controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2022-02-16 10:33:48 +00:00
jetstack-bot
56d9423744
Merge pull request #4798 from JoshVanL/controllers-server-side-apply-certificatesigningrequests 
Server Side Apply: Adds support for CertificateSigningRequest controllers to use SSA with Feature Gate
 2022-02-16 10:20:37 +00:00
jetstack-bot
9887baac33
Merge pull request #4844 from batazor/chart-servicemonitor 
Add additional check for servicemonitor
 2022-02-15 20:43:36 +00:00
jetstack-bot
0860a4141b
Merge pull request #4847 from akamac/patch-1 
add name to the exposed metrics port
 2022-02-14 14:02:52 +00:00
jetstack-bot
ad4264b6ec
Merge pull request #4841 from irbekrm/remove_annotation 
Removes cainjector annotations from CRDs
 2022-02-14 10:48:52 +00:00
jetstack-bot
12a2148df3
Merge pull request #4794 from JoshVanL/controllers-server-side-apply-issuers 
Server Side Apply: Adds support for [Cluster]Issuer controller to use SSA with Feature Gate
 2022-02-11 19:37:01 +00:00
joshvanl
3e23b6fd8a Adds patch permissions to cert-manager controller for issuers and 
clusterissuers

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2022-02-11 16:26:56 +00:00
joshvanl
49108a0278 Adds list map type to Conditions for both Issuers and Cluster Issuers 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2022-02-11 16:26:56 +00:00