Commit Graph

920 Commits

Author SHA1 Message Date
jetstack-bot
2a7fabd5ca
Merge pull request #5554 from camptocamp/helm-add-acme-http01-solver-image-override-option
helm: add option to override ACME HTTP-01 solver image
2022-12-22 10:10:13 +00:00
Yann Soubeyrand
ea0bea9db0 helm: add option to override ACME HTTP-01 solver image
Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>
2022-12-21 19:48:11 +01:00
Luca Comellini
dbd6dc9b16
Bump sigs.k8s.io deps
Signed-off-by: Luca Comellini <luca.com@gmail.com>
2022-12-21 09:47:41 -08:00
Ashley Davis
1a63cba52a
Bump supported versions of k8s mentioned in the helm chart
This reflects the latest supported releases as of an update on
2022-12-16

See https://github.com/cert-manager/website/pull/1131

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-12-21 17:17:21 +00:00
Ashley Davis
c5924f54a1
add + use CABundle field for ACME servers in issuers
Previously it wasn't possible to set a custom CA bundle for an ACME
server, leading users to either patch the cert-manager system CA bundle
manually or else use SkipTLSVerify which is a security issue.

This adds CABundle for ACME, similar to what we have for Vault and
Venafi TPP issuers.

Longer term we'd like to have a more fully featured approach. It would
for example make sense to support loading CA bundles from ConfigMaps or
Secrets (similar to what we do for Vault issuers today), but for now this
change is the simplest change.

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-12-15 16:21:07 +00:00
Ashley Davis
f68693bb6a
change wording on descriptions for Vault and TPP 'CABundle' fields
Clarifies language a little; makes it clearer that the bundle
should be base64 encoded. Previously it was slightly confusing
in that PEM certificates are themselves base64 encoded.

Also makes it clearer what our CABundle validation does and does not do
by adding a standalone validation function and tweaking the error
message for an invalid CA bundle.

Also updates validation to not print CA bundle for Vault issuer when the
bundle is invalid, since it won't help with debugging anything.
Currently the bundle is printed as byte values ("0x32, 0x58, 0x43...")
and in any case printing the whole bundle could be noisy if it's large

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-12-15 16:21:02 +00:00
lv
2f0d492036 feat: Add max-concurrent-challenges parameter to helm
Set the max-concurrent-challenges value with --set maxConcurrentChallenges=value when deploying with helm

Fixes: https://github.com/cert-manager/cert-manager/issues/5627
Signed-off-by: lvyanru <yanru.lv@daocloud.io>
2022-12-13 18:15:16 +08:00
Yannic Kilcher
5ce5129a3c
Fixed a typo in helm chart values
Signed-off-by: Yannic Kilcher <yk@users.noreply.github.com>
2022-12-09 11:55:33 +01:00
Sathyanarayanan Saravanamuthu
5aabf62585 Updating CRDs
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
2022-12-06 18:54:46 +05:30
irbekrm
486c72f122 Update reference to HTTPRoute docs
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-12-05 15:04:18 +00:00
lv
bf2db73f71 fix: featureGates add webhook deployment in chart yaml
Signed-off-by: lvyanru <1113706590@qq.com>
2022-11-17 22:11:57 +08:00
Mary Thibault
7bb666742c
feat: add commonLabels to webhook configmap
Signed-off-by: Mary Thibault <mary.thibault2@gmail.com>
2022-11-04 09:24:04 +01:00
jetstack-bot
da3265115b
Merge pull request #5387 from Tolsto/vault-ca-bundle-secret-ref
Add option to load Vault CA bundle from Kubernetes Secret
2022-10-13 09:55:09 +01:00
Martin Schimandl
a080ac8970 Update Chart kubeVersion to >=1.20.0-0
Signed-off-by: Martin Schimandl <martin.schimandl@gmail.com>
2022-10-01 13:56:29 +01:00
Tim Ramlot
39fa9f51b4 upgrade dependencies
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2022-09-26 11:43:12 +02:00
jetstack-bot
0f627cdfb7
Merge pull request #5417 from mjudeikis/master
helm: Add NetworkPolicy support
2022-09-23 12:57:57 +01:00
Mangirdas Judeikis
1efea1787a helm: Add NetworkPolicy support
Signed-off-by: Mangirdas Judeikis <mangirdas@judeikis.lt>
2022-09-20 11:50:20 +03:00
Tim Ramlot
23b8bf5118 improve Helm values.yaml comment
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2022-09-16 18:15:30 +02:00
Thibault
1d21f3f30c
feat: merge master branch
Signed-off-by: Thibault <mary.thibault2@gmail.com>
2022-09-15 13:40:05 +02:00
Rui Lopes
d66755acd1 to help troubleshooting make the helm chart container names unique
closes #5355

Signed-off-by: Rui Lopes <rgl@ruilopes.com>
2022-08-28 12:07:57 +01:00
jetstack-bot
2821157f69
Merge pull request #5401 from sathieu/servicemonitor_annotations
Add annotations for ServiceMonitor in helm chart
2022-08-26 17:50:19 +01:00
jetstack-bot
b1d96755f2
Merge pull request #5395 from stek29/fix-5149
Add topologySpreadConstraints to helm chart
2022-08-26 16:13:20 +01:00
Mathieu Parent
ffd802d750 Add annotations for ServiceMonitor in helm chart
Signed-off-by: Mathieu Parent <mathieu.parent@insee.fr>
2022-08-26 16:46:31 +02:00
jetstack-bot
12f98dbc7e
Merge pull request #5376 from inteon/upgrade_gateway_api
Upgrade gateway api to v0.5.0
2022-08-25 16:08:10 +01:00
Flaagada
5ac8387d50
Add: support common labels for all resources
Useful when we have a policy manager such as Kyverno.

Signed-off-by: Flaagada <mary.thibault2@gmail.com>
2022-08-22 11:10:02 +02:00
Viktor Oreshkin
de24b860ae Add topologySpreadConstraints to helm chart (fix #5149)
Signed-off-by: Viktor Oreshkin <imselfish@stek29.rocks>
2022-08-22 06:24:16 +03:00
jetstack-bot
96dd8849ca
Merge pull request #5311 from EugenFo/add-port-to-container-spec
added healthcheck to containers port spec
2022-08-19 10:58:11 +01:00
Nils Mueller
2f6fa9dddf fixup! Add option to load Vault CA bundle from Kubernetes Secret
Signed-off-by: Nils Mueller <nm@impactful.it>
2022-08-16 02:57:43 +03:00
Nils Mueller
00a20097b6 Add option to load Vault CA bundle from Kubernetes Secret
Vault distributions like "Bank Vaults" automatically configure
and provision Vault and provide the CA bundle via a Kubernetes
Secret. Having to hard-code the bundle in the Issuer instead
of dynamically referencing it through the Secret requires
a manual second step when using a GitOps workflow.

Signed-off-by: Nils Mueller <nm@impactful.it>
2022-08-15 03:10:51 +03:00
jetstack-bot
34ea128fd3
Merge pull request #5368 from hawksight/pf/lease
docs: Correct reference to lease not config map
2022-08-09 17:04:05 +01:00
jetstack-bot
58b226e06c
Merge pull request #5163 from james-callahan/webhook-dynamic-serving-dns-names
Webhook dynamic serving dns names
2022-08-08 13:57:50 +01:00
Tim Ramlot
836793e7e3 upgrade gateway api to v0.5.0
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2022-08-08 08:52:59 +00:00
Peter Fiddes
9b8d279193
docs: Change values.yaml wording to reference correct resource
Signed-off-by: Peter Fiddes <peter.fiddes@gmail.com>
2022-08-04 15:11:32 +01:00
Tim Ramlot
93caba980e apply go fmt for go1.19
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2022-08-04 09:51:57 +00:00
Ashley Davis
fb231ab641
Remove bazel 🎉
This removes all .bazel and .bzl files, and a bunch of scripts relating
to bazel, now that it's been entirely replaced.

There are still a few places where traces could be removed, but this
removes the brunt of the bazel stuff that remains.

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-07-26 11:38:50 +01:00
Eugen Fohlenweider
fb788c7703 added healthcheck to containers port spec
Signed-off-by: Eugen Fohlenweider <eugen.fohlenweider@hotmail.com>
2022-07-18 08:42:55 +02:00
Joe Bowbeer
455001e34a
Kubernetes 1.20+
Signed-off-by: Joe Bowbeer <joe.bowbeer@gmail.com>

Signed-off-by: Joe Bowbeer <joe.bowbeer@gmail.com>
2022-07-07 17:15:28 -07:00
Joe Bowbeer
2a569341d7 refer to Default Security Contexts
Signed-off-by: Joe Bowbeer <joe.bowbeer@gmail.com>
2022-07-07 15:14:58 -07:00
Joe Bowbeer
db4fd285a7
Update helm README file
Signed-off-by: Joe Bowbeer <joe.bowbeer@gmail.com>

Signed-off-by: Joe Bowbeer <joe.bowbeer@gmail.com>
2022-07-07 03:44:35 -07:00
Joe Bowbeer
cbb476929e strengthen securityContexts
Signed-off-by: Joe Bowbeer <joe.bowbeer@gmail.com>
2022-07-06 10:47:26 -07:00
jetstack-bot
b84ea96d73
Merge pull request #5194 from Compy/master
Support secrets for Route53 Access Key IDs
2022-07-05 12:33:21 +01:00
joshvanl
f1d7c43276 Updates wording for aws route53 dns CRD field comments
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-07-04 17:06:40 +01:00
Luca Comellini
aaa513de00
Bump k8s.io dependencies
Signed-off-by: Luca Comellini <luca.com@gmail.com>
2022-06-30 15:16:14 -07:00
Ashley Davis
eccde015ac
add CRD generation to makefile, replacing bazel
- includes a run of make update-crds which causes some trivial changes
- updates version of YQ to latest
- makes hack/update-crds.sh just call make
- makes hack/verify-crds.sh just call make
- moves functionality of hack/verify-crds.sh to hack/check-crds.sh,
  using the makefile for generating alternative CRDs for comparison
- removes the bazel test associated with CRDs

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-06-27 13:25:18 +01:00
James Callahan
5fff1e6ee7
Avoid hard-coding release namespace in helm chart
This improves compatibility with kustomize

Signed-off-by: James Callahan <jamescallahan@bitgo.com>
2022-06-14 16:25:40 +10:00
James Callahan
6bd1c179b8
Use multiple --dynamic-serving-dns-names arguments
This allows for cleaner debugging by adding/removing a line at a time.

The pflag library used allows multiple arguments like this, see
85dd5c8bc6/string_slice.go (L132-L135)

Signed-off-by: James Callahan <jamescallahan@bitgo.com>
2022-06-14 16:25:07 +10:00
Compy
561103934d Updating and regenerating CRDs to make SecretAccessKeyID field usage more clear
Signed-off-by: Compy <hello@86pixels.com>
2022-06-11 10:48:10 -05:00
Compy
b9500d4364 Update CRD documentation to be a bit clearer
Signed-off-by: Compy <hello@86pixels.com>
2022-06-11 09:42:15 -05:00
irbekrm
6fcb3aacb2 Reverts additional check for ServiceMonitor.
Reverts a check for whether Prometheus monitoring api resources have been
deployed before creating a ServiceMonitor, as it enforces a dependency order
which does not fit installation model using GitOps tools as discussed in
https://github.com/cert-manager/cert-manager/pull/4844

This reverts commit f2f771fc93.

Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-06-10 11:51:47 +01:00
Compy
153e5420cf Add support for pulling Route53/AWS access key IDs out of secrets
Signed-off-by: Compy <hello@86pixels.com>
2022-06-08 16:33:00 -05:00
Alessandro Vermeulen
1da01211ee Feature gated support for using literal subjects in Certificates
Signed-off-by: Alessandro Vermeulen <alessandro.vermeulen@ing.com>
2022-06-08 20:50:00 +02:00
jetstack-bot
18cb322403
Merge pull request #5141 from andrewgkew/deployment-namespace-override
Adding a namespace override for k8s resources
2022-06-08 14:51:08 +01:00
Andrew Kew
bbdb043510 Adding new line to the end helpers file
Signed-off-by: Andrew Kew <andrew@quadcorps.co.uk>
2022-06-07 16:25:33 +01:00
Ashley Davis
32b448c5ea
add URL for cert-manager website to chart, update logo URL
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-05-30 17:28:24 +01:00
Andrew Kew
e19ae66017 Adding link to the problem that has been identified in helm around sub charts and setting of namespaces
Signed-off-by: Andrew Kew <andrew@quadcorps.co.uk>
2022-05-20 16:11:56 +01:00
Andrew Kew
b7700289f0 Refactored the namespace override and moved it into helper script so it can be updated in single place, then found more files that needed the value updated
Signed-off-by: Andrew Kew <andrew@quadcorps.co.uk>
2022-05-20 12:39:44 +01:00
Andrew Kew
488b015b8d Added a namespace override so that the namespace where the services are deployed into can be set. Helpful when using this chart as a dependency (sub chart)
Signed-off-by: Andrew Kew <andrew@quadcorps.co.uk>
2022-05-19 17:31:55 +01:00
Craig Minihan
8748abde93 Set the startupapicheck nodeSelector to linux
Signed-off-by: Craig Minihan <craig@ripcordsoftware.com>
2022-05-17 17:41:31 +01:00
irbekrm
db8c6999a8 Remove leftover cainjector annotations from our CRDs
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-05-09 17:24:30 +01:00
Dean Coakley
5e4e66e3d9 Update minimum version constraint to be 1.19.0-0
Signed-off-by: Dean Coakley <dean.s.coakley@gmail.com>
2022-04-29 17:28:40 +01:00
Dean Coakley
894643fe88 Add minimum kubernetes version constraint to chart
Ref: https://cert-manager.io/docs/installation/supported-releases/
Signed-off-by: Dean Coakley <dean.s.coakley@gmail.com>
2022-04-29 17:25:08 +01:00
jetstack-bot
3897556ccc
Merge pull request #4721 from Dean-Coakley/remove-securityContext-enabled
Remove `securityContext.enabled` from helm chart
2022-04-28 17:39:24 +01:00
jetstack-bot
fb3f6829bd
Merge pull request #5018 from SgtCoDFish/imgloc
Fix old logo location in helm chart
2022-04-08 10:11:37 +01:00
jetstack-bot
d212165c8d
Merge pull request #5016 from sveba/master
explicitly mount service-account-token in deployment
2022-04-05 22:15:48 +01:00
Ashley Davis
248e2cce66
fix old logo location in helm chart
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-04-05 20:26:08 +01:00
Svetoslav Batchovski
d843a25202 Explicitly mount service-account-token in deployment
Signed-off-by: Svetoslav Batchovski <svetoslav@batchovski.de>
2022-04-05 19:16:12 +02:00
Jake Sanders
0d88032850
Remove OWNERS from helm chart
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2022-04-05 16:46:57 +01:00
joshvanl
67afcb2d6c Add patch permissions to challenges/status
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-04-01 11:53:44 +01:00
jetstack-bot
86ad9962a3
Merge pull request #4967 from maelvls/gwapi-v1alpha2-optional-labels
Gateway API: with v1alpha2, the labels have become optional
2022-03-30 15:11:33 +01:00
jetstack-bot
00938dfa4c
Merge pull request #3605 from mikebryant/3601-default-nodeselector-linux
fix: Set default nodeSelector to linux
2022-03-30 13:38:33 +01:00
Jake Sanders
b72db63761
Change label description for HTTP-01 Gateway API solver and fix tests
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2022-03-30 12:52:34 +01:00
jetstack-bot
e116d416f3
Merge pull request #4799 from JoshVanL/controllers-server-side-apply-orders
Server Side Apply: Adds support for Order controllers to use SSA with Feature Gate
2022-03-28 13:11:31 +01:00
jetstack-bot
be15ce2279
Merge pull request #4953 from ajvn/feature/allow-privilege-escalation
update: Setting allowPrivilegeEscalation to false
2022-03-22 11:01:47 +00:00
jetstack-bot
ca32961253
Merge pull request #4772 from irbekrm/exp_backoff
Exponential backoff for retrying failed certificate issuances
2022-03-21 20:31:23 +00:00
Maël Valais
4b3af946db gateway-api: with v1alpha2, the labels have become optional
Previously, in v1alpha1, an HTTPRoute was matched to a Gateway using
the label selectors present on the Gateways. For example, with the
following Gateway:

  apiVersion: networking.x-k8s.io/v1alpha1
  kind: Gateway
  metadata:
    name: acmesolver
  spec:
    listeners:
      - protocol: HTTP
        port: 80
        routes:
          kind: HTTPRoute
          selector:
            matchLabels:
              app: foo

you would have to use the following labels on the HTTPRoute in order to
get the above Gateway to be used:

  apiVersion: networking.x-k8s.io/v1alpha1
  kind: HTTPRoute
  metadata:
    labels:
      app: foo

With v1alpha2, the label selectors have been dropped. Instead, the
HTTPRoute has to give a direct reference to the Gateway:

    apiVersion: gateway.networking.k8s.io/v1alpha2
    kind: HTTPRoute
    spec:
      parentRefs:
        - kind: Gateway
          name: acmesolver
          namespace: traefik

This means that the "labels" field on the gatewayHTTPRoute solver is now
optional:

    apiVersion: cert-manager.io/v1
    kind: Issuer
    spec:
      acme:
        solvers:
          - http01:
              gatewayHTTPRoute:
                labels:              | This field is
                  app: test          | now optional.
                parentRefs:
                  - kind: Gateway
                    name: acmesolver

Signed-off-by: Maël Valais <mael@vls.dev>
2022-03-21 17:39:10 +01:00
Ivan
5c857d3737 update: Setting allowPrivilegeEscalation to false for controller, cainjector, webhook containers and for startupapicheck job
Signed-off-by: Ivan <ivans@vaskir.co>
2022-03-21 17:17:28 +01:00
Andrea Decorte
f6d8c4fb5b Add permissions to update certificates/status to allow namespace admins to renew manually a Certificate. Fixes #4954
Signed-off-by: Andrea Decorte <adecorte@gmail.com>
2022-03-21 12:08:11 +01:00
jetstack-bot
3266d13578
Merge pull request #4937 from illrill/feature/optional-rbac-aggregation
Make aggregation to user-facing ClusterRoles optional
2022-03-21 09:00:23 +00:00
irbekrm
dbad3d98f3 Rename issuanceAttempts -> failedIssuanceAttempts
In an attempt to convey the meaning of the field better

Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-21 07:33:51 +00:00
irbekrm
affb5e86ef Adds IssuanceAttempts field to Certificate's status
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-21 07:33:51 +00:00
Erik Godding Boye
94d1149760 docs: improve featureGates Helm chart value documentation
Signed-off-by: Erik Godding Boye <egboye@gmail.com>
2022-03-15 21:28:46 +01:00
jetstack-bot
8179f68050
Merge pull request #4932 from 4molybdenum2/service-account-labels-helm
support serviceAccount.Labels in Helm chart
2022-03-15 17:44:50 +00:00
Tathagata Paul
7161870cea minor commenting fixes
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
2022-03-15 17:42:47 +05:30
Tathagata Paul
67ed2ffd26 added optional labels for webhook, startupapicheck and cainjector service accounts
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
2022-03-11 22:00:25 +05:30
jetstack-bot
8ebd63c7e9
Merge pull request #4913 from jahrlin/validate-privatekey-rotationpolicy
add validation for certificate.spec.privateKey.rotationPolicy
2022-03-11 13:28:35 +00:00
Richard Johansson
edf38b66c2 Make aggregation to user-facing ClusterRoles optional
Signed-off-by: Richard Johansson <richard.jimmy.johansson@gmail.com>
2022-03-10 15:50:32 +01:00
David Bond
4a4dd03245
Switch leader election to use Lease objects
Previously, cert-manager supported both ConfigMap & Lease objects for leader election. This commit modifies
the leader-election code to now solely use Lease objects in both the controller & ca-injector. The related
RBAC for ConfigMap resources has also been removed.

This change means that you cannot upgrade to the version containing this commit from cert-manager 1.3.

Related to #3766

Signed-off-by: David Bond <davidsbond93@gmail.com>
2022-03-10 12:38:50 +00:00
Tathagata Paul
25d2def9b6 support serviceAccount.Labels in Helm chart
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
2022-03-10 15:16:53 +05:30
Joakim Ahrlin
f5275cf1cc add enum for rotationPolicy
Signed-off-by: Joakim Ahrlin <joakim.ahrlin@gmail.com>
2022-03-03 16:31:23 +01:00
Jake Sanders
cfb1406742
Update RBAC for the new gateway API's apiGroup
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2022-03-01 15:05:24 +00:00
Joakim Ahrlin
eb64e6494c
update deps and BUILD files
Signed-off-by: Joakim Ahrlin <joakim.ahrlin@gmail.com>
2022-03-01 15:05:18 +00:00
jetstack-bot
10c5d72279
Merge pull request #4792 from JoshVanL/controllers-server-side-apply-certificaterequests
Server Side Apply: Adds support for CertificateRequests controller to use SSA with Feature Gate
2022-02-16 10:57:37 +00:00
joshvanl
b5ff61e02b Adds patch permissions to order/status for cert-manager controller
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-16 10:33:48 +00:00
jetstack-bot
56d9423744
Merge pull request #4798 from JoshVanL/controllers-server-side-apply-certificatesigningrequests
Server Side Apply: Adds support for CertificateSigningRequest controllers to use SSA with Feature Gate
2022-02-16 10:20:37 +00:00
jetstack-bot
9887baac33
Merge pull request #4844 from batazor/chart-servicemonitor
Add additional check for servicemonitor
2022-02-15 20:43:36 +00:00
jetstack-bot
0860a4141b
Merge pull request #4847 from akamac/patch-1
add name to the exposed metrics port
2022-02-14 14:02:52 +00:00
jetstack-bot
ad4264b6ec
Merge pull request #4841 from irbekrm/remove_annotation
Removes cainjector annotations from CRDs
2022-02-14 10:48:52 +00:00
jetstack-bot
12a2148df3
Merge pull request #4794 from JoshVanL/controllers-server-side-apply-issuers
Server Side Apply: Adds support for [Cluster]Issuer controller to use SSA with Feature Gate
2022-02-11 19:37:01 +00:00
joshvanl
3e23b6fd8a Adds patch permissions to cert-manager controller for issuers and
clusterissuers

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:26:56 +00:00
joshvanl
49108a0278 Adds list map type to Conditions for both Issuers and Cluster Issuers
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:26:56 +00:00
joshvanl
fc21252e14 Adds patch permissions to cert-manager controller for
certificaterequests

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:22:33 +00:00
joshvanl
a4588c3401 Adds condition_list_type_test integration test for CertificateRequest object
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:22:33 +00:00
joshvanl
23ba58b008 Update CRD for field labels. Adds patch rbac to Certificates for
cert-manager controller

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:14:31 +00:00
Alexey Miasoedov
c37e0b9b93 add name to the exposed metrics port
Signed-off-by: Alexey Miasoedov <alexey.miasoedov@gmail.com>
2022-02-11 18:37:09 +03:00
jetstack-bot
9ff7568f4e
Merge pull request #4809 from JoshVanL/ca-injector-remove-auditsinks-permissions
Remove auditsinks permissions from ca-injector as it is no longer supported
2022-02-11 13:56:01 +00:00
Victor Login
f2f771fc93
Update servicemonitor.yaml
Signed-off-by: Login Victor <batazor111@gmail.com>
2022-02-11 08:57:07 +03:00
irbekrm
5fd80d6ad3 Removes cainjector annotations from CRDs
As we're no longer using cainjector to inject CA bundles to those CRDs

Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-02-10 13:43:06 +00:00
joshvanl
391dea4f60 Adds patch to certificatesigningrequest permissions for controller
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-07 14:18:14 +00:00
Ashley Davis
3a055cc2f5
rename all uses of github.com/jetstack/cert-manager
This was done by running the following command twice:

 ```bash
 grep -Ri "github.com/jetstack/cert-manager" . | \
 cut -d":" -f1 | \
 sort | \
 uniq | \
 xargs sed -i "s/github.com\/jetstack\/cert-manager/github.com\/cert-manager\/cert-manager/"
 ```

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-02-02 09:08:31 +00:00
joshvanl
35fba365bf Update AdditionalOutputFormats comment to reflect addition of feature to
webhook set.

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-01 17:04:55 +00:00
joshvanl
83f738d665 Remove auditsinks permissions from ca-injector as it is no longer
supported

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-01-31 18:46:52 +00:00
irbekrm
4b3239e8fb Removes duplicated service annotations from Helm chart
These were added by merging multiple PRs that add similar functionality

Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-01-25 10:26:25 +00:00
joshvanl
5019aaacfc Update SecretTemplate API comments to highlight that annotations are
appended to base annotations

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-01-17 11:40:13 +00:00
joshvanl
162519869e Updates CRD with new secret template comment
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-01-17 11:24:45 +00:00
joshvanl
d6fb5138f2 Re-add crd-certificates.yaml
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-01-17 11:24:45 +00:00
joshvanl
81ec7d9665 Update controller rbac to allow it to patch Secrets
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-01-17 11:24:45 +00:00
joshvanl
685dd79c0c Makes some minor API naming changes, and clears up some docs around the
Certificate's additional output formats.

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-01-14 20:00:26 +00:00
Thierry Sallé
7f8641dd94 [additionalOutputFormats] Update comments and add more tests
Signed-off-by: Thierry Sallé <seuf76@gmail.com>
2022-01-14 11:10:32 +01:00
Thierry
81f308221b Add certificate additionalOutputFormats parameter
DER Format to create key.der binary format of the private key.

CombinedPEM Format to create tls-combined.pem containing tls.key + tls.crt.

Added Unit and e2e tests for secret with Additional output format.

Feature flag AdditionalCertificateOutputFormats to enable feature.

Signed-off-by: Thierry Sallé <seuf76@gmail.com>
2022-01-14 11:10:32 +01:00
Dean Coakley
17efd74753 Clean up template
Signed-off-by: Dean Coakley <dean.s.coakley@gmail.com>
2022-01-08 08:26:48 +00:00
Dean Coakley
c17b11fa01 Remove securityContext.enabled from helm chart
`securityContext.enabled` was deprecated and has already been replaced by
`securityContext` which supports arbitrary yaml.

Signed-off-by: Dean Coakley <dean.s.coakley@gmail.com>
2022-01-08 08:26:44 +00:00
jetstack-bot
3c9510b782
Merge pull request #4329 from jwenz723/patch-1
[Helm Chart] Add optional service annotations
2022-01-05 12:46:45 +00:00
irbekrm
f9a9326483 Add comments on how to view all available flags for cert-manager binaries
Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-12-31 09:15:14 +00:00
irbekrm
e500109bea Removes example setting of --cluster-resource-namespace flag from extra args
As there is already a top level clusterResourceNamespace key in Helm values that sets the same flag

Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-12-31 09:04:05 +00:00
jetstack-bot
52bba1dcdb
Merge pull request #4656 from TerryHowe/helm-ignore
Minor clean-up to helm chart
2021-12-17 12:21:13 +00:00
jetstack-bot
0b8eba629c
Merge pull request #4554 from SgtCoDFish/maker
Makefile flow
2021-12-17 10:37:13 +00:00
jetstack-bot
b5fbabdc6f
Merge pull request #4635 from wallrj/remove-deprecated-apis-crds
Remove deprecated APIs from the CRD templates
2021-12-15 13:31:33 +00:00
Ashley Davis
32d716654a
Add a makefile flow for building artifacts
Includes targets for:

- all "server" binaries, for all arches
- all containers for all server binaries for all arches
- all client binaries (kubectl plugin / cmctl) for all arches
- the cert-manager helm chart + signature
- the cert-manager static manifests + CRDs
- tools which bazel would download, with checksum verification
- (commented out) a signed SHA256SUM file for client binaries

Upgrades from the bazel flow include that:

- we use OS-specific base images rather than just using amd64 everywhere
- we easily add support for signing artifacts at build time
- we add ".exe" to the end of windows executables
- we add a zip file for windows executables, for easier consumption
- we concatenate YAML files more robustly
- staging a full release should be much faster
- hopefully, it's easier to change things!
- licenses are trimmed down to reduce bloat in images (the license
  bundle was 1.4MB in size alone)

Changes from the bazel flow include:

- containers no longer have a symlink to the binary at an unusual
  path, but instead just have the binary at a more predictable path
  (e.g. /app/cmd/webhook/webhook instead of
  /app/cmd/webhook/webhook.runfiles/com_github_jetstack_cert_manager/cmd/webhook/webhook_/webhook)

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2021-12-15 09:54:15 +00:00
Richard Wall
d80c53dc16 Remove conversion webhook configurations
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-12-14 17:42:54 +00:00
jetstack-bot
5894ed989a
Merge pull request #4546 from munnerz/webhook-config-api
Support loading webhook config from versioned file
2021-12-14 10:09:02 +00:00
Terry Howe
3263a4c1fb Minor clean-up to helm chart
Signed-off-by: Terry Howe <tlhowe@amazon.com>
2021-12-12 05:58:44 -07:00
James Munnelly
cfbd574e75 Remove deprecation notice on webhook.securePort
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2021-12-10 12:53:00 +00:00
jetstack-bot
7166f32320
Merge pull request #4608 from ninech/add_honor_labels
allow to honor the labels of cert-manager on conflicts
2021-12-10 10:48:51 +00:00
James Munnelly
838a8dc153 Allow specifying minTLSVersion and cipherSuites without explicit tlsConfig
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2021-12-03 13:03:57 +00:00
James Munnelly
17d6a19ba2 Fix apiVersion of example config
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2021-12-03 12:56:34 +00:00
James Munnelly
d4beef13b8 Support configuring securePort in webhook service
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2021-12-03 12:56:26 +00:00
joshvanl
6d83e3111d Removes v1beta1 from webhook's admissionReviewVersions as we no longer
support Kubernetes v1.16

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-12-02 10:40:44 +00:00
James Munnelly
1a96d9f32d config.cert-manager.io -> webhook.config.cert-manager.io
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2021-12-01 12:57:08 +00:00
Richard Wall
704fe73b4b Remove deprecated APIs from the CRD templates
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-11-30 13:33:59 +00:00
nick
4755fccb63 improve option description
Signed-off-by: Sebastian Nickel <nick@nine.ch>
2021-11-26 16:27:16 +01:00
James Munnelly
553e1e0536 Add ability to configure WebhookConfiguration via the Helm chart
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2021-11-26 14:17:34 +00:00
nick
3c5e5ee05e allow to honor the labels of cert-manager
With setting honorLabels to "true" one can get rid of the "exported_namespace" label in scraped cert-manager metrics.

Signed-off-by: Sebastian Nickel <nick@nine.ch>
2021-11-19 15:44:23 +01:00
Ashley Davis
115b70cfef
update link to k8s security context spec
the old link was for 1.16 and actually led to a site with a certificate error

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2021-11-19 13:55:02 +00:00
Ashley Davis
0e9c9e3481
bump supported k8s version in helm chart readme
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2021-11-19 13:54:22 +00:00
jetstack-bot
0236f0836e
Merge pull request #4556 from inteon/helm_template_cleanup
Cleanup helm templates & fix empty 'resources' in deployment
2021-11-15 14:27:06 +00:00
jetstack-bot
4291d207b7
Merge pull request #3883 from james-callahan/omit-servicemonitor-namespaceSelector
No need to specify namespaceSelector when in same namespace
2021-11-05 13:02:28 +00:00
Inteon
4a9bbce297
add spaces
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
2021-11-01 11:45:42 +01:00
Inteon
b1445d687e
cleanup helm templates & better support for empty 'resources' in values.yaml
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
2021-11-01 11:37:50 +01:00
Richard Wall
c6896b2f93 Set all non-v1 CRD versions as not-served
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-09-29 12:17:32 +01:00
Trey Dockendorf
3b860993c5
Allow setting Helm chart service annotations
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
2021-09-20 12:33:39 -04:00
jetstack-bot
5ec37819e8
Merge pull request #4433 from wallrj/4431-cleanup-failed-install-hook-resources
Cleanup hook resources from previous failed installs
2021-09-06 11:06:28 +01:00
jetstack-bot
8f0225189e
Merge pull request #4332 from tomasfreund/feature/azure-dns-msi-id
Add option to specify managed identity id when using azure dns
2021-09-03 17:17:22 +01:00
Richard Wall
31821e7fd8 Cleanup hook resources from previous failed installs
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-09-03 16:36:13 +01:00
Nicolas Degory
d2209df85a Apply suggestions from code review
Co-authored-by: Richard Wall <wallrj@users.noreply.github.com>
Signed-off-by: Nicolas Degory <nicolas.degory@gmail.com>
2021-08-29 09:24:59 -07:00
Nicolas Degory
6549344e47 PR review
Signed-off-by: Nicolas Degory <nicolas.degory@gmail.com>
2021-08-29 09:21:47 -07:00
Nicolas Degory
9ce9c7d2bd add startup API check job PSP
Signed-off-by: Nicolas Degory <nicolas.degory@gmail.com>
2021-08-29 09:21:47 -07:00
irbekrm
38ce9fc4b1 Adds a warning about sidecar proxy for startup check job
Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-08-27 12:18:44 +01:00
Jake Sanders
5df1dd4932
Update Docs on solver type to reflect default service type
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2021-08-19 14:55:50 +01:00
jetstack-bot
c5a4cb9fbf
Merge pull request #4384 from jakexks/en_GB
finalisers -> finalizers
2021-08-18 17:23:35 +01:00
Jake Sanders
e0ecc9938a
finalisers -> finalizers
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2021-08-18 15:33:27 +01:00
irbekrm
7d30a6452c Removes status fields from CRD definitions
Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-08-18 10:17:34 +01:00
jetstack-bot
30c40f8f15
Merge pull request #4348 from inteon/upgrade_deps_v0.22.0
Upgrade deps (kube v0.22.0)
2021-08-14 01:07:12 +02:00
Inteon
b13eb0483b
upgrade deps to latest version (kube v0.22.0)
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
2021-08-13 23:38:59 +02:00
Tomáš Freund
8e737dd1b7 move azure managed identity config to nested struct, improve validation
Signed-off-by: Tomáš Freund <tomas.freund@datamole.cz>
2021-08-13 16:17:08 +02:00
Ashley Davis
e0e5a50f31
fix mistakenly changed CRDs for v1beta1 (#4352)
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2021-08-13 13:44:05 +01:00
jwenz723
71c376c935
Add webhook service annotations:
Signed-off-by: Jeff Wenzbauer <jwenz723@gmail.com>
2021-08-09 16:26:03 -06:00
Jeff Wenzbauer
01635752ea
Add documentation of serviceAnnotations
Signed-off-by: Jeff Wenzbauer <jwenz723@gmail.com>
2021-08-09 16:14:19 -06:00
Jeff Wenzbauer
9201d5de5b
Add use of .Values.serviceAnnotations in Service
Signed-off-by: Jeff Wenzbauer <jwenz723@gmail.com>
2021-08-09 16:13:47 -06:00
jetstack-bot
17a5066400
Merge pull request #4308 from Dean-Coakley/fix-chart-readme
Fix chart readme install command
2021-08-09 09:33:49 +01:00
Dean Coakley
19eae6e81b Fix chart prerequisites Kubernetes version
Ref: https://cert-manager.io/docs/installation/supported-releases/

Signed-off-by: Dean Coakley <dean.s.coakley@gmail.com>
2021-08-05 13:20:19 +01:00
Dean Coakley
b42a566d4f Fix helm install commands for helm 3.x clients
Signed-off-by: Dean Coakley <dean.s.coakley@gmail.com>
2021-08-05 13:14:35 +01:00
Dean Coakley
c76ae73b00 Fix chart install command to include version
Signed-off-by: Dean Coakley <dean.s.coakley@gmail.com>
2021-08-05 13:12:03 +01:00
jetstack-bot
34cb511980
Merge pull request #4050 from longkai/fix-ssa
explicitly specify port protocol field to allow server side apply
2021-08-04 11:40:23 +01:00
jetstack-bot
d647e543e3
Merge pull request #4276 from jakexks/gateway-http01
Experimental Gateway API support for ACME HTTP-01 Solving
2021-08-03 18:51:49 +01:00
jetstack-bot
b5f80c428e
Merge pull request #4234 from inteon/add_startupapicheck
Add startup api check Job
2021-08-03 17:41:49 +01:00
Jake Sanders
23e1acdd5c
Update Gateway HTTPRoute Label doc string
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2021-08-03 15:26:40 +01:00
Jake Sanders
c2d7a98192
Remove PodTemplate from Gateway Solver, rename to GatewayHTTPRoute
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2021-08-03 14:26:45 +01:00
jetstack-bot
c333ace179
Merge pull request #4072 from Marfeel/master
Add a name to Prometheus scraping service port for Istio compatibility
2021-08-03 11:43:19 +01:00
Fran Sanjuán
21bbdaced6 Set fixed port name
Signed-off-by: Fran Sanjuán <francesc.sanjuan@marfeel.com>
2021-08-03 11:55:38 +02:00
Jonathan Prates
50bb91a032 feat: update object description explaining the current behaviour
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
2021-08-03 09:26:23 +01:00
Jonathan Prates
9f36f8984b feat: copy SecretTemplate api to v1alpha2 v1alpha3 and v1beta1
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
2021-08-03 01:19:11 +01:00
Jonathan Prates
0569997ede feat: update crds
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
2021-08-03 01:19:11 +01:00
Jake Sanders
b38869b551
Gateway HTTP01: Make docs better, only enable gateway solver if gateway API is found
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2021-08-02 14:06:23 +01:00
Jake Sanders
34a844b150
Fix validation test, add RBAC for gateway API
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2021-08-02 14:06:21 +01:00
Jake Sanders
deb9ccc5a9
HTTP01 solver support for the Gateway API
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2021-08-02 14:06:16 +01:00
Jake Sanders
6f6213c5fd
APIs and validation
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2021-08-02 14:06:09 +01:00
Inteon
06e2ac2d41
change weight of hook resources and only delete after all hooks have finished
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
2021-07-30 17:31:25 +02:00
jetstack-bot
b04e42c437
Merge pull request #4253 from JoshVanL/apiextensions-v1beta1-v1
Conversion: Apiextensions v1beta1 -> v1
2021-07-30 15:49:49 +01:00
Inteon
0eabaec743
change startupapicheck to helm post-install hook
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
2021-07-30 16:04:55 +02:00
joshvanl
29514ff09d Adds v1beta1 as a supported admissionReviewVersion with a note as to
why it is listed even though we don't support it

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-07-29 11:10:25 +01:00
joshvanl
fbfe48cad8 Change webhook manifests for mutation and validation to only accept v1
in admissionReviewVersions

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-07-29 11:10:25 +01:00
joshvanl
6c5a4897b6 Adds note as to why v1beta1 is still an accepted
`conversionReviewVersion`

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-07-28 15:49:50 +01:00
Inteon
e73f3bed12
update README.template.md, add startupapicheck flags
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
2021-07-28 16:47:31 +02:00
joshvanl
b3ece6708a Adds v1beta1 as a conversionReviewVersion but don't actually support
it

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-07-28 15:36:58 +01:00
mortega
d525001f80 Adding webhook.serviceLabels to README template
Signed-off-by: Marco Ortega <mortega@brightcove.com>
2021-07-27 10:24:29 -05:00
Inteon
9092bf8bb6
use correct component name in comments & add --wait-for-jobs flag
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
2021-07-27 15:54:00 +02:00
mortega
feee2fd76c Enabling serviceLabels for webhook service.
Signed-off-by: Marco Ortega <mortega@brightcove.com>
2021-07-27 07:03:16 -05:00
joshvanl
5680bfd4b3 Change all CRDs to no longer accept v1beta1 conversionReviewVersions
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-07-26 17:05:58 +01:00
Inteon
411452809c
add startup api check Job
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
2021-07-20 19:40:53 +02:00
Maël Valais
30f9c123d3 gateway-shim: add the gateway-shim controller
Note that the gateway-shim is only half the work for supporting the
Gateway API in cert-manager. The other half is the HTTP01 solver
support, which is still worked on.

The Gateway API in cert-manager is released as an experimental feature
and needs to be enabled manually with the following flag:

  --controllers=*,gateway-shim

All the annotations supported by ingress-shim are also supported by
gateway-shim, with some exceptions:

  "acme.cert-manager.io/http01-ingress-class"

This annotation is not supported on the Gateway resource. Although the
Gateway resource also has a "gatewayClass" field, we will need to add
another field instead of "ingress-class" to avoid confusion with the
ingress-shim.

  "acme.cert-manager.io/http01-edit-in-place"

This annotation is not supported because it is specific to some ingress
controllers like ingress-gce.

  "kubernetes.io/tls-acme"

This annotation is not supported because it is a behavior inherited from
kube-lego and we chose not to keep this behavior with the Gateway API.

Unlike the ingress-shim, you can reuse the same Secret name in multiple
TLS configurations on the same Gateway resource.

The ingress-shim now shows the exact location of the duplicate
secretName when the user gives the same secretName in two separate TLS
blocks.

Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Jake Sanders <i@am.so-aweso.me>
2021-07-15 20:34:55 +02:00