* Ensure Vault URL can be parsed
* Separate generic http errors from vault specific errors when checking
health endpoint
Signed-off-by: Vincent Sabatini <vincent.sabatini@gmail.com>
and add support for add DontAllowInsecureCSRUsageDefinition featuregate
to use old behavior in controller
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
This does not actually change how the informers work. This also adds a partial metadata client to root context
Signed-off-by: irbekrm <irbekrm@gmail.com>
This will only be needed by the SecretsFilteredCaching feature, but I cannot think of any harm by adding it to general path
Signed-off-by: irbekrm <irbekrm@gmail.com>
Previously, the Vault issuer was only able to use a Secret in order to
use the "Kubernetes authentication" method. The downside to this service
account Secret token is that it has the default JWT iss
"kubernetes/serviceaccount" (along with the fact that the token is not
bound to a particular pod and has no expiry).
With the new serviceAccountRef, cert-manager now requests the token on
behalf of the pod in order to authenticate with Vault.
Signed-off-by: Maël Valais <mael@vls.dev>
See https://github.com/cert-manager/cert-manager/issues/5601
When referring to external issuers whose kind is not "Issuer" or
"ClusterIssuer" we log an error message thanks to a new check added in
a previous PR[1] which should only trigger for SelfSigned issuers.
The error previously looked like:
```text
"error"="invalid value \"x\" for issuerRef.kind. Must
be empty, \"Issuer\" or \"ClusterIssuer\""
```
After this PR, any CR with an issuer whose group or kind doesn't
match what's expected for a built-in issuer will be skipped
https://github.com/cert-manager/cert-manager/pull/5336
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
WIP: test other issuer kinds
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
so that CertificateRequets will be re-synced on informed Secrets which
are referenced with "cert-manager.io/private-key-secret-name"
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
This removes all .bazel and .bzl files, and a bunch of scripts relating
to bazel, now that it's been entirely replaced.
There are still a few places where traces could be removed, but this
removes the brunt of the bazel stuff that remains.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
In Go 1.17 x509.CreateCertificate fails if public key doesn't match private key https://golang.org/doc/go1.17
Signed-off-by: irbekrm <irbekrm@gmail.com>
fixes the following issues:
pkg/controller/acmeorders/util.go:84:6 deadcode `hashChallenge` is unused
pkg/controller/certificaterequests/approver/approver.go:72:14 staticcheck SA4021: x = append(y) is equivalent to x = y
pkg/controller/certificaterequests/vault/vault_test.go:535:21 errcheck Error return value of `controller.Register` is not checked
pkg/controller/certificates/trigger/policies/policies.go:121:26 gosimple S1039: unnecessary use of fmt.Sprintf
pkg/controller/clusterissuers/sync_test.go:55:12 errcheck Error return value of `c.Register` is not checked
pkg/controller/ingress-shim/sync.go:301:2 gosimple S1005: unnecessary assignment to the blank identifier
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
