Commit Graph

2879 Commits

Author SHA1 Message Date
Luca Comellini
091549620b
Bump Go to 1.18
Signed-off-by: Luca Comellini <luca.com@gmail.com>
2022-06-02 15:50:13 -07:00
Cody W. Eilar
2da5974fb4 Improve logging output for webhook cert renewal
- Make "cert-manager certificate" explicit in log output
- Include DNSNames for context

Signed-off-by: Cody W. Eilar <ecody@vmware.com>
2022-05-24 12:48:45 -07:00
irbekrm
df3bb59af5 Ensure that Venafi client for CSRs gets initialized with metrics
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-05-16 17:23:33 +01:00
Richard Wall
1ade01f819 Addressed code review feedback and simplified the unit-tests
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2022-05-14 14:24:13 +01:00
Richard Wall
557d14a0cd Refactor the update and updateStatus to a single deferred function
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2022-05-12 16:51:30 +01:00
jetstack-bot
4ec33298a2
Merge pull request #5081 from wallrj/3640-cleanup
Challenge cleanup improvements
2022-05-05 11:19:28 +01:00
Irbe Krumina
1d917ef311 Revert "Use Apply instead of Update to modify resources in tests"
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-05-03 11:31:47 +01:00
Richard Wall
6a4fffbedc Test that the cleanup is performed
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2022-04-29 17:51:34 +01:00
Richard Wall
5f867bff37 Use a more reliable check for deletion
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2022-04-29 16:49:23 +01:00
jetstack-bot
eb76f331ad
Merge pull request #5077 from irbekrm/tests_apply
Use Apply instead of Update to modify resources in tests
2022-04-29 13:23:00 +01:00
jetstack-bot
31d0c3ab41
Merge pull request #5051 from wallrj/3640-set-and-consume-challenge-finalizer-in-one-place
Set the challenge cleanup finalizer in the Sync function
2022-04-28 15:43:24 +01:00
irbekrm
54a487f1fb certificates.Apply returns the patched certificate
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-04-28 14:41:22 +01:00
irbekrm
c91372a96e Mark venafi_client_request_duration_seconds metric as alpha
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-04-28 11:52:48 +01:00
irbekrm
591fb3cfc9 Code review feedback
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-04-28 10:12:16 +01:00
Richard Wall
ee8c1cf738 Remove finalizer duties from the scheduling function and update and expand the tests
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2022-04-27 10:34:22 +01:00
Richard Wall
dd4fe97928 Set the finalizer as part of the Challenge Sync function
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2022-04-27 10:34:22 +01:00
irbekrm
ccdb30e16b Cleanup
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-04-20 12:26:35 +01:00
irbekrm
cb0c8ba3e3 Log Venafi API calls
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-04-20 10:32:02 +01:00
irbekrm
99edfcfbfc Adds Venafi metrics
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-04-20 08:48:41 +01:00
Ashley Davis
76cdab0c82
remove pkg/util/coverage
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-04-08 16:56:24 +01:00
lonelyCZ
53d8a07397 Add a unit test for challenges reScheduler
Signed-off-by: lonelyCZ <531187475@qq.com>
2022-04-08 14:35:41 +08:00
lonelyCZ
57a6d931a1 Fix the error is reported to null when it happens
Signed-off-by: lonelyCZ <531187475@qq.com>
2022-04-07 16:10:14 +08:00
irbekrm
0f74fc10fb Removes unnecessary check for finalizer diff in challenge sync
No changes are made to finalizers in this function

Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-04-01 11:53:44 +01:00
irbekrm
9a9ca2006a Adds a challenge finalizer in challenges controller
This was previously applied in orders controller, which was causing issues when trying to remove it in challenges controller via server side apply

Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-04-01 11:53:44 +01:00
joshvanl
82c068f0fd Updates ACME challenge controllers to use apply
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-04-01 11:53:44 +01:00
jetstack-bot
86ad9962a3
Merge pull request #4967 from maelvls/gwapi-v1alpha2-optional-labels
Gateway API: with v1alpha2, the labels have become optional
2022-03-30 15:11:33 +01:00
jetstack-bot
00938dfa4c
Merge pull request #3605 from mikebryant/3601-default-nodeselector-linux
fix: Set default nodeSelector to linux
2022-03-30 13:38:33 +01:00
Jake Sanders
b72db63761
Change label description for HTTP-01 Gateway API solver and fix tests
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2022-03-30 12:52:34 +01:00
jetstack-bot
e2266d7a8b
Merge pull request #4987 from wikimedia/issue-4956
Add controller_requeue_count metric
2022-03-29 19:53:53 +01:00
jayme-github
63e3b7a0a8 Add controller_sync_error_count metric
Introducing a new metric controller_sync_error_count counting the
number of errors during sync() of a controller.

This adds more visibility to potential issues ranging from things like
connection problems to the API or webhooks to possible hard errors.

For context, please see #4956

Signed-off-by: Janis Meybohm <jmeybohm@wikimedia.org>
2022-03-29 16:02:49 +02:00
joshvanl
6ee59fb9e8 Wires up new post issuance checks for issuing controller
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-03-29 13:54:27 +01:00
jetstack-bot
bfcc204c2b
Merge pull request #4811 from JoshVanL/controllers-server-side-apply-certificates-shim
Server Side Apply: Adds support for certificate-shim controllers to use SSA with Feature Gate
2022-03-28 14:33:31 +01:00
jetstack-bot
e116d416f3
Merge pull request #4799 from JoshVanL/controllers-server-side-apply-orders
Server Side Apply: Adds support for Order controllers to use SSA with Feature Gate
2022-03-28 13:11:31 +01:00
joshvanl
c1c2d2d081 Add roundtrip test to Certificate serializing. Add field manager to
certificates-shim Create API call

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-03-28 12:40:29 +01:00
joshvanl
9d0b2590a8 Optionally Apply certificates, instead of update, in certificate-shim
when Server-Side apply is enabled

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-03-28 12:40:28 +01:00
jetstack-bot
c30cfa1610
Merge pull request #4973 from irbekrm/restrict_duration
Enforce minimum value of experimental.cert-manager.io/request-duration to 600s
2022-03-28 12:34:31 +01:00
jetstack-bot
d8fee10ad8
Merge pull request #4962 from fvlaicu/fix-route53-dns-challenge
Route53 challenges: upsert records instead of create
2022-03-23 17:29:20 +00:00
irbekrm
2656cc18c3 Fix test failures
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-23 09:57:34 +00:00
irbekrm
09d8cb9cf8 Adds some more test cases
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-23 09:20:21 +00:00
irbekrm
661abb133f Set CSR as failed if annotation duration is not a valid time
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-22 18:04:21 +00:00
irbekrm
d384aef754 Enforce minimum value of experimental.cert-manager.io/request-duration to 600s
To ensure compatibility with CSR's spec.expirationSeconds

Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-22 18:04:21 +00:00
jetstack-bot
0631806082
Merge pull request #4974 from irbekrm/fix_csr_events
Use client-go scheme with core types added as event recorder scheme
2022-03-22 17:49:51 +00:00
irbekrm
a5ed48a324 Adds a unit test for certificatesigningrequests sync function
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-22 15:09:33 +00:00
jetstack-bot
dc24503939
Merge pull request #4958 from irbekrm/tsig_provider
Use our own implementation of miekg/dns.TsigProvider interface
2022-03-22 12:18:51 +00:00
jetstack-bot
be15ce2279
Merge pull request #4953 from ajvn/feature/allow-privilege-escalation
update: Setting allowPrivilegeEscalation to false
2022-03-22 11:01:47 +00:00
irbekrm
cec0a6cde8 Use client-go scheme with core types added as event recorder scheme
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-22 09:47:46 +00:00
jetstack-bot
ca32961253
Merge pull request #4772 from irbekrm/exp_backoff
Exponential backoff for retrying failed certificate issuances
2022-03-21 20:31:23 +00:00
Maël Valais
4b3af946db gateway-api: with v1alpha2, the labels have become optional
Previously, in v1alpha1, an HTTPRoute was matched to a Gateway using
the label selectors present on the Gateways. For example, with the
following Gateway:

  apiVersion: networking.x-k8s.io/v1alpha1
  kind: Gateway
  metadata:
    name: acmesolver
  spec:
    listeners:
      - protocol: HTTP
        port: 80
        routes:
          kind: HTTPRoute
          selector:
            matchLabels:
              app: foo

you would have to use the following labels on the HTTPRoute in order to
get the above Gateway to be used:

  apiVersion: networking.x-k8s.io/v1alpha1
  kind: HTTPRoute
  metadata:
    labels:
      app: foo

With v1alpha2, the label selectors have been dropped. Instead, the
HTTPRoute has to give a direct reference to the Gateway:

    apiVersion: gateway.networking.k8s.io/v1alpha2
    kind: HTTPRoute
    spec:
      parentRefs:
        - kind: Gateway
          name: acmesolver
          namespace: traefik

This means that the "labels" field on the gatewayHTTPRoute solver is now
optional:

    apiVersion: cert-manager.io/v1
    kind: Issuer
    spec:
      acme:
        solvers:
          - http01:
              gatewayHTTPRoute:
                labels:              | This field is
                  app: test          | now optional.
                parentRefs:
                  - kind: Gateway
                    name: acmesolver

Signed-off-by: Maël Valais <mael@vls.dev>
2022-03-21 17:39:10 +01:00
Monis Khan
2a33c7a5c2
Use Kubernetes CSR spec.expirationSeconds to express cert duration
This change adds the ability to express certificate duration using
the Kubernetes CSR spec.expirationSeconds field alongside the existing
approach of using the experimental.cert-manager.io/request-duration
annotation.  Both approaches are supported as the expirationSeconds
field requires Kubernetes v1.22+.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-03-21 09:40:32 -04:00
irbekrm
dbad3d98f3 Rename issuanceAttempts -> failedIssuanceAttempts
In an attempt to convey the meaning of the field better

Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-21 07:33:51 +00:00