weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
6,371 Commits 45 Branches 0 Tags 96 MiB
7f8641dd94
Commit Graph

1148 Commits

Author SHA1 Message Date
Thierry Sallé
7f8641dd94 [additionalOutputFormats] Update comments and add more tests 
Signed-off-by: Thierry Sallé <seuf76@gmail.com>
 2022-01-14 11:10:32 +01:00
Thierry
81f308221b Add certifcate additionalOutputFormats parameter 
DER Format to create key.der binary format of the private key.

CombinedPEM Format to create tls-combined.pem containing tls.key + tls.crt.

Added Unit and e2e tests for secret with Additional output format.

Feature flag AdditionalCertificateOutputFormats to enable feature.

Signed-off-by: Thierry Sallé <seuf76@gmail.com>
 2022-01-14 11:10:32 +01:00
jetstack-bot
778be75841
Merge pull request #4697 from irbekrm/valid_orders_update 
Don't fail an order that has been finalized, but the status has not been synced to Order CR
 2022-01-12 08:10:03 +00:00
irbekrm
e7cc37ef71 Code review feedback 
Signed-off-by: irbekrm <irbekrm@gmail.com>

Co-authored-by: Maël Valais <mael@vls.dev>
 2022-01-11 18:09:44 +00:00
jetstack-bot
fa321b6a4b
Merge pull request #4287 from linka-cloud/acme-http-challenge-cutomer-dns 
Acme http challenge custom dns
 2022-01-11 11:24:03 +00:00
irbekrm
24866544b8 Ensures that if alternate cert chain is specified, it is retrieved 
Ensures that if the cert is retrieved in a reconcile following the one that finalized the ACME order, the alternate cert chain is still respected, if specified by user

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2022-01-11 10:51:14 +00:00
irbekrm
de8aa2583e Ensures that ACME orders controller does not create new order if it failed to update old order's status to valid 
Check the status of the ACME order if finalizing order failed to catch edge cases where the order is already finalized, but the updating of Order CR's status has failed

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2022-01-11 10:51:14 +00:00
jetstack-bot
2e465fbf34
Merge pull request #4628 from irbekrm/sync_cleanup 
Order sync cleanup
 2022-01-10 20:27:04 +00:00
James Munnelly
9c04a04c7c Move feature package into internal/controller 
Signed-off-by: James Munnelly <jmunnelly@apple.com>
 2022-01-07 12:17:36 +00:00
Adphi
3375fa0609
http01: add custom nameservers support (#4286) 
Signed-off-by: Adphi <philippe.adrien.nousse@gmail.com>
 2022-01-06 21:02:46 +01:00
jetstack-bot
019d64edcf
Merge pull request #4688 from irbekrm/renew_failed 
Fixes a bug where a previous failed CertificateRequest was picked up during next issuance
 2022-01-04 15:08:31 +00:00
irbekrm
0a4617e582 Fix staticcheck error 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2022-01-04 10:11:04 +00:00
irbekrm
fac6622f5e Delete CertificateRequest that failed during previous issuance if we are re-issuing for the same revision 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-12-22 14:54:55 +00:00
irbekrm
ff67b2a9a0 Ignore failed CRs for previous issuance in certificates-issuing controller 
Issuing controller should only look at 'current' CertificateRequests

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-12-22 14:51:25 +00:00
James Munnelly
81f22fd49c Upgrade k8s.io dependencies to v0.23.1 
Signed-off-by: James Munnelly <jmunnelly@apple.com>
 2021-12-17 16:27:47 +00:00
joshvanl
d5503c2ed2 Change certificates controller to no longer error for a Certificate that 
no longer exists

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-11-30 15:13:14 +00:00
irbekrm
e48846132b Add a couple new test cases for order finalization 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-11-26 16:32:02 +00:00
irbekrm
4aee0a4acd Reduce a few calls to ACME server 
Ensure that when updating cert-manager Order CR's status from an existing ACME Order only one call will be made to retrieve the ACME Order

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-11-26 16:31:27 +00:00
irbekrm
e66c6a04d4 Fixes a typo in finalizeOrders 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-11-26 16:30:25 +00:00
irbekrm
7739497f22 Don't process Order CRs that have failed 
Ensure that cert-manager does not attempt to create new ACME Orders for cert-manager Order CRs that are in failed (errored, invalid or expired) state. If the CertificateRequest was created from a Certificate, the issuance will be retried after 1 hour

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-11-23 15:34:35 +00:00
Krzysztof Ostrowski
e35cb361c8
add comments to satisfy linter 
Signed-off-by: Krzysztof Ostrowski <kostrows@redhat.com>
Co-authored-by: Irbe Krumina <irbekrm@gmail.com>
 2021-11-04 18:15:46 +01:00
Igor Zibarev
f9ceb8a73e Fix some lint issues regarding comments 
References issue #4457

Signed-off-by: Igor Zibarev <zibarev.i@gmail.com>
 2021-11-02 13:57:20 +03:00
Jake Sanders
486fc49545
Add fuzzing unit tests for JKS passwords 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-10-29 15:12:51 +01:00
James Munnelly
e7dea9f2a2 Replace all references to pkg/internal with internal 
Signed-off-by: James Munnelly <jmunnelly@apple.com>
 2021-10-21 12:27:04 +01:00
irbekrm
598ed35e4a Uses go/crypto ListCertAlternates function to fetch alternative certificate chains 
This allows us to use upstream go/crypto again instead of our own fork

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-10-07 15:21:26 +01:00
Richard Wall
5d91f0a3c4 Fix flaky test by using EqualUnsorted to compare Events 
Supplants https://github.com/jetstack/cert-manager/pull/4297

Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2021-10-01 12:41:15 +01:00
irbekrm
7e9753c92e Fix CertificateRequest test 
In Go 1.17 x509.CreateCertificate fails if public key doesn't match private key https://golang.org/doc/go1.17

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-09-30 10:08:40 +01:00
joshvanl
f21a947523 Adds comment as to why the GetAuthorization is called instead of 
GetChallenge

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-09-16 14:44:38 +01:00
joshvanl
f83f02cc8b Replace GetChallenge call in acmechallenge controller to 
GetAuthorization

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-09-15 16:05:37 +01:00
George Moldoveanu
b94b678f6d
reinstated keystore.go comment 
Signed-off-by: George Moldoveanu <mol.george@gmail.com>
 2021-09-10 13:33:46 +01:00
George Moldoveanu
563aeb1789
fixed keystore.go and keystore_test.go modules imports 
Signed-off-by: George Moldoveanu <mol.george@gmail.com>
 2021-09-10 13:28:45 +01:00
George Moldoveanu
0463681244
updates go deps and bazel files 
Signed-off-by: George Moldoveanu <mol.george@gmail.com>
 2021-09-02 23:45:11 +01:00
George Moldoveanu
d0151f7175
fixed TestEncodeJKSKeystore tests to work with upgraded keystore-go api (v4) 
Signed-off-by: George Moldoveanu <mol.george@gmail.com>
 2021-09-02 23:33:45 +01:00
George Moldoveanu
155e90d175
upgraded keystore-go to v4 and fixed code to use v4 api 
Signed-off-by: George Moldoveanu <mol.george@gmail.com>
 2021-09-02 23:24:06 +01:00
jetstack-bot
e5cc0be04b
Merge pull request #4399 from irbekrm/fix_renewal_issue 
Fix renewalTime skew issue
 2021-08-23 16:36:50 +01:00
irbekrm
ec1bdc4983 Adds a test case for renewal time skew and a comment 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-08-23 15:00:57 +01:00
Eng Zer Jun
54e70d2cc4
refactor: move from io/ioutil to io and os package 
The io/ioutil package has been deprecated in Go 1.16. This commit
replaces the existing io/ioutil functions with their new definitions in
io and os packages.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
 2021-08-23 19:50:42 +08:00
irbekrm
50e90dfe6e Fix renewalTime skew issue 
Ensure the time returned by RenewalTime function is the same time as that which will be read from Certificate's status

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-08-20 17:57:35 +01:00
Ashley Davis
68f5ceb3b4
Fix manually specified Certificate and CertificateRequest versions 
Basically all modern X.509 certs are version 3, but confusingly to
specify "version 3" in an encoded cert, the version number is actually
2.

For PKCS#10 CSRs, the only valid version is 1, which again
confusingly has the value "0" when encoded.

This was incorrect in many places, including one place in which the
version number on a CSR was used as a certificate's version number,
when the two are entirely unrelated.

Go ignores these values, so there's no functional changes here; still,
it's better to be accurate.

Go ignoring CSR version and specifying 0:
https://cs.opensource.google/go/go/+/refs/tags/go1.17:src/crypto/x509/x509.go;l=1958

Go ignoring Certificate version and specifying 2:
https://cs.opensource.google/go/go/+/refs/tags/go1.17:src/crypto/x509/x509.go;l=1534

PKCS#10 CSR specification in RFC 2986 section 4.1:
https://datatracker.ietf.org/doc/html/rfc2986#section-4

X.509 Cert specification in RFC 5280 section 4.1.2.1:
https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.1

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2021-08-19 14:48:12 +01:00
irbekrm
904d4e3c15 Don't error if owner not found in cache 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-08-17 08:31:49 +01:00
jetstack-bot
d647e543e3
Merge pull request #4276 from jakexks/gateway-http01 
Experimental Gateway API support for ACME HTTP-01 Solving
 2021-08-03 18:51:49 +01:00
jetstack-bot
be8079b504
Merge pull request #4293 from maelvls/fix-nil-pointer 
Nil pointer exception: certificateRef and TLS can now be left empty
 2021-08-03 16:04:49 +01:00
Maël Valais
30af205777 nil pointer: the Gateway API is full of pointers 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-08-03 15:43:16 +02:00
Jonathan Prates
50bb91a032 feat: update object description explaning the current behaviour 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 09:26:23 +01:00
Jonathan Prates
12363f91e2 fix: move secretTemplate validations to validation package 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 01:19:11 +01:00
Jonathan Prates
6e8f74b4f8 tests: add Labels map to the expected secret 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 01:19:11 +01:00
Jonathan Prates
e1034c219e feat: add validation for annotations and labels 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 01:19:11 +01:00
Jonathan Prates
c5e81b13f6 fix: labels cannot be shown if no labels were changed 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 01:19:11 +01:00
Jonathan Prates
811069cac7 fix: do not create secret labels if template is empty 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 01:19:11 +01:00
Jonathan Prates
936ad33539 fix: ensure secret annotations and labels will be copied if updated in the cert 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 01:19:11 +01:00