Tim Ramlot
4d7f6281d0
use pki validation code for CSR validation
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-07-10 12:48:12 +02:00
jetstack-bot
843deed22f
Merge pull request #6199 from inteon/add_validation_to_pki
Add validation to pki CertificateTemplate functions
2023-07-07 09:32:14 +02:00
Tim Ramlot
5ba29272c0
add validation to pki CertificateTemplate function
and add support for the DontAllowInsecureCSRUsageDefinition featuregate
to use old behavior in controller
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-07-05 13:04:21 +02:00
jetstack-bot
914944c020
Merge pull request #6176 from inteon/reconcile_managed_annotations_and_labels
Reconcile when managed annotations/ labels are out-of-sync
2023-07-04 11:55:29 +02:00
Tim Ramlot
bfa61c7804
add comments explaining what the label and annotation checks do
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-29 18:50:28 +02:00
Tim Ramlot
c16a34e0b1
use .Delete()
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-29 18:50:24 +02:00
Tim Ramlot
1649730a0d
Update internal/controller/certificates/policies/checks.go
Co-authored-by: Richard Wall <wallrj@users.noreply.github.com>
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-29 12:54:20 +01:00
Tim Ramlot
2f56c3c89a
add DontAllowInsecureCSRUsageDefinition feature gate to disable the strict CSR validation
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-28 11:11:32 +02:00
Tim Ramlot
63387015d0
make CertificateRequest webhook validation more strict (the Usages array should always be the source of truth)
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-26 10:08:13 +02:00
Tim Ramlot
a9339849e5
improve label and annotation checks
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-23 17:05:42 +02:00
Tim Ramlot
229f99c197
update testcase based on feedback
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-23 09:14:38 +02:00
Tim Ramlot
19377b43b1
fix feedback from @wallrj
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-21 15:31:20 +02:00
Tim Ramlot
d310d8597c
improve comments
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-20 16:48:56 +02:00
Tim Ramlot
22440e8710
add SecretPublicKeysDiffersFromCurrentCertificateRequest check
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-20 16:48:50 +02:00
Tim Ramlot
9c9e833c5a
add TODO comment that explains that we don't understand the reason for the current behaviour
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-14 14:51:07 +02:00
Tim Ramlot
3aa7b82e43
Update internal/controller/certificates/policies/checks.go
Co-authored-by: EDDIE-DAV <136573637+EDDIE-DAV@users.noreply.github.com>
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-14 10:19:52 +01:00
Tim Ramlot
8ddf016b00
fix a bug that caused the issuer-ref and certificate-name annotations on Secrets to be correct when being updated.
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-13 16:54:32 +02:00
cui fliter
4723347260
fix function name in comments
Signed-off-by: cui fliter <imcusg@gmail.com>
2023-06-07 17:17:07 +08:00
jetstack-bot
c5e6bf39d6
Merge pull request #6054 from inteon/correct_versions
Use Version 3 for *x509.Certificate
2023-05-26 13:57:32 +01:00
irbekrm
8a34cbc0a0
Adds some warnings for folks to not import feature gates into shared code
Really we should restructure this to remove the possibility of accidentally overwriting other components' feature gates
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-05-23 12:02:55 +01:00
Tim Ramlot
e7530880ce
use Version 3 for all Certificates and Version 0 for all CertificateRequests
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-05-11 10:21:55 +02:00
Tim Ramlot
0cf0f80b40
switch to non-deprecated functions in source code
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-05-10 19:22:49 +02:00
jetstack-bot
a64088792d
Merge pull request #5991 from inteon/pr/JoshVanL/4810
Server Side Apply: Adds support for CA Injector controller
2023-05-05 14:21:07 +01:00
jetstack-bot
5035dda25e
Merge pull request #6006 from vidarno/cache-private-key-hash-on-issuer-status
Cache private key hash on issuer status
2023-05-05 08:05:07 +01:00
Tim Ramlot
bce882b477
use cainjector feature flags
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-05-03 19:52:13 +02:00
vidarno
4934183927
Extend CRDs and structs to include LastPrivateKeyHash field
Signed-off-by: vidarno <>
2023-04-29 09:12:56 +02:00
Thomas Müller
12483d3d54
Check JKS/PKCS12 truststores only if issuer provides the CA
The current policy check for keystores in Secrets creates a loop because
the truststore.jks or truststore.p12 will never exist when the issuer didn't
provide the CA certificate. This behaviour was introduced by #5597.
The JKS and PKCS12 truststores are only added to the Secret
if the CA is provided by the issuer. The CertificateRequest API
reference states:
> The PEM encoded x509 certificate of the signer, also known
> as the CA (Certificate Authority). This is set on a best-effort basis by
> different issuers. If not set, the CA is assumed to be unknown/not available.
This change will only check the PKCS12/JKS truststores if the CA cert from the
issuer exists in the secret.
Fixes #5755
Signed-off-by: Thomas Müller <thomas@chaschperli.ch>
2023-04-27 17:09:41 +02:00
irbekrm
3d82e94789
Ensures metadata only is cached for pods and services
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-04-25 06:20:58 +01:00
jetstack-bot
4f02c5c405
Merge pull request #5967 from avi-08/validate-secretName
Validate certificate.spec.secretName is a valid k8s resource name
2023-04-20 17:52:58 +01:00
Avi Sharma
5ad23ae756
Validate certificate.spec.secretName is a valid k8s resource name
Signed-off-by: Avi Sharma <avi.08.sh@gmail.com>
2023-04-20 17:41:05 +05:30
irbekrm
a6dc42201c
Ensures that partial meta secrets are cleaned up before caching
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-04-20 10:15:44 +01:00
jetstack-bot
e53f32d377
Merge pull request #5874 from inteon/webhook_approval_cleanup
Cleanup certificate request approval webhook
2023-04-11 10:34:17 +01:00
irbekrm
85c766a082
Code review feedback
Signed-off-by: irbekrm <irbekrm@gmail.com>
Co-authored-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-04-06 10:48:20 +01:00
irbekrm
729d358cd2
Cleanup
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-03-22 09:21:13 +00:00
irbekrm
2370e1be62
Adds unit tests
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-03-22 09:03:16 +00:00
irbekrm
d8dcf0b5e5
Adds fakes for listers and secrets client
To enable unit testing
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-03-22 09:03:16 +00:00
irbekrm
16d9863743
Adds a core informer factory with a filtered secrets informer
The new core informer factory wraps a typed and a partial metadata factory
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-03-22 09:03:16 +00:00
irbekrm
7d592a8270
Swap upstream core informers factory with our wrapper
This does not actually change how the informers work. This also adds a partial metadata client to the root context
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-03-22 09:03:16 +00:00
irbekrm
1612d7548d
Adds custom informer interfaces and implementation
To enable swapping core informers for custom implementations
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-03-22 09:03:16 +00:00
irbekrm
53918b5d6c
Adds SecretsFilteredCaching alpha feature
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-03-22 09:03:16 +00:00
Tim Ramlot
fc83eece01
cleanup certificate request approval webhook
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-03-20 13:19:41 +01:00
Maël Valais
f0449ddb3b
ingressClassName: document the "oneOf" constraint for the "name" field
Signed-off-by: Maël Valais <mael@vls.dev>
2023-03-09 15:15:39 +01:00
Maël Valais
ca9aaa0440
ingressClassName: let's remove the link placeholder
The link itself is way too long to fit in the API reference.
Signed-off-by: Maël Valais <mael@vls.dev>
2023-03-09 14:42:21 +01:00
Maël Valais
6458ed1543
Move from a flag to the Issuer field "ingressClassName"
Signed-off-by: Maël Valais <mael@vls.dev>
2023-03-03 17:50:30 +01:00
jetstack-bot
4e889b702b
Merge pull request #5834 from inteon/remove_unused_parameter
Removed unused NewCertManagerWebhookServer function argument
2023-02-28 13:04:33 +00:00
Tim Ramlot
f36c06f10d
move cmd/util/ to internal/cmd/util/, since it is also imported by packages outside of cmd/
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-02-28 12:38:59 +01:00
Tim Ramlot
82beacaee2
removed unused NewCertManagerWebhookServer function argument
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-02-28 12:30:44 +01:00
Michael Malov
dc621e9306
Add imagePullSecrets for ACME http01 solver pod
Signed-off-by: Michael Malov <mmeemail@gmail.com>
2023-02-13 14:18:50 +03:00
Maël Valais
5083b3e36c
removed the unused "addVaultNamespaceToRequest"
I had mistakenly re-added this function in 76eef68730.
It had been removed in 6e05f43f8e.
Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-07 18:18:40 +01:00
Maël Valais
7a856af843
serviceAccountRef: update tests of the controller-side validation
Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-07 13:26:35 +01:00