This will break anyone who relied on featureGates field to pass feature gates to webhook- they will need to use the new webhook.featureGates field
Signed-off-by: irbekrm <irbekrm@gmail.com>
The current policy check for keystores in Secrets creates a loop because
the truststore.jks or truststore.p12 will never exist when the issuer didn't
provide the CA certificate. This behaviour was introduced by #5597
The JKS and PKCS12 truststores are only added to the Secret
if the CA is provided by the issuer. The CertificateRequest API
reference states:
> The PEM encoded x509 certificate of the signer, also known
> as the CA (Certificate Authority). This is set on a best-effort basis by
> different issuers. If not set, the CA is assumed to be unknown/not available.
This change will only check the PKCS12/JKS truststores if the CA cert from the
issuer exists in the secret.
Fixes#5755
Signed-off-by: Thomas Müller <thomas@chaschperli.ch>
Changing SecretRef to be a pointer will break people using the package as
a library.
I disabled the ability to set the audience and expiry time for security
reasons:
We decided to generate the audience dynamically instead of letting the
user configure it, and we also decided to encode the namespace and
issuer name into the audience to remediate the risk of hijacking an
existing issuer and service account with a malicious issuer.
Regarding the expiration duration of the JWT, it doesn't make sense to
let the user configure it since cert-manager will authenticate using the
JWT and immediately discard it. We thought that 1 minute would be
acceptable, although the Kubernetes API server may return a totally
different duration.
Signed-off-by: Maël Valais <mael@vls.dev>
Previously, the Vault issuer was only able to use a Secret in order to
use the "Kubernetes authentication" method. The downside to this service
account Secret token is that it has the default JWT iss
"kubernetes/serviceaccount" (along with the fact that the token is not
bound to a particular pod and has no expiry).
With the new serviceAccountRef, cert-manager now requests the token on
behalf of the pod in order to authenticate with Vault.
Signed-off-by: Maël Valais <mael@vls.dev>
since the acmesolver image has defaults (i.e. the repository is set by
default[1]), the helm chart changes introduced in #5554 will always set
the `--acme-http01-solver-image` parameter.
This can break users who previously had this parameter set via the
extraArgs Helm option, which was found and reported on Slack[2].
This commit moves the new Helm value added in #5554 above extraArgs,
so that if extraArgs is set it will take precedence and nothing should
change as users upgrade.
[1] a5d67d3a21/deploy/charts/cert-manager/values.yaml (L504-L516)
[2] https://kubernetes.slack.com/archives/CDEQJ0Q8M/p1672925692339849
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
