Commit Graph

1150 Commits

Author SHA1 Message Date
irbekrm
8ed0faf228 Fix integration tests
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-01-05 12:07:25 +00:00
Ashley Davis
f68693bb6a
change wording on descriptions for Vault and TPP 'CABundle' fields
Clarifies language a little; makes it clearer that the bundle
should be base64 encoded. Previously it was slightly confusing
in that PEM certificates are themselves base64 encoded.

Also makes it clearer what our CABundle validation does and does not do
by adding a standalone validation function and tweaking the error
message for an invalid CA bundle.

Also updates validation to not print CA bundle for Vault issuer when the
bundle is invalid, since it won't help with debugging anything.
Currently the bundle is printed as byte values ("0x32, 0x58, 0x43...")
and in any case printing the whole bundle could be noisy if it's large

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-12-15 16:21:02 +00:00
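Worked example for the CABundle contract described in the commit above (base64 of a PEM bundle, not the PEM text itself, and an error that never echoes the bundle bytes). This is an added illustration in Go, not cert-manager's own validation code; the function names and the in-memory self-signed CA are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ValidateCABundle applies the contract the commit message describes: the
// field holds the base64 encoding of a PEM bundle, not the PEM text itself.
// It returns the parsed certificates. Error messages deliberately never
// include the bundle bytes; a dump of a large binary blob helps nobody.
func ValidateCABundle(encoded string) ([]*x509.Certificate, error) {
	pemBytes, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, fmt.Errorf("caBundle is not valid base64 (the value must be the base64 encoding of a PEM bundle): %w", err)
	}
	var certs []*x509.Certificate
	rest := pemBytes
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue // keys or other block types are ignored, not treated as CAs
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("caBundle contains a CERTIFICATE block that does not parse: %w", err)
		}
		certs = append(certs, cert)
	}
	if len(certs) == 0 {
		return nil, errors.New("caBundle decodes to data that contains no PEM-encoded certificates")
	}
	return certs, nil
}

// EncodeCABundle is the step a user performs before putting a PEM bundle
// into the field: base64-encode the PEM text once more.
func EncodeCABundle(pemBytes []byte) string {
	return base64.StdEncoding.EncodeToString(pemBytes)
}

// NewSelfSignedCAPEM builds a throwaway CA certificate in memory so the
// example runs offline. Constructed test data, not a real CA.
func NewSelfSignedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	pemBytes, err := NewSelfSignedCAPEM()
	if err != nil {
		panic(err)
	}
	// Common mistake: pasting the PEM text directly. The "-----BEGIN" header
	// is not valid base64, so this is rejected before any parsing happens.
	if _, err := ValidateCABundle(string(pemBytes)); err != nil {
		fmt.Println("raw PEM rejected:", err)
	}
	certs, err := ValidateCABundle(EncodeCABundle(pemBytes))
	if err != nil {
		panic(err)
	}
	fmt.Printf("accepted %d certificate(s); first subject CN=%s\n", len(certs), certs[0].Subject.CommonName)
}
```

The base64 error from the standard library reports only the offending byte offset, so even the decode failure path says nothing about the bundle's contents.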
Tim Ramlot
26d04f3d8a
add WithLegacy function to our fake discovery client
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Signed-off-by: Luca Comellini <luca.com@gmail.com>
2022-12-14 21:53:42 -08:00
jetstack-bot
a1391d6995
Merge pull request #5604 from maelvls/upgrade-vault-in-e2e
End-to-end tests: use Vault 1.12.1 instead of the outdated Vault 1.2.3
2022-12-13 14:50:30 +00:00
irbekrm
0c8aa75b18 Corrects test Gateway resources
TLS block is only valid for TLS listeners

Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-12-05 15:05:45 +00:00
jetstack-bot
6ec8da3366
Merge pull request #5583 from lvyanru8200/uodateGwVerison
feature: update gateway api to v1beta1
2022-12-05 14:52:48 +00:00
lv
a13c76d312 feature: update gateway api to v1beta1
Signed-off-by: lvyanru <yanru.lv@daocloud.io>

feature: update gateway api to v1beta1

Signed-off-by: lvyanru <1113706590@qq.com>
2022-12-05 14:03:21 +00:00
Maël Valais
f4f72c16e6 e2e: use Vault 1.12.1 instead of the outdated 1.2.3
The main reason for bumping Vault's version is because 1.2.3 is not
compatible with the config parameter `disable_iss_validation`, which is
needed for accommodating the future tests [1] that rely on bound tokens
and static tokens.

For context, Vault 1.2.3 was released on Sep 9, 2019 [2] but
`disable_iss_validation` was only added on July 21st, 2020 in Vault
1.5.0.

Due to a breaking change that happened in Vault 1.5.0 [3] in which Vault
started loading the pod's token instead of using the same token (to be
reviewed) for authenticating. An alternative solution could have been to
prevent the service account from being mounted to the pod, but I figured
that having the two service accounts separated is a better practice.

[1]: https://github.com/cert-manager/cert-manager/pull/5502
[2]: https://github.com/hashicorp/vault/commit/c14bd9a2
[3]: https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#150

Signed-off-by: Maël Valais <mael@vls.dev>
2022-12-02 16:36:16 +01:00
Houssem El Fekih
d56c51092a Add boilerplate comment
Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
2022-11-29 14:47:50 +00:00
Houssem El Fekih
182275ed44 Add error case + list all supported OIDs in canonical order
Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
2022-11-29 14:38:24 +00:00
Houssem El Fekih
410ac12c02 Make test assertion more specific to slice, need to verify ordering of rdns
Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
2022-11-29 09:55:19 +00:00
Houssem El Fekih
c7952fd054 e2e test confirming LDAP rdn literalsubject in generated certificate
* Enabled feature flag for literalsubject in e2e test runner
* Added "happy path" test

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
2022-11-28 21:56:00 +00:00
Tim Ramlot
c0dc705c24
fail in case of invalid IP address
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2022-11-14 09:11:23 +01:00
Tim Ramlot
b999749854
improve gen.CSR and use it everywhere
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2022-11-10 09:21:31 +01:00
jetstack-bot
1137f9964c
Merge pull request #5478 from Git-Jiro/use_hashicorp_vault_helmchart
Migrate Vault helm chart in e2e tests from ad-hoc version to official chart from hashicorp
2022-11-04 10:34:06 +00:00
Tim Ramlot
fd6032fc45
re-order Helm parameters & move some values to constants
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2022-11-04 11:02:04 +01:00
Martin Schimandl
a00306083a Remove the old Helm chart for Vault
Signed-off-by: Martin Schimandl <martin.schimandl@gmail.com>
2022-10-16 07:57:49 +01:00
jetstack-bot
da3265115b
Merge pull request #5387 from Tolsto/vault-ca-bundle-secret-ref
Add option to load Vault CA bundle from Kubernetes Secret
2022-10-13 09:55:09 +01:00
joshvanl
684430e26b Fix string match e2e test on vault issuer caBundle
Signed-off-by: joshvanl <me@joshvanl.dev>
2022-10-12 14:34:04 +01:00
joshvanl
702a2cb857 Use lowercase "specified" in vault e2e test case
Signed-off-by: joshvanl <me@joshvanl.dev>
2022-10-12 12:33:47 +01:00
Sathyanarayanan Saravanamuthu
40947b0ef4 Generate Certificate Request with predictable name
Co-authored-by: Cody W Eilar <ecody@vmware.com>

Signed-off-by: Cody W Eilar <ecody@vmware.com>
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
2022-10-11 17:01:26 +05:30
Martin Schimandl
9071eac950 use Vault Helm Chart provided by Hashicorp
Signed-off-by: Martin Schimandl <martin.schimandl@gmail.com>
2022-10-08 09:45:52 +01:00
Danny Kulchinsky
81c85ee15c add issuer_{group|name|kind} labels to prom metrics
Signed-off-by: Danny Kulchinsky <dkulchinsky@fastly.com>
2022-09-28 10:21:36 -04:00
jetstack-bot
5c82440729
Merge pull request #5410 from rgl/rgl-unique-container-names
to help troubleshooting make the helm chart container names unique
2022-08-30 11:50:31 +01:00
Tim Ramlot
6debee4a54 update container names in ytt overlays
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2022-08-28 21:40:35 +02:00
Tim Ramlot
5d17098322 fix broken test
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2022-08-28 21:17:08 +02:00
Renato Costa
162777aab2 Fix incorrect uses of loop variable
This fixes two instances where loop variables were being incorrectly
used:

- using a loop variable in a closure passed to `ginkgo.It()` is
incorrect, as the capture happens by reference and only the last test
case will be executed (multiple times).
- a similar issue happens in the context of a goroutine; specifically,
we need to create a copy of the `runDurationFunc` before calling it in
a goroutine as done by the controller's `Run` function.

With regards to the second issue, I believe it never came to the
surface because, in production code, only one `runDurationFunc` is
passed; tests don't exercise the multiple funcs path either.

Issues were automatically found with the `loopvarcapture` linter.

Signed-off-by: Renato Costa <renato@cockroachlabs.com>
2022-08-26 15:08:30 -04:00
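Added example for the two loop-variable captures the commit above describes (a closure handed to ginkgo.It(), and a func launched in a goroutine). This is illustration code, not the project's tests; the function names and the case names are constructed. One caveat a practitioner should know: Go 1.22 changed for-loop variables to be per-iteration, so RegisterBuggy only misbehaves when the module's go.mod selects an older language version, which is why the test below asserts only on the fixed variants.

```go
package main

import (
	"fmt"
	"sort"
	"sync"
)

// RegisterBuggy reproduces the pattern the linter flagged: every closure
// captures the loop variable tc by reference. With the pre-Go-1.22 loop
// semantics (selected by the "go" line in go.mod) all closures observe the
// last value once the loop has finished, so only the last case runs, N times.
func RegisterBuggy(cases []string) []func() string {
	var fns []func() string
	for _, tc := range cases {
		fns = append(fns, func() string { return tc })
	}
	return fns
}

// RegisterFixed rebinds tc per iteration so each closure owns its own copy.
// This is the shape of the change for the ginkgo.It() closures.
func RegisterFixed(cases []string) []func() string {
	var fns []func() string
	for _, tc := range cases {
		tc := tc // per-iteration copy; correct under both old and new semantics
		fns = append(fns, func() string { return tc })
	}
	return fns
}

// RunAll calls each registered closure in order and returns what each saw.
func RunAll(fns []func() string) []string {
	seen := make([]string, 0, len(fns))
	for _, fn := range fns {
		seen = append(seen, fn())
	}
	return seen
}

// RunInGoroutines models the second instance: a slice of functions each
// started in its own goroutine. Copying f into a local before `go` is the
// same fix; without it, a goroutine started in one iteration may observe the
// variable after the loop has advanced. Results are sorted because
// scheduling order is not deterministic.
func RunInGoroutines(fns []func() string) []string {
	var (
		mu   sync.Mutex
		wg   sync.WaitGroup
		seen []string
	)
	for _, f := range fns {
		f := f // copy before handing the variable to the goroutine
		wg.Add(1)
		go func() {
			defer wg.Done()
			v := f()
			mu.Lock()
			seen = append(seen, v)
			mu.Unlock()
		}()
	}
	wg.Wait()
	sort.Strings(seen)
	return seen
}

func main() {
	cases := []string{"rsa", "ecdsa", "ed25519"} // constructed case names
	fmt.Println("buggy:     ", RunAll(RegisterBuggy(cases)))
	fmt.Println("fixed:     ", RunAll(RegisterFixed(cases)))
	fmt.Println("goroutines:", RunInGoroutines(RegisterFixed(cases)))
}
```

The linter named in the commit, loopvarcapture, flags exactly the RegisterBuggy shape and the missing `f := f` copy; running it in CI catches these before a test suite silently runs one case three times.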
Tim Ramlot
5802b3a963 use variables for binaries
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2022-08-26 07:43:17 +00:00
jetstack-bot
12f98dbc7e
Merge pull request #5376 from inteon/upgrade_gateway_api
Upgrade gateway api to v0.5.0
2022-08-25 16:08:10 +01:00
joshvanl
e16baf4706 Updates CertificateSigningRequest SelfSigned e2e tests to require
the CertificateSigningRequest Feature Gate to be enabled.

Signed-off-by: joshvanl <me@joshvanl.dev>
2022-08-25 10:41:31 +01:00
jetstack-bot
d1a8f7f52d
Merge pull request #5336 from JoshVanL/controllers-certificaterequests-secrets-informer
CertificateRequest: re-sync SelfSigned CertificateRequest when target Secret is informed.
2022-08-23 16:46:23 +01:00
Nils
81e6c24293 fixup! Add option to load Vault CA bundle from Kubernetes Secret
Co-authored-by: Josh van Leeuwen <joshua.vanleeuwen@jetstack.io>
Signed-off-by: Nils Mueller <nm@impactful.it>
2022-08-21 07:41:15 +03:00
jetstack-bot
10c4b7cde9
Merge pull request #5379 from JoshVanL/controllers-certificatesigningrequests-secrets-informer
CertificateSigningRequest: re-sync SelfSigned CertificateSigningRequest when target Secret is informed
2022-08-19 15:50:12 +01:00
Nils Mueller
2f6fa9dddf fixup! Add option to load Vault CA bundle from Kubernetes Secret
Signed-off-by: Nils Mueller <nm@impactful.it>
2022-08-16 02:57:43 +03:00
Nils Mueller
00a20097b6 Add option to load Vault CA bundle from Kubernetes Secret
Vault distributions like "Bank Vaults" automatically configure
and provision Vault and provide the CA bundle via a Kubernetes
Secret. Having to hard-code the bundle in the Issuer instead
of dynamically referencing it through the Secret requires
a manual second step when using a GitOps workflow.

Signed-off-by: Nils Mueller <nm@impactful.it>
2022-08-15 03:10:51 +03:00
Joakim Ahrlin
1501449e3e use GenerateName instead
Signed-off-by: Joakim Ahrlin <joakim.ahrlin@gmail.com>
2022-08-09 12:41:31 +02:00
joshvanl
8b2dc2a746 Update ginkgo import path to use /v2
Signed-off-by: joshvanl <me@joshvanl.dev>
2022-08-09 11:25:41 +01:00
joshvanl
52787eabd2 Adds e2e tests for the new SelfSigned CertificateSigningRequest Secret
informer

Signed-off-by: joshvanl <me@joshvanl.dev>
2022-08-09 11:17:44 +01:00
joshvanl
0b2cdf5a40 Adds e2e tests for CertificateRequest self signing controller; focussing
on requests being re-synced when the target Secret is up

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-08-09 08:40:05 +01:00
Joakim Ahrlin
de0f39e553 add random suffix to webhooks in CA Injector e2e tests
Signed-off-by: Joakim Ahrlin <joakim.ahrlin@gmail.com>
2022-08-08 12:52:52 +02:00
Tim Ramlot
836793e7e3 upgrade gateway api to v0.5.0
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2022-08-08 08:52:59 +00:00
jetstack-bot
07677c57bc
Merge pull request #5366 from munnerz/privatekey-regen-test
Ensures CertificateRequests marked as 'InvalidRequest' are properly handled as failures & retried
2022-08-05 16:23:30 +01:00
James Munnelly
ddc19a1c57 Fix comment
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2022-08-05 15:52:52 +01:00
jetstack-bot
88bda66693
Merge pull request #5345 from inteon/ginkgo_v2
Upgrade to Ginkgo v2
2022-08-04 21:06:15 +01:00
James Munnelly
2de5135e18 Fix test flake
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2022-08-04 14:15:49 +01:00
James Munnelly
e62bfaf367 Add test to check InvalidRequest handling for certificates
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2022-08-04 12:21:41 +01:00
James Munnelly
51014e5752 Add integration test for regenerating private key for each CR upon failure
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2022-08-04 12:21:41 +01:00
James Munnelly
099a52ffe3 integration framework: add StartInformersAndControllers
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2022-08-04 12:21:41 +01:00
Tim Ramlot
a8743628a4 only print Helm install output on error
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2022-08-04 10:21:27 +00:00
Tim Ramlot
501277bb62 bugfix ginkgo: make tests deterministic, don't use maps to define testCases
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2022-08-04 10:16:29 +00:00