cert-manager

Author	SHA1	Message	Date
James Munnelly	2b663eb9a9	Update ACME DNS solver to use Challenge resources Signed-off-by: James Munnelly <james@munnelly.eu>	2018-10-12 12:40:37 +01:00
James Munnelly	f8b1e653f3	Refactor ACME Issuer to create and manage Order resources Signed-off-by: James Munnelly <james@munnelly.eu>	2018-10-12 12:40:37 +01:00
James Munnelly	4fcfbb44ef	Add IsFinalState and IsErrorState functions Signed-off-by: James Munnelly <james@munnelly.eu>	2018-10-12 12:40:37 +01:00
James Munnelly	2eb785655c	Run //hack:update-codegen Signed-off-by: James Munnelly <james@munnelly.eu>	2018-10-12 12:40:37 +01:00
James Munnelly	f3991c6edf	run //hack:update-bazel Signed-off-by: James Munnelly <james@munnelly.eu>	2018-10-12 12:40:37 +01:00
Vincent Desjardins	4e89b611cf	missing omitempty for CABundle field in Vault issuer Signed-off-by: Vincent Desjardins <vdesjardins@gmail.com>	2018-10-12 11:14:08 +00:00
James Munnelly	bfd8ac7eab	Add Order and Challenge API types Signed-off-by: James Munnelly <james@munnelly.eu>	2018-10-12 11:08:51 +01:00
Vincent Desjardins	7b01a8aa0d	update code review #2 Signed-off-by: Vincent Desjardins <vdesjardins@gmail.com>	2018-10-11 02:19:55 +00:00
Vincent Desjardins	92ac7a7c08	code review updates Signed-off-by: Vincent Desjardins <vdesjardins@gmail.com>	2018-10-11 01:22:05 +00:00
Vincent Desjardins	7c1ff275f0	vault ca bundle support Signed-off-by: Vincent Desjardins <vdesjardins@gmail.com>	2018-10-11 01:22:05 +00:00
jetstack-bot	620395511a	Merge pull request #924 from arnoldbechtoldt/useClusterIPsvc Make http01 solver serviceType configurable	2018-10-10 13:42:11 +01:00
jetstack-bot	5ea95b6cc1	Merge pull request #923 from arnoldbechtoldt/issue892 make http01 solver pod resource request/limits configurable, refs #892	2018-10-10 13:06:11 +01:00
Arnold Bechtoldt	ce1dd5e8b5	update API docs Signed-off-by: Arnold Bechtoldt <arnold.bechtoldt@inovex.de>	2018-10-10 13:31:07 +02:00
Arnold Bechtoldt	1587741820	rename setting and update docs regarding solver service type Signed-off-by: Arnold Bechtoldt <arnold.bechtoldt@inovex.de>	2018-10-08 15:24:17 +02:00
jetstack-bot	912c7672bd	Merge pull request #848 from Queuecumber/ca-nginx Include CA Certificate In Secrets	2018-10-08 13:04:37 +01:00
acoshift	3e9085f376	remove key algor validation in ACME issuer Signed-off-by: Thanatat Tamtan <acoshift@gmail.com>	2018-10-08 17:47:31 +07:00
Arnold Bechtoldt	d261e1f3f1	make serviceType configurable, fixes #928 Signed-off-by: Arnold Bechtoldt <arnold.bechtoldt@inovex.de>	2018-10-08 10:55:56 +02:00
acoshift	fc7711967e	allow ecdsa for acme Signed-off-by: Thanatat Tamtan <acoshift@gmail.com>	2018-10-07 20:22:41 +07:00
Arnold Bechtoldt	845eb7f57c	make http01 solver pod resource request/limits configurable, refs #892 Signed-off-by: Arnold Bechtoldt <arnold.bechtoldt@inovex.de>	2018-09-26 14:39:06 +02:00
splashx	4e9af51629	fix rfc2136 provider missing port error, plumb dnsNameserver01 Signed-off-by: splashx <splash@gmail.com>	2018-09-17 17:38:09 +02:00
Max Ehrlich	5eaf89ba4a	Simplify getting the ca cert bytes from the ca chain Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-09-15 17:41:17 -04:00
Max Ehrlich	f81f499d3d	Rerun gofmt Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-09-15 17:18:40 -04:00
Max Ehrlich	06fb0cefc7	Manually generate pem from cachain field since the vault api does not expose it Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-09-15 17:06:41 -04:00
Max Ehrlich	d63fbbab49	Fix go-fmt Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-09-13 18:54:30 -04:00
Max Ehrlich	48653e07f9	Return CA for vault certs, this uses the issuing_ca field from the vault api response, see (https://www.vaultproject.io/api/secret/pki/index.html#sign-certificate ) for details Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-09-13 18:47:44 -04:00
Max Ehrlich	25e86d5588	For now, the vault issuer will also not store it's CA certificate Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-09-13 17:07:15 -04:00
Max Ehrlich	ab450c7463	Set the CA field if a non-nil ca cert is passed Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-09-13 17:07:15 -04:00
Max Ehrlich	213d5ec6b5	Self-signed issuers return a copy of the same certificate that was issued as the CA Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-09-13 17:07:14 -04:00
Max Ehrlich	511650ca82	ACME issuers currently will not support getting the CA certificate Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-09-13 17:07:14 -04:00
Max Ehrlich	58efbc068c	Update CA issuer to return the CA cert pem Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-09-13 17:07:14 -04:00
Max Ehrlich	280382e6ce	Issue and renew should now return the bytes of the CA certificate that was used to issue the certs. This should be set to nil if not applicable Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-09-13 17:07:14 -04:00
Max Ehrlich	41c7def791	Helper function to get PEM encoded bytes of x509 certs Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-09-13 17:07:14 -04:00
Max Ehrlich	e347572541	Change key name constant to better match its function Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-09-13 17:07:14 -04:00
Max Ehrlich	2524335f3a	Set the "ca.crt" field for certificates issued with isCA so that nginx can properly identify them for client authentication Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-09-13 17:07:13 -04:00
James Munnelly	48ecee9cfb	run //hack:update-gofmt Signed-off-by: James Munnelly <james@munnelly.eu>	2018-09-13 11:25:04 +01:00
James Munnelly	b1f145625e	Set up Bazel workspace with git status and pass ldflags Signed-off-by: James Munnelly <james@munnelly.eu>	2018-09-13 11:24:52 +01:00
James Munnelly	c4e11e110f	run //hack:update-codegen Signed-off-by: James Munnelly <james@munnelly.eu>	2018-09-13 11:24:52 +01:00
James Munnelly	db65d6a170	run //hack:update-bazel Signed-off-by: James Munnelly <james@munnelly.eu>	2018-09-13 11:24:48 +01:00
jetstack-bot	140f9e7a4c	Merge pull request #891 from munnerz/metaauth-validation Relax resource validation for CloudDNS service account credentials	2018-09-12 09:34:48 +01:00
jetstack-bot	feb589feb5	Merge pull request #661 from splashx/master [ACME] Add RFC2136 DNS Provider (2nd attempt)	2018-09-12 09:11:48 +01:00
James Munnelly	01ab38e5ff	Relax resource validation for CloudDNS service account credentials Signed-off-by: James Munnelly <james@munnelly.eu>	2018-09-12 08:44:06 +01:00
Evan Anderson	265c9610ff	Add an error check for AzureDNS failure to create a solver. Add documentation comments for public methods (caught by 'go lint'). Signed-off-by: Evan Anderson <evan.k.anderson@gmail.com>	2018-09-11 01:20:44 -07:00
splashx	3761c6c3a4	fix panic, wrong logic Signed-off-by: splashx <splash@gmail.com>	2018-09-10 21:40:40 +02:00
splashx	51a8a57221	add tests for nameserver, tsigsecret and tsigname Signed-off-by: splashx <splash@gmail.com>	2018-09-10 20:03:32 +02:00
jetstack-bot	8d6701de0b	Merge pull request #838 from Queuecumber/ca-org-days Set Organization in Certificates	2018-09-10 17:56:17 +01:00
Max Ehrlich	10526f404a	Validate that vault certificates do not set the organization field Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-09-10 10:33:53 -04:00
jetstack-bot	d55cd7ffe5	Merge pull request #664 from kiwigrid/enable-clouddns-meta-auth enable clouddns meta auth	2018-09-10 13:49:17 +01:00
James Munnelly	ac08365928	Fix up test failure Signed-off-by: James Munnelly <james@munnelly.eu>	2018-09-10 13:25:33 +01:00
James Munnelly	8c5c402d1e	Fix up bug preventing saBytes being used. Add comments. Signed-off-by: James Munnelly <james@munnelly.eu>	2018-09-10 13:21:51 +01:00
Max Ehrlich	fc8167581f	Update tests to support multiple orgs Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-09-08 16:21:13 -04:00
Max Ehrlich	6a9f1d2348	Update code to allow setting multiple organizations Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-09-08 16:21:13 -04:00
Max Ehrlich	a3f5f7b7e9	Add test for successful cert with organization set Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-09-08 16:21:13 -04:00
Max Ehrlich	54b567e734	Add test case that should fail acme validation Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-09-08 16:21:13 -04:00
Max Ehrlich	340d2725e7	Generate certificates with the new organization field Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-09-08 16:21:12 -04:00
Max Ehrlich	b3e9e33e9d	Validation for acme issuers Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-09-08 16:21:12 -04:00
Max Ehrlich	986a7af74f	Add the organization field to the certificate spec Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-09-08 16:21:12 -04:00
James Munnelly	9d3ea5649a	Fix acme.privateKeySecretRef validation message Signed-off-by: James Munnelly <james@munnelly.eu>	2018-09-08 18:17:11 +01:00
James Munnelly	a48b60581b	Run gofmt with go 1.11 Signed-off-by: James Munnelly <james@munnelly.eu>	2018-09-08 03:19:00 +01:00
splashx	41111f7879	patch with rfc2136 Signed-off-by: splashx <splash@gmail.com>	2018-09-07 00:56:00 +02:00
jetstack-bot	834fda15a1	Merge pull request #478 from munnerz/webhooks Add validating webhook and webhook tls autoconfiguration	2018-09-05 13:00:50 +01:00
JuanJo Ciarlante	1266f4116b	minor cleanups Signed-off-by: JuanJo Ciarlante <juanjosec@gmail.com>	2018-08-28 22:23:57 -03:00
JuanJo Ciarlante	225a37ce7c	augment acmedns unit testing Signed-off-by: JuanJo Ciarlante <juanjosec@gmail.com>	2018-08-28 22:20:31 -03:00
JuanJo Ciarlante	ef2924c26a	[jjo] fix panic from acmedns.go constructor failure Signed-off-by: JuanJo Ciarlante <juanjosec@gmail.com>	2018-08-27 19:36:13 -03:00
rico.pahlisch	3b270623fd	enable clouddns meta auth Signed-off-by: Rico Pahlisch <rico.pahlisch@kiwigrid.com>	2018-08-27 09:13:05 +02:00
Frank Hamand	8b28b5adce	Fix cloudflare provider failing on cleanup if no record is found It's possible for cert-manager to get in a bad state where it thinks there's something to cleanup, but repeatedly fails to clean it up. Not finding the record should not be an error when we're trying to delete the record anyway. Signed-off-by: Frank Hamand <frankhamand@gmail.com>	2018-08-21 09:59:37 +01:00
James Munnelly	91bec0909c	Add validation webhook Signed-off-by: James Munnelly <james.munnelly@jetstack.io>	2018-08-20 12:34:05 +01:00
jetstack-bot	972f86704d	Merge pull request #787 from Queuecumber/master Add ACME-DNS as a DNS-01 Provider	2018-08-17 13:33:57 +01:00
Max Ehrlich	65e6a65143	Update the test to support nameservers Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-14 14:57:21 -04:00
Max Ehrlich	96a037fc23	Fix go fmt failing Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-14 14:48:51 -04:00
jetstack-bot	dba15aabe6	Merge pull request #658 from munnerz/is-ca Add 'isCA' field to Certificate spec	2018-08-14 12:35:53 +01:00
James Munnelly	8d3d095a29	Add 'isCA' field to Certificate spec Signed-off-by: James Munnelly <james.munnelly@jetstack.io>	2018-08-14 10:32:48 +01:00
James Munnelly	22f5d8c816	Fix issue causing existing ingresses to not be cleaned up properly Signed-off-by: James Munnelly <james.munnelly@jetstack.io>	2018-08-14 10:23:29 +01:00
James Munnelly	974fc9e1bb	Add unit test for cleaning up existing ingress Signed-off-by: James Munnelly <james.munnelly@jetstack.io>	2018-08-14 10:23:28 +01:00
Max Ehrlich	f7b1d413fb	Fix test for acme-dns provider Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-13 14:04:19 -04:00
Max Ehrlich	465bdc51d1	Boilerplate header Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-13 13:37:44 -04:00
Max Ehrlich	8d7baed20a	Support DNS01Nameservers field Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-13 13:37:03 -04:00
Max Ehrlich	b1eadabf42	Change wording from "accounts" to "account" Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-13 13:32:14 -04:00
Max Ehrlich	e791680a88	Namespace was moved from a class variable to a local Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-13 13:32:14 -04:00
Max Ehrlich	dab8a47ec6	Function signature for DNS01Record was changed to return an error, handle that Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-13 13:32:13 -04:00
Max Ehrlich	0209938c94	Add validation logic Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-13 13:32:13 -04:00
Max Ehrlich	d12fbc161f	Ensure key is good enough for acme-dns to accept Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-13 13:32:13 -04:00
Max Ehrlich	240828b272	Read test host from env variable Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-13 13:32:13 -04:00
Max Ehrlich	80a9e7bf03	Make sure names are consistent Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-13 13:32:13 -04:00
Max Ehrlich	9d1f233729	Fix env variable names in unit test Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-13 13:32:12 -04:00
Max Ehrlich	992602b472	Add unit test to dns testing Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-13 13:32:12 -04:00
Max Ehrlich	310a6f8689	Add unit test for acmedns Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-13 13:31:43 -04:00
Max Ehrlich	f369d691fe	Keeping names consistent again Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-13 13:31:42 -04:00
Max Ehrlich	2d41d79d3c	Include acme-dns into the generic dns challenge interface Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-13 13:31:42 -04:00
Max Ehrlich	795b472e8d	Flesh out acme-dns implementation, registration must occur before using cert-manager Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-13 13:30:34 -04:00
Max Ehrlich	5695b867f6	Keep naming consistent Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-13 13:30:34 -04:00
Max Ehrlich	f7a42fb9fd	Add acme-dns issuer config to the issuer definition and update docs Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-13 13:30:33 -04:00
Max Ehrlich	8251d96c21	Add acme-dns issuer to provider configuration Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-13 13:30:33 -04:00
Max Ehrlich	9902845c82	Add acmedns constructor to dns interface Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-13 13:30:33 -04:00
Max Ehrlich	40ce2d8e86	Basic parts of implementation of acme dns, missing registration and credential retrieval Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-13 13:25:43 -04:00
Max Ehrlich	110a9443e8	Stubs for acmedns and its test Signed-off-by: Max Ehrlich <max.ehr@gmail.com>	2018-08-13 13:25:43 -04:00
jetstack-bot	abfbb36a48	Merge pull request #825 from ocadotechnology/820-plumb-dns-servers-more fix: plumb dns servers into more areas	2018-08-13 17:48:30 +01:00
stuart.warren	4f80dca9d5	fix: plumb dns servers into more areas fixes: #820 Signed-off-by: stuart.warren <stuart.warren@ocado.com>	2018-08-13 16:21:37 +01:00
James Munnelly	813996b07d	Update third_party files with skip license headers Signed-off-by: James Munnelly <james.munnelly@jetstack.io>	2018-08-13 16:06:07 +01:00
James Munnelly	51195e4c5f	Update license header and add header to every file Signed-off-by: James Munnelly <james.munnelly@jetstack.io>	2018-08-13 15:53:37 +01:00
jetstack-bot	7d581d60c2	Merge pull request #816 from kragniz/catch-dns-error Catch and return dns query error in DNS01Record	2018-08-10 12:16:03 +01:00
Louis Taylor	cc9a18a872	Handle error cases	2018-08-10 11:12:15 +01:00
jetstack-bot	d0002f6c71	Merge pull request #811 from jetstack/selfsigned-ca-bundle Don't bundle the CA certificate when selfsigned	2018-08-10 11:07:12 +01:00
Louis Taylor	69f6a234c7	Catch and return dns query error in DNS01Record	2018-08-10 11:04:48 +01:00
James Munnelly	2110aacc3b	Don't bundle the CA certificate when selfsigned	2018-08-09 16:32:10 +01:00
James Munnelly	c169a1ffc1	Catch edge case where the CN and DNSNames on a Certificate have been reordered	2018-08-08 20:19:16 +01:00
James Munnelly	503186c2d2	Add unit test for PublicKeyMatchesCertificate	2018-08-08 13:39:34 +01:00
James Munnelly	0dd3155fb2	Add logic to handle ready vs valid ACME orders	2018-08-08 13:39:34 +01:00
James Munnelly	1ed6855bde	Expose GetCertificate function	2018-08-08 13:39:30 +01:00
James Munnelly	fa0bc9998e	Add RenewBeforeDuration option to controller context	2018-08-08 13:34:30 +01:00
James Munnelly	071d1c6c88	Fix resourceNamespace	2018-08-07 16:13:46 +01:00
James Munnelly	3781c2d1be	Update references to resourceNamespace	2018-08-07 16:13:46 +01:00
James Munnelly	3a69dd1cbf	Update unit test fixture to produce mock Contexts	2018-08-07 16:13:46 +01:00
James Munnelly	38c62357f7	Update ACME issuer for new context	2018-08-07 16:13:46 +01:00
James Munnelly	f4170cbbf0	Update http01 challenge solver	2018-08-07 16:13:46 +01:00
James Munnelly	370a7a1460	Update DNS01 solver	2018-08-07 16:13:46 +01:00
James Munnelly	2fcbee05b7	Update ACME issuer	2018-08-07 16:13:46 +01:00
James Munnelly	e9285c6bdb	Update selfsigned issuer	2018-08-07 16:13:46 +01:00
James Munnelly	3f325d1659	Update CA issuer	2018-08-07 16:13:46 +01:00
James Munnelly	7ee345f88c	Update Vault issuer	2018-08-07 16:13:46 +01:00
James Munnelly	a46774fe44	Update Issuers controller	2018-08-07 16:13:46 +01:00
James Munnelly	59880abd43	Update ClusterIssuer controller	2018-08-07 16:13:46 +01:00
James Munnelly	9cc07eefe5	Update Certificate controller	2018-08-07 16:13:46 +01:00
James Munnelly	61a27d3b6c	Update validation to use consts moved into pkg/controller	2018-08-07 16:13:46 +01:00
James Munnelly	9dc20d3c35	Remove dedicated issuer context and move issuer registration into controller pkg	2018-08-07 16:13:46 +01:00
James Munnelly	36f9f356cd	Refactor ACME client construction into dedicated ACME package	2018-08-07 15:22:53 +01:00
James Munnelly	7346240830	Update codebase for refactored API type names	2018-08-07 14:16:53 +01:00
James Munnelly	3e95b9410c	Update generated files	2018-08-07 14:16:49 +01:00
James Munnelly	f46f99a1cb	Rename API types (keeping API surface identical)	2018-08-07 14:08:31 +01:00
James Munnelly	29eb04adfe	Move API types into separate files	2018-08-07 11:48:38 +01:00
James Munnelly	fcf812c654	Add OWNERS files to auto-label PRs. Mark apis directory as requiring a review by @munnerz.	2018-07-26 13:01:58 +01:00
jetstack-bot	317e6e829c	Merge pull request #761 from kragniz/runtime-validation Add base of issuer-specific validation to certificates at runtime	2018-07-26 11:20:29 +01:00
Louis Taylor	791488e2ed	Better test coverage	2018-07-26 10:50:28 +01:00
James Munnelly	686e9159e5	Wait for ACME Orders to be in 'ready' state before attempting finalization	2018-07-25 18:05:45 +01:00
Louis Taylor	474c8ed27f	Add extra testcase	2018-07-25 17:41:05 +01:00
Louis Taylor	db5383051e	Remove duplicated check	2018-07-25 15:55:19 +01:00
Louis Taylor	c5cf376c5e	Run ValidateCertificateForIssuer during sync	2018-07-25 15:45:37 +01:00
Louis Taylor	d23bad8c2f	nameForIssuer -> NameForIssuer	2018-07-25 15:45:13 +01:00
Louis Taylor	aa60a41591	Add tests	2018-07-25 15:44:25 +01:00
Louis Taylor	cdae8cbce8	Add base issuer validation	2018-07-25 15:44:06 +01:00
Louis Taylor	bcf135c7ae	clouddns: use fqdn for challenge cleanup This is the same as the problem fixed in #750, but for cleanup.	2018-07-22 20:17:11 +01:00
jetstack-bot	398e1560a3	Merge pull request #670 from gurvindersingh/master add support CNAME for dns-01 challenge	2018-07-20 19:36:06 +01:00
jetstack-bot	b15a18be98	Merge pull request #746 from euank/route53-invalid-change-batch issuer/route53: fix delete for 'NotExist' errors	2018-07-20 18:36:59 +01:00
Euan Kemp	ea84532a5c	issuer/route53: log ignored InvalidChangeBatch err	2018-07-20 10:10:02 -07:00
Louis Taylor	082f815773	clouddns: find hosted zone for challenge record Previously this would fail if you use a CNAME for the _acme-challenge record.	2018-07-20 16:53:12 +01:00
Euan Kemp	15d497b4ca	issuer/route53: fix delete for 'NotExist' errors Fixes #736. Prior to this change, it was quite possible to end up with a queue of cleanup tasks that would never succeed.	2018-07-19 10:20:27 -07:00
jetstack-bot	6348c6ffca	Merge pull request #722 from autonomic-ai/support-ec-keys Add keyAlgorithm and keySize fields to Certificates, and support ECDSA keys	2018-07-18 10:00:36 +01:00
Afolabi Badmos	445e522432	Add support for EC keys - This PR adds two fields to CertificateSpec: - `keyAlgorithm`, denotes which algorithm to use when generating a private key. Can be either `rsa` or `ecdsa`. When not set, the default algorithm used `rsa`. - `keySize`, denotes the key size of the private key being generated. For `rsa`, minimum key size is 2048 and maximum is 8192. For `ecdsa`, sizes 224, 256, 384 & 521 are supported. See https://golang.org/pkg/crypto/elliptic - `keySize` can be set without being explicit about `keyAlgorithm`. - If `keySize` is specified and `keyAlgorithm` is not provided, `rsa` will be used as the key algorithm. - `keyAlgorithm` can be set without being explicit about `keySize`. - If `keyAlgorithm` is specified and `keySize` is not provided, key size key size of `256` will be used for `ecdsa` key algorithm and key size of `2048` will be used for `rsa` key algorithm. - helper functions in `pki` package now return crypto.PrivateKey	2018-07-17 12:42:07 -04:00
Louis Taylor	969c4530a0	Add Contains util function	2018-07-12 10:27:05 +01:00
jetstack-bot	a162a5bb8e	Merge pull request #612 from vdesjardins/custom-approle-path Vault: configurable appRole authentication path	2018-07-11 17:53:33 +01:00
jetstack-bot	c08cd80730	Merge pull request #622 from munnerz/istio-annotation Add auth.istio.io annotation to ACME HTTP01 service	2018-07-11 17:18:33 +01:00
Vincent Desjardins	7fae0fccf1	code review fixes	2018-07-11 16:00:39 +00:00
Vincent Desjardins	ca3b909cb7	code review modifications	2018-07-11 16:00:39 +00:00
Vincent Desjardins	2995cc90a3	Vault: configurable appRole authentication path	2018-07-11 16:00:39 +00:00
jetstack-bot	bd7f15d5f4	Merge pull request #710 from kragniz/dns-flag Add flag for setting nameservers for DNS01 check	2018-07-11 14:26:33 +01:00
jetstack-bot	1c167c302d	Merge pull request #720 from zegl/route53-managed-by-certmanager route53: update managed by DNS record comment	2018-07-11 13:37:49 +01:00
Gustav Westling	641b497242	route53: update managed by DNS record comment	2018-07-08 12:09:00 +02:00
Louis Taylor	d60f4b447e	Apply cert name label to created secrets	2018-07-06 18:02:13 +01:00
jetstack-bot	c48a38ae17	Merge pull request #644 from munnerz/ref-docs Add script for generating reference docs	2018-07-05 15:12:41 +01:00
James Munnelly	2014183a57	Add script for generating reference docs	2018-07-05 14:47:32 +01:00
Louis Taylor	cbc61ef7f9	Fix tests	2018-07-05 12:41:33 +01:00
Louis Taylor	3eaca6a318	Add flag for custom dns01 nameservers	2018-07-05 12:40:53 +01:00
James Munnelly	d61838d901	Prevent panics in v1alpha1 helpers.go	2018-07-05 11:43:19 +01:00
André Cruz	936e2b98ee	Support the new "ready" order status	2018-07-03 15:31:14 +01:00
jetstack-bot	e7a2a0c618	Merge pull request #686 from kragniz/acme-config-update Update spec.acme.config field when ingress changes	2018-06-29 10:11:06 +01:00
James Munnelly	86685369aa	Add test for a non-acme certificate being appropriately updated	2018-06-29 09:46:04 +01:00
Louis Taylor	25311a57c5	Add better check for nil spec.acme	2018-06-27 14:37:53 +01:00
Louis Taylor	bc9181a925	Update spec.acme.config field when ingress changes Fixes #619.	2018-06-27 10:52:00 +01:00
James Munnelly	c55e7661b2	Add unit tests for resource validation	2018-06-26 14:59:48 +01:00
James Munnelly	951b72bba0	Add basic resource validation at start of sync loops	2018-06-26 14:59:48 +01:00
James Munnelly	bbb65baa38	Run go fmt	2018-06-26 01:24:52 +01:00
Guilherme Blanco	8d69e1e811	Added annotation to pod to prevent istio-sidecar-injector to add an envoy-proxy	2018-06-26 01:24:52 +01:00
James Munnelly	65b6ae2643	Add auth.istio.io annotation to ACME HTTP01 service	2018-06-26 01:24:52 +01:00
jetstack-bot	7ef053cf3e	Merge pull request #667 from euank/scheduler-mock pkg/scheduler: fix minor race; use mocks in scheduler tests	2018-06-25 20:37:29 +01:00
Euan Kemp	b7d4470f81	pkg/scheduler: fix minor race While unlikely, it was possible before for the scheduler to race in such a way that concurrent 'Add' calls would result in "leaking" a timer, thus making an unstoppable invocation of that event. This includes a test which fails without the small bugfix in scheduler.go	2018-06-25 12:01:51 -07:00
James Munnelly	fe5e748170	Don't return invalid/expired orders in shouldAttemptValidation	2018-06-25 10:46:10 +01:00
Gurvinder Singh	bfde429b8e	add support CNAME for dns-01 challenge Domain for which certificate is asked for can have a CNAME, so we should check it. If domain has a CNAME, create the challange TXT record in the alias domain. This is useful in the scenario where a company like us is using some DNS provider which is not supported dynamically. We can then create a CNAME for records like _acme-challenge.example.com -> example.aws.hosted.com So this will allow us getting cert for *.example.com with creating txt record in route53 for above exxample.	2018-06-21 21:48:16 +02:00
Euan Kemp	bb1fe81834	pkg/scheduler: use mock timer for tests This speeds up the unit tests from taking about 12s to taking around .01s	2018-06-19 17:48:16 -07:00
James Munnelly	592bfc7edc	issuers: Skip triggering API update if status has not changed	2018-06-18 01:55:45 +01:00
jetstack-bot	61729fb96a	Merge pull request #637 from munnerz/selfsigned Add self signed Issuer type	2018-06-15 14:31:33 +01:00
jetstack-bot	cb107f3b89	Merge pull request #652 from euank/r53-owner issuer/dns/route53: add myself as owner	2018-06-14 12:32:36 +01:00
jetstack-bot	12d603f511	Merge pull request #629 from groner/check-acme-issuer-challenge-type Check the acme issuer has the challenge type configured.	2018-06-14 11:54:37 +01:00
Euan Kemp	27b5e49732	issuer/dns/route53: add myself as owner	2018-06-12 18:32:49 -07:00
jetstack-bot	df4b493b38	Merge pull request #582 from ThatWasBrilliant/master FindZoneByFqdn fixes from lego	2018-06-12 16:25:41 +01:00
James Munnelly	00e558a9e7	Fix package naming	2018-06-08 17:49:26 +01:00
James Munnelly	0c05e15024	Run hack/update-codegen.sh	2018-06-08 15:48:30 +01:00
James Munnelly	6cfdc62f6b	Add self signed Issuer type	2018-06-08 15:48:30 +01:00
James Munnelly	1fd8cdf13e	Create common GenerateCSR and GenerateTemplate methods for creating Certificate/CertificateRequest	2018-06-08 15:15:27 +01:00
Kai Groner	b7a8c4c623	Check the acme issuer has the challenge type configured.	2018-06-06 10:19:22 -04:00
jetstack-bot	3cafdd9401	Merge pull request #598 from euank/log-namespaces issuer/acme/*: log namespaces for resources	2018-06-06 09:52:53 +01:00
jetstack-bot	c61f392163	Merge pull request #555 from paultiplady/debug/gcloud-errors Improve logs for CloudDNS service account errors	2018-06-06 01:40:39 +01:00
Euan Kemp	a09e9037de	issuer/acme/http: log namespaces for resources It's useful to know what namespace is being operated on, so log namespaces all over the place!	2018-05-30 20:10:17 -07:00
Euan Kemp	09a5846412	issuer/acme/http: remove unused test code ¯\_(ツ)_/¯	2018-05-30 20:03:00 -07:00
Euan Kemp	36b57ba475	issuer/acme/dns: log namespace for secret errors If we can't find the secret, the user should probably also know what namespace we looked in. xref #540 for a case where this might help with debugging	2018-05-30 20:00:21 -07:00
Euan Kemp	910a9e8859	issuer/acme/dns: remove redundant 'Error' calls	2018-05-30 19:57:44 -07:00
jetstack-bot	e51edb398e	Merge pull request #587 from vdesjardins/fix-vault-panic-on-sealed vault: fix panic when vault is sealed or uninitialized	2018-05-29 12:13:15 +01:00
Vincent Desjardins	37db332b46	vault: fix panic when vault is sealed or uninitialized	2018-05-29 01:36:00 +00:00
Anders Petersson	6d5b199d74	Fixed a typo in error msg.	2018-05-27 19:52:05 +02:00
Brian Hardy	e52aefb34a	FindZoneByFqdn fixes from lego	2018-05-25 14:00:29 -05:00
Paul Tiplady	1089667ceb	Make CloudDNS service account errors debuggable Improve logging in the case where the Service Account Secret is loaded, but the Key is not found. Previous behaviour was to fail without giving much help as to why. New behaviour confirms the key name and namespace/secret-name. FIXES: 539	2018-05-11 08:56:09 -07:00
Krzysztof Nazarewski	dfe0a5ebd4	typo fix	2018-05-10 12:49:48 +02:00
jetstack-bot	0bb19e9453	Merge pull request #546 from munnerz/cloudflare-idempotent Update Cloudflare provider to be idempotent when calling Present	2018-05-09 16:18:19 +01:00
James Munnelly	707a113870	Update Cloudflare provider to be idempotent when calling Present	2018-05-09 14:45:11 +01:00
jetstack-bot	8d1cad422e	Merge pull request #545 from munnerz/acme-v01-warning Set Issuer ready condition to false if ACMEv1 endpoints are used	2018-05-09 14:40:19 +01:00
James Munnelly	3fc74f7f86	Set Issuer ready condition to false if ACMEv1 endpoints are used	2018-05-09 14:17:20 +01:00
jetstack-bot	f78feb6e68	Merge pull request #530 from vdesjardins/fix-vault-approle rename fields in Vault appRole credentials	2018-05-09 14:15:19 +01:00
James Munnelly	a597c02701	Fix panic in shouldAttemptValidation	2018-05-09 12:11:41 +01:00
Vincent Desjardins	b256e02a98	rename fields in Vault appRole credentials	2018-05-03 03:30:43 +00:00
Vincent Desjardins	b35343786e	Vault issuer support vault remove duration	2018-05-02 00:45:55 +00:00
James Munnelly	e2a2e32e28	Fix ingress-shim tests	2018-04-26 12:44:41 +01:00
James Munnelly	fdb8f2bf40	Link ingress-shim into main controller binary	2018-04-26 12:44:40 +01:00
James Munnelly	944ed571fc	Ensure challenge list gets updated after attempting authzs	2018-04-25 19:02:15 +01:00
James Munnelly	50a4bcfde2	Perform full validation flow for each challenge before checking next one	2018-04-25 19:02:15 +01:00
James Munnelly	d573e30878	Only perform one validation per identifier for a single order at a time	2018-04-25 19:02:15 +01:00
James Munnelly	4be42080eb	Add ACMESolverConfigurationForAuthorization test	2018-04-25 18:17:01 +01:00
James Munnelly	c6e6b39fd2	Require asterisk denoted wildcard in acme solver config for wildcard certs	2018-04-25 17:34:21 +01:00
Tim	54067d5446	Add Key Encipherment bit to Key Usage extension Google Chrome rejects the certificate for SSL connections if the Key Usage extension does not include the keyEncipherment purpose.	2018-04-17 16:25:10 -07:00
James Munnelly	5679f6257f	Fix up self check failure error message	2018-04-12 19:31:29 +01:00
James Munnelly	611f1f3e0d	Absorb HTTP client errors in acme http self check	2018-04-12 19:00:24 +01:00
James Munnelly	acd927dd41	Use rate limiter when queueing (Cluster)Issuers	2018-04-12 16:51:02 +01:00
James Munnelly	0a960d46b2	Fix bug in issue method preventing cert issuance	2018-04-12 16:50:03 +01:00
James Munnelly	1975c524b9	Call AddRateLimited in QueuingEventHandler	2018-04-12 15:23:27 +01:00
James Munnelly	70dde521a1	Set status conditions on validation success. Call WaitOrder instead of GetOrder in issue.	2018-04-11 23:30:54 +01:00
James Munnelly	336d01ac4a	Update dns util tests	2018-04-11 19:39:36 +01:00
James Munnelly	ef51483cbc	Merge pull request #5 from redbaron/acmev2-upstream Fixes for ACME client http transport	2018-04-11 14:30:28 +01:00
James Munnelly	4a79203633	Run gofmt	2018-04-11 13:22:10 +01:00
James Munnelly	967499331e	Merge pull request #6 from redbaron/errors-format-fix Fix error formatting	2018-04-11 13:18:45 +01:00
Maxim Ivanov	c44a7552ea	Check challenge before presenting it With async challenge Check, it is often happens, that solver.Check() fails on first run after solver.Present() Cert-manager then tries again, but starts with solver.Present(), which not being idempotent right now fails on certain DNS providers. This change swaps order of solver.Check() and solver.Present(). Check is not returning error if propagation not happened, it then allows Present() to run. In the current form, Present() will be spamming with errors, but this doesn't stop Check from happening on every attempt, so eventually Challenge can be verified and accepted. In the future, Present() should be made idempotent.	2018-04-11 11:27:23 +01:00
Maxim Ivanov	8cbb75f9ba	Fix error formatting	2018-04-10 15:46:43 +01:00
James Munnelly	43373cd766	Adjust exponential backoff base value	2018-04-10 01:50:44 +01:00
James Munnelly	b9813b13db	Requeue Certificate if target secret is deleted	2018-04-10 01:31:09 +01:00
James Munnelly	add2c76923	Don't trigger resync if ingresses or secrets change	2018-04-10 01:27:18 +01:00
James Munnelly	c05d255675	Use AddRateLimited for the scheduled work queue	2018-04-10 01:05:37 +01:00
James Munnelly	ce441d604f	Enable DNS01 provider tests using cloudflare	2018-04-10 00:27:52 +01:00
James Munnelly	857420fbd3	Use adler32 hash for acme http01 resource labels	2018-04-09 23:27:16 +01:00
James Munnelly	c83b479b2f	Remove extra CreateOrder event	2018-04-09 21:29:31 +01:00
James Munnelly	1d52cbeec7	Remove unused strings and standardise event reasons	2018-04-09 21:26:38 +01:00
James Munnelly	d197817fa7	Improve error reporting and use of status conditions	2018-04-09 21:17:51 +01:00
James Munnelly	e8e6785e9a	Immediately create a new order if old one has expired	2018-04-09 20:08:18 +01:00
James Munnelly	1485546ed5	Clear ACME order URL if FinalizeOrder fails with 4xx error	2018-04-09 20:02:26 +01:00
James Munnelly	9aa3bb52a3	Fix invalid json tags	2018-04-09 19:44:16 +01:00
James Munnelly	801d882c4b	Only manually remove challenges on successful validation	2018-04-09 19:29:02 +01:00
James Munnelly	8f2bab6f05	Fix infinite loop in logger middleware	2018-04-09 19:09:46 +01:00
James Munnelly	5a434865ad	Add acme client logger middleware	2018-04-09 19:06:41 +01:00
James Munnelly	47465d645b	Use item based exponential backoff rate limiter	2018-04-09 18:33:36 +01:00
James Munnelly	ae3b4836b5	Clean up successful validations. Fix up failed validation handling.	2018-04-09 18:16:02 +01:00
James Munnelly	99d7a7b99a	Fix ACME DNS provider unit tests	2018-04-09 17:57:33 +01:00
Maxim Ivanov	bd84b7c29c	Make acme client transport to be closer to DefaultTransport Helps with things such as HTTP_PROXY env var handling	2018-04-09 17:46:29 +01:00
James Munnelly	32cab11676	Fix rebase issues	2018-04-09 17:18:34 +01:00
James Munnelly	6f974ee5ad	Run hack/update-codegen.sh	2018-04-09 17:17:01 +01:00
James Munnelly	b934852775	Merge branch 'master' into acmev2	2018-04-09 16:52:34 +01:00

... 3 4 5 6 7 ...

739 Commits