Max Ehrlich
6a9f1d2348
Update code to allow setting multiple organizations
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-09-08 16:21:13 -04:00
Max Ehrlich
a3f5f7b7e9
Add test for successful cert with organization set
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-09-08 16:21:13 -04:00
Max Ehrlich
54b567e734
Add test case that should fail acme validation
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-09-08 16:21:13 -04:00
Max Ehrlich
340d2725e7
Generate certificates with the new organization field
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-09-08 16:21:12 -04:00
Max Ehrlich
b3e9e33e9d
Validation for acme issuers
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-09-08 16:21:12 -04:00
Max Ehrlich
986a7af74f
Add the organization field to the certificate spec
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-09-08 16:21:12 -04:00
James Munnelly
9d3ea5649a
Fix acme.privateKeySecretRef validation message
Signed-off-by: James Munnelly <james@munnelly.eu>
2018-09-08 18:17:11 +01:00
James Munnelly
a48b60581b
Run gofmt with go 1.11
Signed-off-by: James Munnelly <james@munnelly.eu>
2018-09-08 03:19:00 +01:00
splashx
41111f7879
patch with rfc2136
Signed-off-by: splashx <splash@gmail.com>
2018-09-07 00:56:00 +02:00
jetstack-bot
834fda15a1
Merge pull request #478 from munnerz/webhooks
Add validating webhook and webhook tls autoconfiguration
2018-09-05 13:00:50 +01:00
JuanJo Ciarlante
1266f4116b
minor cleanups
Signed-off-by: JuanJo Ciarlante <juanjosec@gmail.com>
2018-08-28 22:23:57 -03:00
JuanJo Ciarlante
225a37ce7c
augment acmedns unit testing
Signed-off-by: JuanJo Ciarlante <juanjosec@gmail.com>
2018-08-28 22:20:31 -03:00
JuanJo Ciarlante
ef2924c26a
[jjo] fix panic from acmedns.go constructor failure
Signed-off-by: JuanJo Ciarlante <juanjosec@gmail.com>
2018-08-27 19:36:13 -03:00
rico.pahlisch
3b270623fd
enable clouddns meta auth
Signed-off-by: Rico Pahlisch <rico.pahlisch@kiwigrid.com>
2018-08-27 09:13:05 +02:00
Frank Hamand
8b28b5adce
Fix cloudflare provider failing on cleanup if no record is found
It's possible for cert-manager to get in a bad state where it thinks there's something to cleanup, but repeatedly fails to clean it up.
Not finding the record should not be an error when we're trying to delete the record anyway.
Signed-off-by: Frank Hamand <frankhamand@gmail.com>
2018-08-21 09:59:37 +01:00
James Munnelly
91bec0909c
Add validation webhook
Signed-off-by: James Munnelly <james.munnelly@jetstack.io>
2018-08-20 12:34:05 +01:00
jetstack-bot
972f86704d
Merge pull request #787 from Queuecumber/master
Add ACME-DNS as a DNS-01 Provider
2018-08-17 13:33:57 +01:00
Max Ehrlich
65e6a65143
Update the test to support nameservers
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-14 14:57:21 -04:00
Max Ehrlich
96a037fc23
Fix go fmt failing
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-14 14:48:51 -04:00
jetstack-bot
dba15aabe6
Merge pull request #658 from munnerz/is-ca
Add 'isCA' field to Certificate spec
2018-08-14 12:35:53 +01:00
James Munnelly
8d3d095a29
Add 'isCA' field to Certificate spec
Signed-off-by: James Munnelly <james.munnelly@jetstack.io>
2018-08-14 10:32:48 +01:00
James Munnelly
22f5d8c816
Fix issue causing existing ingresses to not be cleaned up properly
Signed-off-by: James Munnelly <james.munnelly@jetstack.io>
2018-08-14 10:23:29 +01:00
James Munnelly
974fc9e1bb
Add unit test for cleaning up existing ingress
Signed-off-by: James Munnelly <james.munnelly@jetstack.io>
2018-08-14 10:23:28 +01:00
Max Ehrlich
f7b1d413fb
Fix test for acme-dns provider
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-13 14:04:19 -04:00
Max Ehrlich
465bdc51d1
Boilerplate header
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-13 13:37:44 -04:00
Max Ehrlich
8d7baed20a
Support DNS01Nameservers field
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-13 13:37:03 -04:00
Max Ehrlich
b1eadabf42
Change wording from "accounts" to "account"
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-13 13:32:14 -04:00
Max Ehrlich
e791680a88
Namespace was moved from a class variable to a local
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-13 13:32:14 -04:00
Max Ehrlich
dab8a47ec6
Function signature for DNS01Record was changed to return an error, handle that
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-13 13:32:13 -04:00
Max Ehrlich
0209938c94
Add validation logic
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-13 13:32:13 -04:00
Max Ehrlich
d12fbc161f
Ensure key is good enough for acme-dns to accept
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-13 13:32:13 -04:00
Max Ehrlich
240828b272
Read test host from env variable
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-13 13:32:13 -04:00
Max Ehrlich
80a9e7bf03
Make sure names are consistent
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-13 13:32:13 -04:00
Max Ehrlich
9d1f233729
Fix env variable names in unit test
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-13 13:32:12 -04:00
Max Ehrlich
992602b472
Add unit test to dns testing
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-13 13:32:12 -04:00
Max Ehrlich
310a6f8689
Add unit test for acmedns
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-13 13:31:43 -04:00
Max Ehrlich
f369d691fe
Keeping names consistent again
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-13 13:31:42 -04:00
Max Ehrlich
2d41d79d3c
Include acme-dns into the generic dns challenge interface
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-13 13:31:42 -04:00
Max Ehrlich
795b472e8d
Flesh out acme-dns implementation, registration must occur before using cert-manager
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-13 13:30:34 -04:00
Max Ehrlich
5695b867f6
Keep naming consistent
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-13 13:30:34 -04:00
Max Ehrlich
f7a42fb9fd
Add acme-dns issuer config to the issuer definition and update docs
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-13 13:30:33 -04:00
Max Ehrlich
8251d96c21
Add acme-dns issuer to provider configuration
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-13 13:30:33 -04:00
Max Ehrlich
9902845c82
Add acmedns constructor to dns interface
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-13 13:30:33 -04:00
Max Ehrlich
40ce2d8e86
Basic parts of implementation of acme dns, missing registration and credential retrieval
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-13 13:25:43 -04:00
Max Ehrlich
110a9443e8
Stubs for acmedns and its test
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-08-13 13:25:43 -04:00
jetstack-bot
abfbb36a48
Merge pull request #825 from ocadotechnology/820-plumb-dns-servers-more
fix: plumb dns servers into more areas
2018-08-13 17:48:30 +01:00
stuart.warren
4f80dca9d5
fix: plumb dns servers into more areas
Fixes #820
Signed-off-by: stuart.warren <stuart.warren@ocado.com>
2018-08-13 16:21:37 +01:00
James Munnelly
813996b07d
Update third_party files with skip license headers
Signed-off-by: James Munnelly <james.munnelly@jetstack.io>
2018-08-13 16:06:07 +01:00
James Munnelly
51195e4c5f
Update license header and add header to every file
Signed-off-by: James Munnelly <james.munnelly@jetstack.io>
2018-08-13 15:53:37 +01:00
jetstack-bot
7d581d60c2
Merge pull request #816 from kragniz/catch-dns-error
Catch and return dns query error in DNS01Record
2018-08-10 12:16:03 +01:00
Louis Taylor
cc9a18a872
Handle error cases
2018-08-10 11:12:15 +01:00
jetstack-bot
d0002f6c71
Merge pull request #811 from jetstack/selfsigned-ca-bundle
Don't bundle the CA certificate when selfsigned
2018-08-10 11:07:12 +01:00
Louis Taylor
69f6a234c7
Catch and return dns query error in DNS01Record
2018-08-10 11:04:48 +01:00
James Munnelly
2110aacc3b
Don't bundle the CA certificate when selfsigned
2018-08-09 16:32:10 +01:00
James Munnelly
c169a1ffc1
Catch edge case where the CN and DNSNames on a Certificate have been reordered
2018-08-08 20:19:16 +01:00
James Munnelly
503186c2d2
Add unit test for PublicKeyMatchesCertificate
2018-08-08 13:39:34 +01:00
James Munnelly
0dd3155fb2
Add logic to handle ready vs valid ACME orders
2018-08-08 13:39:34 +01:00
James Munnelly
1ed6855bde
Expose GetCertificate function
2018-08-08 13:39:30 +01:00
James Munnelly
fa0bc9998e
Add RenewBeforeDuration option to controller context
2018-08-08 13:34:30 +01:00
James Munnelly
071d1c6c88
Fix resourceNamespace
2018-08-07 16:13:46 +01:00
James Munnelly
3781c2d1be
Update references to resourceNamespace
2018-08-07 16:13:46 +01:00
James Munnelly
3a69dd1cbf
Update unit test fixture to produce mock Contexts
2018-08-07 16:13:46 +01:00
James Munnelly
38c62357f7
Update ACME issuer for new context
2018-08-07 16:13:46 +01:00
James Munnelly
f4170cbbf0
Update http01 challenge solver
2018-08-07 16:13:46 +01:00
James Munnelly
370a7a1460
Update DNS01 solver
2018-08-07 16:13:46 +01:00
James Munnelly
2fcbee05b7
Update ACME issuer
2018-08-07 16:13:46 +01:00
James Munnelly
e9285c6bdb
Update selfsigned issuer
2018-08-07 16:13:46 +01:00
James Munnelly
3f325d1659
Update CA issuer
2018-08-07 16:13:46 +01:00
James Munnelly
7ee345f88c
Update Vault issuer
2018-08-07 16:13:46 +01:00
James Munnelly
a46774fe44
Update Issuers controller
2018-08-07 16:13:46 +01:00
James Munnelly
59880abd43
Update ClusterIssuer controller
2018-08-07 16:13:46 +01:00
James Munnelly
9cc07eefe5
Update Certificate controller
2018-08-07 16:13:46 +01:00
James Munnelly
61a27d3b6c
Update validation to use consts moved into pkg/controller
2018-08-07 16:13:46 +01:00
James Munnelly
9dc20d3c35
Remove dedicated issuer context and move issuer registration into controller pkg
2018-08-07 16:13:46 +01:00
James Munnelly
36f9f356cd
Refactor ACME client construction into dedicated ACME package
2018-08-07 15:22:53 +01:00
James Munnelly
7346240830
Update codebase for refactored API type names
2018-08-07 14:16:53 +01:00
James Munnelly
3e95b9410c
Update generated files
2018-08-07 14:16:49 +01:00
James Munnelly
f46f99a1cb
Rename API types (keeping API surface identical)
2018-08-07 14:08:31 +01:00
James Munnelly
29eb04adfe
Move API types into separate files
2018-08-07 11:48:38 +01:00
James Munnelly
fcf812c654
Add OWNERS files to auto-label PRs. Mark apis directory as requiring a review by @munnerz.
2018-07-26 13:01:58 +01:00
jetstack-bot
317e6e829c
Merge pull request #761 from kragniz/runtime-validation
Add base of issuer-specific validation to certificates at runtime
2018-07-26 11:20:29 +01:00
Louis Taylor
791488e2ed
Better test coverage
2018-07-26 10:50:28 +01:00
James Munnelly
686e9159e5
Wait for ACME Orders to be in 'ready' state before attempting finalization
2018-07-25 18:05:45 +01:00
Louis Taylor
474c8ed27f
Add extra testcase
2018-07-25 17:41:05 +01:00
Louis Taylor
db5383051e
Remove duplicated check
2018-07-25 15:55:19 +01:00
Louis Taylor
c5cf376c5e
Run ValidateCertificateForIssuer during sync
2018-07-25 15:45:37 +01:00
Louis Taylor
d23bad8c2f
nameForIssuer -> NameForIssuer
2018-07-25 15:45:13 +01:00
Louis Taylor
aa60a41591
Add tests
2018-07-25 15:44:25 +01:00
Louis Taylor
cdae8cbce8
Add base issuer validation
2018-07-25 15:44:06 +01:00
Louis Taylor
bcf135c7ae
clouddns: use fqdn for challenge cleanup
This is the same as the problem fixed in #750, but for cleanup.
2018-07-22 20:17:11 +01:00
jetstack-bot
398e1560a3
Merge pull request #670 from gurvindersingh/master
add CNAME support for dns-01 challenge
2018-07-20 19:36:06 +01:00
jetstack-bot
b15a18be98
Merge pull request #746 from euank/route53-invalid-change-batch
issuer/route53: fix delete for 'NotExist' errors
2018-07-20 18:36:59 +01:00
Euan Kemp
ea84532a5c
issuer/route53: log ignored InvalidChangeBatch err
2018-07-20 10:10:02 -07:00
Louis Taylor
082f815773
clouddns: find hosted zone for challenge record
Previously this would fail if you use a CNAME for the _acme-challenge
record.
2018-07-20 16:53:12 +01:00
Euan Kemp
15d497b4ca
issuer/route53: fix delete for 'NotExist' errors
Fixes #736.
Prior to this change, it was quite possible to end up with a queue of
cleanup tasks that would never succeed.
2018-07-19 10:20:27 -07:00
jetstack-bot
6348c6ffca
Merge pull request #722 from autonomic-ai/support-ec-keys
Add keyAlgorithm and keySize fields to Certificates, and support ECDSA keys
2018-07-18 10:00:36 +01:00
Afolabi Badmos
445e522432
Add support for EC keys
- This PR adds two fields to CertificateSpec:
- `keyAlgorithm`, denotes which algorithm to use when generating
a private key. Can be either `rsa` or `ecdsa`. When not set, the
default algorithm used `rsa`.
- `keySize`, denotes the key size of the private key being generated.
For `rsa`, minimum key size is 2048 and maximum is 8192.
For `ecdsa`, sizes 224, 256, 384 & 521 are supported.
See https://golang.org/pkg/crypto/elliptic
- `keySize` can be set without being explicit about `keyAlgorithm`.
- If `keySize` is specified and `keyAlgorithm` is not provided, `rsa` will
be used as the key algorithm.
- `keyAlgorithm` can be set without being explicit about `keySize`.
- If `keyAlgorithm` is specified and `keySize` is not provided, key size
key size of `256` will be used for `ecdsa` key algorithm and
key size of `2048` will be used for `rsa` key algorithm.
- helper functions in `pki` package now return crypto.PrivateKey
2018-07-17 12:42:07 -04:00
Louis Taylor
969c4530a0
Add Contains util function
2018-07-12 10:27:05 +01:00
jetstack-bot
a162a5bb8e
Merge pull request #612 from vdesjardins/custom-approle-path
Vault: configurable appRole authentication path
2018-07-11 17:53:33 +01:00
jetstack-bot
c08cd80730
Merge pull request #622 from munnerz/istio-annotation
Add auth.istio.io annotation to ACME HTTP01 service
2018-07-11 17:18:33 +01:00
Vincent Desjardins
7fae0fccf1
code review fixes
2018-07-11 16:00:39 +00:00
Vincent Desjardins
ca3b909cb7
code review modifications
2018-07-11 16:00:39 +00:00
Vincent Desjardins
2995cc90a3
Vault: configurable appRole authentication path
2018-07-11 16:00:39 +00:00
jetstack-bot
bd7f15d5f4
Merge pull request #710 from kragniz/dns-flag
Add flag for setting nameservers for DNS01 check
2018-07-11 14:26:33 +01:00
jetstack-bot
1c167c302d
Merge pull request #720 from zegl/route53-managed-by-certmanager
route53: update managed by DNS record comment
2018-07-11 13:37:49 +01:00
Gustav Westling
641b497242
route53: update managed by DNS record comment
2018-07-08 12:09:00 +02:00
Louis Taylor
d60f4b447e
Apply cert name label to created secrets
2018-07-06 18:02:13 +01:00
jetstack-bot
c48a38ae17
Merge pull request #644 from munnerz/ref-docs
Add script for generating reference docs
2018-07-05 15:12:41 +01:00
James Munnelly
2014183a57
Add script for generating reference docs
2018-07-05 14:47:32 +01:00
Louis Taylor
cbc61ef7f9
Fix tests
2018-07-05 12:41:33 +01:00
Louis Taylor
3eaca6a318
Add flag for custom dns01 nameservers
2018-07-05 12:40:53 +01:00
James Munnelly
d61838d901
Prevent panics in v1alpha1 helpers.go
2018-07-05 11:43:19 +01:00
André Cruz
936e2b98ee
Support the new "ready" order status
2018-07-03 15:31:14 +01:00
jetstack-bot
e7a2a0c618
Merge pull request #686 from kragniz/acme-config-update
Update spec.acme.config field when ingress changes
2018-06-29 10:11:06 +01:00
James Munnelly
86685369aa
Add test for a non-acme certificate being appropriately updated
2018-06-29 09:46:04 +01:00
Louis Taylor
25311a57c5
Add better check for nil spec.acme
2018-06-27 14:37:53 +01:00
Louis Taylor
bc9181a925
Update spec.acme.config field when ingress changes
Fixes #619.
2018-06-27 10:52:00 +01:00
James Munnelly
c55e7661b2
Add unit tests for resource validation
2018-06-26 14:59:48 +01:00
James Munnelly
951b72bba0
Add basic resource validation at start of sync loops
2018-06-26 14:59:48 +01:00
James Munnelly
bbb65baa38
Run go fmt
2018-06-26 01:24:52 +01:00
Guilherme Blanco
8d69e1e811
Added annotation to pod to prevent istio-sidecar-injector from adding an envoy-proxy
2018-06-26 01:24:52 +01:00
James Munnelly
65b6ae2643
Add auth.istio.io annotation to ACME HTTP01 service
2018-06-26 01:24:52 +01:00
jetstack-bot
7ef053cf3e
Merge pull request #667 from euank/scheduler-mock
pkg/scheduler: fix minor race; use mocks in scheduler tests
2018-06-25 20:37:29 +01:00
Euan Kemp
b7d4470f81
pkg/scheduler: fix minor race
While unlikely, it was possible before for the scheduler to race in such
a way that concurrent 'Add' calls would result in "leaking" a timer,
thus making an unstoppable invocation of that event.
This includes a test which fails without the small bugfix in
scheduler.go
2018-06-25 12:01:51 -07:00
James Munnelly
fe5e748170
Don't return invalid/expired orders in shouldAttemptValidation
2018-06-25 10:46:10 +01:00
Gurvinder Singh
bfde429b8e
add CNAME support for dns-01 challenge
The domain for which a certificate is requested can have a CNAME, so we should check it.
If the domain has a CNAME, create the challenge TXT record in the alias domain.
This is useful in the scenario where a company like us is using some DNS provider
which is not supported dynamically. We can then create a CNAME for records like
_acme-challenge.example.com -> example.aws.hosted.com
So this will allow us to get a cert for *.example.com by creating a TXT record in route53 for the above example.
2018-06-21 21:48:16 +02:00
Euan Kemp
bb1fe81834
pkg/scheduler: use mock timer for tests
This speeds up the unit tests from taking about 12s to taking around
.01s
2018-06-19 17:48:16 -07:00
James Munnelly
592bfc7edc
issuers: Skip triggering API update if status has not changed
2018-06-18 01:55:45 +01:00
jetstack-bot
61729fb96a
Merge pull request #637 from munnerz/selfsigned
Add self signed Issuer type
2018-06-15 14:31:33 +01:00
jetstack-bot
cb107f3b89
Merge pull request #652 from euank/r53-owner
issuer/dns/route53: add myself as owner
2018-06-14 12:32:36 +01:00
jetstack-bot
12d603f511
Merge pull request #629 from groner/check-acme-issuer-challenge-type
Check the acme issuer has the challenge type configured.
2018-06-14 11:54:37 +01:00
Euan Kemp
27b5e49732
issuer/dns/route53: add myself as owner
2018-06-12 18:32:49 -07:00
jetstack-bot
df4b493b38
Merge pull request #582 from ThatWasBrilliant/master
FindZoneByFqdn fixes from lego
2018-06-12 16:25:41 +01:00
James Munnelly
00e558a9e7
Fix package naming
2018-06-08 17:49:26 +01:00
James Munnelly
0c05e15024
Run hack/update-codegen.sh
2018-06-08 15:48:30 +01:00
James Munnelly
6cfdc62f6b
Add self signed Issuer type
2018-06-08 15:48:30 +01:00
James Munnelly
1fd8cdf13e
Create common GenerateCSR and GenerateTemplate methods for creating Certificate/CertificateRequest
2018-06-08 15:15:27 +01:00
Kai Groner
b7a8c4c623
Check the acme issuer has the challenge type configured.
2018-06-06 10:19:22 -04:00
jetstack-bot
3cafdd9401
Merge pull request #598 from euank/log-namespaces
issuer/acme/*: log namespaces for resources
2018-06-06 09:52:53 +01:00
jetstack-bot
c61f392163
Merge pull request #555 from paultiplady/debug/gcloud-errors
Improve logs for CloudDNS service account errors
2018-06-06 01:40:39 +01:00
Euan Kemp
a09e9037de
issuer/acme/http: log namespaces for resources
It's useful to know what namespace is being operated on, so log
namespaces all over the place!
2018-05-30 20:10:17 -07:00
Euan Kemp
09a5846412
issuer/acme/http: remove unused test code
¯\_(ツ)_/¯
2018-05-30 20:03:00 -07:00
Euan Kemp
36b57ba475
issuer/acme/dns: log namespace for secret errors
If we can't find the secret, the user should probably also know what
namespace we looked in.
xref #540 for a case where this might help with debugging
2018-05-30 20:00:21 -07:00
Euan Kemp
910a9e8859
issuer/acme/dns: remove redundant 'Error' calls
2018-05-30 19:57:44 -07:00
jetstack-bot
e51edb398e
Merge pull request #587 from vdesjardins/fix-vault-panic-on-sealed
vault: fix panic when vault is sealed or uninitialized
2018-05-29 12:13:15 +01:00
Vincent Desjardins
37db332b46
vault: fix panic when vault is sealed or uninitialized
2018-05-29 01:36:00 +00:00
Anders Petersson
6d5b199d74
Fixed a typo in error msg.
2018-05-27 19:52:05 +02:00
Brian Hardy
e52aefb34a
FindZoneByFqdn fixes from lego
2018-05-25 14:00:29 -05:00
Paul Tiplady
1089667ceb
Make CloudDNS service account errors debuggable
Improve logging in the case where the Service Account Secret is
loaded, but the Key is not found.
Previous behaviour was to fail without giving much help as to
why.
New behaviour confirms the key name and namespace/secret-name.
FIXES: 539
2018-05-11 08:56:09 -07:00
Krzysztof Nazarewski
dfe0a5ebd4
typo fix
2018-05-10 12:49:48 +02:00
jetstack-bot
0bb19e9453
Merge pull request #546 from munnerz/cloudflare-idempotent
Update Cloudflare provider to be idempotent when calling Present
2018-05-09 16:18:19 +01:00
James Munnelly
707a113870
Update Cloudflare provider to be idempotent when calling Present
2018-05-09 14:45:11 +01:00
jetstack-bot
8d1cad422e
Merge pull request #545 from munnerz/acme-v01-warning
Set Issuer ready condition to false if ACMEv1 endpoints are used
2018-05-09 14:40:19 +01:00
James Munnelly
3fc74f7f86
Set Issuer ready condition to false if ACMEv1 endpoints are used
2018-05-09 14:17:20 +01:00
jetstack-bot
f78feb6e68
Merge pull request #530 from vdesjardins/fix-vault-approle
rename fields in Vault appRole credentials
2018-05-09 14:15:19 +01:00
James Munnelly
a597c02701
Fix panic in shouldAttemptValidation
2018-05-09 12:11:41 +01:00
Vincent Desjardins
b256e02a98
rename fields in Vault appRole credentials
2018-05-03 03:30:43 +00:00
Vincent Desjardins
b35343786e
Vault issuer support
vault remove duration
2018-05-02 00:45:55 +00:00
James Munnelly
e2a2e32e28
Fix ingress-shim tests
2018-04-26 12:44:41 +01:00
James Munnelly
fdb8f2bf40
Link ingress-shim into main controller binary
2018-04-26 12:44:40 +01:00
James Munnelly
944ed571fc
Ensure challenge list gets updated after attempting authzs
2018-04-25 19:02:15 +01:00
James Munnelly
50a4bcfde2
Perform full validation flow for each challenge before checking next one
2018-04-25 19:02:15 +01:00
James Munnelly
d573e30878
Only perform one validation per identifier for a single order at a time
2018-04-25 19:02:15 +01:00
James Munnelly
4be42080eb
Add ACMESolverConfigurationForAuthorization test
2018-04-25 18:17:01 +01:00
James Munnelly
c6e6b39fd2
Require asterisk-denoted wildcard in acme solver config for wildcard certs
2018-04-25 17:34:21 +01:00
Tim
54067d5446
Add Key Encipherment bit to Key Usage extension
Google Chrome rejects the certificate for SSL connections if the Key Usage extension does not include the keyEncipherment purpose.
2018-04-17 16:25:10 -07:00
James Munnelly
5679f6257f
Fix up self check failure error message
2018-04-12 19:31:29 +01:00
James Munnelly
611f1f3e0d
Absorb HTTP client errors in acme http self check
2018-04-12 19:00:24 +01:00
James Munnelly
acd927dd41
Use rate limiter when queueing (Cluster)Issuers
2018-04-12 16:51:02 +01:00
James Munnelly
0a960d46b2
Fix bug in issue method preventing cert issuance
2018-04-12 16:50:03 +01:00
James Munnelly
1975c524b9
Call AddRateLimited in QueuingEventHandler
2018-04-12 15:23:27 +01:00
James Munnelly
70dde521a1
Set status conditions on validation success. Call WaitOrder instead of GetOrder in issue.
2018-04-11 23:30:54 +01:00
James Munnelly
336d01ac4a
Update dns util tests
2018-04-11 19:39:36 +01:00
James Munnelly
ef51483cbc
Merge pull request #5 from redbaron/acmev2-upstream
Fixes for ACME client http transport
2018-04-11 14:30:28 +01:00
James Munnelly
4a79203633
Run gofmt
2018-04-11 13:22:10 +01:00
James Munnelly
967499331e
Merge pull request #6 from redbaron/errors-format-fix
Fix error formatting
2018-04-11 13:18:45 +01:00
Maxim Ivanov
c44a7552ea
Check challenge before presenting it
With async challenge Check, it often happens
that solver.Check() fails on the first run after solver.Present().
Cert-manager then tries again, but starts with solver.Present(),
which, not being idempotent right now, fails on certain DNS providers.
This change swaps the order of solver.Check() and solver.Present().
Check does not return an error if propagation has not happened; it then
allows Present() to run.
In the current form, Present() will be spamming errors,
but this doesn't stop Check from happening on every attempt,
so eventually the Challenge can be verified and accepted. In the future,
Present() should be made idempotent.
2018-04-11 11:27:23 +01:00
Maxim Ivanov
8cbb75f9ba
Fix error formatting
2018-04-10 15:46:43 +01:00
James Munnelly
43373cd766
Adjust exponential backoff base value
2018-04-10 01:50:44 +01:00
James Munnelly
b9813b13db
Requeue Certificate if target secret is deleted
2018-04-10 01:31:09 +01:00
James Munnelly
add2c76923
Don't trigger resync if ingresses or secrets change
2018-04-10 01:27:18 +01:00
James Munnelly
c05d255675
Use AddRateLimited for the scheduled work queue
2018-04-10 01:05:37 +01:00
James Munnelly
ce441d604f
Enable DNS01 provider tests using cloudflare
2018-04-10 00:27:52 +01:00
James Munnelly
857420fbd3
Use adler32 hash for acme http01 resource labels
2018-04-09 23:27:16 +01:00
James Munnelly
c83b479b2f
Remove extra CreateOrder event
2018-04-09 21:29:31 +01:00
James Munnelly
1d52cbeec7
Remove unused strings and standardise event reasons
2018-04-09 21:26:38 +01:00
James Munnelly
d197817fa7
Improve error reporting and use of status conditions
2018-04-09 21:17:51 +01:00
James Munnelly
e8e6785e9a
Immediately create a new order if old one has expired
2018-04-09 20:08:18 +01:00
James Munnelly
1485546ed5
Clear ACME order URL if FinalizeOrder fails with 4xx error
2018-04-09 20:02:26 +01:00
James Munnelly
9aa3bb52a3
Fix invalid json tags
2018-04-09 19:44:16 +01:00
James Munnelly
801d882c4b
Only manually remove challenges on successful validation
2018-04-09 19:29:02 +01:00
James Munnelly
8f2bab6f05
Fix infinite loop in logger middleware
2018-04-09 19:09:46 +01:00
James Munnelly
5a434865ad
Add acme client logger middleware
2018-04-09 19:06:41 +01:00
James Munnelly
47465d645b
Use item based exponential backoff rate limiter
2018-04-09 18:33:36 +01:00
James Munnelly
ae3b4836b5
Clean up successful validations. Fix up failed validation handling.
2018-04-09 18:16:02 +01:00
James Munnelly
99d7a7b99a
Fix ACME DNS provider unit tests
2018-04-09 17:57:33 +01:00
Maxim Ivanov
bd84b7c29c
Make acme client transport closer to DefaultTransport
Helps with things such as HTTP_PROXY env var handling
2018-04-09 17:46:29 +01:00
James Munnelly
32cab11676
Fix rebase issues
2018-04-09 17:18:34 +01:00
James Munnelly
6f974ee5ad
Run hack/update-codegen.sh
2018-04-09 17:17:01 +01:00
James Munnelly
b934852775
Merge branch 'master' into acmev2
2018-04-09 16:52:34 +01:00
James Munnelly
f1b3b4b962
Update CA issuer with changes to UpdateStatusCondition
2018-04-09 15:43:26 +01:00
James Munnelly
4b361348ef
Rewrite ACME issuer to use new ACMEOrderChallenge struct
2018-04-09 15:40:32 +01:00
James Munnelly
d3706ae33c
Add ACMEOrderChallenge struct
2018-04-09 15:39:43 +01:00
James Munnelly
3bde815cf2
Update DNS and HTTP provider to use challenge structs
2018-04-09 15:38:43 +01:00
jetstack-bot
9021767cb7
Merge pull request #432 from euank/jetstack/user-agent
Plumb a user-agent through pretty much everywhere
2018-04-09 11:14:31 +01:00
jetstack-bot
8d80bb7492
Merge pull request #433 from kragniz/remove-namespace-flag
Remove --namespace flag
2018-04-09 11:14:25 +01:00
Euan Kemp
6b4e33a483
util/useragent: use more verbose version
2018-04-06 18:09:52 -07:00
Euan Kemp
4e5a2d1646
issuer/dns/route53: append our user-agent
2018-04-06 18:09:17 -07:00
Euan Kemp
9c3b4e83b4
pkg/util/kube: set user-agent
This should make it slightly easier to filter api-server logs for
cert-manager activity
2018-04-06 18:09:17 -07:00
Euan Kemp
4d9b0e836e
issuer/dns/akamai: set user-agent
2018-04-06 18:09:17 -07:00
Euan Kemp
34391f0726
issuer/dns/cloudflare: set user-agent
2018-04-06 18:09:17 -07:00
Euan Kemp
f122c9c9c2
issuer/acme: add a timeout to the http client
2018-04-06 18:09:17 -07:00
Euan Kemp
7f12fb346c
issuer/acme: move 'user-agent' logic to util
This logic should be shared by things like the aws client as well.
2018-04-06 18:09:11 -07:00
Louis Taylor
0961e24174
Remove namespace from more places
2018-04-06 11:20:24 +01:00
jetstack-bot
7f04c1cd6e
Merge pull request #388 from kragniz/secret-annotations
Annotate created secrets with cert information
2018-04-06 10:44:28 +01:00
James Munnelly
76f9f14357
Add TODO about cleaning up old authorization attempts
2018-04-05 00:17:03 +01:00
James Munnelly
838be2f54d
Add getOrCreateOrder tests
2018-04-04 23:41:14 +01:00
James Munnelly
178a3a5eea
Fix up bugs in unit testing framework
2018-04-04 23:40:44 +01:00
James Munnelly
b866b8cdf4
Fix bug in EqualUnsorted when comparing lists of the same length
2018-04-04 23:40:08 +01:00
James Munnelly
8d3c2f2b25
Create 'getOrCreateOrder' function
2018-04-04 23:39:34 +01:00
James Munnelly
fde0a0010c
Add missing GetOrder function to FakeACME
2018-04-04 23:38:19 +01:00
James Munnelly
211c60b449
Fix panic when an error occurs while creating an order
2018-04-04 23:38:03 +01:00
James Munnelly
f2ddd1d111
Change DNSNames/CommonNameForCertificate function to not return an error
2018-04-04 23:37:37 +01:00
jetstack-bot
acfc2f78d1
Merge pull request #322 from yieldlab/akamai-support
Add ACME DNS-01 provider for Akamai FastDNS
2018-04-04 18:26:22 +01:00
James Munnelly
6f71a8de57
Update comments
2018-04-04 18:16:01 +01:00
James Munnelly
7e663971fd
Fix typo
2018-04-04 17:39:11 +01:00
James Munnelly
e87ff94458
Fix import paths and use util.AppVersion for user agent version
2018-04-04 12:42:21 +01:00
James Munnelly
798a07b0c8
Set a custom User-Agent on acme client
2018-04-04 12:39:44 +01:00
James Munnelly
da0d45e3f4
Use DialContext in ACMEClient round tripper
2018-04-04 12:30:33 +01:00
James Munnelly
bd58bd8bc6
Fix acme test fixture
2018-04-04 11:32:06 +01:00
James Munnelly
b0e65f84c7
Add TODO for domain label values
2018-04-04 11:30:15 +01:00
James Munnelly
01efbca114
Merge branch 'master' into acmev2
2018-04-04 11:27:37 +01:00
Jacob Hoffman-Andrews
8baac71058
Add a meaningful User-Agent.
2018-03-30 14:18:38 -07:00
jetstack-bot
95883c47dd
Merge pull request #363 from euank/nonstatic-aws-creds
Allow non-static AWS credentials for Route 53, gated by "ambient credentials" flags
2018-03-26 12:35:18 +01:00
jetstack-bot
977b038d2b
Merge pull request #408 from kragniz/resource-limits
Add limits to http validation pod
2018-03-26 10:47:51 +01:00
Euan Kemp
faac0701ab
issuer/route53: respect 'ambient' flag for region
This notably results in the region being a required field if the
'ambient' option is not set for a given issuer.
2018-03-24 14:16:33 -07:00
Louis Taylor
e8d6861d31
Increase memory limits
2018-03-24 00:24:51 +00:00
Euan Kemp
dd48f4aa05
issuer/acme/dns: add ambient=false unit test
2018-03-23 14:30:43 -07:00
Euan Kemp
971ef4f198
issuer/route53: remove unused integ test
I'm convinced this test was never run and also did not provide any
significant value in this project.
2018-03-23 14:30:43 -07:00
Euan Kemp
0d39da5174
issuer/route53: improve logging hosted zone errs
2018-03-23 14:30:43 -07:00
Euan Kemp
0fb787eae7
controller: add ambient issuer flags and feature
This implements ambient credential support for AWS, gated behind flags
for issuers and cluster issuers.
This adds the pair of flags discussed in
https://github.com/jetstack/cert-manager/issues/308.
It provides an implementation for those flag's effects for the route53
solver.
2018-03-23 14:30:43 -07:00
Euan Kemp
0e6ca80a70
issuer/route53: remove zone-id env test
The zone id is never read from the environment; this test tests
functionality which doesn't exist in the actual software, so there's no
point in having it.
2018-03-23 14:30:43 -07:00
Matt Moyer
14c109af46
Drop unused NewDNSProvider() method.
Signed-off-by: Matt Moyer <moyer@heptio.com>
2018-03-23 14:30:42 -07:00
Matt Moyer
1236a93d1e
Allow non-static AWS credentials for Route 53.
...
This change maintains backwards compatibility, but makes the `accessKeyID` and `secretAccessKeySecretRef` fields of the `route53` DNS provider optional.
If not provided, AWS credentials will be loaded from `AWS_*` environment variables or the EC2 metadata service.
This should also work for things that impersonate the EC2 metadata service, such as [kube2iam](https://github.com/jtblin/kube2iam) and [kail](https://github.com/uswitch/kiam).
Signed-off-by: Matt Moyer <moyer@heptio.com>
2018-03-23 14:30:42 -07:00
James Munnelly
e786e47d73
Add ensurePod and ensureService tests
2018-03-23 18:50:46 +00:00
James Munnelly
0d945e86f5
Add 5s acme client connect timeout
2018-03-23 18:50:46 +00:00
James Munnelly
8d48e75d6e
Use GetAccount to check if acme account is already registered
2018-03-23 18:50:46 +00:00
James Munnelly
e91dfc40af
Fix ACME CSR generation
2018-03-23 18:50:46 +00:00
James Munnelly
cb042e886f
Fix buildOrder function
2018-03-23 18:50:46 +00:00
James Munnelly
8ad26f6378
Fix log message print formatting
2018-03-23 18:50:46 +00:00
James Munnelly
d4b07ab0bb
Add log messages throughout ACME Present process
2018-03-23 18:50:46 +00:00
James Munnelly
8eaf63cf29
Fix testReachability
2018-03-23 18:50:46 +00:00
James Munnelly
9cb346313c
Fix panic in http solver
2018-03-23 18:50:46 +00:00
James Munnelly
02f1b37caf
Add correct HasSynced func
2018-03-23 18:50:46 +00:00
James Munnelly
649fdecdd2
Add comment explaining new HasSynced usages
2018-03-23 18:50:46 +00:00
James Munnelly
0a7cefecf4
Call Pod & Service lister HasSynced method in Cert controller construction
2018-03-23 18:50:46 +00:00
James Munnelly
06f9d6e40d
Fix listing existing pods/services/ingresses in http solver
2018-03-23 18:50:46 +00:00
James Munnelly
e10affd765
Add comments to test fixture
2018-03-23 18:50:46 +00:00
James Munnelly
48edcd2f96
Run gofmt
2018-03-23 18:50:45 +00:00
James Munnelly
bf3570af0d
Add OwnerReferences to HTTP solver resources
2018-03-23 18:50:45 +00:00
James Munnelly
cfc11f324b
Fix bugs in http challenge solver
2018-03-23 18:50:45 +00:00
James Munnelly
36c825fa48
Set order.URL in createOrder
2018-03-23 18:50:45 +00:00
James Munnelly
d617bec346
Don't use order URL as a pod label. Cleanup existing resources if multiple exist.
2018-03-23 18:50:45 +00:00
James Munnelly
393e146543
Fix arguments to ensureIngress
2018-03-23 18:50:45 +00:00
James Munnelly
c9dfd408b7
Run gofmt
2018-03-23 18:50:45 +00:00
James Munnelly
42c5599305
Rename integration test framework to unit
2018-03-23 18:50:45 +00:00
James Munnelly
0a0747dac7
Move OrderURL into OrderStatus struct and fix up http solver
2018-03-23 18:50:45 +00:00
James Munnelly
7a44cb3e0e
Make HTTP challenge solver async
2018-03-23 18:50:45 +00:00
James Munnelly
de59fc70ee
Add pick challenge type unit test
2018-03-23 18:50:45 +00:00
James Munnelly
eccc3d5a8e
Change log level of useful messages
2018-03-23 18:50:45 +00:00
James Munnelly
d0d30a0fc2
Disable check for acme account being valid
2018-03-23 18:50:45 +00:00
James Munnelly
e25f832033
Replace calls to acme.GetAccount with acme.CreateAccount
2018-03-23 18:50:45 +00:00
James Munnelly
13e2584ff3
Log events when creating orders
2018-03-23 18:50:45 +00:00
James Munnelly
8de002a697
Never overwrite an acme private key
2018-03-23 18:50:45 +00:00
James Munnelly
8542e1c3a4
Use order finalize url when finalizing
2018-03-23 18:50:45 +00:00
James Munnelly
058387cd44
Fix bug causing skipTLSVerify to be ignored during acme registration
2018-03-23 18:50:45 +00:00
James Munnelly
599fa90f57
Agree to terms of service when registering acme account
2018-03-23 18:50:45 +00:00
James Munnelly
a2ad31c849
Fix acme http test and remove old acme prepare test
2018-03-23 18:50:45 +00:00
James Munnelly
23f694cf0d
Add skipTLSVerify field to ACME issuer spec
2018-03-23 18:50:45 +00:00
James Munnelly
32b6e9cbef
Fix http_test.go
2018-03-23 18:50:44 +00:00
James Munnelly
0de2866e33
Add OrderURL api field
2018-03-23 18:50:44 +00:00
James Munnelly
7dc50cdea6
Rewrite acme issuer for acme v2
2018-03-23 18:50:44 +00:00
James Munnelly
34ae73615b
Run hack/update-codegen.sh
2018-03-23 18:30:49 +00:00
Louis Taylor
d6c7244028
Add limits to http validation pod
2018-03-23 16:30:34 +00:00
Louis Taylor
545bd9104a
Add comment
2018-03-23 12:21:37 +00:00
Euan Kemp
78b1b8d69d
issuer/acme/dns: refactor provider construction
...
Previously, each provider's package-level 'New' function was being
called.
That made mocking it out for a different function that records data or
returns different output quite difficult.
This PR introduces an additional layer of abstraction in the form of
effectively a vtable struct for the dns providers. It's defaulted to the
same package-level constructors as before, but unit tests in the dns
package can easily override it.
A new test for the previously-introduced route53 trimming behavior is
also added.
2018-03-14 01:25:15 -07:00
Euan Kemp
8aefbb1470
Trim aws credentials for acme dns route53 provider
...
AWS credentials don't contain whitespace, and it's very easy to
accidentally include spaces or newlines at the end of secrets.
2018-03-14 01:09:25 -07:00
Louis Taylor
1669611908
Use defaulting functions
...
And also move annotation keys to v1alpha1
2018-03-12 21:06:23 +00:00
Louis Taylor
f6210c12c6
Annotate created secrets with cert information
2018-03-12 15:06:50 +00:00
jetstack-ci-bot
ce9e5ede2b
Merge pull request #351 from jonboulle/master
...
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md
Fix various typos in spelling of Certificate
2018-03-12 10:14:09 +00:00
Adarsh J
c4a93bcff5
Use Google's DNS IPs instead of domain
...
If /etc/resolv.conf does not have any entries, then it's unlikely
that the domain name representation of google's DNS would get
resolved either. Hence using IP addresses directly makes sense.
2018-02-28 02:06:02 +05:30
Jonathan Boulle
526d31bbc0
Fix various typos in spelling of Certificate
2018-02-26 20:07:06 +01:00
jetstack-ci-bot
7533e0e329
Merge pull request #332 from munnerz/err-prefixed-events
...
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md
Rename Event types to be prefixed 'Err' instead of 'Error' for brevity
**What this PR does / why we need it**:
Shortens the event type names we use to be prefixed 'Err' instead of 'Error'
**Special notes for your reviewer**:
This brings us in-line with the issuer and cluster issuer controllers, and other controllers in Kubernetes.
**Release note**:
```release-note
Rename Event types to be prefixed 'Err' instead of 'Error' for brevity
```
2018-02-22 10:21:22 +00:00
Tom Wieczorek
f681f5a6b1
Add ACME DNS-01 provider for Akamai FastDNS
2018-02-22 09:50:11 +01:00
James Munnelly
ce0384a196
Rename Event types to be prefixed 'Err' instead of 'Error' for brevity
2018-02-22 07:53:51 +00:00
James Munnelly
70e7c5265b
Make existing TLS certificate check emit a Normal event instead of Warning when the existing certificate is invalid
2018-02-22 07:48:58 +00:00
jetstack-ci-bot
058a259f7a
Merge pull request #321 from twz123/fix-log-warning
...
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md
Log potential errors while waiting for DNS record propagation
**What this PR does / why we need it**:
This helps debugging, e.g. if there are network problems.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
2018-02-21 13:39:28 +00:00
jetstack-ci-bot
b18acf1d7e
Merge pull request #246 from mwieczorek/azure-dns
...
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md
Added Azure DNS support for DNS01 challenge
**What this PR does / why we need it**:
Adds another provider (Azure DNS) for DNS01 challenge
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #230
**Special notes for your reviewer**:
**Release note**:
```release-note
ACME DNS-01 challenge mechanism for Azure DNS
```
2018-02-21 13:20:30 +00:00
Tom Wieczorek
822500c439
Log potential errors while waiting for DNS record propagation
...
This helps debugging, e.g. if there are network problems.
2018-02-21 10:19:36 +01:00
William Johansson
6ff1746898
Bundle the CA public key in issued certificate
...
If the CA used is only an intermediate CA, and the root CA is trusted by
the client, the client needs help verifying the certificate chain.
2018-02-18 21:28:22 +01:00