weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
8,326 Commits 45 Branches 0 Tags 96 MiB
968cefe02f
Commit Graph

892 Commits

Author SHA1 Message Date
Tim Ramlot
9e2c6ae08a
run 'make update-crds' 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-01-03 16:18:35 +01:00
Tim Ramlot
41404a7fd7
rename UseCertificateRequestNameConstraints to NameConstraints 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-01-03 15:49:18 +01:00
jetstack-bot
cc8925ae9f
Merge pull request #6404 from SpectralHiss/hef/otherNameSANs 
Other name sans support in Certificates
 2024-01-03 14:16:23 +00:00
jetstack-bot
4af78fe98a
Merge pull request #6548 from snorwin/modern-pkcs12 
New option to specify encryption and MAC algorithms for PKCS#12 keystores.
 2024-01-03 12:54:22 +00:00
Tim Ramlot
8223df9e91
rename Algorithms to Profile 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-01-03 13:45:02 +01:00
jetstack-bot
9b90f50be8
Merge pull request #6549 from SgtCoDFish/standalone-apicheck 
Add separate startupapicheck binary
 2024-01-03 11:12:22 +00:00
Tim Ramlot
646a0698b6
undo docs change 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-01-03 10:56:18 +01:00
Tim Ramlot
2882d4a0c7
make fix more general (eg. support levels > 5) 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-01-03 10:52:59 +01:00
ChrisDevo
449fb81595
Fix comment about allowed logLevel values (see: pkg/logs/logs.go#L44-49) 
Signed-off-by: ChrisDevo <chris.devine@berkeley.edu>
 2024-01-03 10:39:02 +01:00
ChrisDevo
519197b511
Improve parsing of helm global.logLevel (only accept integers 0-5, inclusive) 
Signed-off-by: ChrisDevo <chris.devine@berkeley.edu>
 2024-01-03 10:39:02 +01:00
Ashley Davis
b3b14fda41
add separate startupapicheck binary 
Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
 2024-01-02 17:17:50 +00:00
dylanhitt
751ca52626 docs: declare updated kube version in artifact hub doc 
Signed-off-by: Dylan Hitt <dylan.hitt1@gmail.com>
 2023-12-28 22:44:46 -05:00
Tim Ramlot
24794feac0
update API comments 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-12-20 11:26:52 +01:00
SpectralHiss
e7f29f8bb3 UTF8Value -> utf8Value in CRD JSON schema 
* Still following Go standard with UTF8Value for struct field name

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2023-12-20 08:30:54 +00:00
SpectralHiss
c87a2f6691 Add early feedback validation for otherName syntax and tests 
* Fixed warning

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2023-12-19 20:02:02 +00:00
Adam Talbot
247a034116 feat: update gateway api to v1 
Signed-off-by: Adam Talbot <adam.talbot@venafi.com>
 2023-12-18 21:00:42 +00:00
Norwin Schnyder
ebf58b9967 apply PR feedback 
Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>
 2023-12-15 10:52:57 +01:00
SpectralHiss
4bdee5f010 Rename otherNameSANs to otherNames 
* Improve the CRD godoc comments

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2023-12-13 16:21:56 +00:00
Norwin Schnyder
b8ad8a3704 apply PR feedback 
Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>
 2023-12-13 12:00:39 +00:00
Tim Ramlot
721f71ed60 Refactor the solution 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-12-13 09:37:21 +00:00
Tim Ramlot
bfd9a65160 Add OtherNameSANs field to Certificates 
* Added an otherName SAN extension mechanism
* Can take any otherName OID with String (UTF-8) like value
* cf [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280) p 37 for
  more info
* otherName is only a subset of GeneralName, our specific need for for
  UserPrincipalName used in Microsoft AD/ LDAP
* We treat UPN special but we might remove this in a later commit

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2023-12-13 09:12:23 +00:00
Norwin Schnyder
b79e73f484 fix controller-gen errors 
Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>
 2023-12-12 18:25:15 +01:00
Norwin Schnyder
c583278ce8 generate manifests 
Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>
 2023-12-12 14:27:41 +00:00
tanujd11
28ca4312b3 fix: additional review comments 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:30:31 +05:30
tanujd11
84d7dd4aed Addressed review comments 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:30:31 +05:30
tanujd11
d1b3e5ca83 Move critical from NameConstraintItem to NameConstraint and remove validateNameConstraints 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:30:29 +05:30
tanujd11
50d84c1bbc nits: added new line at EOF and comment fix 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:27:42 +05:30
tanujd11
589030dec1 feature: added name constraints 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:27:31 +05:30
Avi Sharma
c72fc28773 Fix controller feautregates config in helm 
Signed-off-by: Avi Sharma <avi.08.sh@gmail.com>
 2023-11-17 21:38:44 +05:30
Richard Wall
a2ca3c714f Enable verbose logging in startupapicheck by default 
So that if it fails, users can know exactly what caused the failure.

Signed-off-by: Richard Wall <richard.wall@venafi.com>
 2023-11-17 09:09:41 +00:00
Jeremy Campbell
dc876fef16
Add x509 v3 CA Issuers Extension 
Signed-off-by: Jeremy Campbell <jeremy.campbell@okta.com>
 2023-11-16 12:45:16 -06:00
jetstack-bot
b0ed333413
Merge pull request #6459 from shlomitubul/master 
feat(helm) Add support for PodMonitor
 2023-11-16 14:45:00 +01:00
Richard Wall
a0e5afc0f4 Increase the webhook timeout to its maximum value 
Users sometimes report that the connection between the K8S API server and the
cert-manager webhook server times out.

But the error message is often only "context deadline exceeded",
which doesn't help the user know what phase of the HTTPS connection timed out.

It could be during DNS resolution, TCP connection, TLS negotiation, HTTP channel
negotiation, or slow HTTP response from the webhook server.

So this change increases the context timeout to its maximum value
so that the underlying timeout error message has more chance of being returned to the end user.

Signed-off-by: Richard Wall <richard.wall@venafi.com>
 2023-11-15 17:54:43 +00:00
Richard Wall
8eb547d9cb Remove redundant / misleading runAsNonRoot examples from values.yaml 
`runAsNonRoot` is already set to true in the *Pod*SecurityContext,
so there isn't really any reason to set it at the Container SecurityContext too.

Having it in the example values.yaml file gives the misleading impression that
runAsNonRoot is not the default.

 * https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#podsecuritycontext-v1-core

Signed-off-by: Richard Wall <richard.wall@venafi.com>
 2023-10-31 11:08:54 +00:00
jetstack-bot
32418051c3
Merge pull request #6460 from erikgb/helm-ca-injector-feature-gates 
feat(helm): allow configuration of cainjector feature gates
 2023-10-31 11:39:20 +01:00
Richard Wall
6d206795c7 Enable readOnlyRootFilesystem by default 
Signed-off-by: Richard Wall <richard.wall@venafi.com>
 2023-10-31 09:55:23 +00:00
Erik Godding Boye
af3e88c6da
feat(helm): allow configuration of cainjector feature gates 
Signed-off-by: Erik Godding Boye <egboye@gmail.com>
 2023-10-31 10:54:17 +01:00
ShlomiTubul
0a16c4ecd2 feat(helm) Add support for PodMonitor 
Signed-off-by: ShlomiTubul <shlomi.tubul@placer.ai>
 2023-10-30 22:38:09 +02:00
ABWassim
5ab8a6b71c fix(helm): templating of required value in controller and webhook configmaps 
Signed-off-by: ABWassim <wassim.belkacem99@gmail.com>
 2023-10-23 09:23:51 +02:00
Zois Pagoulatos
c4986a93c8
Fix typo in values.yml 
Affinty -> Affinity

Signed-off-by: Zois Pagoulatos <zpagoulatos@hotmail.com>
 2023-10-14 16:10:07 +02:00
Ashley Davis
c56a2fb8a1
Merge pull request #6345 from inteon/config_cainjector 
Introduce config file for cainjector options
 2023-10-05 13:44:47 +01:00
Arin
5235391917 closes #6346 
Signed-off-by: Arin <136636751+asapekia@users.noreply.github.com>
 2023-10-01 00:04:37 +05:30
Tim Ramlot
919f809325
add config option in Helm chart 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-09-28 12:56:11 +02:00
jetstack-bot
8aafddb974
Merge pull request #6328 from inteon/add_clock_health 
Add health probe that detects skew between system clock and monotonic go process clock
 2023-09-27 11:37:11 +02:00
jetstack-bot
8c0462bc35
Merge pull request #6360 from ABWassim/helm-improvement-webhook-configmap 
improvement(helm): fixed empty webhook configmap + refactored
 2023-09-25 20:18:47 +02:00
ABWassim
16191e6bcc improvement(helm): fixed empty webhook configmap + refactored 
Signed-off-by: ABWassim <wassim.belkacem99@gmail.com>
 2023-09-25 16:54:13 +02:00
ABWassim
77fcb7d2a6 improvement(helm): fixed empty controller configmap + refactored 
Signed-off-by: ABWassim <wassim.belkacem99@gmail.com>
 2023-09-25 12:09:18 +02:00
Tim Ramlot
5d876c5b91
improvements based on PR feedback 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-09-20 18:23:13 +02:00
jetstack-bot
666e073040
Merge pull request #6330 from inteon/helm_image_options 
HELM: add options for configuring image
 2023-09-19 19:06:48 +02:00
Tim Ramlot
8d75a003e9
add health probe that detects skew between 'real' system clock and 'monotonic' internal clock 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-09-14 13:55:44 +02:00