Lots of new users don't realize:
(a) They need to create an Issuer/ClusterIssuer themselves
(b) They need to tell `ingress-shim` the name via `extra-args`
(Ideally the `helm` would create a ClusterIssuer for you by default, and set these options, if you specify an email address to use with LE.)
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).
Verify helm chart version is bumped when a chart is changed
**What this PR does / why we need it**:
Verifies that the Helm chart version is bumped when a file in the chart is changed.
**Release note**:
```release-note
NONE
```
Document the minimum necessary permissions for using cert-manager with Route53
**What this PR does / why we need it**: Necessary permissions previously not documented.
**Release note**:
```release-note
Document the minimum necessary permissions for using cert-manager with Route53
```
Use Google's DNS IPs instead of domain
**What this PR does / why we need it**:
If /etc/resolv.conf does not have any entries, then it's unlikely
that the domain name representation of Google's DNS would get
resolved too. Hence using IP address directly makes sense.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #360
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Remove old deployment manifests. Update RBAC disable advice.
**What this PR does / why we need it**:
Since #352 merged, we now use the k/charts chart in the deployment guide. This PR updates our deploying docs to reflect the options on the upstream k/charts chart.
It also removes some old and unused deployment files to reduce confusion for new users.
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/assign
Update guides to use official Charts repository
**What this PR does / why we need it**:
Updates docs to use Chart from kubernetes/charts in the installation/migration guides. This makes it less confusing which Chart to use. There was a short discussion about this with @ahmetb and @munnerz on Slack https://kubernetes.slack.com/archives/C4NV3DWUC/p1519675336000598
**Which issue this PR fixes**
No issue filed.
**Special notes for your reviewer**:
None.
**Release note**:
```release-note
NONE
```
docs: fix value name that disables rbac
**What this PR does / why we need it**:
Proper documentation for deploying cert-manager for k8s clusters without rbac enabled (happens to be the default for cdk on localhost).
**Which issue this PR fixes**
No issue per se, a follow-up on #256.
Add Endpoints back into the cert-manager RBAC policy
**What this PR does / why we need it**:
Adds permission to CRUD Endpoints resources back into the cert-manager RBAC role. This is to prevent deployments using the 'master' version of the Helm chart failing when deploying a pre-0.3 (unreleased) release of cert-manager.
We will remove this in 0.4. This is in order to reduce friction for new users if they forget/decide not to use a tagged release of the Helm chart.
**Release note**:
```release-note
NONE
```
/cc @davecheney @mikebryant
Set default cluster resource namespace to current pod namespace
**What this PR does / why we need it**:
Changes the default cluster resource namespace from kube-system to the current namespace of the cert-manager deployment.
**Which issue this PR fixes**: fixes #103
**Release note**:
```release-note
Supporting resources for ClusterIssuer's (e.g. signing CA certificates, or ACME account private keys) will now be stored in the same namespace as cert-manager, instead of kube-system in previous versions. Action required: you will need to ensure to properly manually migrate these referenced resources across into the deployment namespace of cert-manager, else cert-manager may not be able to find account private keys or signing CA certificates.
```
/cc @mikebryant
Create a Namespace resource as part of the static manifest bundle
**What this PR does / why we need it**:
Create a Namespace resource as part of the static deployment manifests bundle, to make it easier for users to deploy cert-manager without a Helm chart
**Release note**:
```release-note
NONE
```
/cc @davecheney @wallrj
Update default deployment namespace to be 'cert-manager'
**What this PR does / why we need it**:
Previously, our deployment manifests deployed into the 'default' namespace. This changes them to deploy into 'cert-manager' instead.
**Release note**:
```release-note
The static deployment manifests now automatically deploy into the 'cert-manager' namespace by default
```
Rename Event types to be prefixed 'Err' instead of 'Error' for brevity
**What this PR does / why we need it**:
Shortens the event type names we use to be prefixed 'Err' instead of 'Error'
**Special notes for your reviewer**:
This brings us in-line with the issuer and cluster issuer controllers, and other controllers in Kubernetes.
**Release note**:
```release-note
Rename Event types to be prefixed 'Err' instead of 'Error' for brevity
```
Make existing TLS certificate check emit a Normal event instead of Warning when the existing certificate is invalid
**What this PR does / why we need it**:
Previously, when requesting a certificate for the first time, the following events are logged:
```
Warning ErrorCheckCertificate 1m cert-manager-controller Error checking existing TLS certificate: secret "httpbin" not found
Normal PrepareCertificate 1m cert-manager-controller Preparing certificate with issuer
```
This has caused confusion for users when they see a Warning/Error being logged. This PR changes that to be:
```
Normal ErrorCheckCertificate 1m cert-manager-controller Error checking existing TLS certificate, will re-issue: secret "httpbin" not found
Normal PrepareCertificate 1m cert-manager-controller Preparing certificate with issuer
```
**Release note**:
```release-note
Clearer event logging when issuing a certificate for the first time
```
Add default shortNames to certificates CRD
Defaults to `[cert, certs]` and is configurable with `certificateCRDShortNames` parameter.
**What this PR does / why we need it**:
Simplifies manual certificate management with kubectl.
Fixes #311
**Special notes for your reviewer**:
Instead of a boolean switch do/don't include the shortNames, the value defines the aliases. This may be handy if anybody prefers `[crt, crts]` instead.
I'm not too keen on the `certificateCRDShortNames` variable name. It might be better to use `Resource` instead of `CRD` to be consistent with the `createCustomResource` var.
Other CRDs are probably ok without an alias, but other people's workflows may differ. Should these also be configurable? In that case, the variables could be `shortNames: {certificates: [], …}`.
**Release note**:
```release-note
Add Certificate CRD shortnames `cert` and `certs`. This is configurable in the Helm Chart with `certificateResourceShortNames`.
```
fix: Use ConfigMaps for leaderelection
**What this PR does / why we need it**:
Use ConfigMaps for leader election. Improves scalability by not modifying Endpoints, which are watched by kube-proxy.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #293
**Special notes for your reviewer**:
**Release note**:
```release-note
action required: Before upgrading, scale the cert-manager Deployment to 0, to avoid two controllers attempting to operate on the same resources
```
Check the value of the tls-acme annotation, not just its existence
**What this PR does / why we need it**: Previously the ingress-shim would sync an Ingress resource if it simply contained the `kubernetes.io/tls-acme` annotation, regardless of the value; now it will only do so if the annotation value is truthy (e.g., "true", "t", "1", and so forth).
**Special notes for your reviewer**: This could probably be done in a way that doesn't disrupt the function's aesthetics so much. Open to all suggestions.
**Release note**:
```release-note
ingress-shim will only sync Ingress resources with `kubernetes.io/tls-acme` annotation if the value of that annotation is true.
```
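The presence-versus-value distinction this PR describes, as an added Go example that is not cert-manager's own code: `shouldSyncLegacy` models the old presence-only check and `shouldSync` the corrected one. Using `strconv.ParseBool` as the truthiness rule is this example's assumption, and the annotation sets are constructed here.

```go
package main

import "strconv"

// tlsACMEAnnotation is the Ingress annotation ingress-shim looks for.
const tlsACMEAnnotation = "kubernetes.io/tls-acme"

// shouldSyncLegacy models the behaviour before the change: the annotation's
// presence alone triggered issuance, so an explicit "false" was ignored.
func shouldSyncLegacy(annotations map[string]string) bool {
	_, present := annotations[tlsACMEAnnotation]
	return present
}

// shouldSync models the corrected check: the value itself must be truthy.
// strconv.ParseBool is an assumption of this example; it accepts "1", "t",
// "T", "true", "TRUE", "True" and rejects anything else (including "").
func shouldSync(annotations map[string]string) bool {
	v, present := annotations[tlsACMEAnnotation]
	if !present {
		return false
	}
	b, err := strconv.ParseBool(v)
	return err == nil && b
}

// Constructed sample annotation sets, in a fixed order so results are stable.
var sampleOrder = []string{"absent", "true", "one", "false", "empty", "yes"}
var samples = map[string]map[string]string{
	"absent": {},
	"true":   {tlsACMEAnnotation: "true"},
	"one":    {tlsACMEAnnotation: "1"},
	"false":  {tlsACMEAnnotation: "false"},
	"empty":  {tlsACMEAnnotation: ""},
	"yes":    {tlsACMEAnnotation: "yes"},
}

// Differences returns the sample labels where the legacy and corrected checks
// disagree, i.e. the Ingresses the old code would have issued for by mistake.
func Differences() []string {
	var out []string
	for _, label := range sampleOrder {
		if shouldSyncLegacy(samples[label]) != shouldSync(samples[label]) {
			out = append(out, label)
		}
	}
	return out
}
```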
Install Helm during .gitlab-ci.yml release build
Install Helm during .gitlab-ci.yml script
(in future, this file will go away altogether once we have set up a 'trusted' build cluster to push releases)
**Release note**:
```release-note
NONE
```
/assign
Log potential errors while waiting for DNS record propagation
**What this PR does / why we need it**:
This helps debugging, e.g. if there are network problems.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Added Azure DNS support for DNS01 challenge
**What this PR does / why we need it**:
Adds another provider (Azure DNS) for DNS01 challenge
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #230
**Special notes for your reviewer**:
**Release note**:
```release-note
ACME DNS-01 challenge mechanism for Azure DNS
```
Bundle the CA public key in issued certificate
**What this PR does / why we need it**:
If the CA used is only an intermediate CA, and the root CA is trusted by the client, the client needs help verifying the certificate chain.
This also makes the CA present in the certificate even if it's the root CA.
**Which issue this PR fixes**:
Trusting certs issued by intermediate CAs used by cert-manager.
**Special notes for your reviewer**:
I have tested this locally with my own intermediate CA used by cert-manager, issued by my own root CA trusted by my macOS client. The whole certificate chain is now presented in the browser.
The idea to just append the certificates is based on cfssl's mkbundle:
https://github.com/cloudflare/cfssl/blob/1.3.0/cmd/mkbundle/mkbundle.go#L97
**Release note**:
```release-note
CA Issuer: bundle CA certificate with issued certificates
```
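Why appending the issuing CA to the issued certificate matters, as an added Go example that is not cert-manager's code: it builds a constructed root, intermediate and leaf, serves the leaf PEM with and without the intermediate appended after it, and checks whether a client that trusts only the root can verify the chain. The names (`root.test`, `intermediate.test`, `example.test`), the Ed25519 keys and the helper functions are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// tmpl builds a minimal template (constructed values); the SAN is what the
// client checks on the leaf, and IsCA marks root and intermediate as signers.
func tmpl(cn string, serial int64, ca bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: ca, DNSNames: []string{cn}}
}

// sign issues t under parent (self-signed when parent is nil) and returns the
// parsed certificate together with the fresh Ed25519 key generated for it.
func sign(t, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// ChainVerifies builds root -> intermediate -> leaf, serves the leaf PEM bare or with
// the intermediate appended after it (the PR's bundling), and reports whether a
// client that trusts only the root can validate the chain for "example.test".
func ChainVerifies(bundleIntermediate bool) bool {
	root, rootKey := sign(tmpl("root.test", 1, true), nil, nil)
	inter, interKey := sign(tmpl("intermediate.test", 2, true), root, rootKey)
	leaf, _ := sign(tmpl("example.test", 3, false), inter, interKey)
	served := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leaf.Raw})
	if bundleIntermediate {
		served = append(served, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: inter.Raw})...)
	}
	// Client side: the first PEM block is the leaf; every block after it is an intermediate.
	_, rest := pem.Decode(served)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AppendCertsFromPEM(rest)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "example.test", Roots: roots, Intermediates: inters})
	return err == nil
}
```

Without the bundled intermediate the client sees an unknown issuer and rejects the leaf; with it appended, the chain back to the trusted root completes.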
Ensure certificate is valid for given domains during e2e tests
**What this PR does / why we need it**:
Updates our e2e tests to ensure the certificate being tested is valid for the domains requested on the certificate under test
**Release note**:
```release-note
NONE
```