Commit Graph

8145 Commits

Author SHA1 Message Date
Richard Wall
a2ca3c714f Enable verbose logging in startupapicheck by default
So that if it fails, users can know exactly what caused the failure.

Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-11-17 09:09:41 +00:00
jetstack-bot
c4aa1ec50b
Merge pull request #6486 from jeremycampbell-okta/caissuers-extension
Add x509 v3 CA Issuers Extension
2023-11-17 09:06:46 +01:00
Jeremy Campbell
dc876fef16
Add x509 v3 CA Issuers Extension
Signed-off-by: Jeremy Campbell <jeremy.campbell@okta.com>
2023-11-16 12:45:16 -06:00
jetstack-bot
b0ed333413
Merge pull request #6459 from shlomitubul/master
feat(helm) Add support for PodMonitor
2023-11-16 14:45:00 +01:00
jetstack-bot
b4c3b313d4
Merge pull request #6488 from wallrj/increase-default-webhook-timeout
Increase the default webhook timeout to its maximum value of 30 seconds
2023-11-16 11:44:00 +01:00
jetstack-bot
8c7615f896
Merge pull request #6490 from inteon/fix_cve_alert
Bump docker to fix cve alert
2023-11-16 09:46:00 +01:00
Tim Ramlot
aa23a7e973
bump docker to fix cve alert
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-11-15 22:29:04 +01:00
Richard Wall
a0e5afc0f4 Increase the webhook timeout to its maximum value
Users sometimes report that the connection between the K8S API server and the
cert-manager webhook server times out.

But the error message is often only "context deadline exceeded",
which doesn't help the user know what phase of the HTTPS connection timed out.

It could be during DNS resolution, TCP connection, TLS negotiation, HTTP channel
negotiation, or slow HTTP response from the webhook server.

So this change increases the context timeout to its maximum value
so that the underlying timeout error message has more chance of being returned to the end user.

Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-11-15 17:54:43 +00:00
jetstack-bot
3938a8c2c1
Merge pull request #6487 from inteon/fix_cve_alert
Fix CVE alert
2023-11-15 15:34:08 +01:00
Tim Ramlot
c953e48b7e
fix CVE alert
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-11-15 15:04:59 +01:00
jetstack-bot
6fddbe538f
Merge pull request #6433 from vinny-sabatini/issue-5782
fix error message when setting up vault issuer
2023-11-14 16:30:01 +01:00
jetstack-bot
ac88b3e330
Merge pull request #6479 from SgtCoDFish/distroless
Use explicit debian version for base images
2023-11-14 16:20:01 +01:00
jetstack-bot
943cbfdfda
Merge pull request #6477 from SgtCoDFish/bumpcerts
Regenerate hardcoded certs
2023-11-14 15:44:31 +01:00
Ashley Davis
f7937c7372
Use explicit debian version for base images
Fixes #6478

Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
2023-11-14 14:30:45 +00:00
Ashley Davis
96e081fbd3
regenerate hardcoded certs
fixes #6476

Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
2023-11-14 13:26:24 +00:00
jetstack-bot
d2f6bbe579
Merge pull request #6028 from inteon/fix_scheme_errors
Stop using global runtime.Scheme variables
2023-11-06 22:57:09 +01:00
Tim Ramlot
4c94f3ef10
create ad-hoc schemes instead of sharing global ones
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-11-06 21:58:24 +01:00
jetstack-bot
7373e1f386
Merge pull request #6467 from inteon/cainjector_cleanup
cainjector: Use controller-runtime manager to manage goroutine instead of errorgroup.
2023-11-05 21:05:59 +01:00
Tim Ramlot
80e3960f91
Use controller-runtime manager instead of errorgroup.
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-11-02 13:29:05 +01:00
jetstack-bot
5141dddf2c
Merge pull request #6462 from wallrj/policy-compliant-acme-solver-pod
Ensure ACME solver Pod complies with Pod Security Standards
2023-10-31 17:01:21 +01:00
Richard Wall
80896bce36 Update documentation of the Kyverno policies Kustomization file
Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-10-31 15:44:10 +00:00
Richard Wall
9b5dd86084 Configure HTTP01 solver Pod with readOnlyRootFilesystem
Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-10-31 14:47:24 +00:00
Richard Wall
c8640908e7 Apply Kyverno policies to E2E test namespaces too
By using ClusterPolicy with exclusion rules for the namespaces of non-compliant E2E test tools.

Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-10-31 14:11:41 +00:00
jetstack-bot
2f6e9f484b
Merge pull request #6461 from wallrj/run-as-non-root
Remove redundant / misleading runAsNonRoot examples from values.yaml
2023-10-31 13:46:20 +01:00
Richard Wall
8eb547d9cb Remove redundant / misleading runAsNonRoot examples from values.yaml
`runAsNonRoot` is already set to true in the *Pod*SecurityContext,
so there isn't really any reason to set it at the Container SecurityContext too.

Having it in the example values.yaml file gives the misleading impression that
runAsNonRoot is not the default.

 * https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#podsecuritycontext-v1-core

Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-10-31 11:08:54 +00:00
jetstack-bot
32418051c3
Merge pull request #6460 from erikgb/helm-ca-injector-feature-gates
feat(helm): allow configuration of cainjector feature gates
2023-10-31 11:39:20 +01:00
jetstack-bot
dd3fe1fe02
Merge pull request #6453 from wallrj/read-only-root-filesystem
Enable readOnlyRootFilesystem by default
2023-10-31 11:27:20 +01:00
Richard Wall
6d206795c7 Enable readOnlyRootFilesystem by default
Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-10-31 09:55:23 +00:00
Erik Godding Boye
af3e88c6da
feat(helm): allow configuration of cainjector feature gates
Signed-off-by: Erik Godding Boye <egboye@gmail.com>
2023-10-31 10:54:17 +01:00
ShlomiTubul
0a16c4ecd2 feat(helm) Add support for PodMonitor
Signed-off-by: ShlomiTubul <shlomi.tubul@placer.ai>
2023-10-30 22:38:09 +02:00
jetstack-bot
a8813c5f43
Merge pull request #6452 from wallrj/upgrade-bestpractice-values-url
Use latest version of the best-practice Helm values
2023-10-30 14:50:41 +01:00
Richard Wall
9dfb7c3ecf Enable readOnlyRootFilesystem policy in Kyverno
Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-10-27 16:03:17 +01:00
Richard Wall
c3a8144da8 Update the Kyverno policy file
Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-10-27 15:58:11 +01:00
Richard Wall
2264de13f3 Use latest version of the bestpractice Helm values
Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-10-27 14:33:47 +01:00
Ashley Davis
16e70c57cd
Merge pull request #6449 from inteon/bump_grpc
Bump gRPC library version to fix CVE alert
2023-10-27 14:02:48 +01:00
Tim Ramlot
d756311b2e
bump grpc library version to fix CVE alert
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-10-27 13:14:02 +02:00
jetstack-bot
6554815469
Merge pull request #6447 from wallrj/fix-kindest-image-digests
Fix kindest image digests
2023-10-26 17:46:03 +02:00
Richard Wall
1329c71f27 Add a dedicated rule for kindest node
And explain why

Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-10-26 16:00:18 +01:00
Richard Wall
c08e34cab1 ./hack/latest-kind-images.sh
Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-10-26 14:43:11 +01:00
Richard Wall
c8801e997a Use the official multi-arch digest for K8S 1.28 on Kind 0.20.0
https://github.com/kubernetes-sigs/kind/releases/tag/v0.20.0

Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-10-26 14:34:04 +01:00
jetstack-bot
446f133690
Merge pull request #6440 from wallrj/fix-image-digest-check
Fix image checksum validation and upgrade ingress NGINX to demonstrate the problem
2023-10-24 18:40:30 +02:00
Vinny Sabatini
d15e55a16c
Update pkg/issuer/vault/setup.go
Co-authored-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Signed-off-by: Vinny Sabatini <vincent.sabatini@gmail.com>
2023-10-24 09:52:52 -05:00
Richard Wall
4d2a227794 Remove the multi-arch variant
Because it was also broken and was being supplied with digests of
single-architecture images rather than multi-arch manifests

Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-10-24 14:52:10 +01:00
Richard Wall
c34bddace7 Update ingress-nginx image checksums
Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-10-24 14:19:30 +01:00
jetstack-bot
d660f5b20c
Merge pull request #6439 from wallrj/sample-external-issuer-0.4.0
Use sample-external-issuer v0.4.0
2023-10-24 14:56:30 +02:00
Richard Wall
5db745b103 Fix the digest check for single-arch images
Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-10-24 13:52:50 +01:00
Richard Wall
ecada9c30f Upgrade ingress NGINX
Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-10-24 13:16:13 +01:00
Richard Wall
a1164b9c4f Use sample-external-issuer v0.4.0
Signed-off-by: Richard Wall <richard.wall@venafi.com>
2023-10-24 11:16:35 +01:00
jetstack-bot
04056f7bf6
Merge pull request #6435 from ABWassim/fix/templating-config-controllers
fix(helm): templating of required value in controller and webhook configmaps
2023-10-23 10:00:16 +02:00
ABWassim
5ab8a6b71c fix(helm): templating of required value in controller and webhook configmaps
Signed-off-by: ABWassim <wassim.belkacem99@gmail.com>
2023-10-23 09:23:51 +02:00