note that cert-manager is not actually vulnerable to CVE-2022-23471
since the affected code is not used
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Makes sure that when an unlabelled Secret is encountered at any point (even outside issuance) it will be labelled
Signed-off-by: irbekrm <irbekrm@gmail.com>
cainjector will still watch cluster-scoped resources such as CRDs, so it can get references to Secrets or Certificates in namespaces that are out of scope
Signed-off-by: irbekrm <irbekrm@gmail.com>
Ensures that when cainjector has the namespace flag passed, namespaced resource caching is scoped to that namespace
Signed-off-by: irbekrm <irbekrm@gmail.com>
since the acmesolver image has defaults (i.e. the repository is set by
default[1]), the helm chart changes introduced in #5554 will always set
the `--acme-http01-solver-image` parameter.
This can break users who previously had this parameter set via the
extraArgs Helm option, which was found and reported on Slack[2].
This commit moves the new Helm value added in #5554 above extraArgs,
so that if extraArgs is set it will take precedence and nothing should
change as users upgrade.
[1] a5d67d3a21/deploy/charts/cert-manager/values.yaml (L504-L516)
[2] https://kubernetes.slack.com/archives/CDEQJ0Q8M/p1672925692339849
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
See https://github.com/cert-manager/cert-manager/issues/5601
When referring to external issuers whose kind is not "Issuer" or
"ClusterIssuer" we log an error message thanks to a new check added in
a previous PR[1] which should only trigger for SelfSigned issuers.
The error previously looked like:
```text
"error"="invalid value \"x\" for issuerRef.kind. Must
be empty, \"Issuer\" or \"ClusterIssuer\""
```
After this PR, any CR with an issuer whose group or kind doesn't
match what's expected for a built-in issuer will be skipped
https://github.com/cert-manager/cert-manager/pull/5336
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
WIP: test other issuer kinds
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Due to a bug in controller-gen[1] certain paths are incorrectly split
and part of these paths can be interpreted as a numeric literal, which
will cause controller-gen to fail. We observe this as occasional test
flakes in the "verify-crds" target, when the tmpdir starts with a zero,
such as in "/tmp/tmp.0PFqFSHBID"
This commit attempts to avoid this bug by specifying a template for the
tmpdir we generate when verifying CRDs which doesn't include any "."
characters, which seem to be being split incorrectly.
[1] https://github.com/kubernetes-sigs/controller-tools/issues/734
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
cert-manager was not able to retry failed TPP certificates due to the
fact that TPP will not reset a given certificate that has a failed
enrollment status from a previous enrollment. More specifically,
cert-manager was getting stuck with either:
WebSDK CertRequest Module Requested Certificate
or
This certificate cannot be processed while it is in an error state.
Fix any errors, and then click Retry.
With vcert v4.23.0, a call to "reset" is made when one of these two
messages are found while polling for the certificate (i.e., while
calling vcert's RetrieveCertificate function).
Signed-off-by: Maël Valais <mael@vls.dev>
