Richard Wall
ee8c1cf738
Remove finalizer duties from the scheduling function and update and expand the tests
...
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2022-04-27 10:34:22 +01:00
Richard Wall
dd4fe97928
Set the finalizer as part of the Challenge Sync function
...
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2022-04-27 10:34:22 +01:00
irbekrm
ccdb30e16b
Cleanup
...
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-04-20 12:26:35 +01:00
irbekrm
cb0c8ba3e3
Log Venafi API calls
...
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-04-20 10:32:02 +01:00
irbekrm
99edfcfbfc
Adds Venafi metrics
...
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-04-20 08:48:41 +01:00
Ashley Davis
76cdab0c82
remove pkg/util/coverage
...
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-04-08 16:56:24 +01:00
lonelyCZ
53d8a07397
Add a unit test for challenges reScheduler
...
Signed-off-by: lonelyCZ <531187475@qq.com>
2022-04-08 14:35:41 +08:00
lonelyCZ
57a6d931a1
Fix the error is reported to null when it happens
...
Signed-off-by: lonelyCZ <531187475@qq.com>
2022-04-07 16:10:14 +08:00
irbekrm
0f74fc10fb
Removes unnecessary check for finalizer diff in challenge sync
...
No changes are made to finalizers in this function
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-04-01 11:53:44 +01:00
irbekrm
9a9ca2006a
Adds a challenge finalizer in challenges controller
...
This was previously applied in orders controller, which was causing issues when trying to remove it in challenges controller via server side apply
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-04-01 11:53:44 +01:00
joshvanl
82c068f0fd
Updates ACME challenge controllers to use apply
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-04-01 11:53:44 +01:00
jetstack-bot
86ad9962a3
Merge pull request #4967 from maelvls/gwapi-v1alpha2-optional-labels
...
Gateway API: with v1alpha2, the labels have become optional
2022-03-30 15:11:33 +01:00
jetstack-bot
00938dfa4c
Merge pull request #3605 from mikebryant/3601-default-nodeselector-linux
...
fix: Set default nodeSelector to linux
2022-03-30 13:38:33 +01:00
Jake Sanders
b72db63761
Change label description for HTTP-01 Gateway API solver and fix tests
...
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2022-03-30 12:52:34 +01:00
jetstack-bot
e2266d7a8b
Merge pull request #4987 from wikimedia/issue-4956
...
Add controller_requeue_count metric
2022-03-29 19:53:53 +01:00
jayme-github
63e3b7a0a8
Add controller_sync_error_count metric
...
Introducing a new metric controller_sync_error_count counting the
number of errors during sync() of a controller.
This adds more visibility to potential issues ranging from things like
connection problems to the API or webhooks to possible hard errors.
For context, please see #4956
Signed-off-by: Janis Meybohm <jmeybohm@wikimedia.org>
2022-03-29 16:02:49 +02:00
joshvanl
6ee59fb9e8
Wires up new post issuance checks for issuing controller
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-03-29 13:54:27 +01:00
jetstack-bot
bfcc204c2b
Merge pull request #4811 from JoshVanL/controllers-server-side-apply-certificates-shim
...
Server Side Apply: Adds support for certificate-shim controllers to use SSA with Feature Gate
2022-03-28 14:33:31 +01:00
jetstack-bot
e116d416f3
Merge pull request #4799 from JoshVanL/controllers-server-side-apply-orders
...
Server Side Apply: Adds support for Order controllers to use SSA with Feature Gate
2022-03-28 13:11:31 +01:00
joshvanl
c1c2d2d081
Add roundtrip test to Certificate serializing. Add field manager to
...
certificates-shim Create API call
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-03-28 12:40:29 +01:00
joshvanl
9d0b2590a8
Optionally Apply certificates, instead of update, in certificate-shim
...
when Server-Side apply is enabled
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-03-28 12:40:28 +01:00
jetstack-bot
c30cfa1610
Merge pull request #4973 from irbekrm/restrict_duration
...
Enforce minimum value of experimental.cert-manager.io/request-duration to 600s
2022-03-28 12:34:31 +01:00
jetstack-bot
d8fee10ad8
Merge pull request #4962 from fvlaicu/fix-route53-dns-challenge
...
Route53 challenges: upsert records instead of create
2022-03-23 17:29:20 +00:00
irbekrm
2656cc18c3
Fix test failures
...
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-23 09:57:34 +00:00
irbekrm
09d8cb9cf8
Adds some more test cases
...
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-23 09:20:21 +00:00
irbekrm
661abb133f
Set CSR as failed if annotation duration is not a valid time
...
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-22 18:04:21 +00:00
irbekrm
d384aef754
Enforce minimum value of experimental.cert-manager.io/request-duration to 600s
...
To ensure compatibility with CSR's spec.expirationSeconds
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-22 18:04:21 +00:00
jetstack-bot
0631806082
Merge pull request #4974 from irbekrm/fix_csr_events
...
Use client-go scheme with core types added as event recorder scheme
2022-03-22 17:49:51 +00:00
irbekrm
a5ed48a324
Adds a unit test for certificatesigningrequests sync function
...
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-22 15:09:33 +00:00
jetstack-bot
dc24503939
Merge pull request #4958 from irbekrm/tsig_provider
...
Use our own implementation of miekg/dns.TsigProvider interface
2022-03-22 12:18:51 +00:00
jetstack-bot
be15ce2279
Merge pull request #4953 from ajvn/feature/allow-privilege-escalation
...
update: Setting allowPrivilegeEscalation to false
2022-03-22 11:01:47 +00:00
irbekrm
cec0a6cde8
Use client-go scheme with core types added as event recorder scheme
...
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-22 09:47:46 +00:00
jetstack-bot
ca32961253
Merge pull request #4772 from irbekrm/exp_backoff
...
Exponential backoff for retrying failed certificate issuances
2022-03-21 20:31:23 +00:00
Maël Valais
4b3af946db
gateway-api: with v1alpha2, the labels have become optional
...
Previously, in v1alpha1, an HTTPRoute was matched to a Gateway using
the label selectors present on the Gateways. For example, with the
following Gateway:
    apiVersion: networking.x-k8s.io/v1alpha1
    kind: Gateway
    metadata:
      name: acmesolver
    spec:
      listeners:
      - protocol: HTTP
        port: 80
        routes:
          kind: HTTPRoute
          selector:
            matchLabels:
              app: foo
you would have to use the following labels on the HTTPRoute in order to
get the above Gateway to be used:
    apiVersion: networking.x-k8s.io/v1alpha1
    kind: HTTPRoute
    metadata:
      labels:
        app: foo
With v1alpha2, the label selectors have been dropped. Instead, the
HTTPRoute has to give a direct reference to the Gateway:
    apiVersion: gateway.networking.k8s.io/v1alpha2
    kind: HTTPRoute
    spec:
      parentRefs:
      - kind: Gateway
        name: acmesolver
        namespace: traefik
This means that the "labels" field on the gatewayHTTPRoute solver is now
optional:
    apiVersion: cert-manager.io/v1
    kind: Issuer
    spec:
      acme:
        solvers:
        - http01:
            gatewayHTTPRoute:
              labels:       | This field is
                app: test   | now optional.
              parentRefs:
              - kind: Gateway
                name: acmesolver
Signed-off-by: Maël Valais <mael@vls.dev>
2022-03-21 17:39:10 +01:00
Monis Khan
2a33c7a5c2
Use Kubernetes CSR spec.expirationSeconds to express cert duration
...
This change adds the ability to express certificate duration using
the Kubernetes CSR spec.expirationSeconds field alongside the existing
approach of using the experimental.cert-manager.io/request-duration
annotation. Both approaches are supported as the expirationSeconds
field requires Kubernetes v1.22+.
Signed-off-by: Monis Khan <mok@vmware.com>
2022-03-21 09:40:32 -04:00
irbekrm
dbad3d98f3
Rename issuanceAttempts -> failedIssuanceAttempts
...
In an attempt to convey the meaning of the field better
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-21 07:33:51 +00:00
irbekrm
4c901aefab
Code review comments
...
Adds test conditions to certs via patch API call instead of update to avoid conflicts
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-21 07:33:51 +00:00
irbekrm
739c3298e8
Trigger controller backs off from issuance with an exponential backoff
...
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-21 07:33:51 +00:00
irbekrm
9824ab0949
certificates-issuing controller sets status.issuanceAttempts when certificate issuance has failed
...
This field tracks the number of continuous failures and is used to implement exponential backoff
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-21 07:33:51 +00:00
irbekrm
affb5e86ef
Adds IssuanceAttempts field to Certificate's status
...
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-21 07:33:51 +00:00
irbekrm
2722e635dd
Code review comments
...
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-21 07:09:29 +00:00
irbekrm
5c241ec9ef
Adds a basic unit test
...
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-21 07:09:29 +00:00
irbekrm
0b754489d2
Cleanup of the adopted code
...
Don't swallow an error, don't use naked return
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-21 07:09:29 +00:00
irbekrm
3a21f961ca
Use our own implementation of github.com/miekg/dns.TsigProvider interface
...
To allow us to both upgrade the upstream library and keep supporting HMACMD5 as RFC2136 TSIG algorithm although it was deprecated in the upstream library
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-21 07:09:29 +00:00
Florin Vlaicu
8621b09aab
It seems there is a need to perform upsert instead of a simple create.
...
Signed-off-by: Florin Vlaicu <19238716+fvlaicu@users.noreply.github.com>
2022-03-18 18:46:23 +02:00
irbekrm
587e02cee9
Replaces dns v0.41 -> v0.34
...
This is so as to avoid dropping support for HMacMD5 value for issuer.spec.acme.solvers.dns01.rfc2136.tsigAlgorithm
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-17 20:14:55 +00:00
Ivan
d397aa5462
update: Setting allowPrivilegeEscalation to false
...
Signed-off-by: Ivan <ivans@vaskir.co>
2022-03-17 11:05:46 +01:00
jetstack-bot
14578120ed
Merge pull request #4789 from UKHomeOffice/whitelist-annotation-override
...
Allow whitelist-source-range ingress annotation to be overridden
2022-03-11 14:44:35 +00:00
Joakim Ahrlin
f5275cf1cc
add enum for rotationPolicy
...
Signed-off-by: Joakim Ahrlin <joakim.ahrlin@gmail.com>
2022-03-03 16:31:23 +01:00
Jake Sanders
09bbd541ef
update gateway-shim controller unit tests
...
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2022-03-01 15:05:21 +00:00
Jake Sanders
457fa3ca2c
Fix unit tests for Gateways
...
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2022-03-01 15:05:20 +00:00
Jake Sanders
c08f46711a
Add contour, weed out some more references to v1alpha1
...
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2022-03-01 15:05:19 +00:00
Joakim Ahrlin
eb64e6494c
update deps and BUILD files
...
Signed-off-by: Joakim Ahrlin <joakim.ahrlin@gmail.com>
2022-03-01 15:05:18 +00:00
Jake Sanders
c96d91d586
Update the sig-network Gateway API support to v1alpha2
...
Co-authored-by: Joakim Ahrlin <joakim.ahrlin@gmail.com>
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2022-03-01 15:05:17 +00:00
joshvanl
944f9d4103
Change controller context rate limiter test to ensure they are the same
...
pointer
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-22 09:15:10 +00:00
Ashley Davis
6420aa4bfa
fix imports in a few files
...
this is according to our policy on organizing imports, see:
https://cert-manager.io/docs/contributing/coding-conventions/#organizing-imports
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-02-18 17:42:45 +00:00
joshvanl
810820f914
Remove duplicate fieldManager variable
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-16 11:59:24 +00:00
DiptoChakrabarty
ee069f2c45
fix comments to reduce golint issues
...
Signed-off-by: DiptoChakrabarty <diptochuck123@gmail.com>
2022-02-16 17:28:08 +05:30
jetstack-bot
10c5d72279
Merge pull request #4792 from JoshVanL/controllers-server-side-apply-certificaterequests
...
Server Side Apply: Adds support for CertificateRequests controller to use SSA with Feature Gate
2022-02-16 10:57:37 +00:00
joshvanl
e5a30240e7
Set field manager string to acmeorders controller
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-16 10:33:48 +00:00
joshvanl
8fd5641305
Set FieldManager in Create Orders API calls
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-16 10:33:48 +00:00
joshvanl
0802489f4e
Updates Order controller to support apply call when feature gate is
...
enabled
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-16 10:33:48 +00:00
jetstack-bot
56d9423744
Merge pull request #4798 from JoshVanL/controllers-server-side-apply-certificatesigningrequests
...
Server Side Apply: Adds support for CertificateSigningRequest controllers to use SSA with Feature Gate
2022-02-16 10:20:37 +00:00
jetstack-bot
12a2148df3
Merge pull request #4794 from JoshVanL/controllers-server-side-apply-issuers
...
Server Side Apply: Adds support for [Cluster]Issuer controller to use SSA with Feature Gate
2022-02-11 19:37:01 +00:00
joshvanl
085b2bf34b
Updates issuer and cluster issuer controllers to optionally use server
...
side apply
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:26:56 +00:00
joshvanl
49108a0278
Adds list map type to Conditions for both Issuers and Cluster Issuers
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:26:56 +00:00
joshvanl
da67eb2b65
Adds explicit field manager to requestsmanager controller Create call
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:22:33 +00:00
joshvanl
38ce8b3bcf
Always use Create operation when creating new CertificateRequest
...
object
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:22:33 +00:00
joshvanl
b2cc1b38cb
Use optional apply for requestmanager
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:22:04 +00:00
joshvanl
99fd5f3412
Use optional Apply and Apply status to CertificateRequests
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:22:04 +00:00
joshvanl
26c26c7ce2
Adds list type map to CR Conditions field
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:21:19 +00:00
joshvanl
4dc6c957d4
Adds review comments
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:15:57 +00:00
joshvanl
37775615ff
Use ApplyStatus in all Certificates controllers. When ServerSideApply
...
enabled, set Issuing condition to False instead of removing it
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:15:57 +00:00
joshvanl
bdb4954c25
Adds updateOrApply to certificates controllers to optionally Apply
...
certificate based on feature gate
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:14:31 +00:00
joshvanl
279a8ede99
Adds listType=map and listMapKey=type to Certificate Status Conditions
...
field
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:14:31 +00:00
Ashley Davis
89bb5481cb
Increase margin of error in an otherwise unsound test
...
This test can easily fail on a heavily loaded machine, such as one
running many tests in parallel.
1. The afterFunc could be delayed _massively_ on a heavily loaded
machine, such as one running a lot of tests in parallel.
2. Requiring an accuracy of 1ms seems like a flake waiting to happen
(as it was in this case)
3. When we write code which uses this scheduler, we can't even
safely assume the afterFunc will _ever_ be run, let alone run
within a 1% margin of time error. As such I don't think this
test is providing any value beyond a general sanity check.
By increasing the allowable delta massively, we keep this test as a
sanity check but basically remove the chance of a flake. The test
essentially becomes "does afterFunc work, generally?".
Also adds a check that the elapsed time is greater than the expected
time.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-02-11 10:14:34 +00:00
joshvanl
9ca869c2cf
Add tests to secret manager for additional output formats
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-07 14:41:45 +00:00
joshvanl
57c33446bc
Change import paths jetstack/cert-manager ->
...
`cert-manager/cert-manager`
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-07 14:23:29 +00:00
joshvanl
b426b5acf7
Use UpdateOrApplyStatus in CertificateSigningRequest controllers
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-07 14:18:14 +00:00
joshvanl
565b639ba7
Adds UpdateOrApplyStatus to CSR controllers
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-07 14:18:14 +00:00
jetstack-bot
b1180c59ad
Merge pull request #4587 from SgtCoDFish/bigrename
...
Rename import path
2022-02-03 11:56:12 +00:00
jetstack-bot
3c8eee34ae
Merge pull request #4815 from JoshVanL/controllers-certificates-issuing-secrets-manager-always-force
...
Always Force apply in issuing controller's secret manager
2022-02-02 15:40:40 +00:00
jetstack-bot
d16a79db13
Merge pull request #4793 from fvlaicu/change-route53-acme-challenge-record-creation
...
Use multivalue records instead of simple records
2022-02-02 12:18:39 +00:00
Ashley Davis
b084e5804c
fix violations of our coding conventions on import ordering
...
this is exposed by the rename when cert-manager internal imports are mixed in with
external imports
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-02-02 11:53:39 +00:00
Ashley Davis
3a055cc2f5
rename all uses of github.com/jetstack/cert-manager
...
This was done by running the following command twice:
```bash
grep -Ri "github.com/jetstack/cert-manager" . | \
cut -d":" -f1 | \
sort | \
uniq | \
xargs sed -i "s/github.com\/jetstack\/cert-manager/github.com\/cert-manager\/cert-manager/"
```
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-02-02 09:08:31 +00:00
joshvanl
c737c3d9c6
Update secret manager test to no longer expect a non-force apply
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-01 18:04:42 +00:00
joshvanl
e5e3cf1fa2
Always Force apply in issuing controller's secret manager
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-01 17:57:22 +00:00
joshvanl
35fba365bf
Update AdditionalOutputFormats comment to reflect addition of feature to
...
webhook set.
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-01 17:04:55 +00:00
joshvanl
4445f85d62
Update bazel deps
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-01-31 13:44:43 +00:00
joshvanl
364c02d36e
Ensure RateLimiter is preserved across all built Contexts
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-01-31 13:38:45 +00:00
joshvanl
834e6bcb04
Set RESTConfig burst and QPS inside context factory so all clients
...
inherit these values
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-01-31 11:34:09 +00:00
Florin Vlaicu
ff6b627401
use multivalue records instead of simple records to allow having multiple txt records for a domain.
...
Signed-off-by: Florin Vlaicu <19238716+fvlaicu@users.noreply.github.com>
2022-01-28 18:05:48 +02:00
joshvanl
fb6e0b9f00
Pass FieldManager down to issuing controller->secrets manager
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-01-27 13:56:29 +00:00
joshvanl
07d8d4ee3c
Pipes user agent down to acme clients
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-01-27 12:51:49 +00:00
joshvanl
a220be5bc5
Adds user agent pipethrough for acme accounts
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-01-27 12:51:49 +00:00
joshvanl
8f0c79396f
Adds rest config builder to include new user agent
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-01-27 12:51:49 +00:00
joshvanl
d89c3e71dc
Update rest of controllers with ControllerFactory
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-01-27 12:51:49 +00:00
joshvanl
fb391a26e5
Update CertificateSigningRequest controller to use new ContextFactory
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-01-27 12:51:49 +00:00
joshvanl
bd18c0ed86
Update CertificateRequest controllers to use new controller factory
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-01-27 12:51:49 +00:00
joshvanl
c66591cf37
Update certificate controllers with new controller builder
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-01-27 12:51:48 +00:00