Commit Graph

91 Commits

Author SHA1 Message Date
irbekrm
06696befdb Installs v1 ingress-nginx for e2e tests against kube 1.23
Also bumps the versions of ingress dependency used in tests

Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-11-29 10:14:58 +00:00
jetstack-bot
0236f0836e
Merge pull request #4556 from inteon/helm_template_cleanup
Cleanup helm templates & fix empty 'resources' in deployment
2021-11-15 14:27:06 +00:00
Ashley Davis
0955aa4531
bump version of haproxy ingress to latest and limit connections
this works around a limit on file descriptors which we encounter in kind
in CI. newer kind images impose a limit of 1024 file descriptors which
isn't trivial to change; haproxy seems to try to request just over 2*n
file descriptors where n is the max number of connections; as such, if
we limit max-connections to 250 we should be comfortably within the
limit

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2021-11-10 17:38:49 +00:00
Richard Wall
050c360204
Fix the kyvernopre image name
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-11-08 14:23:23 +00:00
Inteon
b1445d687e
cleanup helm templates & better support for empty 'resources' in values.yaml
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
2021-11-01 11:37:50 +01:00
Richard Wall
f436f0e025 Test kubectl cert-manager version by running it after install
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-10-09 10:05:32 +01:00
irbekrm
81bdabf67a Code review feedback
Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-09-30 17:23:42 +01:00
irbekrm
3fa237cd5b Allows for Ingresses without class field set to be watched by Ingress controller
Because we need to support different versions and configurations

Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-09-30 10:14:39 +01:00
irbekrm
7319d3392a Load kyverno image with Bazel
So that we don't pull the same image for each test run.

Also run helm install with --debug so that it outputs more information.

Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-09-30 10:14:26 +01:00
irbekrm
8370b08bd3 Bumps Bazel deps and ingress-nginx test image version
Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-09-30 10:14:05 +01:00
irbekrm
25303b79c9 Use yq instead of jq
Because yq releases builds for darwin/arm

Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-08-23 07:08:51 +01:00
Inteon
3cad738b1e
escape commas
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
2021-08-06 22:21:08 +02:00
Inteon
347cd6c25d
add better logging
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
2021-08-06 19:16:33 +02:00
Jake Sanders
d4c8aea472
Helm --set requires commas to be escaped, so double escape in bash
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2021-08-05 15:12:41 +01:00
Jake Sanders
36aa9e2501
The gateway-api support is now gated behind --feature-gate=ExperimentalGatewayAPISupport=true
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2021-08-05 14:37:54 +01:00
jetstack-bot
d647e543e3
Merge pull request #4276 from jakexks/gateway-http01
Experimental Gateway API support for ACME HTTP-01 Solving
2021-08-03 18:51:49 +01:00
jetstack-bot
b5f80c428e
Merge pull request #4234 from inteon/add_startupapicheck
Add startup api check Job
2021-08-03 17:41:49 +01:00
Maël Valais
f96f91029d addons: Traefik requires --gateway-httproute-labels=acme=solver-traefik
To run the end-to-end test in question:

go test ./test/e2e/ -ginkgo.focus 'Certificates with issuer type ACME HTTP01 Issuer \(Gateway\)' -test.v \
  --repo-root $PWD/devel/lib/../.. \
  --report-dir $PWD/devel/lib/../../_artifacts \
  --gateway-domain=traefik.http01.example.com \
  --gateway-httproute-labels=acme=solver-traefik

Signed-off-by: Maël Valais <mael@vls.dev>
2021-08-02 19:30:56 +02:00
Maël Valais
345ace666f addons: add Traefik to be used for HTTP-01 HTTPRoute solving
Signed-off-by: Maël Valais <mael@vls.dev>
2021-08-02 17:17:44 +02:00
Jake Sanders
90e4324c7a
e2e tests for Gateway HTTP01 Solver
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2021-08-02 14:12:30 +01:00
Jake Sanders
ff41812471
Add HAProxy to addons
HAProxy is the most minimal implementation of the Gateway API - can be used in e2e tests

Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2021-08-02 14:06:18 +01:00
Inteon
0eabaec743
change startupapicheck to helm post-install hook
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
2021-07-30 16:04:55 +02:00
Inteon
7f19db0faa
update scripts with new image
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
2021-07-27 18:38:33 +02:00
Inteon
9092bf8bb6
use correct component name in comments & add --wait-for-jobs flag
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
2021-07-27 15:54:00 +02:00
joshvanl
78e77f99db Use correct import for apiextensions in same webhook
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-07-26 17:46:36 +01:00
joshvanl
be2ad9ed15 Update sample ACME webhook to use apiextensions v1beta1 -> v1
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-07-26 17:04:35 +01:00
irbekrm
5edad74e8a Ensure jq is available
Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-07-22 20:53:39 +01:00
Maël Valais
62bc854467 e2e: sample-external-issuer v0.1.0 -> v0.1.1 (1.22 compatibility)
Signed-off-by: Maël Valais <mael@vls.dev>
2021-07-22 21:13:39 +02:00
irbekrm
63873ab8a9 Bump e2e test NGINX ingress Helm chart version
Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-07-22 20:08:05 +01:00
irbekrm
5e83e35b7c Allow for ./setup-e2e-deps.sh script to be run locally against k8s v1.22
Without specifying Kubernetes version

Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-07-22 20:07:37 +01:00
irbekrm
84f653f01f e2e test setup installs a different version of Ingress depending on k8s version
This is needed because there is no NGINX ingress release that would work both on k8s v1.16-v1.18 and on v1.22

Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-07-22 19:35:57 +01:00
irbekrm
00542dd7f6 Bump apiregistration API version to v1
Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-07-22 17:19:27 +01:00
Inteon
411452809c
add startup api check Job
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
2021-07-20 19:40:53 +02:00
jetstack-bot
88e85d0725
Merge pull request #4205 from inteon/kubectl_check_api
Add kubectl 'cert-manager check api' command
2021-07-16 14:43:15 +01:00
Inteon
21bc98979e
improved ux
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
2021-07-16 13:11:40 +02:00
Maël Valais
30f9c123d3 gateway-shim: add the gateway-shim controller
Note that the gateway-shim is only half the work for supporting the
Gateway API in cert-manager. The other half is the HTTP01 solver
support, which is still being worked on.

The Gateway API in cert-manager is released as an experimental feature
and needs to be enabled manually with the following flag:

  --controllers=*,gateway-shim

All the annotations supported by ingress-shim are also supported by
gateway-shim, with some exceptions:

  "acme.cert-manager.io/http01-ingress-class"

This annotation is not supported on the Gateway resource. Although the
Gateway resource also has a "gatewayClass" field, we will need to add
another field instead of "ingress-class" to avoid confusion with the
ingress-shim.

  "acme.cert-manager.io/http01-edit-in-place"

This annotation is not supported because it is specific to some ingress
controllers like ingress-gce.

  "kubernetes.io/tls-acme"

This annotation is not supported because it is a behavior inherited from
kube-lego and we chose not to keep this behavior with the Gateway API.

Unlike the ingress-shim, you can reuse the same Secret name in multiple
TLS configurations on the same Gateway resource.

The ingress-shim now shows the exact location of the duplicate
secretName when the user gives the same secretName in two separate TLS
blocks.

Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Jake Sanders <i@am.so-aweso.me>
2021-07-15 20:34:55 +02:00
Maël Valais
a496dd3216 addons: add gateway-api to the addons
Signed-off-by: Maël Valais <mael@vls.dev>
2021-07-15 20:21:49 +02:00
Inteon
ac7775bdb4
made errors human readable, added unit tests, added check api to e2e, fixed os.Exit(1)
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
2021-07-15 16:50:31 +02:00
joshvanl
590e01f3d0 Add ExperimentalCertificateSigningRequestControllers=true as default
experimental controller to enable in devel/addon/cert-manager/install.md

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-06-07 17:34:39 +01:00
jetstack-bot
c7dade0fc5
Merge pull request #4036 from wallrj/3875-pod-security
Enable runAsNonRoot by default
2021-05-21 18:53:26 +01:00
Richard Wall
6873aa73e8 Hard code the Kyverno version
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-05-21 17:18:23 +01:00
Richard Wall
767b281d8a Use a cert-manager NS specific Kyverno policy
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-05-21 17:18:23 +01:00
Richard Wall
7254659317 Remove obsolete comment
The NET_BIND_SERVICE privilege is only needed when binding to privileged ports.

Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-05-21 15:11:21 +01:00
Richard Wall
a28bff3d63 Add comments explaining why we configure Kyverno to ignore certain E2E test namespaces
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-05-21 15:07:00 +01:00
Richard Wall
194714fd75 Clarify the Kyverno install script documentation
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-05-21 15:07:00 +01:00
Richard Wall
4d94b57cb1 Remove unused Bazel import in the Kyverno BUILD file
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-05-21 15:07:00 +01:00
Richard Wall
72f6d4b68d Remove unused Kustomization.yaml patches
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-05-21 15:07:00 +01:00
Richard Wall
98757aa850 Configure Kyverno to ignore resources in E2E test namespaces
Because I couldn't quite get the Vault server running as non-root

Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-05-21 15:05:18 +01:00
Richard Wall
8cca467e75 Configure Kyverno to ignore some E2E components which can't be configured non-root
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-05-21 15:05:18 +01:00
Richard Wall
63b7d7f453 Upgrade ingress-nginx Helm Chart and Docker image
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-05-21 15:01:34 +01:00