Using the value from the copied-annotation-prefixes flag, where by default the kubectl, fluxcd and argocd annotations are excluded
Signed-off-by: irbekrm <irbekrm@gmail.com>
Kubernetes is removing support for the v1beta1 Ingress type in 1.22: https://kubernetes.io/blog/2021/07/14/upcoming-changes-in-kubernetes-1-22/#api-changes
However, we still wish to support k8s v1.16 until mid 2022 when Openshift 3 becomes out of support.
cert-manager will now use v1 Ingress if available by using the discovery API.
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
Note that the gateway-shim is only half the work for supporting the
Gateway API in cert-manager. The other half is the HTTP01 solver
support, which is still being worked on.
The Gateway API in cert-manager is released as an experimental feature
and needs to be enabled manually with the following flag:
--controllers=*,gateway-shim
All the annotations supported by ingress-shim are also supported by
gateway-shim, with some exceptions:
"acme.cert-manager.io/http01-ingress-class"
This annotation is not supported on the Gateway resource. Although the
Gateway resource also has a "gatewayClass" field, we will need to add
another field instead of "ingress-class" to avoid confusion with the
ingress-shim.
"acme.cert-manager.io/http01-edit-in-place"
This annotation is not supported because it is specific to some ingress
controllers like ingress-gce.
"kubernetes.io/tls-acme"
This annotation is not supported because it is a behavior inherited from
kube-lego and we chose not to keep this behavior with the Gateway API.
Unlike the ingress-shim, you can reuse the same Secret name in multiple
TLS configurations on the same Gateway resource.
The ingress-shim now shows the exact location of the duplicate
secretName when the user gives the same secretName in two separate TLS
blocks.
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Jake Sanders <i@am.so-aweso.me>
This implements a CA injector controller using controller-runtime.
It looks at admission webhooks and APIServices with a particular
annotation, and injects the CA data from certificates.
Signed-off-by: Solly Ross <sollyross@google.com>
* Configurable issuer duration and renewBefore [1/3]
This is part one of (probably) three parts manually moving the changes from commit 723015174a167d746323f506ab3575cfb243d8bd to the new master. This commit moves the basic functionality of configurable duration while skipping e2e tests and docs. It does not include new work.
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Configurable issuer duration and renewBefore [2/3]
This commit moves over most of the e2e testing updates; some things are intentionally left out as they may be obsolete.
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Configurable issuer duration and renewBefore [3/3]
This commit moves the documentation changes, completing the migration of the original code to the latest master.
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Rerunning all hack scripts since the massive bazel update
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Add missing boilerplate headers
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Rerun codegen hack
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Rerunning update-docs hack
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Fix failing unit tests
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Fix build errors in e2e tests
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Rerun update-deps
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Don't recreate the CA issuer, it already exists
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Need to create new issuers for the duration and renew time tests because those fields are set in the issuer, so make sure they are named uniquely
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Add duration e2e tests for self-signed issuer
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Add duration e2e tests for vault w/ custom mount path
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Add validation to disallow acme certificates with duration and renewBefore set and update unit tests to verify
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Update docs to mention duration/renew for self-signed issuer and fix potential parsing errors with rst formatting
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Self-signed issuer was missing duration validation
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Fix a bug causing certificates with a short enough renew-before w.r.t their duration to be renewed instantly and forever
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Print the exact time until renewal
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Move duration and renewal validation to the issuer validation
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Update e2e tests to work with new validation
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Add e2e test for the self-signed issuer
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Redo cert duration and renew before to appear as part of the CSR and not the issuer
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Updating tests to match new duration/renewbefore format
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Update e2e tests to match new format
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Update docs to reflect changing the field from issuers to certificates
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Remove event firing and replace with a TODO as of discussion on PR
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Run hack scripts
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Remove the sync unit test since without events there is no way to catch the warnings that it was testing
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Use IssuerOptions RenewBeforeExpiryDuration if certificates don't set a renewBefore value for immediate renewal checks
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Delete check on certificate data length in e2e test for certificate duration as there is no reason it should be there
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Update e2e tests since certificate creation will never generate an event
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Rerunning hack scripts after big rebase
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Fix a few problems that slipped through during the rebase
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Fix an e2e error that resulted from the rebase
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Add unit test for the calculateTimeBeforeExpiry function
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Adding back in a bunch of missing error checks
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Remove unused function
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Add missing boilerplate
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Remove unused constant
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Move log constants to function body
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Rerun hack scripts
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Remove mistakenly committed file
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Remove double-import of util package
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Fix bad function call in e2e vault issuer
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Change duration and renewBefore to be pointer fields as they are optional
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Remove wrong vault issuer test that got past the rebase somehow
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Change e2e to use pointer format
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Move e2e cert tests out of issuer test file
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Move e2e self-signed issuer test to new location
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Make sure to check for nil in GenerateTemplate
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Add more empty checks to be safe
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Rerunning hacks after rebase
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Fix bad function call in new e2e test
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Try not setting duration and renewbefore on acme e2e tests
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Zero checks should really just be replaced by nil tests, zero should be caught as any other too-small value
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Fixed a missing nil check that got away
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Change e2e duration test format to use pointer times to better simulate API calls
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Fix sync unit test to match e2e test format
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Fix vault e2e test
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Revert changes to Certificate sync function
Signed-off-by: James Munnelly <james@munnelly.eu>
* Remove selfsigned e2e issuer.go
Signed-off-by: James Munnelly <james@munnelly.eu>
* Don't use ACME issuer in duration example and tidy up line endings
Signed-off-by: James Munnelly <james@munnelly.eu>
* Allow renewBefore to be set on ACME certificates
Signed-off-by: James Munnelly <james@munnelly.eu>
* Update renewBefore ACME docs. Remove unused fields.
Signed-off-by: James Munnelly <james@munnelly.eu>
* Rename calculateTimeBeforeExpiry to calculateDurationUntilRenew
Signed-off-by: James Munnelly <james@munnelly.eu>