weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
6,255 Commits 45 Branches 0 Tags 96 MiB
b5fbabdc6f
Commit Graph

1130 Commits

Author SHA1 Message Date
joshvanl
d5503c2ed2 Change certificates controller to no longer error for a Certificate that 
no longer exists

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-11-30 15:13:14 +00:00
irbekrm
7739497f22 Don't process Order CRs that have failed 
Ensure that cert-manager does not attempt to create new ACME Orders for cert-manager Order CRs that are in failed (errored, invalid or expired) state. If the CertificateRequest was created from a Certificate, the issuance will be retried after 1 hour

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-11-23 15:34:35 +00:00
Krzysztof Ostrowski
e35cb361c8
add comments to satisfy linter 
Signed-off-by: Krzysztof Ostrowski <kostrows@redhat.com>
Co-authored-by: Irbe Krumina <irbekrm@gmail.com>
 2021-11-04 18:15:46 +01:00
Igor Zibarev
f9ceb8a73e Fix some lint issues regarding comments 
References issue #4457

Signed-off-by: Igor Zibarev <zibarev.i@gmail.com>
 2021-11-02 13:57:20 +03:00
Jake Sanders
486fc49545
Add fuzzing unit tests for JKS passwords 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-10-29 15:12:51 +01:00
James Munnelly
e7dea9f2a2 Replace all references to pkg/internal with internal 
Signed-off-by: James Munnelly <jmunnelly@apple.com>
 2021-10-21 12:27:04 +01:00
irbekrm
598ed35e4a Uses go/crypto ListCertAlternates function to fetch alternative certificate chains 
This allows us to use upstream go/crypto again instead of our own fork

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-10-07 15:21:26 +01:00
Richard Wall
5d91f0a3c4 Fix flaky test by using EqualUnsorted to compare Events 
Supplants https://github.com/jetstack/cert-manager/pull/4297

Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2021-10-01 12:41:15 +01:00
irbekrm
7e9753c92e Fix CertificateRequest test 
In Go 1.17 x509.CreateCertificate fails if public key doesn't match private key https://golang.org/doc/go1.17

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-09-30 10:08:40 +01:00
joshvanl
f21a947523 Adds comment as to why the GetAuthorization is called instead of 
GetChallenge

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-09-16 14:44:38 +01:00
joshvanl
f83f02cc8b Replace GetChallenge call in acmechallenge controller to 
GetAuthorization

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-09-15 16:05:37 +01:00
George Moldoveanu
b94b678f6d
reinstated keystore.go comment 
Signed-off-by: George Moldoveanu <mol.george@gmail.com>
 2021-09-10 13:33:46 +01:00
George Moldoveanu
563aeb1789
fixed keystore.go and keystore_test.go modules imports 
Signed-off-by: George Moldoveanu <mol.george@gmail.com>
 2021-09-10 13:28:45 +01:00
George Moldoveanu
0463681244
updates go deps and bazel files 
Signed-off-by: George Moldoveanu <mol.george@gmail.com>
 2021-09-02 23:45:11 +01:00
George Moldoveanu
d0151f7175
fixed TestEncodeJKSKeystore tests to work with upgraded keystore-go api (v4) 
Signed-off-by: George Moldoveanu <mol.george@gmail.com>
 2021-09-02 23:33:45 +01:00
George Moldoveanu
155e90d175
upgraded keystore-go to v4 and fixed code to use v4 api 
Signed-off-by: George Moldoveanu <mol.george@gmail.com>
 2021-09-02 23:24:06 +01:00
jetstack-bot
e5cc0be04b
Merge pull request #4399 from irbekrm/fix_renewal_issue 
Fix renewalTime skew issue
 2021-08-23 16:36:50 +01:00
irbekrm
ec1bdc4983 Adds a test case for renewal time skew and a comment 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-08-23 15:00:57 +01:00
Eng Zer Jun
54e70d2cc4
refactor: move from io/ioutil to io and os package 
The io/ioutil package has been deprecated in Go 1.16. This commit
replaces the existing io/ioutil functions with their new definitions in
io and os packages.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
 2021-08-23 19:50:42 +08:00
irbekrm
50e90dfe6e Fix renewalTime skew issue 
Ensure the time returned by RenewalTime function is the same time as that which will be read from Certificate's status

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-08-20 17:57:35 +01:00
Ashley Davis
68f5ceb3b4
Fix manually specified Certificate and CertificateRequest versions 
Basically all modern X.509 certs are version 3, but confusingly to
specify "version 3" in an encoded cert, the version number is actually
2.

For PKCS#10 CSRs, the only valid version is 1, which again
confusingly has the value "0" when encoded.

This was incorrect in many places, including one place in which the
version number on a CSR was used as a certificate's version number,
when the two are entirely unrelated.

Go ignores these values, so there's no functional changes here; still,
it's better to be accurate.

Go ignoring CSR version and specifying 0:
https://cs.opensource.google/go/go/+/refs/tags/go1.17:src/crypto/x509/x509.go;l=1958

Go ignoring Certificate version and specifying 2:
https://cs.opensource.google/go/go/+/refs/tags/go1.17:src/crypto/x509/x509.go;l=1534

PKCS#10 CSR specification in RFC 2986 section 4.1:
https://datatracker.ietf.org/doc/html/rfc2986#section-4

X.509 Cert specification in RFC 5280 section 4.1.2.1:
https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.1

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2021-08-19 14:48:12 +01:00
irbekrm
904d4e3c15 Don't error if owner not found in cache 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-08-17 08:31:49 +01:00
jetstack-bot
d647e543e3
Merge pull request #4276 from jakexks/gateway-http01 
Experimental Gateway API support for ACME HTTP-01 Solving
 2021-08-03 18:51:49 +01:00
jetstack-bot
be8079b504
Merge pull request #4293 from maelvls/fix-nil-pointer 
Nil pointer exception: certificateRef and TLS can now be left empty
 2021-08-03 16:04:49 +01:00
Maël Valais
30af205777 nil pointer: the Gateway API is full of pointers 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-08-03 15:43:16 +02:00
Jonathan Prates
50bb91a032 feat: update object description explaning the current behaviour 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 09:26:23 +01:00
Jonathan Prates
12363f91e2 fix: move secretTemplate validations to validation package 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 01:19:11 +01:00
Jonathan Prates
6e8f74b4f8 tests: add Labels map to the expected secret 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 01:19:11 +01:00
Jonathan Prates
e1034c219e feat: add validation for annotations and labels 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 01:19:11 +01:00
Jonathan Prates
c5e81b13f6 fix: labels cannot be shown if no labels were changed 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 01:19:11 +01:00
Jonathan Prates
811069cac7 fix: do not create secret labels if template is empty 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 01:19:11 +01:00
Jonathan Prates
936ad33539 fix: ensure secret annotations and labels will be copied if updated in the cert 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 01:19:11 +01:00
Jonathan Prates
47bc03e7c4 feat: add support to secretTemplates 
Signed-off-by: jonathansp <jonathansimonprates@gmail.com>
 2021-08-03 01:19:11 +01:00
Jake Sanders
deb9ccc5a9
HTTP01 solver support for the Gateway API 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-08-02 14:06:16 +01:00
Maël Valais
e4f981da66 Revert "memory leak: clean up scheduler goroutine on cert deletion" 
This reverts commit 641960b6. The reason we decided to revert this is
that we are unsure about the implications of adding the
scheduledWorkQueue.Forget call. The new Forget call is left untested,
and it makes us nervous not to know exactly if it works as intended.

The "Forget" memory leak that we are reverting now is the cause of a
tiny fraction of the overall memory leakage that was fixed in the PR
in the scheduler itself.  Reverting this means that some goroutines will
be leaked, but only when a Certificate gets removed and never recreated
with the same name.

Signed-off-by: Maël Valais <mael@vls.dev>
 2021-07-28 19:19:39 +02:00
jetstack-bot
d062176777
Merge pull request #4243 from inteon/improved_go_routines 
Cleanup goroutine management
 2021-07-28 15:36:41 +01:00
Inteon
d867fcc44d
remove unnecessary wait.Until 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-27 21:43:54 +02:00
jetstack-bot
3b50d78ae4
Merge pull request #4225 from jakexks/ingressv1 
Feature: Support both v1 and v1beta1 ingresses.
 2021-07-27 20:11:37 +01:00
irbekrm
2ddf6fe637 Allows for annotations passed from CSR to Order to be filtered 
Using the value from copied-annotation-prefixes flag, where by default kubectl, fluxcd, argocd annotations are excluded

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-07-27 10:55:09 +01:00
Jake Sanders
83857fdc03
Remove stray reference to v1beta1 Ingress 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-07-26 20:29:35 +01:00
Irbe Krumina
3834a8fc0a Code review feedback 
Co-authored-by: Josh Van Leeuwen <joshua.vanleeuwen@jetstack.io>
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-07-26 20:00:37 +01:00
irbekrm
143c5ce38d Adds a test for copying the annotations from Certificate 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-07-26 20:00:24 +01:00
irbekrm
ddf7e130b7 Allow users to specify which annotations should be copied from Certificate to CertificateRequest 
Default to all being copied except for kubectl, fluxcd, argocd annotations

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-07-26 20:00:10 +01:00
Jake Sanders
87bf05601f
Update pkg/controller/test/context_builder.go 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>

Co-authored-by: Maël Valais <mael@vls.dev>
 2021-07-26 18:29:56 +01:00
Jake Sanders
67c6586161
Addressing code review comments in #4225 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-07-26 18:29:54 +01:00
Jake Sanders
b2278f8642
nit: imports 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-07-26 18:29:48 +01:00
Jake Sanders
0d93b93fc5
Feature: Support both v1 and v1beta1 ingresses. 
Kubernetes is removing support for the v1beta1 Ingress type in 1.22: https://kubernetes.io/blog/2021/07/14/upcoming-changes-in-kubernetes-1-22/#api-changes
However, we still wish to support k8s v1.16 until mid 2022 when Openshift 3 becomes out of support.

cert-manager will now use v1 Ingress if available by using the discovery API.

Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-07-26 18:29:42 +01:00
jetstack-bot
ceb9fdf6ac
Merge pull request #4231 from maelvls/fix-concurrent-read-write 
Data race: fix concurrent read and write of secret annotations and certificaterequests
 2021-07-26 13:34:12 +01:00
jetstack-bot
218408a741
Merge pull request #4112 from JoshVanL/certificate-signing-request=acme 
CertificateSigningRequest ACME Controller
 2021-07-26 11:51:12 +01:00
jetstack-bot
1021b58286
Merge pull request #4233 from maelvls/goroutine-leak 
Memory leak: fix the scheduler's goroutine leakage
 2021-07-23 20:34:19 +01:00