weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
6,773 Commits 45 Branches 0 Tags 96 MiB
bfcc204c2b
Commit Graph

232 Commits

Author SHA1 Message Date
Monis Khan
2a33c7a5c2
Use Kubernetes CSR spec.expirationSeconds to express cert duration 
This change adds the ability to express certificate duration using
the Kubernetes CSR spec.expirationSeconds field alongside the existing
approach of using the experimental.cert-manager.io/request-duration
annotation.  Both approaches are supported as the expirationSeconds
field requires Kubernetes v1.22+.

Signed-off-by: Monis Khan <mok@vmware.com>
 2022-03-21 09:40:32 -04:00
Ashley Davis
3a055cc2f5
rename all uses of github.com/jetstack/cert-manager 
This was done by running the following command twice:

 ```bash
 grep -Ri "github.com/jetstack/cert-manager" . | \
 cut -d":" -f1 | \
 sort | \
 uniq | \
 xargs sed -i
 "s/github.com\/jetstack\/cert-manager/github.com\/cert-manager\/cert-manager/"
 ```

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2022-02-02 09:08:31 +00:00
joshvanl
8f0c79396f Adds rest config builder to include new user agent 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2022-01-27 12:51:49 +00:00
jetstack-bot
051a763ee5
Merge pull request #4638 from JoshVanL/controllers-certificates-secret-template 
SecretTemplate reconciliation. SecretManager Apply
 2022-01-18 13:28:57 +00:00
jetstack-bot
e2aede44c7
Merge pull request #4731 from DiptoChakrabarty/lint 
add go linters fixes within codebase
 2022-01-18 12:52:57 +00:00
joshvanl
7a4be1edfd Copy across an existing secret type in secrets manager since that field 
is immutable.

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2022-01-17 11:24:45 +00:00
joshvanl
af360ee9b3 Fix some test func names and some comments. Replaces DeDuplicate in 
SecretTemplate controller to use sets.Strings. Removes DeDuplicate func

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2022-01-17 11:24:45 +00:00
joshvanl
e3141f9ad1 Adds PrefixForUserAgent and DeDuplicate util functions 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2022-01-17 11:24:45 +00:00
DiptoChakrabarty
e7c75832af few more fixes 
Signed-off-by: DiptoChakrabarty <diptochuck123@gmail.com>
 2022-01-13 19:47:11 +05:30
Ashley Davis
93f868b3bc
move versionchecker tests to test/integration 
Since this test requires setup before it can successfully run,
we define it as an integration test and move it here so that on a
fresh checkout a user can always run `go test ./pkg/...` and expect that
it would succeed.

Also involves:

- Exporting the VersionChecker and adding NewWithConfig to enable
  testing
- Some comment changes
- A change to the type returned by New(); see
  https://github.com/golang/go/wiki/CodeReviewComments#interfaces

Ideally I'd not add `NewFromClient` but I think it's the most minimal
change and is preferable to publicly exporting `VersionChecker.client`.

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2022-01-12 14:21:53 +00:00
John Chadwick
d094e20611 Only consider running pods when checking version 
Some clusters may have failed pods that are not garbage collected. These
pods should not be considered when determining version numbers.

Signed-off-by: John Chadwick <86682572+johnwchadwick@users.noreply.github.com>
 2021-11-23 11:32:10 -05:00
Richard Wall
41ef0e3f2b A note about testing the handling of errors relating to the ValidatingWebhook 
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2021-09-29 13:05:53 +01:00
Richard Wall
b71eb11fd1 A note about the relevance of conversion webhook unit-tests 
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2021-09-29 13:02:44 +01:00
Richard Wall
969ca6d91a Use the v1 API rather than v1alpha2 in the API checker 
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2021-09-29 12:54:42 +01:00
Ashley Davis
68f5ceb3b4
Fix manually specified Certificate and CertificateRequest versions 
Basically all modern X.509 certs are version 3, but confusingly to
specify "version 3" in an encoded cert, the version number is actually
2.

For PKCS#10 CSRs, the only valid version is 1, which again
confusingly has the value "0" when encoded.

This was incorrect in many places, including one place in which the
version number on a CSR was used as a certificate's version number,
when the two are entirely unrelated.

Go ignores these values, so there's no functional changes here; still,
it's better to be accurate.

Go ignoring CSR version and specifying 0:
https://cs.opensource.google/go/go/+/refs/tags/go1.17:src/crypto/x509/x509.go;l=1958

Go ignoring Certificate version and specifying 2:
https://cs.opensource.google/go/go/+/refs/tags/go1.17:src/crypto/x509/x509.go;l=1534

PKCS#10 CSR specification in RFC 2986 section 4.1:
https://datatracker.ietf.org/doc/html/rfc2986#section-4

X.509 Cert specification in RFC 5280 section 4.1.2.1:
https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.1

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2021-08-19 14:48:12 +01:00
Inteon
e439749e92
rerun git tags command when //:version changes 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-08-13 22:59:38 +02:00
jetstack-bot
d0f4c82baf
Merge pull request #4226 from inteon/simple_kubectl_check_version 
add 'kubectl cert-manager version'
 2021-08-03 12:36:19 +01:00
Inteon
85710579dd
Apply suggestions from code review 
Co-authored-by: Richard Wall <wallrj@users.noreply.github.com>
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-30 17:00:27 +02:00
Inteon
644db10b92
don't early-stop, instead return all versions 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-29 15:06:31 +02:00
Ashley Davis
2ee4abeb24
handle individual certs in ParseSingleCertificateChain 
roots are handled differently because they're their own CAs

also adds test cases for each of:

- a lone leaf
- a lone intermediate
- a lone root

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2021-07-28 14:06:57 +01:00
Wilson Júnior
18235e3624
Improve ParseSingleCertificateChain when no root is present 
Fixes when the certificate chain does not have a root CA,
in which case the chain should contain all available intermediates
and ca.crt should contain the rootmost certificate.

Co-authored-by: Josh Van Leeuwen <joshua.vanleeuwen@jetstack.io>
Signed-off-by: Wilson Júnior <wilsonpjunior@gmail.com>
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2021-07-28 14:05:19 +01:00
Inteon
fa36a5bc87
add version check for current version 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-27 18:11:24 +02:00
Inteon
6545064fcf
align flags and behaviour to 'kubectl version' 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-27 18:02:21 +02:00
jetstack-bot
9ad9e220f3
Merge pull request #4230 from inteon/fix_exit_codes 
set correct exit codes
 2021-07-23 13:06:09 +01:00
Inteon
d6cd6f457d
set correct exit codes when exiting 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-22 12:57:08 +02:00
Ashley Davis
17ec9ea8e7
fix check for self-signed certs in EncodeX509Chain 
see also https://github.com/jetstack/cert-manager/issues/4142

EncodeX509Chain checked for self-signed certs by comparing the subject
and issuer of the cert in question, which is invalid since it's
perfectly fine for those to match.

the correct behavior is to use cert.CheckSignatureFrom(cert). this bug
was exposed in 1.4 when ParseSingleCertificateChain started using
EncodeX509Chain in the critical path of several issuers; when end-users
had leaf certificates with subjects matching their issuer's subject, the
bug was triggered.

includes newly written tests for EncodeX509Chain and a test for
ParseSingleCertificateChain

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2021-07-21 16:45:48 +01:00
Inteon
21bc98979e
improved ux 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-16 13:11:40 +02:00
Inteon
ac7775bdb4
made errors human readable, added unit tests, added check api to e2e, fixed os.Exit(1) 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-15 16:50:31 +02:00
Inteon
5458173739
Add kubectl 'cert-manager check api' command 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-15 16:50:31 +02:00
Maël Valais
42e65c3694 linter party: duplicate import of k8s.io/api/core/v1 (ST1019) 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-07-06 12:51:01 +02:00
joshvanl
943f9abdb1 Minor comment and error message changes 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-06-30 18:09:32 +01:00
joshvanl
b237b5c222 Changes comment for duration annotation parsing 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-06-29 14:34:30 +01:00
joshvanl
f5b609e446 Adds Vault CertificateSigningRequest Issuer controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-06-29 09:11:43 +01:00
joshvanl
78a6df1ebd Fix util/pki test which relied on hardcoded CSR common name 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-06-15 17:58:34 +01:00
Anner J. Bonilla
9546a357a5
Add support for certificates with ed25519 private keys 
Note that using ed25519 on the public internet is not currently
recommended, since it's not widely supported. You'd likely not be able
to use an Ed25519 cert with an ACME issuer today.

Ed25519 certs might be useful for internal PKI, though - an ed25519 CA
issuer, say - or for testing ed25519 certs before they become more
widely available on the public internet. They're not currently
supported by Vault, Venafi or ACME (Letsencrypt) issuers.

Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>
Signed-off-by: Anner J. Bonilla <annerjb@gmail.com>
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2021-06-14 11:17:35 +01:00
joshvanl
acc5431f1b Fix signernames to allow clusterissuers with dots in name 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-28 10:13:00 +01:00
joshvanl
9e1b0342d0 Updates with review comments 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-27 18:48:50 +01:00
joshvanl
c5c206cace Adds base CertificateSigningRequest cert-manager controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-27 00:23:50 +01:00
joshvanl
b38519fe66 Adds kube certificates v1 API utils 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-27 00:18:29 +01:00
jetstack-bot
96ea5e51d4
Merge pull request #3985 from JoshVanL/parse-certificate-chain-ca 
Parse certificate chain CA Issuer
 2021-05-13 13:23:14 +01:00
jetstack-bot
595d753339
Merge pull request #3982 from JoshVanL/parse-certificate-chain 
Change Vault Issuer to construct the certificate chain to populate the CertificateRequest CA with the root most cert.
 2021-05-12 17:34:13 +01:00
joshvanl
58a25314f7 Changes CR CA controller to use ECDSA keys 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-12 15:07:25 +01:00
joshvanl
d327d40297 Updates SignCSRTemplate to use ParseCertificateChain 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-12 14:22:59 +01:00
joshvanl
9622b664bf Adds SecretTLSKeyPairAndCA to parse a certificate chain and CA from a 
target Secret

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-12 14:22:59 +01:00
joshvanl
68aeb330b7 Change ParseCertificateChain to ParseSingleCertificateChain to show 
intention better

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-12 14:12:06 +01:00
Jake Sanders
423e82b65b
Revert "Merge pull request #3939 from JoshVanL/istio-api-to-internal-apis" 
This reverts commit f2a74ade5e, reversing
changes made to 7ff54e61e9.

Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-05-11 14:50:23 +01:00
joshvanl
88693435b8 Change ParseCertificateChain test func to use ECDSA keys to speed up 
runtime

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-10 19:13:31 +01:00
joshvanl
744906ebaf Adds ParseCertificateChain to parse and test a pem bundle to ensure its 
a valid flat chain. Returns a chain and optional CA

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-10 19:06:21 +01:00
Jake Sanders
bb519a59b9
Log a message when test framework fails to parse cover profile flag 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-05-05 16:40:16 +01:00
Jake Sanders
2390264fd4
staticcheck: package "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" is being imported more than once (ST1019) 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-05-04 15:05:32 +01:00