irbekrm
bffebe2cb6
Calls to validating webhook can now return warnings
...
Adds warnings to the top level validating functions' signatures
Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-04-29 11:45:52 +01:00
joshvanl
b543d103d5
Change optimistic logging to be Info, rather than debug
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-04-28 14:19:15 +01:00
joshvanl
8da0e25ced
Don't log on default log level when an error occurs in optimistic locking
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-04-28 14:16:37 +01:00
jetstack-bot
fca9322c58
Merge pull request #3906 from clatour/more_descriptive
...
Add a more descriptive FindZoneByFqdn error message
2021-04-28 12:53:06 +01:00
Inteon
2d7dfcb462
start DynamicSharedInformerFactory unconditionally; only listen for VirtualServices conditionally
...
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
2021-04-28 09:20:49 +02:00
Inteon
4d7d08b0bc
Update pkg/apis/acme/v1alpha2/types_issuer.go
...
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
2021-04-28 09:20:49 +02:00
Inteon
2299e8d8a6
Apply suggestions from code review
...
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
2021-04-28 09:20:49 +02:00
Inteon
30634f154c
improve Certificate is Ready test
...
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
2021-04-28 09:20:47 +02:00
Inteon
624e2b9e69
add ACME HTTP01 Istio support
...
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
2021-04-28 09:19:53 +02:00
Erik Godding Boye
249ec4fe8b
Add unit tests for pki.SignCSRTemplate
...
Signed-off-by: Erik Godding Boye <egboye@gmail.com>
Co-authored-by: Maël Valais <mael@vls.dev>
2021-04-23 15:14:33 +02:00
Erik Godding Boye
b514a74d0a
fix #3619: Handle CA issuer working as intermediate correctly
...
Signed-off-by: Erik Godding Boye <egboye@gmail.com>
2021-04-22 18:43:33 +02:00
Ashley Davis
3df1173a22
fix incorrect comparison function for public keys
...
also adds/improves doc comments on related functions, and adds tests of
comparisons of RSA keys and ECDSA keys. these tests failed as expected
before the function was changed, e.g.:
```text
Executing tests from //pkg/util/pki:go_default_test
---------------------------------------------------
--- FAIL: TestPublicKeysEqualECDSA (0.00s)
generate_test.go:492: got an incorrect match from different curves:
pub1 type: "P-256"
pub2 type: "P-521"
--- FAIL: TestPublicKeysEqualRSA (0.00s)
generate_test.go:560: got an incorrect match from different RSA keys:
pub1: &rsa.PublicKey{N:2293...<snip>...8869, E:65537}
pub2: &rsa.PublicKey{N:2293...<snip>...8869, E:3}
```
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2021-04-22 16:07:18 +01:00
clatour
440da719a9
fixup! Add a more descriptive FindZoneByFqdn error message
...
Signed-off-by: clatour <chandler.latour@gmail.com>
2021-04-21 17:47:48 +00:00
clatour
40a6c2bb3c
fixup! Add a more descriptive FindZoneByFqdn error message
...
Signed-off-by: clatour <chandler.latour@gmail.com>
2021-04-21 17:03:31 +00:00
clatour
2c2fbd483b
Add a more descriptive FindZoneByFqdn error message
...
Spent a couple of days tracking down bad `SERVFAIL` for some of our
domains, and had a hard time finding where this was coming from. Make
the error slightly more descriptive to help locate it, and more in line
with the terminal error of the function.
Signed-off-by: clatour <chandler.latour@gmail.com>
2021-04-20 22:06:24 +00:00
jetstack-bot
b95836421f
Merge pull request #3878 from JoshVanL/certificate-request-controller-denied-ready-condition
...
Set the Ready condition to False when a CertificateRequest has been denied for all CertificateRequests that reference a cert-manager.io signer
2021-04-13 17:22:11 +01:00
jetstack-bot
06b68d35e0
Merge pull request #3835 from RinkiyaKeDad/3620_constants_in_eventf
...
chore: used constants for string literals when recording new events
2021-04-13 15:14:11 +01:00
jetstack-bot
b5be5a8730
Merge pull request #3877 from irbekrm/move_crypto_fork
...
Use upstream golang/crypto for ACME EAB + move crypto fork to cert-manager org
2021-04-13 13:28:15 +01:00
RinkiyaKeDad
0b87eeae97
added reason prefix for all
...
Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com>
2021-04-13 16:40:56 +05:30
irbekrm
fc9d966a1c
Certificate's revision history limit validated by webhook
...
To avoid helm upgrade issues, see https://github.com/jetstack/cert-manager/issues/3880
Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-04-12 14:59:28 +01:00
irbekrm
d213b4bfdb
Standardize deprecation warnings
...
Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-04-12 09:38:49 +01:00
joshvanl
e05adbf06b
Remove expected events when Ready Denied condition set
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-04-09 18:20:07 +01:00
joshvanl
ff3e4bb07d
Don't fire an event when the Denied ready condition is set
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-04-09 18:19:44 +01:00
joshvanl
9a5e36e732
Change Denied CertificateRequest Ready reason to just 'Denied'
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-04-09 18:19:11 +01:00
joshvanl
50a84eaf1d
Sets the Ready condition to False when a request is Denied
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-04-09 15:34:32 +01:00
joshvanl
1d75fc480e
Adds Denied to certificaterequests reporter
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-04-09 15:26:15 +01:00
joshvanl
b61757187e
Adds the RequestDenied Ready condition reason to API
...
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-04-09 15:11:28 +01:00
irbekrm
09af959071
Issuer's ACME EAB algorithm can no longer be set
...
It is hardcoded to HS256 in golang.org/x/crypto
Also, we now use a fork of golang.org/x/crypto
in cert-manager org.
Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-04-09 10:28:19 +01:00
jetstack-bot
805ca33b9e
Merge pull request #3622 from foosinn/fix-letsencrypt-multi
...
Fix letsencrypt with rfc2136 and multiple dnsNames
2021-04-08 15:11:45 +01:00
Maël Valais
88a6fa1315
issuing-controller: explain why we do the Ready + Denied checks
...
Signed-off-by: Maël Valais <mael@vls.dev>
2021-04-08 15:16:36 +02:00
RinkiyaKeDad
bba7c1011d
added prefix and made constants public
...
Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com>
2021-04-08 12:17:15 +05:30
Maël Valais
f56db9f93d
Revert "Handle CA issuer working as intermediate" (#3847)
...
As discussed in #3847, I went too fast and /lgtm from my bed. That led
to having a piece of code that could potentially break people's
cert-manager deployments.
Our plan is to have the same PR re-opened so that we can have it
released for v1.4 (due on Friday 11 June 2021 as per our timeline).
Signed-off-by: Maël Valais <mael@vls.dev>
2021-04-07 10:25:31 +02:00
jetstack-bot
79ccab3e69
Merge pull request #3847 from erikgb/fix/3619
...
Handle CA issuer working as intermediate correctly
2021-04-07 07:33:57 +01:00
jetstack-bot
2dd6b6e224
Merge pull request #3795 from JoshVanL/certificates-issuing-retry-denied-requests
...
Adds Denied check to CertificateRequests in issuing controller to retry denied requests
2021-04-06 21:34:57 +01:00
jetstack-bot
10a871dc62
Merge pull request #3444 from maelvls/bug-certificaterequest-not-updated
...
Bug: certificaterequest not updated after its certificate is updated
2021-04-06 20:17:57 +01:00
jetstack-bot
6ad91e0700
Merge pull request #3833 from JoshVanL/controller-issuer-context
...
Pass context through to client calls in controllers and acme issuer
2021-04-06 18:53:57 +01:00
Erik Godding Boye
bbafeeef67
fix #3619: Handle CA issuer working as intermediate correctly
...
Signed-off-by: Erik Godding Boye <egboye@gmail.com>
2021-04-06 19:45:48 +02:00
Maël Valais
8f5a094b0c
trigger-controller: PR comment: failure mode -> failure state
...
Cf. https://github.com/jetstack/cert-manager/pull/3444#pullrequestreview-629189131
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
2021-04-06 19:14:49 +02:00
Maël Valais
181d4ee281
DataForCertificate: typo certitificate -> certificate
...
Signed-off-by: Maël Valais <mael@vls.dev>
2021-04-06 19:06:21 +02:00
Maël Valais
a7486d5025
DataForCertificate: "Failure" CR condition -> "Failed"
...
Signed-off-by: Maël Valais <mael@vls.dev>
2021-04-06 18:58:31 +02:00
Maël Valais
2361f355aa
DataForCertificate: PR comment: certificate -> cert-manager certificate
...
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
2021-04-06 18:44:26 +02:00
Maël Valais
de0de24aad
DataForCertificate: PR comment: mode -> state
...
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
2021-04-06 18:42:17 +02:00
Maël Valais
c875518da1
DataForCertificate: PR comment: mismatch -> does not match
...
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
2021-04-06 18:34:18 +02:00
Maël Valais
8b41ec1d54
DataForCertificate: PR comment: distinguish X.509 vs. Kubernetes cert
...
The cert-manager team tends to use the word "certificate" for two very
different contexts:
1. sometimes, we use the word "certificate" to refer to an X.509
certificate (a blob of ASN.1-encoded data and then PEM-formatted);
2. and sometimes we refer to "certificate" as one item of the Kubernetes
custom resource /apis/cert-manager.io/v1/certificates.
This commit makes sure the reader understands that we are talking about
the Kubernetes object here.
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
2021-04-06 18:25:48 +02:00
Maël Valais
a724f1ce31
DataForCertificate: PR comment: mismatches is a noun
...
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
2021-04-06 18:09:59 +02:00
Maël Valais
c1d722b116
DataForCertificate: fix diagrams' Failed conditions
...
Signed-off-by: Maël Valais <mael@vls.dev>
2021-04-06 18:09:59 +02:00
Maël Valais
6c9477439c
trigger-controller: hint people to look at gatherer.go diagrams
...
Signed-off-by: Maël Valais <mael@vls.dev>
2021-04-06 18:09:59 +02:00
Maël Valais
497f561ef7
DataForCertificate: hint people to look at gatherer.go diagrams
...
Signed-off-by: Maël Valais <mael@vls.dev>
2021-04-06 18:09:59 +02:00
Maël Valais
068a1c466f
DataForCertificate: better wording for the "error returned"
...
Signed-off-by: Maël Valais <mael@vls.dev>
2021-04-06 18:09:59 +02:00
Maël Valais
f588d4138a
DataForCertificate: explain what the "current" and "next" CRs are used for
...
Signed-off-by: Maël Valais <mael@vls.dev>
2021-04-06 18:09:47 +02:00