This does not actually change how the informers work. This also adds a partial metadata client to root context.
Signed-off-by: irbekrm <irbekrm@gmail.com>
This will only be needed by the SecretsFilteredCaching feature, but I cannot think of any harm in adding it to the general path.
Signed-off-by: irbekrm <irbekrm@gmail.com>
Previously, the Vault issuer was only able to use a Secret in order to
use the "Kubernetes authentication" method. The downside to this service
account Secret token is that it has the default JWT iss
"kubernetes/serviceaccount" (along with the fact that the token is not
bound to a particular pod and has no expiry).
With the new serviceAccountRef, cert-manager now requests the token on
behalf of the pod in order to authenticate with Vault.
Signed-off-by: Maël Valais <mael@vls.dev>
The documentation [1] mentions that `StdoutPipe` should not be used
along with `Run`:
"Wait will close the pipe after seeing the command exit, so most callers
need not close the pipe themselves. It is thus incorrect to call Wait
before all reads from the pipe have completed. For the same reason, it
is incorrect to call Run when using StdoutPipe. See the example for
idiomatic usage."
It seems we are using `Run`, meaning that the StdoutPipe gets closed
when `Run` returns (because `Run` calls `Wait` and closes the StdoutPipe
before returning).
To reproduce:
git fetch fa4c2cfcad79f0a8a806b71caefbf96b049533c5
git checkout fa4c2cfcad79f0a8a806b71caefbf96b049533c5
go test -tags=e2e_test ./test/e2e -- -test.outputdir=$PWD/_bin/artifacts \
-ginkgo.junit-report=junit__01.xml -ginkgo.flake-attempts=1 \
-test.timeout=24h -ginkgo.v -test.v -ginkgo.randomize-all \
-ginkgo.progress -ginkgo.trace -ginkgo.slow-spec-threshold=300s \
--repo-root=/home/mvalais/code/cert-manager \
--report-dir=/home/mvalais/code/cert-manager/_bin/artifacts \
--acme-dns-server=10.0.0.16 --acme-ingress-ip=10.0.0.15 \
--acme-gateway-ip=10.0.0.14 \
--ingress-controller-domain=ingress-nginx.http01.example.com \
--gateway-domain=gateway.http01.example.com \
--feature-gates="" \
--ginkgo.focus=".*should be ready with a valid serviceAccountRef"
Result:
error install helm chart: cmd.Run: exit status 1: io.Copy: write /dev/stdout: copy_file_range: use of closed file
Signed-off-by: Maël Valais <mael@vls.dev>
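Added example, not code from the cert-manager commit above: `runBuggy` reproduces the misuse the message describes (`Run` calls `Wait`, which closes the `StdoutPipe` before it is read), and `runFixed` follows the idiomatic `Start`, drain, `Wait` order. The `sh -c` command is a constructed input chosen so the output fits in the pipe buffer.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"os/exec"
)

// runBuggy mirrors the failing pattern: Run calls Wait, and Wait closes
// the parent's read end of the pipe, so the io.Copy afterwards fails with
// a "closed file" error instead of returning the child's output.
func runBuggy(name string, args ...string) (string, error) {
	cmd := exec.Command(name, args...)
	stdout, err := cmd.StdoutPipe()
	if err != nil {
		return "", err
	}
	if err := cmd.Run(); err != nil { // Start + Wait: pipe is closed on return
		return "", fmt.Errorf("cmd.Run: %w", err)
	}
	var buf bytes.Buffer
	if _, err := io.Copy(&buf, stdout); err != nil {
		return "", fmt.Errorf("io.Copy: %w", err)
	}
	return buf.String(), nil
}

// runFixed is the order the os/exec documentation asks for: Start the
// process, read the pipe to EOF, and only then Wait (which closes the pipe).
func runFixed(name string, args ...string) (string, error) {
	cmd := exec.Command(name, args...)
	stdout, err := cmd.StdoutPipe()
	if err != nil {
		return "", err
	}
	if err := cmd.Start(); err != nil {
		return "", fmt.Errorf("cmd.Start: %w", err)
	}
	var buf bytes.Buffer
	if _, err := io.Copy(&buf, stdout); err != nil { // drain before Wait
		return "", fmt.Errorf("io.Copy: %w", err)
	}
	if err := cmd.Wait(); err != nil {
		return "", fmt.Errorf("cmd.Wait: %w", err)
	}
	return buf.String(), nil
}

func main() {
	out, err := runFixed("sh", "-c", "echo a; echo b")
	fmt.Printf("fixed: %q err=%v\n", out, err)
	out, err = runBuggy("sh", "-c", "echo a; echo b")
	fmt.Printf("buggy: %q err=%v\n", out, err)
}
```

Note that `runBuggy` also deadlocks if the child writes more than the pipe buffer before `Run` returns, which is the other reason the documentation forbids this combination.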
The way the tests run (a new kube apiserver with a different client created for the same initialized solver) is not how this solver would actually run.
Signed-off-by: irbekrm <irbekrm@gmail.com>
With the goal of making folks working on these parts of the code aware that this is the one bit that will be imported in external projects.
Signed-off-by: irbekrm <irbekrm@gmail.com>
Clarifies language a little; makes it clearer that the bundle
should be base64 encoded. Previously it was slightly confusing
in that PEM certificates are themselves base64 encoded.
Also makes it clearer what our CABundle validation does and does not do
by adding a standalone validation function and tweaking the error
message for an invalid CA bundle.
Also updates validation to not print CA bundle for Vault issuer when the
bundle is invalid, since it won't help with debugging anything.
Currently the bundle is printed as byte values ("0x32, 0x58, 0x43...")
and in any case printing the whole bundle could be noisy if it's large.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>