weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
8,335 Commits 45 Branches 0 Tags 96 MiB
c3304feec5
Commit Graph

624 Commits

Author SHA1 Message Date
Tim Ramlot
41404a7fd7
rename UseCertificateRequestNameConstraints to NameConstraints 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-01-03 15:49:18 +01:00
jetstack-bot
cc8925ae9f
Merge pull request #6404 from SpectralHiss/hef/otherNameSANs 
Other name sans support in Certificates
 2024-01-03 14:16:23 +00:00
jetstack-bot
4af78fe98a
Merge pull request #6548 from snorwin/modern-pkcs12 
New option to specify encryption and MAC algorithms for PKCS#12 keystores.
 2024-01-03 12:54:22 +00:00
Tim Ramlot
8223df9e91
rename Algorithms to Profile 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-01-03 13:45:02 +01:00
Tim Ramlot
24794feac0
update API comments 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-12-20 11:26:52 +01:00
SpectralHiss
e7f29f8bb3 UTF8Value -> utf8Value in CRD JSON schema 
* Still following Go standard with UTF8Value for struct field name

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2023-12-20 08:30:54 +00:00
Adam Talbot
247a034116 feat: update gateway api to v1 
Signed-off-by: Adam Talbot <adam.talbot@venafi.com>
 2023-12-18 21:00:42 +00:00
Norwin Schnyder
ebf58b9967 apply PR feedback 
Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>
 2023-12-15 10:52:57 +01:00
Allen Mun
9b09aa87a7 Add flag and field to customize leaf duration on dynamic certificates 
Signed-off-by: Allen Mun <allen.mun@capitalone.com>
 2023-12-13 15:45:52 -05:00
SpectralHiss
95b9345a5d Make UTF8Value godoc comment more clear 
Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2023-12-13 17:05:12 +00:00
SpectralHiss
4bdee5f010 Rename otherNameSANs to otherNames 
* Improve the CRD godoc comments

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2023-12-13 16:21:56 +00:00
Norwin Schnyder
b8ad8a3704 apply PR feedback 
Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>
 2023-12-13 12:00:39 +00:00
Tim Ramlot
721f71ed60 Refactor the solution 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-12-13 09:37:21 +00:00
Tim Ramlot
bfd9a65160 Add OtherNameSANs field to Certificates 
* Added an otherName SAN extension mechanism
* Can take any otherName OID with String (UTF-8) like value
* cf [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280) p 37 for
  more info
* otherName is only a subset of GeneralName, our specific need for for
  UserPrincipalName used in Microsoft AD/ LDAP
* We treat UPN special but we might remove this in a later commit

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2023-12-13 09:12:23 +00:00
Norwin Schnyder
b79e73f484 fix controller-gen errors 
Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>
 2023-12-12 18:25:15 +01:00
Norwin Schnyder
b8f4f3b518 pkcs12 encoding with different algorithms 
Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>
 2023-12-12 14:27:00 +00:00
tanujd11
a29a5913d0 addressed review comments 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 23:42:35 +05:30
tanujd11
28ca4312b3 fix: additional review comments 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:30:31 +05:30
tanujd11
84d7dd4aed Addressed review comments 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:30:31 +05:30
tanujd11
d1b3e5ca83 Move critical from NameConstraintItem to NameConstraint and remove validateNameConstraints 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:30:29 +05:30
tanujd11
adb9311f56 validate name constraint before signing CSR 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:29:45 +05:30
tanujd11
50d84c1bbc nits: added new line at EOF and comment fix 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:27:42 +05:30
tanujd11
589030dec1 feature: added name constraints 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:27:31 +05:30
Jeremy Campbell
dc876fef16
Add x509 v3 CA Issuers Extension 
Signed-off-by: Jeremy Campbell <jeremy.campbell@okta.com>
 2023-11-16 12:45:16 -06:00
Tim Ramlot
e5f50002e1
introduce configfile for cainjector options 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-09-28 12:56:11 +02:00
Tim Ramlot
b98043f6b8
apply review suggestions 
Co-authored-by: Maël Valais <mael@vls.dev>
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-09-01 12:20:00 +02:00
Tim Ramlot
7c2b4adee7
Rewrite comments in cert-manager API 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-09-01 12:19:35 +02:00
Tim Ramlot
31b5ed6620
Make webhook Logging options configurable using configfile. 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-08-17 12:00:50 +02:00
Tim Ramlot
e8b5b2e354
Fix bug in ControllerConfiguration's defaulting of logging config, where config would not be correctly defaulted in case a partial logging configuration is provided. 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-08-17 11:19:16 +02:00
Tim Ramlot
db1fcdabb1
add comment explaining port 0 behavior 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-08-16 11:08:36 +02:00
Tim Ramlot
b19d11d267
change the types of ports in the WebhookConfiguration: 
internal: *int -> int32
public: *int -> *int32

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-08-15 20:53:58 +02:00
Tim Ramlot
f50167ce31
restructure the controller configfile 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-08-10 11:30:33 +02:00
Cody W. Eilar
282a6d58a9 Preserve internal types 
- Needed to add custom conversion functions to handle conversions from
  public facing types to internal ones.

Signed-off-by: Cody W. Eilar <ecody@vmware.com>
 2023-07-27 16:44:38 -07:00
Cody W. Eilar
6212b63e51 Address the non-optional values in internal config 
- This  commit changes the internal config to have fewer number of
  optional parameters.  It changes the types to match the ones that are
  already present in https://github.com/kubernetes/apimachinery/blob/master/pkg/apis/meta/v1/conversion.go
  so that custom converters do not have to be written for types "int"
  and "float32".

Signed-off-by: Cody W. Eilar <ecody@vmware.com>
 2023-07-27 16:44:38 -07:00
Cody W. Eilar
1243fe285b Add to ability to start controller with config file 
Signed-off-by: Cody W. Eilar <ecody@vmware.com>
 2023-07-27 16:44:38 -07:00
irbekrm
f4dc243b77 Document what fao stands for in the controller.cert-manager.io/fao label 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-06-02 13:45:10 +01:00
Greg
662900a1d3
apis/acme/v1: ACMEIssuer: set omitempty on optional field 
This field is marked optional in the API docs, but is required when serializing JSON. Make it optional to match.

Signed-off-by: Greg <gdvalle@users.noreply.github.com>
 2023-05-07 09:52:13 -05:00
jetstack-bot
5035dda25e
Merge pull request #6006 from vidarno/cache-private-key-hash-on-issuer-status 
Cache private key hash on issuer status
 2023-05-05 08:05:07 +01:00
vidarno
4934183927 Extend CRDs and structs to include LastPrivateKeyHash field 
Signed-off-by: vidarno <>
 2023-04-29 09:12:56 +02:00
Thomas Müller
12483d3d54 Check JKS/PKCS12 truststores only if issuer provides the CA 
The current policy check for keystores in Secrets creates a loop because
the truststore.jks or truststore.p12 will never exist when the issuer didn't
provide the CA certificate. This behaviour was introduced by #5597

The JKS and PKCS12 truststores are only added to the Secret
if the CA is provided by the issuer. The CertificateRequest API
reference states:

> The PEM encoded x509 certificate of the signer, also known
> as the CA (Certificate Authority). This is set on a best-effort basis by
> different issuers. If not set, the CA is assumed to be unknown/not available.

This change will only check the PKCS12/JKS truststores if the CA cert from the
issuer exists in the secret.

Fixes #5755

Signed-off-by: Thomas Müller <thomas@chaschperli.ch>
 2023-04-27 17:09:41 +02:00
jetstack-bot
50501d2f64
Merge pull request #5824 from irbekrm/controller_partial_metadata 
Controller partial metadata
 2023-04-06 15:38:02 +01:00
irbekrm
b2b3eade26 Updates cert.status.lastFailureTime description 
To match the current behaviour

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-04-05 12:54:14 +01:00
irbekrm
8f3ea9a40d Update comment on controller.cert-manager.io/fao label key 
As this PR actually starts using this label to filter secrets

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-03-22 09:03:16 +00:00
Maël Valais
f0449ddb3b ingressClassName: document the "oneOf" contraint for the "name" field 
Signed-off-by: Maël Valais <mael@vls.dev>
 2023-03-09 15:15:39 +01:00
Maël Valais
ca9aaa0440 ingressClassName: let's remove the link placeholder 
The link itself is way too long to fit in the API reference.

Signed-off-by: Maël Valais <mael@vls.dev>
 2023-03-09 14:42:21 +01:00
Maël Valais
6458ed1543 Move from a flag to the Issuer field "ingressClassName" 
Signed-off-by: Maël Valais <mael@vls.dev>
 2023-03-03 17:50:30 +01:00
Michael Malov
dc621e9306 Add imagePullSecrets for AMCE http01 solver pod 
Signed-off-by: Michael Malov <mmeemail@gmail.com>
 2023-02-13 14:18:50 +03:00
Maël Valais
ac9791abae api: explicit the fact that no "oneOf" validation is performed 
Signed-off-by: Maël Valais <mael@vls.dev>
 2023-02-06 18:28:49 +01:00
Maël Valais
f1cfffd06b serviceAccountRef: detail why secretRef isn't a pointer 
Signed-off-by: Maël Valais <mael@vls.dev>
 2023-02-06 18:28:49 +01:00
Maël Valais
aed8a2ec85 serviceAccountRef: auto-generate "aud" and hardcode "exp" 
Signed-off-by: Maël Valais <mael@vls.dev>
 2023-02-06 18:28:49 +01:00