weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
6,154 Commits 45 Branches 0 Tags 96 MiB
c58b73edeb
Commit Graph

234 Commits

Author SHA1 Message Date
irbekrm
7b6eeff457 Profiler address for controller can now be configured 
Ensures that pprof is configured for controller in the same way as for cainjector

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-10-26 12:20:42 +03:00
joshvanl
64feb85490 Adds bazel to build and release cmctl, along with kubectl-cert_manager 
binary

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-10-14 15:49:46 +01:00
Johan Fleury
ef32714434
Make leader election defaults consistent 
Signed-off-by: Johan Fleury <jfleury@arcaik.net>
 2021-08-13 12:14:40 -04:00
Jake Sanders
ed4ad50b22
Don't start the Gateway Shared Informer Factory if the Gateway API feature is disabled 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-08-05 15:22:02 +01:00
Jake Sanders
36aa9e2501
The gateway-api support is now gated behind --feature-gate=ExperimentalGatewayAPISupport=true 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-08-05 14:37:54 +01:00
Jake Sanders
27348a7072
Better error messages when Gateway API CRDs aren't installed 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-08-03 14:21:02 +01:00
Jake Sanders
b38869b551
Gateway HTTP01: Make docs better, only enable gateway solver if gateway API is found 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-08-02 14:06:23 +01:00
Jake Sanders
deb9ccc5a9
HTTP01 solver support for the Gateway API 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-08-02 14:06:16 +01:00
jetstack-bot
d062176777
Merge pull request #4243 from inteon/improved_go_routines 
Cleanup goroutine management
 2021-07-28 15:36:41 +01:00
Inteon
78d13787e6
remove duplicated error messages & cobra help messages on error 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-28 15:55:14 +02:00
Inteon
d430113666
remove os.Exit from cert-manager controller and make sure LeaderElection ReleaseOnCancel works 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-27 21:40:42 +02:00
jetstack-bot
3b50d78ae4
Merge pull request #4225 from jakexks/ingressv1 
Feature: Support both v1 and v1beta1 ingresses.
 2021-07-27 20:11:37 +01:00
Inteon
48e9c2bd16
exit with exit code 0 on cancel & release leader-election on cancel 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-27 19:43:08 +02:00
irbekrm
2ddf6fe637 Allows for annotations passed from CSR to Order to be filtered 
Using the value from copied-annotation-prefixes flag, where by default kubectl, fluxcd, argocd annotations are excluded

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-07-27 10:55:09 +01:00
Irbe Krumina
3834a8fc0a Code review feedback 
Co-authored-by: Josh Van Leeuwen <joshua.vanleeuwen@jetstack.io>
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-07-26 20:00:37 +01:00
irbekrm
ddf7e130b7 Allow users to specify which annotations should be copied from Certificate to CertificateRequest 
Default to all being copied except for kubectl, fluxcd, argocd annotations

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-07-26 20:00:10 +01:00
Jake Sanders
67c6586161
Addressing code review comments in #4225 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-07-26 18:29:54 +01:00
Jake Sanders
0d93b93fc5
Feature: Support both v1 and v1beta1 ingresses. 
Kubernetes is removing support for the v1beta1 Ingress type in 1.22: https://kubernetes.io/blog/2021/07/14/upcoming-changes-in-kubernetes-1-22/#api-changes
However, we still wish to support k8s v1.16 until mid 2022 when Openshift 3 becomes out of support.

cert-manager will now use v1 Ingress if available by using the discovery API.

Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-07-26 18:29:42 +01:00
joshvanl
b041a8fb3d Wires up ACME CSR controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-23 16:00:09 +01:00
Inteon
632459c6d9
resolve bug & cleanup 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-23 15:41:24 +02:00
Inteon
81e216eeba
wait for goroutines to end before exiting 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-23 15:30:26 +02:00
jetstack-bot
9ad9e220f3
Merge pull request #4230 from inteon/fix_exit_codes 
set correct exit codes
 2021-07-23 13:06:09 +01:00
Inteon
d6cd6f457d
set correct exit codes when exiting 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-22 12:57:08 +02:00
joshvanl
65cec6c212 Wires up Venafi CertificateSigningRequest controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-19 15:50:23 +01:00
Maël Valais
e5436df521 gateway-shim: don't crash cert-manager if the Gateway CRD isn't there 
The Gateway CRD has to be installed, meaning that the CRDs may be
installed after cert-manager. We don't want cert-manager to crash in
that case; instead, we let the user know that cert-manager will keep
retrying looking for the CRDs with this message on startup:

  controller.go:181] cert-manager/controller/build-context "msg"="the
  Gateway API CRDs do not seem to be present, cert-manager will keep
  retrying watching for them"

The user then sees the following message printed (using an exponential
back-off):

  reflector.go:167: Failed to watch *v1alpha1.Gateway: failed to list
  *v1alpha1.Gateway: the server could not find the requested resource
  (get gateways.networking.x-k8s.io)

Signed-off-by: Maël Valais <mael@vls.dev>
 2021-07-15 20:35:47 +02:00
Maël Valais
b5142f84c0 gateway-shim: only discover the gateway api when gateway-shim is enabled 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-07-15 20:35:34 +02:00
Maël Valais
30f9c123d3 gateway-shim: add the gateway-shim controller 
Note that the gateway-shim is only half the work for supporting the
Gateway API in cert-manager. The other half is the HTTP01 solver
support, which is still worked on.

The Gateway API in cert-manager is releases as an experimental feature
and needs to be enabled manually with the following flag:

  --controllers=*,gateway-shim

All the annotations supported by ingress-shim are also supported by
gateway-shim, with some exceptions:

  "acme.cert-manager.io/http01-ingress-class"

This annotation is not supported on the Gateway resource. Although the
Gateway resource also has a "gatewayClass" field, we will need to add
another field instead of "ingress-class" to avoid confusion with the
ingress-shim.

  "acme.cert-manager.io/http01-edit-in-place"

This annotation is not supported because it is specific to some ingress
controllers like ingress-gce.

  "kubernetes.io/tls-acme"

This annotation is not supported because it is a behavior inherited from
kube-lego and we chose not to keep this behavior with the Gateway API.

Unlike the ingress-shim, you can reuse the same Secret name in multiple
TLS configurations on the same Gateway resource.

The ingress-shim now shows the exact location of the duplicate
secretName when the user gives the same secretName in two separate TLS
blocks.

Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Jake Sanders <i@am.so-aweso.me>
 2021-07-15 20:34:55 +02:00
joshvanl
d9be35c299 Wires up Vault CSR controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-06-29 09:11:43 +01:00
jetstack-bot
fbd2a6d06a
Merge pull request #4105 from kit837/add-clock-time-seconds 
Add clock_time_seconds metric
 2021-06-15 21:00:53 +01:00
kit837
0f97e6d19d pass in clock.Clock for better test 
Signed-off-by: kit837 <66801824+kit837@users.noreply.github.com>
 2021-06-15 17:48:20 +00:00
jetstack-bot
b8a1f3d6fb
Merge pull request #4070 from irbekrm/3969_parameterize_and_document_image_building 
3969 parameterize and document image building
 2021-06-15 16:45:53 +01:00
joshvanl
72800ae0f2 Wires up the SelfSigned CertificateSigningRequest controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-06-14 10:19:28 +01:00
irbekrm
4413774944 Removes unused Bazel deps 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-06-01 08:49:30 +01:00
irbekrm
d79a058b14 Allow controlling whether cgo is enabled via flags to Bazel 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-06-01 08:47:06 +01:00
joshvanl
9e1b0342d0 Updates with review comments 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-27 18:48:50 +01:00
joshvanl
60d5974115 Moves CertificateSigningRequest controller to feature gate flag 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-27 12:00:56 +01:00
joshvanl
62dee4783e Adds CertificateSigningRequest CA Issuer controller as optional 
controller

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-27 00:32:24 +01:00
irbekrm
b539cbea89 Use ConfigmapsLeases Multilock for controller's leader election 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-05-17 18:19:38 +01:00
Jake Sanders
79d8d9cb7b
Revert "Merge pull request #3724 from inteon/istio-virtualservice-for-http01" 
This reverts commit 80f27739b5, reversing
changes made to 96604d02a3.

Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-05-11 14:50:25 +01:00
Jake Sanders
423e82b65b
Revert "Merge pull request #3939 from JoshVanL/istio-api-to-internal-apis" 
This reverts commit f2a74ade5e, reversing
changes made to 7ff54e61e9.

Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-05-11 14:50:23 +01:00
joshvanl
01716e2907 Fixes stutter: istio.IsIstioInstalled -> istio.IsInstalled 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-04-29 11:42:21 +01:00
joshvanl
00ceff3421 Update bazel 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-04-29 11:36:49 +01:00
joshvanl
3af22cf6c6 Move istio util duncs to pkg/util/istio 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-04-29 11:35:41 +01:00
Inteon
2d7dfcb462 start DynamicSharedInformerFactory unconditionally; only listen for VirtualServices conditionally 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-04-28 09:20:49 +02:00
Inteon
624e2b9e69 add ACME HTTP01 Istio support 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-04-28 09:19:53 +02:00
joshvanl
8f5b03427c Fix options_test.go boilerplate header 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 11:28:01 +00:00
joshvanl
6ef840972c Change controller options to return a set of enabled controllers, and 
log enabled controllers on start

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 11:28:01 +00:00
joshvanl
5c3e02d7a5 Changes the controllers flag to allow disabling controllers. This is the 
same behaviour as kube-controller-manager

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 11:28:01 +00:00
joshvanl
0382c9d8b2 Adds a cert-manager-controller flag to disable controllers, for example, 
the certificaterequests-approver

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 11:28:01 +00:00
jetstack-bot
a8c75fab1a
Merge pull request #3773 from JoshVanL/certificate-revision-history-limit 
Certificate revision history limit
 2021-03-26 11:13:58 +00:00