Due to a bug in controller-gen[1] certain paths are incorrectly split
and part of these paths can be interpreted as a numeric literal, which
will cause controller-gen to fail. We observe this as occasional test
flakes in the "verify-crds" target, when the tmpdir starts with a zero,
such as in "/tmp/tmp.0PFqFSHBID"
This commit attempts to avoid this bug by specifying a template for the
tmpdir we generate when verifying CRDs which doesn't include any "."
characters, which seem to be being split incorrectly.
[1] https://github.com/kubernetes-sigs/controller-tools/issues/734
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Previously it wasn't possible to set a custom CA bundle for an ACME
server, leading users to either patch the cert-manager system CA bundle
manually or else use SkipTLSVerify which is a security issue.
This adds CABundle for ACME, similar to what we have for Vault and
Venafi TPP issuers.
Longer term we'd like to have a more fully featured approach. It would
for example make sense to support loading CA bundles from ConfigMaps or
Secrets (similar to what we do for Vault issuers today), but for now this
change is the simplest change.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Clarifies language a little; makes it clearer that the bundle
should be base64 encoded. Previously it was slightly confusing
in that PEM certificates are themselves base64 encoded.
Also makes it clearer what our CABundle validation does and does not do
by adding a standalone validation function and tweaking the error
message for an invalid CA bundle.
Also updates validation to not print CA bundle for Vault issuer when the
bundle is invalid, since it won't help with debugging anything.
Currently the bundle is printed as byte values ("0x32, 0x58, 0x43...")
and in any case printing the whole bundle could be noisy if it's large
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
```text
{
"VulnerabilityID": "CVE-2022-41717",
"PkgName": "golang.org/x/net",
"InstalledVersion": "v0.0.0-20220921155015-db77216a4ee9",
"FixedVersion": "0.4.0",
"Layer": {
"DiffID": "sha256:629212d4fb1b47585329d1c630cb91f919ddcd6168031a07121953d6c6dbd438"
},
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-41717",
"DataSource": {
"ID": "go-vulndb",
"Name": "The Go Vulnerability Database",
"URL": "https://github.com/golang/vulndb"
},
"Title": "An attacker can cause excessive memory growth in a Go server accepting ...",
"Description": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
"Severity": "UNKNOWN",
"References": [
"https://go.dev/cl/455635",
"https://go.dev/cl/455717",
"https://go.dev/issue/56350",
"https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ",
"https://pkg.go.dev/vuln/GO-2022-1144"
],
"PublishedDate": "2022-12-08T20:15:00Z",
"LastModifiedDate": "2022-12-08T22:30:00Z"
}
```
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
