weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
7,368 Commits 45 Branches 0 Tags 96 MiB
c685efeb03
Commit Graph

2980 Commits

Author SHA1 Message Date
Ashley Davis
c5924f54a1
add + use CABundle field for ACME servers in issuers 
Previously it wasn't possible to set a custom CA bundle for an ACME
server, leading users to either patch the cert-manager system CA bundle
manually or else use SkipTLSVerify which is a security issue.

This adds CABundle for ACME, similar to what we have for Vault and
Venafi TPP issuers.

Longer term we'd like to have a more fully featured approach. It would
for example make sense to support loading CA bundles from ConfigMaps or
Secrets (similar to what we do for Vault issuers today), but for now this
change is the simplest change.

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2022-12-15 16:21:07 +00:00
Ashley Davis
f68693bb6a
change wording on descriptions for Vault and TPP 'CABundle' fields 
Clarifies language a little; makes it clearer that the bundle
should be base64 encoded. Previously it was slightly confusing
in that PEM certificates are themselves base64 encoded.

Also makes it clearer what our CABundle validation does and does not do
by adding a standalone validation function and tweaking the error
message for an invalid CA bundle.

Also updates validation to not print CA bundle for Vault issuer when the
bundle is invalid, since it won't help with debugging anything.
Currently the bundle is printed as byte values ("0x32, 0x58, 0x43...")
and in any case printing the whole bundle could be noisy if it's large

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2022-12-15 16:21:02 +00:00
Luca Comellini
c99c147059
Bump k8s.io deps to v0.26.0 
Signed-off-by: Luca Comellini <luca.com@gmail.com>
 2022-12-14 21:53:42 -08:00
Sathyanarayanan Saravanamuthu
f719247d2b Addressing review comments 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-12-06 18:54:46 +05:30
Sathyanarayanan Saravanamuthu
94fa9eeee6 Addressing review comments 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-12-06 18:54:46 +05:30
Sathyanarayanan Saravanamuthu
42ae76ae30 Refreshing secrets when the keystore fields change 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-12-06 18:54:46 +05:30
irbekrm
486c72f122 Update reference to HTTPRoute docs 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2022-12-05 15:04:18 +00:00
jetstack-bot
6ec8da3366
Merge pull request #5583 from lvyanru8200/uodateGwVerison 
feature: update gateway api to v1beta1
 2022-12-05 14:52:48 +00:00
lv
a13c76d312 feature: update gateway api to v1beta1 
Signed-off-by: lvyanru <yanru.lv@daocloud.io>

feature: update gateway api to v1beta1

Signed-off-by: lvyanru <1113706590@qq.com>
 2022-12-05 14:03:21 +00:00
Martín Montes
f884dac555 Return error when Gateway has a cross-namespace secret ref 
Signed-off-by: Martín Montes <martin11lrx@gmail.com>
 2022-12-01 12:46:33 +01:00
jetstack-bot
77c410f5cb
Merge pull request #5570 from weisdd/feature/azure-workload-identity 
feat(AzureDNS): Add support for Workload Identity
 2022-11-30 18:00:32 +00:00
Igor Beliakov
df20fcd3e4 chore(AzureDNS): added more comments as requested by @wallrj 
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
 2022-11-24 22:42:18 +01:00
Houssem El Fekih
8af2d64f3b Gofmt files 
Signed-off-by: Houssem El Fekih <houssem.elfekih@jetstack.io>
 2022-11-18 10:55:56 +00:00
Houssem El Fekih
f41cf33efe Add support for required LDAP (rfc4514) RDNs in LiteralSubject 
* Add OID translation for mandatory DC component
* Used extensively in LDAP certificates, also required by rfc5280
* Add support for UID, mentioned in LDAP RFC
* solves https://github.com/cert-manager/cert-manager/issues/5582

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2022-11-18 10:22:39 +00:00
Igor Beliakov
964f4bbd8d feat(AzureDNS): add a test for federated SPT 
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
 2022-11-17 17:42:05 +01:00
Corey McGalliard
7e6e0940a2 updating to match feedback and adjust the RunAsNonRoot options for http01 solver to be more descriptive 
Signed-off-by: Corey McGalliard <cmcgalliard@redventures.com>
 2022-11-16 11:20:36 -05:00
jetstack-bot
95dc198cd6
Merge pull request #5571 from inteon/cleanup_csr_generation 
Improve gen.CSR and use it in all tests
 2022-11-15 14:08:44 +00:00
jetstack-bot
4ffd6213e7
Merge pull request #5552 from sathyanarays/isCaFix 
Fixing CA flag in basic constraints extension
 2022-11-10 13:37:47 +00:00
Sathyanarayanan Saravanamuthu
860ba8465a Addressing review comments 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-11-10 14:27:26 +05:30
Tim Ramlot
b999749854
improve gen.CSR and use it everywhere 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2022-11-10 09:21:31 +01:00
Richard Wall
df42b81326 Fix typos in explanatory comment 
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2022-11-09 17:50:27 +00:00
Richard Wall
1f1ed47c2a Always initialize tlsClientConfig if the default is nil 
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2022-11-09 17:45:52 +00:00
Richard Wall
218cdb7e0f Use RenegotiateOnceAsClient and explain why 
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2022-11-09 17:25:31 +00:00
Igor Beliakov
efae037cec chore(Azure): improve naming, add comments 
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
 2022-11-09 17:33:28 +01:00
Sathyanarayanan Saravanamuthu
d4de98d35b Adding unit tests 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-11-06 09:36:26 +05:30
Sathyanarayanan Saravanamuthu
bb39c5cf79 Fixing CA flag in basic constraints extension 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-11-03 15:34:25 +05:30
Igor Beliakov
741fa3cfb4 feat(Azure): add support for workload identity 
Signed-off-by: Igor Beliakov <demtis.register@gmail.com>
 2022-10-29 15:43:33 +02:00
joshvanl
e804431dba Fire event for informational purposes when the CertificateRequest has not yet been approved. 
Signed-off-by: joshvanl <me@joshvanl.dev>
 2022-10-23 18:04:58 +01:00
jetstack-bot
277bcfc305
Merge pull request #5504 from sathyanarays/nit_fix 
[NIT] Changing variable name to denote right type
 2022-10-14 17:17:30 +01:00
jetstack-bot
da3265115b
Merge pull request #5387 from Tolsto/vault-ca-bundle-secret-ref 
Add option to load Vault CA bundle from Kubernetes Secret
 2022-10-13 09:55:09 +01:00
Sathyanarayanan Saravanamuthu
1bc773cbcf [NIT] Changing variable name to denote right type 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-10-12 13:41:23 +05:30
Sathyanarayanan Saravanamuthu
204fa78dd8 [NIT] Changing variable name to denote right type 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-10-12 13:37:35 +05:30
Sathyanarayanan Saravanamuthu
2969202fe2 Addressing review comments 
Co-authored-by: Cody W Eilar <ecody@vmware.com>

Signed-off-by: Cody W Eilar <ecody@vmware.com>
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-10-11 17:22:38 +05:30
Sathyanarayanan Saravanamuthu
40947b0ef4 Generate Certificate Request with predictable name 
Co-authored-by: Cody W Eilar <ecody@vmware.com>

Signed-off-by: Cody W Eilar <ecody@vmware.com>
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
 2022-10-11 17:01:26 +05:30
jetstack-bot
a624f49386
Merge pull request #5469 from sathyanarays/unit_test_improve 
Increasing unit test coverage for pkg/issuer/acme/setup.go
 2022-10-06 15:23:27 +01:00
Tim Ramlot
e917e4a103
log more information on why the get CertificateRequest request failed 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2022-10-05 18:53:53 +02:00
Sathyanarayanan Saravanamuthu
401fb2dc34 Improving unit test coverage of pkg/issuer/acme/setup.go 
Signed-off-by: Sathyanarayanan Saravanamuthu <sathya.chozhanaadan@gmail.com>
 2022-10-04 16:59:40 +05:30
Danny Kulchinsky
9074f5a081 refactor RemoveCertificate to use DeletePartialMatch 
Signed-off-by: Danny Kulchinsky <dkulchinsky@fastly.com>
 2022-09-28 10:24:30 -04:00
Danny Kulchinsky
cc1d982b33 fix incorrect func signature in certificate metrics controller 
Signed-off-by: Danny Kulchinsky <dkulchinsky@fastly.com>
 2022-09-28 10:21:36 -04:00
Danny Kulchinsky
ef9030303a fix formatting 
Signed-off-by: Danny Kulchinsky <dkulchinsky@fastly.com>
 2022-09-28 10:21:36 -04:00
Danny Kulchinsky
81c85ee15c add issuer_{group|name|kind} labels to prom metrics 
Signed-off-by: Danny Kulchinsky <dkulchinsky@fastly.com>
 2022-09-28 10:21:36 -04:00
Luca Comellini
4498b7cc47
Bump Go to 1.19 
Signed-off-by: Luca Comellini <luca.com@gmail.com>
 2022-09-27 11:38:51 -07:00
Tim Ramlot
39fa9f51b4 upgrade dependencies 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2022-09-26 11:43:12 +02:00
Tim Ramlot
99ed9f3e06 add comment 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2022-09-23 10:30:32 +02:00
Tristan Deloche
878d84a2fa
Ensure forward-compatibility with k8s.io/apiserver's Storage interface 
Signed-off-by: Tristan Deloche <tde@hey.com>
 2022-09-20 16:10:22 +01:00
jetstack-bot
e82c72cff0
Merge pull request #5413 from Abirdcfly/master 
chore: remove duplicate word in comments
 2022-08-30 13:15:31 +01:00
Abirdcfly
6ac4d89c81
chore: remove duplicate word in comments 
Signed-off-by: Abirdcfly <fp544037857@gmail.com>
 2022-08-30 17:18:31 +08:00
Renato Costa
162777aab2 Fix incorrect uses of loop variable 
This fixes two instances where loop variables were being incorrectly
used:

- using a loop variable in a closure passed to `ginkgo.It()` is
incorrect, as the capture happens by reference and only the last test
case will be executed (multiple times).
- a similar issue happens in the context of a goroutine; specifically,
we need to create a copy of the `runDurationFunc` before calling it in
a goroutine as done by the controller's `Run` function.

With regards to the second issue, I believe it never came to the
surface because, in production code, only one `runDurationFunc` is
passed; tests don't exercise the multiple funcs path either.

Issues were automatically found with the `loopvarcapture` linter.

Signed-off-by: Renato Costa <renato@cockroachlabs.com>
 2022-08-26 15:08:30 -04:00
jetstack-bot
12f98dbc7e
Merge pull request #5376 from inteon/upgrade_gateway_api 
Upgrade gateway api to v0.5.0
 2022-08-25 16:08:10 +01:00
jetstack-bot
d1a8f7f52d
Merge pull request #5336 from JoshVanL/controllers-certificaterequests-secrets-informer 
CertificateRequest: re-sync SelfSigned CertificateRequest when target Secret is informed.
 2022-08-23 16:46:23 +01:00