weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
5,218 Commits 45 Branches 0 Tags 96 MiB
c875518da1
Commit Graph

2236 Commits

Author SHA1 Message Date
Maël Valais
c875518da1 DataForCertificate: PR comment: mismatch -> does not match 
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
 2021-04-06 18:34:18 +02:00
Maël Valais
8b41ec1d54 DataForCertificate: PR comment: distinguish X.509 vs. Kubernetes cert 
The cert-manager team tends to use the word "certificate" for two very
different contexts:

1. sometimes, we use the word "certificate" to refer to a X.509
   certificate (a blob of ASN.1-encoded data and then PEM-formated);
2. and sometimes we refer to "certificate" as one item of the Kubernetes
   custom resource /apis/cert-manager.io/v1/certificates.

This commit makes sure the reader understands that we are talking about
the Kubernetes object here.

Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
 2021-04-06 18:25:48 +02:00
Maël Valais
a724f1ce31 DataForCertificate: PR comment: mismatches is a noun 
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
 2021-04-06 18:09:59 +02:00
Maël Valais
c1d722b116 DataForCertificate: fix diagrams' Failed conditions 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-04-06 18:09:59 +02:00
Maël Valais
6c9477439c trigger-controller: hint people to look at gatherer.go diagrams 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-04-06 18:09:59 +02:00
Maël Valais
497f561ef7 DataForCertificate: hint people to look at gatherer.go diagrams 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-04-06 18:09:59 +02:00
Maël Valais
068a1c466f DataForCertificate: better wording for the "error returned" 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-04-06 18:09:59 +02:00
Maël Valais
f588d4138a DataForCertificate: explain what the "current" and "next" CRs are used for 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-04-06 18:09:47 +02:00
Maël Valais
a1a43b6784 DataForCertificate: PR comment: explain why we return a "duplicate CR" err 
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
 2021-04-06 18:09:29 +02:00
Maël Valais
450d27f5d0 trigger-controller: PR comment: and -> if there is 
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
 2021-04-06 18:09:28 +02:00
Maël Valais
c1bf35f4ed trigger-controller: further comments on shouldBackoffReissuingOnFailure 
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Irbe Krumina <irbekrm@gmail.com>
 2021-04-06 18:09:28 +02:00
Maël Valais
a2bbdb7c51 DataForCertificate: explain what is the "next" certificate request 
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
 2021-04-06 18:09:28 +02:00
Maël Valais
27f258cf3c trigger-controller: PR comment: use a single "fixedClock" 
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Irbe Krumina <irbekrm@gmail.com>
 2021-04-06 18:09:28 +02:00
Maël Valais
36c2cc4d3b trigger-controller: PR comment: explain what "if nextCR != nil" is about 
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Irbe Krumina <irbekrm@gmail.com>
 2021-04-06 18:09:28 +02:00
Maël Valais
85128f26ce trigger-controller: PR comment: rephrase log about skipping issuance 
The log message:

    multiple CertificateRequests found for the 'next' revision 2,
    skipping issuance until no more duplicate.

can be better phrased as:

    multiple CertificateRequests are found for the 'next' revision 2,
    issuance is skipped until there are no more duplicates.

Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
 2021-04-06 18:09:28 +02:00
Maël Valais
05c1fb9fc2 trigger-controller: reissue on mismatch using NextRevisionRequest 
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
 2021-04-06 18:09:28 +02:00
Maël Valais
eb6d1399fc DataForCertificate: the func now fetches NextRevisionRequest 
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
 2021-04-06 18:09:27 +02:00
Maël Valais
9305766ff2 trigger-controller: add two unit tests to showcase #3250 
Note that I had initially made createCryptoBundle public since I found
it inconvenient to have to pass a testing.T when we know that we should
never be  failing inside this func (I mean, the failure  zould not be due
to a wrong test case).

After a comment from Maartje, I realize that I could just use an anonymous
function for that purpose.

Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
 2021-04-06 18:09:27 +02:00
Maël Valais
747aba056c createCryptoBundle: cert-manager.io/certificate-revision was wrong 
It was set to a pointer value instead of the actual int value.

Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
 2021-04-06 18:09:27 +02:00
jetstack-bot
e29a3df86d
Merge pull request #3785 from JoshVanL/approval-subject-access-review 
Approval subject access review
 2021-04-01 08:00:39 +01:00
joshvanl
46f1d853f5 Adds comment about why we convert CRs into internal types when 
validating approval

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-30 15:33:27 +01:00
jetstack-bot
517d211103
Merge pull request #3816 from irbekrm/update_bazel 
Bump versions of Gazelle, go_rules, Kazel, protobuf
 2021-03-30 13:44:38 +01:00
irbekrm
81a8588b91 Bumps versions of Gazelle, go_rules, Kazel, protobuf 
Signed-off-by: irbekrm <irbekrm@gmail.com>

Bumps versions of Gazelle, go_rules, Kazel and protobuf

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-03-29 08:25:12 +01:00
Salman
800d6019bf Replace reflect.DeepEqual with semantic equality check and remove status marshal 
Signed-off-by: salmanahmed404 <salmanahmed404@gmail.com>
 2021-03-27 12:49:14 +05:30
Salman
572bfb9111 Replace reflect.DeepEqual with semantic equality check 
Signed-off-by: salmanahmed404 <salmanahmed404@gmail.com>
 2021-03-27 12:49:14 +05:30
joshvanl
820b8556a3 Fix go linting 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 17:41:42 +00:00
joshvanl
55e74c3e02 Update bazel build files 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 17:28:14 +00:00
joshvanl
4be73eaec0 Add plugins to webhook server 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 17:26:28 +00:00
joshvanl
3ecef47b2a Remove SubjectAccessReview validation registry 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 17:26:28 +00:00
joshvanl
29a7a90d85 Remove old approval SAR registry 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 17:26:28 +00:00
joshvanl
8380569470 Move approval validation to new internal webhook admission plugin 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 17:26:28 +00:00
joshvanl
746cd7460b Updates approval review comment to correctly state cluster scope and 
issuer name

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 17:26:28 +00:00
joshvanl
d69e798b83 Update validation approved tests for new string 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 17:26:28 +00:00
joshvanl
ed22fb99f6 Change approved/denied forbidden error to read better for EU 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 17:26:28 +00:00
joshvanl
13d8cc707f Adds SubjectAccessReview checks in webhook, if ValidateUpdate Succeeds 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 17:26:28 +00:00
joshvanl
92c6ce88bb Register approval checks with validation init registration 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 17:26:28 +00:00
joshvanl
53cb1835f7 Adds SubjectAccessReview registry to the validation Registry 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 17:26:28 +00:00
joshvanl
78aba9c01f Adds approval condition SubjectAccessReview check 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 17:26:28 +00:00
jetstack-bot
bad96f5102
Merge pull request #3582 from lalitadithya/vault_health_check_and_namespace_fix 
Vault health check and namespace fix
 2021-03-26 15:20:58 +00:00
jetstack-bot
19ae739ab7
Merge pull request #3760 from SgtCoDFish/selfsigned-validity-3634 
selfsigned: warn when certs are issued with empty issuer DNs
 2021-03-26 12:30:58 +00:00
Ashley Davis
5e31fa37ff
selfsigned: warn when certs have empty issuer DNs 
as raised in#3634 - RFC 5280 states that the issuer field cannot be
empty, but this could easily happen with selfsigned certs which had
an empty subject (as the issuer matches the subject when the cert is
self signed)

this commit detects when a cert would be issued selfsigned with an
empty subject DN and emits a warning event, allowing cluster operators
to detect the warning and potentially either re-issue to generate a
compliant cert, or else accept the risk.

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2021-03-26 11:51:46 +00:00
jetstack-bot
a8c75fab1a
Merge pull request #3773 from JoshVanL/certificate-revision-history-limit 
Certificate revision history limit
 2021-03-26 11:13:58 +00:00
jetstack-bot
7946df1da7
Merge pull request #3788 from maelvls/refactor-trigger-unit-tests 
Refactor trigger-controller unit tests
 2021-03-25 11:41:36 +00:00
Maël Valais
7e21f730cc PR comment: typo: "the following are" instead of "is" 
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Jake Sanders <i@am.so-aweso.me>
 2021-03-25 09:07:45 +01:00
Maël Valais
fe3617a41c PR comment: a sentence starts with a capital letter and ends with a dot 
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
 2021-03-24 19:19:34 +01:00
joshvanl
fd78593b59 Fixes Certificates revision manager controller name 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-24 17:32:45 +00:00
Omair Khan
68271f105b Certificate Readiness controller will only try to update the 
certificate status if there is a change.

Signed-off-by: OmairK <omairkhan064@gmail.com>
 2021-03-24 20:45:19 +05:30
jetstack-bot
3a367927dc
Merge pull request #3793 from JoshVanL/dont-log-cr-deleted 
Don't log from multiple controllers when a CertificateRequest is deleted
 2021-03-24 13:27:46 +00:00
jetstack-bot
dffbf391db
Merge pull request #3733 from jakexks/renewBefore 
Clarify the default values for the renewBefore and duration fields
 2021-03-24 10:53:46 +00:00
joshvanl
14d6f0720a Don't log from multiple controllers when a CertificateRequest is deleted 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-23 17:49:52 +00:00