Commit Graph

923 Commits

Author SHA1 Message Date
Vinny Sabatini
d15e55a16c
Update pkg/issuer/vault/setup.go
Co-authored-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Signed-off-by: Vinny Sabatini <vincent.sabatini@gmail.com>
2023-10-24 09:52:52 -05:00
Vinny Sabatini
ef6ef1f0db additional improvements to vault issuer error messages
When initializing a Vault issuer:

* Create different error messages depending on whether Vault is sealed or not initialized
* Do not explicitly parse the Vault server URL (this is covered when trying to access health endpoint)

Signed-off-by: Vinny Sabatini <vincent.sabatini@kohls.com>
2023-10-20 16:36:11 -05:00
Vincent Sabatini
298ceb3b2a fix error message when setting up vault issuer
* Ensure Vault URL can be parsed
* Separate generic http errors from vault specific errors when checking
health endpoint

Signed-off-by: Vincent Sabatini <vincent.sabatini@gmail.com>
2023-10-19 08:23:04 -05:00
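The health probe described in the two commits above (ef6ef1f0db and 298ceb3b2a), as an added Go example that is not cert-manager's own code: it GETs Vault's /v1/sys/health endpoint, keeps transport failures and non-Vault HTTP responses apart from Vault-specific states, and reports "sealed" and "not initialized" as two distinct errors. Only the /v1/sys/health path, its status codes (200 ready, 501 not initialized, 503 sealed) and the initialized/sealed body fields are Vault's documented behaviour; the VaultState type, CheckVaultHealth and the httptest stand-in for a Vault server are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// VaultState is the outcome of probing Vault's /v1/sys/health endpoint.
type VaultState int

const (
	VaultReady         VaultState = iota // initialized and unsealed (HTTP 200)
	VaultSealed                          // initialized but sealed (HTTP 503)
	VaultUninitialized                   // never initialized (HTTP 501)
	VaultHTTPError                       // transport failure or a non-Vault response
)

func (s VaultState) String() string {
	return [...]string{"ready", "sealed", "not initialized", "http error"}[s]
}

// healthResponse holds the two /v1/sys/health body fields used here.
type healthResponse struct {
	Initialized bool `json:"initialized"`
	Sealed      bool `json:"sealed"`
}

// CheckVaultHealth GETs /v1/sys/health and classifies the result. The server
// URL is not pre-validated: a malformed URL simply fails inside the request
// and is reported as a generic HTTP error, never confused with a Vault state.
func CheckVaultHealth(client *http.Client, server string) (VaultState, error) {
	u := strings.TrimRight(server, "/") + "/v1/sys/health"
	resp, err := client.Get(u)
	if err != nil {
		return VaultHTTPError, fmt.Errorf("failed to reach Vault health endpoint %s: %w", u, err)
	}
	defer resp.Body.Close()
	// Vault answers 200/501/503 but always with a JSON body; a body that does
	// not decode means some other HTTP server answered, not a Vault state.
	var h healthResponse
	if err := json.NewDecoder(resp.Body).Decode(&h); err != nil {
		return VaultHTTPError, fmt.Errorf("non-Vault response from %s (HTTP %d): %w", u, resp.StatusCode, err)
	}
	switch {
	case !h.Initialized:
		return VaultUninitialized, errors.New("Vault is not initialized")
	case h.Sealed:
		return VaultSealed, errors.New("Vault is sealed")
	}
	return VaultReady, nil
}

// newFakeVault is a constructed stand-in for a Vault server that mirrors the
// documented /v1/sys/health status codes and body fields used above.
func newFakeVault(initialized, sealed bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/v1/sys/health" {
			http.NotFound(w, r)
			return
		}
		code := http.StatusOK
		switch {
		case !initialized:
			code = http.StatusNotImplemented
		case sealed:
			code = http.StatusServiceUnavailable
		}
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(code)
		json.NewEncoder(w).Encode(healthResponse{Initialized: initialized, Sealed: sealed})
	}))
}

func main() {
	for _, s := range []struct {
		name string
		srv  *httptest.Server
	}{
		{"ready", newFakeVault(true, false)},
		{"sealed", newFakeVault(true, true)},
		{"uninitialized", newFakeVault(false, false)},
	} {
		state, err := CheckVaultHealth(s.srv.Client(), s.srv.URL)
		fmt.Printf("%-14s -> %v (err=%v)\n", s.name, state, err)
		s.srv.Close()
	}
}
```

A plain web server sitting at the configured URL (for example a wrong port) decodes as a generic HTTP error rather than as "sealed", which is the separation the second commit asks for.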
Maël Valais
d1d92b6398 venafi: ResetCertificate wasn't working
Signed-off-by: Maël Valais <mael@vls.dev>
2023-10-06 16:24:15 +02:00
Tim Ramlot
ef3bd7d3b2
upgrade all dependencies
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-09-28 12:07:27 +02:00
Josh Soref
05117f5f75 Add cluster-autoscaler.kubernetes.io/safe-to-evict
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2023-09-14 12:47:04 -04:00
Eng Zer Jun
c274d7e929
refactor: remove redundant nil check
From the Go specification:

  "3. If the map is nil, the number of iterations is 0." [1]

Therefore, an additional nil check before the loop is unnecessary.

[1]: https://go.dev/ref/spec#For_range

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2023-09-05 19:05:59 +08:00
Tim Ramlot
cf8e37291a
replace k8s.io/utils/pointer with k8s.io/utils/ptr
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-08-28 09:33:10 +02:00
jetstack-bot
15b2643abf
Merge pull request #6253 from fayvori/master
Fix messageAppRoleAuthKeyRequired error message
2023-08-17 19:01:31 +02:00
guiyong.ou
3d76c20f51 cleanup: some redundant code clean up
Signed-off-by: guiyong.ou <guiyong.ou@daocloud.io>
2023-08-14 17:36:25 +08:00
Ignat Belousov
17c34eaafa
Returned time to each function
Signed-off-by: Ignat Belousov <ignat.belousov2000@yahoo.com>
2023-08-10 10:05:37 +02:00
Ignat Belousov
88f1500843
Fix messageAppRoleAuthKeyRequired error message
Signed-off-by: Ignat Belousov <ignatbelousov@Ignats-MacBook-Pro.local>
2023-08-10 10:05:37 +02:00
Ashley Davis
a53bec25e7
Update nameserver lookup test to use upstream targets
In the long term I don't think this test should be run as a unit test
because it can randomly break due to changes in DNS config we don't
control, which is a pretty poor user experience for someone trying to
change unrelated code.

If we're going to run this kind of check, we should probably run it as a
periodic rather than a presubmit, perhaps with the test being run on
presubmit when the DNS util code is changed.

But that's all more work than I can really do now. Instead, I'll copy
what the upstream go-lego is doing, which should unblock us for now:

07c4daeff3/challenge/dns01/nameserver_test.go

Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
2023-08-09 09:27:30 +01:00
Tim Ramlot
90f84b9c40
remove VCert fork dependency replace statement
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-07-10 11:26:16 +02:00
Tim Ramlot
5ba29272c0
add validation to pki CertificateTemplate function
and add support for the DontAllowInsecureCSRUsageDefinition feature gate
to use old behavior in controller

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-07-05 13:04:21 +02:00
Richard Boldiš
2b2ada9491 fix: handle multiple cloudflare dns-01 challenges for the same FQDN
Signed-off-by: Richard Boldiš <richard@boldis.dev>
2023-06-27 18:13:35 +02:00
Florian Liebhart
b47c5a1361 update documentation on the DNSQuery function
Signed-off-by: Florian Liebhart <flo.liebhart@gmail.com>
2023-06-20 10:36:27 +02:00
Florian Liebhart
ae27bfb0d6 write some unit tests for CAA Validation
Signed-off-by: Florian Liebhart <flo.liebhart@gmail.com>
2023-06-19 16:27:00 +02:00
Florian Liebhart
9ddf2bab90 remove HTTPS endpoint for default nameservers; remove DNS-over-TLS
Signed-off-by: Florian Liebhart <flo.liebhart@gmail.com>
2023-06-19 16:06:39 +02:00
Tim Ramlot
3a29635c66
add support for DoH and DoT
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-19 15:59:40 +02:00
Florian Liebhart
894e1f99d6 fix error for dns endpoint propagation
Signed-off-by: Florian Liebhart <flo.liebhart@gmail.com>
2023-06-19 15:32:01 +02:00
Florian Liebhart
a934bbf462 Make the DNS-Over-HTTPS Json endpoint configurable
Signed-off-by: Florian Liebhart <flo.liebhart@gmail.com>
2023-06-19 15:32:01 +02:00
Florian Liebhart
857d0aef9e Add logging for the DNS over HTTPS selfcheck
Signed-off-by: Florian Liebhart <flo.liebhart@gmail.com>
2023-06-19 15:32:01 +02:00
Florian Liebhart
fa2f063c28 rebase master
Signed-off-by: Florian Liebhart <flo.liebhart@gmail.com>
2023-06-19 15:32:01 +02:00
schrodit
53a5a95d9f Add enableServiceLink to test pod definition
Signed-off-by: schrodit <mail@timschrodi.tech>
2023-06-12 09:54:37 +02:00
schrodit
c9559882c4 Remove service links from http solver pod
Signed-off-by: schrodit <mail@timschrodi.tech>
2023-06-12 09:26:22 +02:00
Hans Arnholm
501581ad06
issuer: acme: clouddns: Only clean up own records
If running multiple cert-managers, they can race against each other

Signed-off-by: Hans Arnholm <hans@arnholm.dk>
2023-06-01 10:15:54 +02:00
jetstack-bot
022292832f
Merge pull request #6032 from inteon/fix_acme_bugs
Fix small bugs and make small improvements in ACME code
2023-05-12 15:19:41 +01:00
Tim Ramlot
0cf0f80b40
switch to non-deprecated functions in source code
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-05-10 19:22:49 +02:00
Tim Ramlot
7d0178f27d
fix small bugs and make small improvements
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-05-09 15:22:21 +02:00
vidarno
f7390903be Update tests after adding new LastPrivateKeyHash field in status of issuer CRDs
Signed-off-by: vidarno <>
2023-04-29 09:14:07 +02:00
vidarno
92da674e9a Update logic in function IsKeyCheckSumCached to compare private key with hash in status field of CRD instead of from Secret
Signed-off-by: vidarno <>
2023-04-29 09:13:54 +02:00
irbekrm
300fe72ff0 Code review
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-04-25 13:45:06 +01:00
irbekrm
0d1d66d900 Fixes tests
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-04-25 06:20:58 +01:00
irbekrm
3d82e94789 Ensures metadata only is cached for pods and services
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-04-25 06:20:58 +01:00
jetstack-bot
ece30e655f
Merge pull request #5949 from TrilokGeer/key-replace-sha256checksum
Fixes status change on privateKey update on acme issuer
2023-04-18 15:04:07 +01:00
TrilokGeer
bdc0cb7c40 Fixes status change on privateKey update on acme issuer
Signed-off-by: TrilokGeer <tgeer@redhat.com>
2023-04-14 21:33:44 +05:30
irbekrm
7d592a8270 Swap upstream core informers factory with our wrapper
This does not actually change how the informers work. This also adds a partial metadata client to the root context

Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-03-22 09:03:16 +00:00
Andrew Starr-Bochicchio
70594bd7ca digitalocean: Pass user agent string to godo client.
Signed-off-by: Andrew Starr-Bochicchio <a.starr.b@gmail.com>
2023-03-16 11:20:56 -04:00
Maël Valais
1b9cd207d3 remove unused test func
Signed-off-by: Maël Valais <mael@vls.dev>
2023-03-07 15:06:58 +01:00
Maël Valais
6458ed1543 Move from a flag to the Issuer field "ingressClassName"
Signed-off-by: Maël Valais <mael@vls.dev>
2023-03-03 17:50:30 +01:00
Daniel Sonck
44d1467217 Add flag to allow switching ingressClassName specification
Adds a flag to allow between using the old class name annotation or the new
ingressClassName that is gaining support in more ingress controllers.

Signed-off-by: Daniel Sonck <daniel@sonck.nl>
2023-03-03 17:42:43 +01:00
Michael Malov
dc621e9306 Add imagePullSecrets for ACME http01 solver pod
Signed-off-by: Michael Malov <mmeemail@gmail.com>
2023-02-13 14:18:50 +03:00
Maël Valais
7a856af843 serviceAccountRef: update tests of the controller-side validation
Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-07 13:26:35 +01:00
Maël Valais
c35a245631 serviceAccountRef: fix panicking since serviceAccountRef can now be nil
Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-06 18:28:49 +01:00
Maël Valais
76eef68730 serviceAccountRef: the vault issuer can now use bound SA tokens
Previously, the Vault issuer was only able to use a Secret in order to
use the "Kubernetes authentication" method. The downside to this service
account Secret token is that it has the default JWT iss
"kubernetes/serviceaccount" (along with the fact that the token is not
bound to a particular pod and has no expiry).

With the new serviceAccountRef, cert-manager now requests the token on
behalf of the pod in order to authenticate with Vault.

Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-06 18:28:49 +01:00
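To make the contrast in the commit message above concrete, the following added Go example (not cert-manager's own code) decodes the claims of the two kinds of token it compares: the legacy Secret-based token with iss "kubernetes/serviceaccount", no audience and no expiry, and a bound token of the kind cert-manager now requests for the Vault "kubernetes" auth method, which carries exp, aud and a kubernetes.io claim tying it to a pod. Both tokens are constructed inside the block as unsigned samples; the issuer URL, pod name and UIDs are assumed values. The code deliberately does not verify signatures (in the real flow that is Vault's job via the Kubernetes TokenReview API), and the TokenRequest call that obtains the bound token is not shown.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// TokenInfo holds the claims that distinguish a legacy Secret-based service
// account token from a bound, short-lived token issued via TokenRequest.
type TokenInfo struct {
	Issuer    string
	Audiences []string
	Expires   *time.Time // nil for legacy tokens, which never expire
	Namespace string
	PodName   string // empty unless the token is bound to a pod
}

// IsBound reports whether the token both expires and is tied to a pod.
func (t TokenInfo) IsBound() bool { return t.Expires != nil && t.PodName != "" }

type k8sClaims struct {
	Namespace string `json:"namespace"`
	Pod       struct {
		Name string `json:"name"`
	} `json:"pod"`
}

type saClaims struct {
	Issuer   string          `json:"iss"`
	Audience json.RawMessage `json:"aud"` // a string or an array of strings
	Exp      *int64          `json:"exp"`
	K8s      *k8sClaims      `json:"kubernetes.io"`
}

// InspectServiceAccountToken decodes the payload of a compact JWT. It does
// NOT verify the signature; it only reports what the token claims.
func InspectServiceAccountToken(token string) (TokenInfo, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return TokenInfo{}, errors.New("token is not a compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return TokenInfo{}, fmt.Errorf("decoding JWT payload: %w", err)
	}
	var c saClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return TokenInfo{}, fmt.Errorf("parsing JWT claims: %w", err)
	}
	info := TokenInfo{Issuer: c.Issuer}
	if len(c.Audience) > 0 {
		var single string
		if json.Unmarshal(c.Audience, &single) == nil {
			info.Audiences = []string{single}
		} else if err := json.Unmarshal(c.Audience, &info.Audiences); err != nil {
			return TokenInfo{}, fmt.Errorf("parsing aud claim: %w", err)
		}
	}
	if c.Exp != nil {
		exp := time.Unix(*c.Exp, 0).UTC()
		info.Expires = &exp
	}
	if c.K8s != nil {
		info.Namespace, info.PodName = c.K8s.Namespace, c.K8s.Pod.Name
	}
	return info, nil
}

// buildUnsignedToken assembles a constructed, unsigned JWT ("alg":"none") for
// the samples below. Never accept such a token anywhere in production.
func buildUnsignedToken(claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(hdr) + "." + enc(body) + "."
}

// LegacySecretToken mimics the token stored in a service account Secret:
// static issuer, no audience, no expiry, no pod binding.
func LegacySecretToken() string {
	return buildUnsignedToken(map[string]any{
		"iss": "kubernetes/serviceaccount",
		"sub": "system:serviceaccount:cert-manager:cert-manager",
		"kubernetes.io/serviceaccount/namespace":            "cert-manager",
		"kubernetes.io/serviceaccount/service-account.name": "cert-manager",
	})
}

// BoundProjectedToken mimics a TokenRequest token: issuer URL, audience,
// expiry and a kubernetes.io claim binding it to one pod. Issuer URL, pod
// name and UIDs are assumed sample values.
func BoundProjectedToken(now time.Time) string {
	return buildUnsignedToken(map[string]any{
		"iss": "https://kubernetes.default.svc.cluster.local",
		"sub": "system:serviceaccount:cert-manager:cert-manager",
		"aud": []string{"vault"},
		"iat": now.Unix(),
		"exp": now.Add(10 * time.Minute).Unix(),
		"kubernetes.io": map[string]any{
			"namespace":      "cert-manager",
			"serviceaccount": map[string]string{"name": "cert-manager", "uid": "11111111-1111-1111-1111-111111111111"},
			"pod":            map[string]string{"name": "cert-manager-0", "uid": "22222222-2222-2222-2222-222222222222"},
		},
	})
}

func main() {
	for name, tok := range map[string]string{"legacy": LegacySecretToken(), "bound": BoundProjectedToken(time.Now())} {
		info, err := InspectServiceAccountToken(tok)
		fmt.Printf("%-6s bound=%-5v iss=%s aud=%v pod=%q err=%v\n", name, info.IsBound(), info.Issuer, info.Audiences, info.PodName, err)
	}
}
```

The bound token is the one Vault can scope: it checks the audience it was configured for, rejects the token after exp, and the pod binding means a leaked token stops working once that pod is gone, none of which holds for the Secret-based token.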
Maël Valais
15748767ef vault: add unit tests around Setup
Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-03 16:27:52 +01:00
Richard Wall
e727df6c1d Disable automountServiceAccountToken in the ACME HTTP01 solver Pod
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2023-01-26 17:22:42 +00:00
Richard Wall
24cbfc7ba8 Revert "automount service account tokens off by default"
This reverts commit 954eb0d875.

Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2023-01-24 17:19:52 +00:00
Richard Wall
954eb0d875 automount service account tokens off by default
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2023-01-24 17:00:11 +00:00