weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
6,610 Commits 45 Branches 0 Tags 96 MiB
d998e37a44
Commit Graph

252 Commits

Author SHA1 Message Date
joshvanl
99fd5f3412 Use optional Apply and Apply status to CertificateRequests 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2022-02-11 16:22:04 +00:00
Ashley Davis
3a055cc2f5
rename all uses of github.com/jetstack/cert-manager 
This was done by running the following command twice:

 ```bash
 grep -Ri "github.com/jetstack/cert-manager" . | \
 cut -d":" -f1 | \
 sort | \
 uniq | \
 xargs sed -i
 "s/github.com\/jetstack\/cert-manager/github.com\/cert-manager\/cert-manager/"
 ```

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2022-02-02 09:08:31 +00:00
joshvanl
bd18c0ed86 Update CertificateRequest controllers to use new controller factory 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2022-01-27 12:51:49 +00:00
Krzysztof Ostrowski
e35cb361c8
add comments to satisfy linter 
Signed-off-by: Krzysztof Ostrowski <kostrows@redhat.com>
Co-authored-by: Irbe Krumina <irbekrm@gmail.com>
 2021-11-04 18:15:46 +01:00
Igor Zibarev
f9ceb8a73e Fix some lint issues regarding comments 
References issue #4457

Signed-off-by: Igor Zibarev <zibarev.i@gmail.com>
 2021-11-02 13:57:20 +03:00
James Munnelly
e7dea9f2a2 Replace all references to pkg/internal with internal 
Signed-off-by: James Munnelly <jmunnelly@apple.com>
 2021-10-21 12:27:04 +01:00
irbekrm
7e9753c92e Fix CertificateRequest test 
In Go 1.17 x509.CreateCertificate fails if public key doesn't match private key https://golang.org/doc/go1.17

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-09-30 10:08:40 +01:00
Ashley Davis
68f5ceb3b4
Fix manually specified Certificate and CertificateRequest versions 
Basically all modern X.509 certs are version 3, but confusingly to
specify "version 3" in an encoded cert, the version number is actually
2.

For PKCS#10 CSRs, the only valid version is 1, which again
confusingly has the value "0" when encoded.

This was incorrect in many places, including one place in which the
version number on a CSR was used as a certificate's version number,
when the two are entirely unrelated.

Go ignores these values, so there's no functional changes here; still,
it's better to be accurate.

Go ignoring CSR version and specifying 0:
https://cs.opensource.google/go/go/+/refs/tags/go1.17:src/crypto/x509/x509.go;l=1958

Go ignoring Certificate version and specifying 2:
https://cs.opensource.google/go/go/+/refs/tags/go1.17:src/crypto/x509/x509.go;l=1534

PKCS#10 CSR specification in RFC 2986 section 4.1:
https://datatracker.ietf.org/doc/html/rfc2986#section-4

X.509 Cert specification in RFC 5280 section 4.1.2.1:
https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.1

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2021-08-19 14:48:12 +01:00
irbekrm
ddf7e130b7 Allow users to specify which annotations should be copied from Certificate to CertificateRequest 
Default to all being copied except for kubectl, fluxcd, argocd annotations

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-07-26 20:00:10 +01:00
Maël Valais
af9a1e434f data race: fix certificate requests in cache being mutated 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-07-20 19:50:26 +02:00
joshvanl
1678d0833e Reverts ACME issuer from forming a chain bundle and populating the 
ca.crt

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-06-02 12:21:50 +01:00
jetstack-bot
efd8b7a076
Merge pull request #3866 from jandersen-plaid/jandersen-plaid-make-orders-unique-to-controlling-cr 
Hash orders with the issuing certificate request to ensure unique hash
 2021-05-21 17:34:25 +01:00
jandersen-plaid
b5fe7ecdca Update pkg/controller/certificaterequests/acme/acme.go 
Co-authored-by: Ashley Davis <SgtCoDFish@users.noreply.github.com>
Signed-off-by: Jack Andersen <jandersen@plaid.com>
 2021-05-21 12:08:22 -04:00
jandersen-plaid
cd1d8a2788 Update pkg/controller/certificaterequests/acme/acme_test.go 
Co-authored-by: Ashley Davis <SgtCoDFish@users.noreply.github.com>
Signed-off-by: Jack Andersen <jandersen@plaid.com>
 2021-05-21 12:08:07 -04:00
jandersen-plaid
ed88ce6030 Update pkg/controller/certificaterequests/acme/acme_test.go 
Co-authored-by: Ashley Davis <SgtCoDFish@users.noreply.github.com>
Signed-off-by: Jack Andersen <jandersen@plaid.com>
 2021-05-21 12:07:40 -04:00
Ashley Davis
c67c2c4f47
static analysis: pkg/controller 
fixes the following issues:

pkg/controller/acmeorders/util.go:84:6 deadcode `hashChallenge` is unused
pkg/controller/certificaterequests/approver/approver.go:72:14 staticcheck SA4021: x = append(y) is equivalent to x = y
pkg/controller/certificaterequests/vault/vault_test.go:535:21 errcheck Error return value of `controller.Register` is not checked
pkg/controller/certificates/trigger/policies/policies.go:121:26 gosimple S1039: unnecessary use of fmt.Sprintf
pkg/controller/clusterissuers/sync_test.go:55:12 errcheck Error return value of `c.Register` is not checked
pkg/controller/ingress-shim/sync.go:301:2 gosimple S1005: unnecessary assignment to the blank identifier

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2021-05-21 12:03:47 +01:00
irbekrm
a42771b7e4 Adds a bunch of comments for exported types 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-05-19 10:19:43 +01:00
irbekrm
881fb2ddea Make tests fail if controller registration fail 
Part of work towards fixing errors discovered by static analysis tools

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-05-19 10:16:59 +01:00
Jack Andersen
b48e9664a6 Only use the new hash on certificate request names > 52 chars 
Signed-off-by: Jack Andersen <jandersen@plaid.com>
 2021-05-18 09:08:30 -04:00
jetstack-bot
0ff2b8778c
Merge pull request #3983 from JoshVanL/parse-certificate-chain-venafi 
Parse certificate chain venafi
 2021-05-13 14:21:14 +01:00
jetstack-bot
22ff380f39
Merge pull request #3984 from JoshVanL/parse-certificate-chain-acme 
Parse certificate chain acme
 2021-05-13 13:50:14 +01:00
joshvanl
58a25314f7 Changes CR CA controller to use ECDSA keys 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-12 15:07:25 +01:00
joshvanl
ea2cfdc3c9 Updates CA issuer to updates SignCSRTemplate and propagate CA 
certificate down

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-12 14:22:59 +01:00
joshvanl
e4d3d3f725 Change ParseCertificateChain to ParseSingleCertificateChain 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-12 14:17:41 +01:00
joshvanl
33fcf0d082 Uses ParseCertificateChainPEM for ACME Order Response 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-12 14:17:02 +01:00
joshvanl
d69a4e1a3c Change ParseCertificateChain to ParseSingleCertificateChain 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-12 14:15:54 +01:00
joshvanl
1030bbadb5 Change Venafi Signer to use ParseCertificateChain to populate Status.CA 
correctly

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-12 14:14:47 +01:00
jetstack-bot
3434c78188
Merge pull request #3960 from wallrj/538-lint-fixes-richardw 
Fix some linting errors
 2021-05-07 11:50:34 +01:00
Richard Wall
c9eb75c447 Remove unused test-case field 
pkg/controller/certificaterequests/venafi/venafi_test.go:787:2                           structcheck  `issuer` is unused

Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2021-05-07 09:55:09 +01:00
Jake Sanders
eab7c954a2
Use %v to log errors 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-05-05 16:28:46 +01:00
Jake Sanders
196e42c221
Tidy godoc comments 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-05-05 16:21:24 +01:00
Jake Sanders
f194d9b732
Add godoc comments 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-05-05 15:59:02 +01:00
Jake Sanders
bab9efaa8f
staticcheck: package imported more than once 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-05-04 14:58:23 +01:00
Richard Wall
c15d30742d Remove duplicate import 
pkg/controller/certificaterequests/venafi/venafi_test.go:43:2: package "github.com/jetstack/cert-manager/pkg/controller/test" is being imported more than once (ST1019)
pkg/controller/certificaterequests/venafi/venafi_test.go:44:2: other import of "github.com/jetstack/cert-manager/pkg/controller/test"

Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2021-05-04 14:50:37 +01:00
Jake Sanders
0625249fc7
errcheck: Error return value of controller.Register is not checked 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-05-04 14:14:48 +01:00
joshvanl
e05adbf06b Remove expected events when Ready Denied condition set 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-04-09 18:20:07 +01:00
joshvanl
ff3e4bb07d Don't fire an event when the Denied ready condition is set 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-04-09 18:19:44 +01:00
joshvanl
50a84eaf1d Sets the Ready condition to False when a request is Denied 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-04-09 15:34:32 +01:00
joshvanl
1d75fc480e Adds Denied to certificaterequests reporter 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-04-09 15:26:15 +01:00
Jack Andersen
ceab5f1b15 Adjust comment to reflect what the hash applies to 
Signed-off-by: Jack Andersen <jandersen@plaid.com>
 2021-04-07 10:37:11 -04:00
Jack Andersen
6fc20a7055 Hash orders with the issuing certificate request to ensure unique hash 
Signed-off-by: Jack Andersen <jandersen@plaid.com>
 2021-04-07 10:27:47 -04:00
joshvanl
18ae2295f9 Pass context through to client calls in controllers and acme issuer 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-31 20:34:12 +01:00
Salman
800d6019bf Replace reflect.DeepEqual with semantic equality check and remove status marshal 
Signed-off-by: salmanahmed404 <salmanahmed404@gmail.com>
 2021-03-27 12:49:14 +05:30
jetstack-bot
19ae739ab7
Merge pull request #3760 from SgtCoDFish/selfsigned-validity-3634 
selfsigned: warn when certs are issued with empty issuer DNs
 2021-03-26 12:30:58 +00:00
Ashley Davis
5e31fa37ff
selfsigned: warn when certs have empty issuer DNs 
as raised in#3634 - RFC 5280 states that the issuer field cannot be
empty, but this could easily happen with selfsigned certs which had
an empty subject (as the issuer matches the subject when the cert is
self signed)

this commit detects when a cert would be issued selfsigned with an
empty subject DN and emits a warning event, allowing cluster operators
to detect the warning and potentially either re-issue to generate a
compliant cert, or else accept the risk.

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2021-03-26 11:51:46 +00:00
joshvanl
14d6f0720a Don't log from multiple controllers when a CertificateRequest is deleted 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-23 17:49:52 +00:00
joshvanl
65acf10858 Don't log error output in approver when CertificateRequest is deleted 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-17 13:10:39 +00:00
joshvanl
32d0c5af4e Updates Approved/Denied tests for new reasons 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-17 13:10:39 +00:00
joshvanl
c94ad99731 Updates approver controller to use custom Approved Reason 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-17 13:10:39 +00:00
joshvanl
a3e63b1787 Update CertificateRequest controllers to use new Denied type, and add 
tests for when a CertificateRequest is denied

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-17 13:10:39 +00:00