weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
5,777 Commits 45 Branches 0 Tags 96 MiB
e18e29ea45
Commit Graph

1073 Commits

Author SHA1 Message Date
joshvanl
e18e29ea45 Adds unit tests for CertificateSigningRequest ACME handle owner 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-23 16:00:09 +01:00
joshvanl
9e322a4033 Removes old comment which is no longer relevant 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-23 16:00:09 +01:00
joshvanl
b84e3edcc9 Review comments 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-23 16:00:09 +01:00
joshvanl
bec5d5be32 Remove CA annotation from ACME CertificateSigningRequest controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-23 16:00:09 +01:00
joshvanl
43f002b0f0 Adds CertificateSigningRequest ACME controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-23 16:00:09 +01:00
joshvanl
37dbf770da Fire event when CertificateSigningRequest hasn't been signed yet 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-20 10:39:27 +01:00
joshvanl
a1a953f40f More comments 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-19 19:29:40 +01:00
joshvanl
0fdd52e603 Adds comments to some func's and changes return err names to be more 
clear

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-19 15:50:23 +01:00
joshvanl
0116bf18bd Changed Venafi CSR request "the request will be retried" -> "waiting" 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-19 15:50:23 +01:00
joshvanl
6e57e1093f Adds comment about what the pickup ID is in the CSR controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-19 15:50:23 +01:00
joshvanl
e0fc320d41 Remove CA annotation being set on Venafi CertificateSigningRequest 
controller

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-19 15:50:23 +01:00
joshvanl
c4914f7103 Adds venafi CertificateSigningRequest controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-19 15:50:23 +01:00
Maël Valais
368c7659ee gateway-shim: test: two different secrets create two Certificates 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-07-15 20:35:47 +02:00
Maël Valais
f77954e5e3 gateway-shim: document issuerForIngressLike and translateAnnotations 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-07-15 20:35:41 +02:00
Maël Valais
30f9c123d3 gateway-shim: add the gateway-shim controller 
Note that the gateway-shim is only half the work for supporting the
Gateway API in cert-manager. The other half is the HTTP01 solver
support, which is still worked on.

The Gateway API in cert-manager is releases as an experimental feature
and needs to be enabled manually with the following flag:

  --controllers=*,gateway-shim

All the annotations supported by ingress-shim are also supported by
gateway-shim, with some exceptions:

  "acme.cert-manager.io/http01-ingress-class"

This annotation is not supported on the Gateway resource. Although the
Gateway resource also has a "gatewayClass" field, we will need to add
another field instead of "ingress-class" to avoid confusion with the
ingress-shim.

  "acme.cert-manager.io/http01-edit-in-place"

This annotation is not supported because it is specific to some ingress
controllers like ingress-gce.

  "kubernetes.io/tls-acme"

This annotation is not supported because it is a behavior inherited from
kube-lego and we chose not to keep this behavior with the Gateway API.

Unlike the ingress-shim, you can reuse the same Secret name in multiple
TLS configurations on the same Gateway resource.

The ingress-shim now shows the exact location of the duplicate
secretName when the user gives the same secretName in two separate TLS
blocks.

Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Jake Sanders <i@am.so-aweso.me>
 2021-07-15 20:34:55 +02:00
Maël Valais
b13b751d63 PR review with Irbe: re-queue Ingress on "Update" and "Add" of certs 
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Irbe Krumina <irbekrm@gmail.com>
 2021-07-13 19:06:10 +02:00
Maël Valais
e12173b4c2 ingress-shim: unit-test certificateDeleted, only call on deletion 
The func certificateDeleted was being called on every possible event
(deleted, created, updated).

Signed-off-by: Maël Valais <mael@vls.dev>
 2021-07-12 17:30:01 +02:00
Maël Valais
59051432e3 ingress-shim: remove unused issuer and clusterissuer listers 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-07-12 17:26:58 +02:00
Maël Valais
c119b64fdf ingress-shim: I was syncing on Issuers instead of Ingresses 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-07-12 17:26:50 +02:00
Maël Valais
30ad33784d ingress-shim: remove unecessary/verbose comment 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-07-09 18:27:08 +02:00
Maël Valais
1cb39d1efe ingress-shim: remove duplicate line 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-07-09 17:43:01 +02:00
Maël Valais
0b12a5cf5f ingress-shim: explain why the owner ref does not have a namespace 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-07-09 17:42:48 +02:00
Maël Valais
75b9bd6598 ingress-shim: untangle logic for "looking for cert owners" 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-07-07 13:27:30 +02:00
Maël Valais
26b074241a issuing controller test: check w.Register error 
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Richard Wall <richard.wall@jetstack.io>
 2021-07-06 12:51:01 +02:00
Maël Valais
37bee71d68 static analysis party: fix errcheck warnings 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-07-06 12:51:01 +02:00
Maël Valais
98bf0b6478
DataForCertificate: explain what the "current" and "next" CRs are used for 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-07-05 13:32:32 +02:00
joshvanl
2c217f0377 Remove CA field from Vault CertificateSigningRequest controllers 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-06-29 10:50:33 +01:00
joshvanl
d0e7ccd805 Update some CSR comments 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-06-29 10:41:03 +01:00
joshvanl
f5b609e446 Adds Vault CertificateSigningRequest Issuer controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-06-29 09:11:43 +01:00
joshvanl
7e8bf731b2 Remove the experimental.cert-manager.io/ca annotation from the 
CertificateSigningRequest

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-06-25 16:02:37 +01:00
irbekrm
fd61e1ccc7 Delete 'next' CertificateRequests that failed in last issuance cycle 
So that the issuance is retried

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-06-22 07:28:06 +01:00
irbekrm
feb62b1fe5 Make the back off period const public 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-06-22 06:37:07 +01:00
irbekrm
428c280f76 Pass clock to request manager controller 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-06-22 06:36:26 +01:00
jetstack-bot
fbd2a6d06a
Merge pull request #4105 from kit837/add-clock-time-seconds 
Add clock_time_seconds metric
 2021-06-15 21:00:53 +01:00
kit837
0f97e6d19d pass in clock.Clock for better test 
Signed-off-by: kit837 <66801824+kit837@users.noreply.github.com>
 2021-06-15 17:48:20 +00:00
jetstack-bot
02d90248de
Merge pull request #4079 from annerajb/support-ed25519 
support-ed25519
 2021-06-15 16:17:53 +01:00
jetstack-bot
91540b14a2
Merge pull request #4100 from JoshVanL/certificate-signing-request-selfsigned 
CertificateSigningRequest selfsigned controller
 2021-06-15 12:36:39 +01:00
joshvanl
19f94c877d Remove references to CA private key from SelfSigned CSR controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-06-15 12:13:52 +01:00
Anner J. Bonilla
9546a357a5
Add support for certificates with ed25519 private keys 
Note that using ed25519 on the public internet is not currently
recommended, since it's not widely supported. You'd likely not be able
to use an Ed25519 cert with an ACME issuer today.

Ed25519 certs might be useful for internal PKI, though - an ed25519 CA
issuer, say - or for testing ed25519 certs before they become more
widely available on the public internet. They're not currently
supported by Vault, Venafi or ACME (Letsencrypt) issuers.

Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>
Signed-off-by: Anner J. Bonilla <annerjb@gmail.com>
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2021-06-14 11:17:35 +01:00
joshvanl
d5007c2e37 Adds the CertificateSigningRequest selfsigned controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-06-14 10:18:54 +01:00
irbekrm
e6b748047d Remove the default renewBefore value 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-06-11 10:03:12 +01:00
joshvanl
abdd1f54fa Fix CA CertificateSigningRequest controller to return potential error 
from updating failed status

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-06-07 17:48:49 +01:00
joshvanl
d4fd4f9acc Move determining Issuer resource Kind into CSR/util 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-06-07 15:27:43 +01:00
joshvanl
1678d0833e Reverts ACME issuer from forming a chain bundle and populating the 
ca.crt

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-06-02 12:21:50 +01:00
joshvanl
36bd7a459c Changes CSR util signername to use if statements rather than switch 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-28 10:34:43 +01:00
joshvanl
acc5431f1b Fix signernames to allow clusterissuers with dots in name 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-28 10:13:00 +01:00
joshvanl
9e1b0342d0 Updates with review comments 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-27 18:48:50 +01:00
joshvanl
e014b6655d Use ca.crt with the CertificateSigningRequest CA controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-27 10:49:21 +01:00
joshvanl
62dee4783e Adds CertificateSigningRequest CA Issuer controller as optional 
controller

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-27 00:32:24 +01:00
joshvanl
3b74c34089 Adds CertificateSigningRequest CA Issuer controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-27 00:25:02 +01:00