weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
8,917 Commits 45 Branches 0 Tags 96 MiB
e1c19274c2
Commit Graph

39 Commits

Author SHA1 Message Date
Tim Ramlot
9e649cc8f1
only retry when encountering a Vault non-InvalidData error 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-06-20 13:35:02 +02:00
Tim Ramlot
363a63ac96
Add client certificate authentication for Vault issuers 
Co-authored-by: Maël Valais <mael@vls.dev>
Signed-off-by: Joshua Mühlfort <muehlfort@gonicus.de>
 2024-06-17 09:16:26 +02:00
Tim Ramlot
52320fbeea
fix contextcheck linter 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-05-07 12:19:41 +02:00
Tim Ramlot
24e47ff364
fix predeclared linter 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-04-29 17:32:49 +02:00
Tim Ramlot
b86af60308
fix usestdlibvars linter 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-04-29 16:54:13 +02:00
Tim Ramlot
ae98ba806b
fix gocritic linter 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-04-29 15:50:47 +02:00
Tim Ramlot
085136068a
fix misspell linter 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-04-29 15:21:07 +02:00
Tim Ramlot
9db044b232
fix gci linter 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-04-29 13:47:25 +02:00
Tim Ramlot
e85b024c20
replace deprecated functions 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-02-20 08:40:38 +01:00
jetstack-bot
7f92e38988
Merge pull request #6614 from rodrigorfk/feat-vault-mtls 
feat: Add the ability to communicate with Vault via mTLS
 2024-02-16 18:11:26 +00:00
cloudwiz
75d1449903
move audiences under the SA ref 
Signed-off-by: cloudwiz <andrey.dubnik@maersk.com>
 2024-02-08 14:07:03 +00:00
cloudwiz
9cf9cb7ea5
Vault extra audiences (#3) 
---------

Signed-off-by: cloudwiz <andrey.dubnik@maersk.com>
 2024-02-06 10:06:17 +00:00
Rodrigo Fior Kuntzer
199c98689f
feat: supporting Vault server mTLS 
Signed-off-by: Rodrigo Fior Kuntzer <rodrigo@miro.com>
 2024-01-15 09:25:30 -03:00
Vinny Sabatini
ef6ef1f0db additional improvements to vault issuer error messages 
When initializing a Vault issuer:

* Create different error messages depending on if Vault is sealed or not initialized
* Do not explicitly parse the Vault server URL (this is covered when trying to access health endpoint)

Signed-off-by: Vinny Sabatini <vincent.sabatini@kohls.com>
 2023-10-20 16:36:11 -05:00
Vincent Sabatini
298ceb3b2a fix error message when setting up vault issuer 
* Ensure Vault URL can be parsed
* Separate generic http errors from vault specific errors when checking
health endpoint

Signed-off-by: Vincent Sabatini <vincent.sabatini@gmail.com>
 2023-10-19 08:23:04 -05:00
Tim Ramlot
cf8e37291a
replace k8s.io/utils/pointer with k8s.io/utils/ptr 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-08-28 09:33:10 +02:00
irbekrm
7d592a8270 Swap upstream core informers factory with out wrapper 
This does not actually change how the informers work. This also adds a partial metadata client to root context

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2023-03-22 09:03:16 +00:00
Maël Valais
5083b3e36c removed the unused "addVaultNamespaceToRequest" 
I had mistakenly re-added this function in 76eef68730.
It had been removed in 6e05f43f8e.

Signed-off-by: Maël Valais <mael@vls.dev>
 2023-02-07 18:18:40 +01:00
Maël Valais
c35a245631 serviceAccountRef: fix panicking since serviceAccountRef can now be nil 
Signed-off-by: Maël Valais <mael@vls.dev>
 2023-02-06 18:28:49 +01:00
Maël Valais
511e64feaa serviceAccountRef: 10 minutes is the min for SA tokens 
Signed-off-by: Maël Valais <mael@vls.dev>
 2023-02-06 18:28:49 +01:00
Tim Ramlot
ed310388e1 add validation for Vault Issuer Auth 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-02-06 18:28:49 +01:00
Maël Valais
aed8a2ec85 serviceAccountRef: auto-generate "aud" and hardcode "exp" 
Signed-off-by: Maël Valais <mael@vls.dev>
 2023-02-06 18:28:49 +01:00
Maël Valais
76eef68730 serviceAccountRef: the vault issuer can now use bound SA tokens 
Previously, the Vault issuer was only able to use a Secret in order to
use the "Kubernetes authentication" method. The downside to this service
account Secret token is that it has the default JWT iss
"kubernetes/serviceaccount" (along with the fact that the token is not
bound to a particular pod and has no expiry).

With the new serviceAccountRef, cert-manager now requests the token on
behalf of the pod in order to authenticate with Vault.

Signed-off-by: Maël Valais <mael@vls.dev>
 2023-02-06 18:28:49 +01:00
Richard Wall
75b2ba12dc Test that the Sign function *does* use the Vault namespace 
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2022-11-23 10:40:59 +00:00
Richard Wall
e1740afedf Recreate the original behaviour of sending a Vault token to the unauthenticated sys/health endpoint. 
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2022-11-23 10:40:59 +00:00
Richard Wall
6b2c3b5295 Remove unused Token method 
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2022-11-22 17:41:49 +00:00
Richard Wall
23437dfbbc Remove unused Sys methods 
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2022-11-22 17:41:49 +00:00
Richard Wall
51ac6fe181 Test 
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2022-11-22 17:41:49 +00:00
Richard Wall
6e05f43f8e Set the Vault namespace using the official method in the vault SDK 
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
 2022-11-22 17:29:58 +00:00
Tim Ramlot
b999749854
improve gen.CSR and use it everywhere 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2022-11-10 09:21:31 +01:00
Nils
81e6c24293 fixup! Add option to load Vault CA bundle from Kubernetes Secret 
Co-authored-by: Josh van Leeuwen <joshua.vanleeuwen@jetstack.io>
Signed-off-by: Nils Mueller <nm@impactful.it>
 2022-08-21 07:41:15 +03:00
Nils Mueller
2f6fa9dddf fixup! Add option to load Vault CA bundle from Kubernetes Secret 
Signed-off-by: Nils Mueller <nm@impactful.it>
 2022-08-16 02:57:43 +03:00
Nils Mueller
00a20097b6 Add option to load Vault CA bundle from Kubernetes Secret 
Vault distributions like "Bank Vaults" automatically configure
and provision Vault and provide the CA bundle via a Kubernetes
Secret. Having to hard-code the bundle in the Issuer instead
of dynamically referencing it through the Secret requires
a manual second step when using a GitOps workflow.

Signed-off-by: Nils Mueller <nm@impactful.it>
 2022-08-15 03:10:51 +03:00
Ashley Davis
fb231ab641
Remove bazel 🎉 
This removes all .bazel and .bzl files, and a bunch of scripts relating
to bazel, now that it's been entirely replaced.

There are still a few places where traces could be removed, but this
removes the brunt of the bazel stuff that remains.

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2022-07-26 11:38:50 +01:00
Ashley Davis
3a055cc2f5
rename all uses of github.com/jetstack/cert-manager 
This was done by running the following command twice:

 ```bash
 grep -Ri "github.com/jetstack/cert-manager" . | \
 cut -d":" -f1 | \
 sort | \
 uniq | \
 xargs sed -i
 "s/github.com\/jetstack\/cert-manager/github.com\/cert-manager\/cert-manager/"
 ```

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
 2022-02-02 09:08:31 +00:00
Krzysztof Ostrowski
e35cb361c8
add comments to satisfy linter 
Signed-off-by: Krzysztof Ostrowski <kostrows@redhat.com>
Co-authored-by: Irbe Krumina <irbekrm@gmail.com>
 2021-11-04 18:15:46 +01:00
James Munnelly
8ee719c135 Update bazel visibility rules 
Signed-off-by: James Munnelly <jmunnelly@apple.com>
 2021-10-21 12:30:21 +01:00
James Munnelly
e7dea9f2a2 Replace all references to pkg/internal with internal 
Signed-off-by: James Munnelly <jmunnelly@apple.com>
 2021-10-21 12:27:04 +01:00
James Munnelly
f81703d9ab Move pkg/internal/ to internal/ 
Signed-off-by: James Munnelly <jmunnelly@apple.com>
 2021-10-21 12:24:28 +01:00