irbekrm
7e6f2be820
Fixes goimports
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-04-05 16:29:41 +01:00
irbekrm
8217ff8714
Adds some extra unit tests
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-04-05 16:28:14 +01:00
irbekrm
e14d17b1b0
Adds a couple comments to ACME call methods
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-04-05 16:28:14 +01:00
irbekrm
dba18119aa
Ensures that key for an ACME challenge is only retrieved from the ACME server once
Thus reducing the number of HTTP01ChallengeResponse/DNS01ChallengeResponse calls
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-04-05 16:28:14 +01:00
irbekrm
202d75ffe6
Updates code comment
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-04-05 16:28:14 +01:00
irbekrm
0964d6d03d
Removes extra GET calls for ACME order resource
In cases where a synced Order does not require any processing from this controller
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-04-05 16:28:14 +01:00
irbekrm
b2b3eade26
Updates cert.status.lastFailureTime description
To match the current behaviour
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-04-05 12:54:14 +01:00
irbekrm
de34694516
Makes some updates to CertificateRequests design
The design is out of date in general though
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-03-27 09:57:44 +01:00
irbekrm
6e294ae359
Certificate-requests controller does not process invalid certificaterequests
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-03-24 15:38:34 +00:00
irbekrm
f5ea958317
Issuing controller fails issuances for denied/invalid CRs
This is not necessarily a breaking change as this appears to have been the current behaviour in most cases due to the race condition that this commit fixes
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-03-24 15:37:57 +00:00
jetstack-bot
0c071f8d2f
Merge pull request #5878 from avi-08/handle-foreground-deletion
Skip syncing resources deleted via foreground cascading
2023-03-21 12:01:38 +00:00
Avi Sharma
a62f92e33d
Add testcases for foreground deletion sync
Signed-off-by: Avi Sharma <avi.08.sh@gmail.com>
2023-03-21 15:33:53 +05:30
Avi Sharma
e5d9745078
Skip syncing resources deleted via foreground cascading
Signed-off-by: Avi Sharma <avi.08.sh@gmail.com>
2023-03-21 15:33:28 +05:30
jetstack-bot
706ad574b9
Merge pull request #5820 from lucacome/bump-k8s.io-deps
Bump k8s.io dependencies
2023-03-20 12:13:41 +00:00
Andrew Starr-Bochicchio
70594bd7ca
digitalocean: Pass user agent string to godo client.
Signed-off-by: Andrew Starr-Bochicchio <a.starr.b@gmail.com>
2023-03-16 11:20:56 -04:00
Luca Comellini
0f64e055ae
Bump k8s.io dependencies
Signed-off-by: Luca Comellini <luca.com@gmail.com>
2023-03-10 14:55:26 -08:00
Maël Valais
f0449ddb3b
ingressClassName: document the "oneOf" constraint for the "name" field
Signed-off-by: Maël Valais <mael@vls.dev>
2023-03-09 15:15:39 +01:00
Maël Valais
ca9aaa0440
ingressClassName: let's remove the link placeholder
The link itself is way too long to fit in the API reference.
Signed-off-by: Maël Valais <mael@vls.dev>
2023-03-09 14:42:21 +01:00
Maël Valais
1b9cd207d3
remove unused test func
Signed-off-by: Maël Valais <mael@vls.dev>
2023-03-07 15:06:58 +01:00
Maël Valais
6458ed1543
Move from a flag to the Issuer field "ingressClassName"
Signed-off-by: Maël Valais <mael@vls.dev>
2023-03-03 17:50:30 +01:00
Daniel Sonck
44d1467217
Add flag to allow switching ingressClassName specification
Adds a flag to allow choosing between using the old class name annotation or the new
ingressClassName that is gaining support in more ingress controllers.
Signed-off-by: Daniel Sonck <daniel@sonck.nl>
2023-03-03 17:42:43 +01:00
Tim Ramlot
f36c06f10d
move cmd/util/ to internal/cmd/util/, since it is also imported by packages outside of cmd/
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-02-28 12:38:59 +01:00
Michael Malov
dc621e9306
Add imagePullSecrets for ACME http01 solver pod
Signed-off-by: Michael Malov <mmeemail@gmail.com>
2023-02-13 14:18:50 +03:00
Maël Valais
7a856af843
serviceAccountRef: update tests of the controller-side validation
Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-07 13:26:35 +01:00
Maël Valais
c35a245631
serviceAccountRef: fix panicking since serviceAccountRef can now be nil
Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-06 18:28:49 +01:00
Maël Valais
ac9791abae
api: make explicit the fact that no "oneOf" validation is performed
Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-06 18:28:49 +01:00
Maël Valais
f1cfffd06b
serviceAccountRef: detail why secretRef isn't a pointer
Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-06 18:28:49 +01:00
Maël Valais
aed8a2ec85
serviceAccountRef: auto-generate "aud" and hardcode "exp"
Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-06 18:28:49 +01:00
Maël Valais
bfce543640
serviceAccountRef: remove aud and exp, secretRef now a pointer
Changing SecretRef to be a pointer will break people using the package as
a library.
I disabled the ability to set the audience and expiry time for security
reasons:
We decided to generate the audience dynamically instead of letting the
user configure it, and we also decided to encode the namespace and
issuer name into the audience to remediate the risk of hijacking an
existing issuer and service account with a malicious issuer.
Regarding the expiration duration of the JWT, it doesn't make sense to
let the user configure it since cert-manager will authenticate using the
JWT and immediately discard it. We thought that 1 minute would be
acceptable, although the Kubernetes API server may return a totally
different duration.
Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-06 18:28:49 +01:00
Maël Valais
76eef68730
serviceAccountRef: the vault issuer can now use bound SA tokens
Previously, the Vault issuer was only able to use a Secret in order to
use the "Kubernetes authentication" method. The downside to this service
account Secret token is that it has the default JWT iss
"kubernetes/serviceaccount" (along with the fact that the token is not
bound to a particular pod and has no expiry).
With the new serviceAccountRef, cert-manager now requests the token on
behalf of the pod in order to authenticate with Vault.
Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-06 18:28:49 +01:00
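Added illustration, not part of the commit history above and not cert-manager's own code: a small Go inspection tool for the two token shapes the serviceAccountRef commits contrast. It classifies a service account JWT as the legacy Secret-stored kind (iss "kubernetes/serviceaccount", no audience, no expiry) or a TokenRequest-minted bound kind (audience list plus expiry), and then applies the checks the commits argue for: the audience must name the specific Issuer (namespace and name encoded into it) and the token must still be within its short lifetime. Assumptions made here: the "vault://<namespace>/<issuer>" audience layout is invented for the example (the commit only says namespace and issuer name are encoded), the sample tokens are constructed in code rather than captured from a cluster, and the function names (Inspect, CheckBoundToken, ExpectedAudience, MintUnsigned, BoundSample) are chosen for this example. The JWT signature is deliberately not verified; in the real flow Vault validates the token against the API server.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// TokenKind names the two service account token shapes discussed in the commits above.
type TokenKind string

const (
	LegacySecretToken TokenKind = "legacy-secret" // Secret-stored: iss "kubernetes/serviceaccount", no aud, no exp
	BoundToken        TokenKind = "bound"         // TokenRequest-minted: audience-scoped and short-lived
)

// Claims is the subset of the JWT payload inspected here (the API server emits "aud" as an array).
type Claims struct {
	Iss string   `json:"iss"`
	Aud []string `json:"aud"`
	Exp int64    `json:"exp"`
}

// Inspect parses a compact JWT's payload and classifies it. The signature is deliberately not
// verified: this is an inspection aid, not authentication (Vault validates tokens via TokenReview).
func Inspect(token string) (TokenKind, Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", Claims{}, errors.New("not a compact JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", Claims{}, fmt.Errorf("decode payload: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", Claims{}, fmt.Errorf("parse payload: %w", err)
	}
	switch {
	case c.Iss == "kubernetes/serviceaccount" && c.Exp == 0 && len(c.Aud) == 0:
		return LegacySecretToken, c, nil
	case c.Exp != 0 && len(c.Aud) > 0:
		return BoundToken, c, nil
	}
	return "", c, errors.New("unrecognised token shape")
}

// ExpectedAudience derives the per-Issuer audience from namespace and name. The "vault://<namespace>/<name>"
// layout is an ASSUMPTION of this example; the commit only states that both values are encoded into the audience.
func ExpectedAudience(namespace, issuerName string) string {
	return "vault://" + namespace + "/" + issuerName
}

// CheckBoundToken rejects legacy tokens, tokens minted for another Issuer (audience mismatch) and tokens expired at now.
func CheckBoundToken(token, wantAud string, now time.Time) error {
	kind, c, err := Inspect(token)
	if err != nil {
		return err
	}
	if kind != BoundToken {
		return fmt.Errorf("token kind %q is not a bound token", kind)
	}
	found := false
	for _, a := range c.Aud {
		found = found || a == wantAud
	}
	if !found {
		return fmt.Errorf("audience %v does not include %q", c.Aud, wantAud)
	}
	if !time.Unix(c.Exp, 0).After(now) {
		return errors.New("token has expired")
	}
	return nil
}

// MintUnsigned builds a compact JWT with an empty signature segment, only to construct sample input; never accept such a token.
func MintUnsigned(payload map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	pl, _ := json.Marshal(payload)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(hdr) + "." + enc(pl) + "."
}

// BoundSample mimics a TokenRequest result (constructed); cert-manager asks for a one-minute lifetime.
func BoundSample(aud string, exp time.Time) string {
	return MintUnsigned(map[string]any{"iss": "https://kubernetes.default.svc.cluster.local", "aud": []string{aud}, "exp": exp.Unix()})
}

func main() {
	now, aud := time.Now(), ExpectedAudience("sandbox", "vault-issuer")
	legacy := MintUnsigned(map[string]any{"iss": "kubernetes/serviceaccount"}) // constructed legacy Secret token
	for _, tok := range []string{legacy, BoundSample(aud, now.Add(time.Minute))} {
		kind, _, _ := Inspect(tok)
		fmt.Printf("kind=%-13s check=%v\n", kind, CheckBoundToken(tok, aud, now))
	}
}
```

The audience check is what closes the hijacking risk the commit describes: a bound token minted for an Issuer in another namespace carries a different audience and fails CheckBoundToken even though it is otherwise valid, and a legacy Secret token fails outright because it has no audience or expiry to scope it.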
Maël Valais
15748767ef
vault: add unit tests around Setup
Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-03 16:27:52 +01:00
jetstack-bot
7ab1461674
Merge pull request #5764 from irbekrm/cainjector_filter_injectables
Cainjector: only reconcile annotated injectables
2023-02-01 11:41:49 +00:00
irbekrm
74b258c3be
Code review feedback
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-02-01 08:53:27 +00:00
irbekrm
7e4dea1c2e
Clarify the error message when secret annotation is missing namespace prefix
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-01-31 11:12:31 +00:00
irbekrm
24040c4989
Ensure that updates to injectables are caught
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-01-31 10:49:56 +00:00
irbekrm
a174f0faa4
Filter injectables that trigger reconciles
Only trigger reconciles for events on injectable types that are annotated, not random unrelated resources
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-01-30 11:27:15 +00:00
irbekrm
7a5c71a1ed
Cleanup, better comments
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-01-30 11:26:07 +00:00
Richard Wall
e727df6c1d
Disable automountServiceAccountToken in the ACME HTTP01 solver Pod
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2023-01-26 17:22:42 +00:00
jetstack-bot
9f7a4053ab
Merge pull request #5746 from irbekrm/cainjector_remove_duplicate_cache
Remove the double cache mechanism for cainjector
2023-01-25 15:05:57 +00:00
Richard Wall
24cbfc7ba8
Revert "automount service account tokens off by default"
This reverts commit 954eb0d875.
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2023-01-24 17:19:52 +00:00
Richard Wall
954eb0d875
automount service account tokens off by default
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2023-01-24 17:00:11 +00:00
irbekrm
3aba8ed32d
Makes cainjector Certificate watch optional
Configurable via a flag, true by default
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-01-24 13:52:45 +00:00
irbekrm
4776597cb4
Remove the double cache mechanism for cainjector
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-01-23 17:38:46 +00:00
Tim Ramlot
191e7ca305
add (deprecated) stub functions
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-01-23 13:26:37 +01:00
Tim Ramlot
23de5240e9
move utility functions to reduce fragmentation and rename functions for consistency
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-01-23 13:19:39 +01:00
jetstack-bot
1038ca4494
Merge pull request #4502 from ctrought/master
support subject and email annotations for ingress/gateway
2023-01-20 14:35:37 +00:00
ctrought
575e3155c2
fix: goimports
Signed-off-by: ctrought <k8s@trought.ca>
2023-01-19 14:57:10 -05:00
irbekrm
216b60e98b
RFC2136 solver has an init option to reset secrets lister
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-01-18 17:41:51 +00:00
irbekrm
1834afaa00
A bunch of comments on webhook solver functionality
With the goal of making folks working on these parts of the code aware that this is the one bit that will be imported in external projects
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-01-18 17:41:02 +00:00
jetstack-bot
aa7fe1130c
Merge pull request #5660 from irbekrm/certificate_labels
Ensures that certificate.spec.secretName and temporary private key Secrets are labelled
2023-01-09 10:57:30 +00:00