Commit Graph

400 Commits

Author SHA1 Message Date
Tim Ramlot
f158e1dfac
cleanup featuregate comments
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-08-25 09:36:47 +02:00
Tim Ramlot
e55b03c127
Update the fuzzer so it only sets values in case the random value is an empty value for fields that will be defaulted.
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-08-17 13:17:12 +02:00
Tim Ramlot
80a3923fd2
use logsapi.LoggingConfiguration instead of logs.Options
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-08-17 12:51:19 +02:00
Tim Ramlot
31b5ed6620
Make webhook Logging options configurable using configfile.
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-08-17 12:00:50 +02:00
Tim Ramlot
e8b5b2e354
Fix bug in ControllerConfiguration's defaulting of logging config, where config would not be correctly defaulted in case a partial logging configuration is provided.
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-08-17 11:19:16 +02:00
Tim Ramlot
db1fcdabb1
add comment explaining port 0 behavior
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-08-16 11:08:36 +02:00
Tim Ramlot
b19d11d267
change the types of ports in the WebhookConfiguration:
internal: *int -> int32
public: *int -> *int32

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-08-15 20:53:58 +02:00
guiyong.ou
3d76c20f51 cleanup: some redundant code clean up
Signed-off-by: guiyong.ou <guiyong.ou@daocloud.io>
2023-08-14 17:36:25 +08:00
jetstack-bot
9d618a17fb
Merge pull request #6242 from inteon/restructure_controller_configfile
Restructure the controller configfile
2023-08-10 15:37:09 +02:00
Tim Ramlot
f50167ce31
restructure the controller configfile
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-08-10 11:30:33 +02:00
Tim Ramlot
ae287461d0
prepare cmctl improvements
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-08-01 10:32:35 +02:00
Cody W. Eilar
282a6d58a9 Preserve internal types
- Needed to add custom conversion functions to handle conversions from
  public facing types to internal ones.

Signed-off-by: Cody W. Eilar <ecody@vmware.com>
2023-07-27 16:44:38 -07:00
Cody W. Eilar
6212b63e51 Address the non-optional values in internal config
- This commit changes the internal config to have fewer number of
  optional parameters.  It changes the types to match the ones that are
  already present in https://github.com/kubernetes/apimachinery/blob/master/pkg/apis/meta/v1/conversion.go
  so that custom converters do not have to be written for types "int"
  and "float32".

Signed-off-by: Cody W. Eilar <ecody@vmware.com>
2023-07-27 16:44:38 -07:00
Cody W. Eilar
1243fe285b Add the ability to start controller with config file
Signed-off-by: Cody W. Eilar <ecody@vmware.com>
2023-07-27 16:44:38 -07:00
jetstack-bot
9de9809ac5
Merge pull request #6108 from inteon/ctl_logging
Use logging library with json support in cmctl (part 1)
2023-07-27 17:54:51 +02:00
Tim Ramlot
36ddf19e2e
improve Trigger, Readiness and PostIssuance Policy chains
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-07-24 09:42:19 +02:00
Tim Ramlot
4d7f6281d0
use pki validation code for CSR validation
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-07-10 12:48:12 +02:00
jetstack-bot
843deed22f
Merge pull request #6199 from inteon/add_validation_to_pki
Add validation to pki CertificateTemplate functions
2023-07-07 09:32:14 +02:00
Tim Ramlot
5ba29272c0
add validation to pki CertificateTemplate function
and add support for add DontAllowInsecureCSRUsageDefinition featuregate
to use old behavior in controller

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-07-05 13:04:21 +02:00
jetstack-bot
914944c020
Merge pull request #6176 from inteon/reconcile_managed_annotations_and_labels
Reconcile when managed annotations/ labels are out-of-sync
2023-07-04 11:55:29 +02:00
Tim Ramlot
bfa61c7804
add comments explaining what the label and annotation checks do
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-29 18:50:28 +02:00
Tim Ramlot
c16a34e0b1
use .Delete()
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-29 18:50:24 +02:00
Tim Ramlot
1649730a0d
Update internal/controller/certificates/policies/checks.go
Co-authored-by: Richard Wall <wallrj@users.noreply.github.com>
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-29 12:54:20 +01:00
Tim Ramlot
2f56c3c89a
add DontAllowInsecureCSRUsageDefinition feature gate to disable the strict CSR validation
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-28 11:11:32 +02:00
Tim Ramlot
63387015d0
make CertificateRequest webhook validation more strict (the Usages array should always be the source of truth)
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-26 10:08:13 +02:00
Tim Ramlot
a9339849e5
improve label and annotation checks
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-23 17:05:42 +02:00
Tim Ramlot
229f99c197
update testcase based on feedback
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-23 09:14:38 +02:00
Tim Ramlot
19377b43b1
fix feedback from @wallrj
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-21 15:31:20 +02:00
Tim Ramlot
d310d8597c
improve comments
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-20 16:48:56 +02:00
Tim Ramlot
22440e8710
add SecretPublicKeysDiffersFromCurrentCertificateRequest check
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-20 16:48:50 +02:00
Tim Ramlot
9c9e833c5a
add TODO comment that explains that we don't understand the reason for the current behaviour
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-14 14:51:07 +02:00
Tim Ramlot
3aa7b82e43
Update internal/controller/certificates/policies/checks.go
Co-authored-by: EDDIE-DAV <136573637+EDDIE-DAV@users.noreply.github.com>
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-14 10:19:52 +01:00
Tim Ramlot
8ddf016b00
fix a bug that caused the issuer-ref and certificate-name annotations on Secrets to be correct when being updated.
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-06-13 16:54:32 +02:00
cui fliter
4723347260 fix function name in comments
Signed-off-by: cui fliter <imcusg@gmail.com>
2023-06-07 17:17:07 +08:00
Tim Ramlot
3490a005b1
prepare cmctl libraries to support logging
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-05-30 18:35:45 +02:00
jetstack-bot
c5e6bf39d6
Merge pull request #6054 from inteon/correct_versions
Use Version 3 for *x509.Certificate
2023-05-26 13:57:32 +01:00
irbekrm
8a34cbc0a0 Adds some warnings for folks to not import feature gates into shared code
Really we should restructure this to remove the possibility of accidentally overwriting other component's feature gates

Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-05-23 12:02:55 +01:00
Tim Ramlot
e7530880ce
use Version 3 for all Certificates and Version 0 for all CertificateRequests
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-05-11 10:21:55 +02:00
Tim Ramlot
0cf0f80b40
switch to non-deprecated functions in source code
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-05-10 19:22:49 +02:00
jetstack-bot
a64088792d
Merge pull request #5991 from inteon/pr/JoshVanL/4810
Server Side Apply: Adds support for CA Injector controller
2023-05-05 14:21:07 +01:00
jetstack-bot
5035dda25e
Merge pull request #6006 from vidarno/cache-private-key-hash-on-issuer-status
Cache private key hash on issuer status
2023-05-05 08:05:07 +01:00
Tim Ramlot
bce882b477
use cainjector feature flags
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-05-03 19:52:13 +02:00
vidarno
4934183927 Extend CRDs and structs to include LastPrivateKeyHash field
Signed-off-by: vidarno <>
2023-04-29 09:12:56 +02:00
Thomas Müller
12483d3d54 Check JKS/PKCS12 truststores only if issuer provides the CA
The current policy check for keystores in Secrets creates a loop because
the truststore.jks or truststore.p12 will never exist when the issuer didn't
provide the CA certificate. This behaviour was introduced by #5597

The JKS and PKCS12 truststores are only added to the Secret
if the CA is provided by the issuer. The CertificateRequest API
reference states:

> The PEM encoded x509 certificate of the signer, also known
> as the CA (Certificate Authority). This is set on a best-effort basis by
> different issuers. If not set, the CA is assumed to be unknown/not available.

This change will only check the PKCS12/JKS truststores if the CA cert from the
issuer exists in the secret.

Fixes #5755

Signed-off-by: Thomas Müller <thomas@chaschperli.ch>
2023-04-27 17:09:41 +02:00
irbekrm
3d82e94789 Ensures metadata only is cached for pods and services
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-04-25 06:20:58 +01:00
jetstack-bot
4f02c5c405
Merge pull request #5967 from avi-08/validate-secretName
Validate certificate.spec.secretName is a valid k8s resource name
2023-04-20 17:52:58 +01:00
Avi Sharma
5ad23ae756 Validate certificate.spec.secretName is a valid k8s resource name
Signed-off-by: Avi Sharma <avi.08.sh@gmail.com>
2023-04-20 17:41:05 +05:30
irbekrm
a6dc42201c Ensures that partial meta secrets are cleaned up before caching
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-04-20 10:15:44 +01:00
jetstack-bot
e53f32d377
Merge pull request #5874 from inteon/webhook_approval_cleanup
Cleanup certificate request approval webhook
2023-04-11 10:34:17 +01:00
irbekrm
85c766a082 Code review feedback
Signed-off-by: irbekrm <irbekrm@gmail.com>
Co-authored-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-04-06 10:48:20 +01:00
irbekrm
729d358cd2 Cleanup
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-03-22 09:21:13 +00:00
irbekrm
2370e1be62 Adds unit tests
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-03-22 09:03:16 +00:00
irbekrm
d8dcf0b5e5 Adds fakes for listers and secrets client
To enable unit testing

Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-03-22 09:03:16 +00:00
irbekrm
16d9863743 Adds a core informer factory with a filtered secrets informer
The new core informer factory wraps a typed and a partial metadata factory

Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-03-22 09:03:16 +00:00
irbekrm
7d592a8270 Swap upstream core informers factory with our wrapper
This does not actually change how the informers work. This also adds a partial metadata client to root context

Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-03-22 09:03:16 +00:00
irbekrm
1612d7548d Adds custom informer interfaces and implementation
To enable swapping core informers for custom implementations

Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-03-22 09:03:16 +00:00
irbekrm
53918b5d6c Adds SecretsFilteredCaching alpha feature
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-03-22 09:03:16 +00:00
Tim Ramlot
fc83eece01
cleanup certificate request approval webhook
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-03-20 13:19:41 +01:00
Maël Valais
f0449ddb3b ingressClassName: document the "oneOf" constraint for the "name" field
Signed-off-by: Maël Valais <mael@vls.dev>
2023-03-09 15:15:39 +01:00
Maël Valais
ca9aaa0440 ingressClassName: let's remove the link placeholder
The link itself is way too long to fit in the API reference.

Signed-off-by: Maël Valais <mael@vls.dev>
2023-03-09 14:42:21 +01:00
Maël Valais
6458ed1543 Move from a flag to the Issuer field "ingressClassName"
Signed-off-by: Maël Valais <mael@vls.dev>
2023-03-03 17:50:30 +01:00
jetstack-bot
4e889b702b
Merge pull request #5834 from inteon/remove_unused_parameter
Removed unused NewCertManagerWebhookServer function argument
2023-02-28 13:04:33 +00:00
Tim Ramlot
f36c06f10d
move cmd/util/ to internal/cmd/util/, since it is also imported by packages outside of cmd/
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-02-28 12:38:59 +01:00
Tim Ramlot
82beacaee2
removed unused NewCertManagerWebhookServer function argument
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-02-28 12:30:44 +01:00
Michael Malov
dc621e9306 Add imagePullSecrets for ACME http01 solver pod
Signed-off-by: Michael Malov <mmeemail@gmail.com>
2023-02-13 14:18:50 +03:00
Maël Valais
5083b3e36c removed the unused "addVaultNamespaceToRequest"
I had mistakenly re-added this function in 76eef68730.
It had been removed in 6e05f43f8e.

Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-07 18:18:40 +01:00
Maël Valais
7a856af843 serviceAccountRef: update tests of the controller-side validation
Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-07 13:26:35 +01:00
Maël Valais
c35a245631 serviceAccountRef: fix panicking since serviceAccountRef can now be nil
Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-06 18:28:49 +01:00
Maël Valais
511e64feaa serviceAccountRef: 10 minutes is the min for SA tokens
Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-06 18:28:49 +01:00
Maël Valais
1c5d9df4f0 serviceAccountRef: validation tests
Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-06 18:28:49 +01:00
Maël Valais
d54f18d0c0 serviceAccountRef: comment on the reason for backwards compatibility
Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-06 18:28:49 +01:00
Maël Valais
ac9791abae api: explicit the fact that no "oneOf" validation is performed
Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-06 18:28:49 +01:00
Maël Valais
f1cfffd06b serviceAccountRef: detail why secretRef isn't a pointer
Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-06 18:28:49 +01:00
Tim Ramlot
ed310388e1 add validation for Vault Issuer Auth
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-02-06 18:28:49 +01:00
Maël Valais
aed8a2ec85 serviceAccountRef: auto-generate "aud" and hardcode "exp"
Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-06 18:28:49 +01:00
Maël Valais
bfce543640 serviceAccountRef: remove aud and exp, secretRef now a pointer
Changing SecretRef to be a pointer will break people using the package as
a library.

I disabled the ability to set the audience and expiry time for security
reasons:

We decided to generate the audience dynamically instead of letting the
user configure it, and we also decided to encode the namespace and
issuer name into the audience to remediate the risk of hijacking an
existing issuer and service account with a malicious issuer.

Regarding the expiration duration of the JWT, it doesn't make sense to
let the user configure it since cert-manager will authenticate using the
JWT and immediately discard it. We thought that 1 minute would be
acceptable, although the Kubernetes API server may return a totally
different duration.

Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-06 18:28:49 +01:00
Maël Valais
76eef68730 serviceAccountRef: the vault issuer can now use bound SA tokens
Previously, the Vault issuer was only able to use a Secret in order to
use the "Kubernetes authentication" method. The downside to this service
account Secret token is that it has the default JWT iss
"kubernetes/serviceaccount" (along with the fact that the token is not
bound to a particular pod and has no expiry).

With the new serviceAccountRef, cert-manager now requests the token on
behalf of the pod in order to authenticate with Vault.

Signed-off-by: Maël Valais <mael@vls.dev>
2023-02-06 18:28:49 +01:00
Tim Ramlot
23de5240e9
move utility functions to reduce fragmentation and rename functions for consistency
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2023-01-23 13:19:39 +01:00
jetstack-bot
1038ca4494
Merge pull request #4502 from ctrought/master
support subject and email annotations for ingress/gateway
2023-01-20 14:35:37 +00:00
irbekrm
5e8fd7dc41 Policy check ensures that cert.spec.secretName secret gets labelled
Makes sure that when an unlabelled Secret is encountered at any point (even outside issuance) it will be labelled

Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-01-06 18:31:31 +00:00
irbekrm
c7465fd921 Issuing controller ensures that cert.spec.secretName secrets are labelled
Signed-off-by: irbekrm <irbekrm@gmail.com>
2023-01-06 18:29:51 +00:00
Ashley Davis
c5924f54a1
add + use CABundle field for ACME servers in issuers
Previously it wasn't possible to set a custom CA bundle for an ACME
server, leading users to either patch the cert-manager system CA bundle
manually or else use SkipTLSVerify which is a security issue.

This adds CABundle for ACME, similar to what we have for Vault and
Venafi TPP issuers.

Longer term we'd like to have a more fully featured approach. It would
for example make sense to support loading CA bundles from ConfigMaps or
Secrets (similar to what we do for Vault issuers today), but for now this
change is the simplest change.

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-12-15 16:21:07 +00:00
Ashley Davis
f68693bb6a
change wording on descriptions for Vault and TPP 'CABundle' fields
Clarifies language a little; makes it clearer that the bundle
should be base64 encoded. Previously it was slightly confusing
in that PEM certificates are themselves base64 encoded.

Also makes it clearer what our CABundle validation does and does not do
by adding a standalone validation function and tweaking the error
message for an invalid CA bundle.

Also updates validation to not print CA bundle for Vault issuer when the
bundle is invalid, since it won't help with debugging anything.
Currently the bundle is printed as byte values ("0x32, 0x58, 0x43...")
and in any case printing the whole bundle could be noisy if it's large

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-12-15 16:21:02 +00:00
Sathyanarayanan Saravanamuthu
f719247d2b Addressing review comments
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
2022-12-06 18:54:46 +05:30
Sathyanarayanan Saravanamuthu
4a6bae60be Update internal/controller/certificates/policies/checks.go
Co-authored-by: Richard Wall <wallrj@users.noreply.github.com>
Signed-off-by: Sathyanarayanan Saravanamuthu <107846526+sathyanarays@users.noreply.github.com>
2022-12-06 18:54:46 +05:30
Sathyanarayanan Saravanamuthu
42ae76ae30 Refreshing secrets when the keystore fields change
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
2022-12-06 18:54:46 +05:30
jetstack-bot
6ec8da3366
Merge pull request #5583 from lvyanru8200/uodateGwVerison
feature: update gateway api to v1beta1
2022-12-05 14:52:48 +00:00
lv
a13c76d312 feature: update gateway api to v1beta1
Signed-off-by: lvyanru <yanru.lv@daocloud.io>

feature: update gateway api to v1beta1

Signed-off-by: lvyanru <1113706590@qq.com>
2022-12-05 14:03:21 +00:00
jetstack-bot
43e13bfa0d
Merge pull request #5587 from SpectralHiss/SpectralHiss/add-fields-to-subject-rdn
Add support for required LDAP (rfc4514) RDNs in LiteralSubject
2022-11-29 15:19:25 +00:00
Richard Wall
75b2ba12dc Test that the Sign function *does* use the Vault namespace
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2022-11-23 10:40:59 +00:00
Richard Wall
e1740afedf Recreate the original behaviour of sending a Vault token to the unauthenticated sys/health endpoint.
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2022-11-23 10:40:59 +00:00
Richard Wall
6b2c3b5295 Remove unused Token method
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2022-11-22 17:41:49 +00:00
Richard Wall
23437dfbbc Remove unused Sys methods
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2022-11-22 17:41:49 +00:00
Richard Wall
51ac6fe181 Test
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2022-11-22 17:41:49 +00:00
Richard Wall
6e05f43f8e Set the Vault namespace using the official method in the vault SDK
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2022-11-22 17:29:58 +00:00
Houssem El Fekih
f41cf33efe Add support for required LDAP (rfc4514) RDNs in LiteralSubject
* Add OID translation for mandatory DC component
* Used extensively in LDAP certificates, also required by rfc5280
* Add support for UID, mentioned in LDAP RFC
* solves https://github.com/cert-manager/cert-manager/issues/5582

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
2022-11-18 10:22:39 +00:00
jetstack-bot
95dc198cd6
Merge pull request #5571 from inteon/cleanup_csr_generation
Improve gen.CSR and use it in all tests
2022-11-15 14:08:44 +00:00
Sathyanarayanan Saravanamuthu
860ba8465a Addressing review comments
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
2022-11-10 14:27:26 +05:30
Tim Ramlot
b999749854
improve gen.CSR and use it everywhere
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2022-11-10 09:21:31 +01:00
jetstack-bot
da3265115b
Merge pull request #5387 from Tolsto/vault-ca-bundle-secret-ref
Add option to load Vault CA bundle from Kubernetes Secret
2022-10-13 09:55:09 +01:00
Sathyanarayanan Saravanamuthu
40947b0ef4 Generate Certificate Request with predictable name
Co-authored-by: Cody W Eilar <ecody@vmware.com>

Signed-off-by: Cody W Eilar <ecody@vmware.com>
Signed-off-by: Sathyanarayanan Saravanamuthu <sathyanarays@vmware.com>
2022-10-11 17:01:26 +05:30
ctrought
d9a95b7afa remove empty subject annotations
Signed-off-by: ctrought <65360454+ctrought@users.noreply.github.com>
2022-08-22 11:01:22 -04:00
ctrought
d9a8047f9c ingress subject annotations & helper tests
Signed-off-by: ctrought <65360454+ctrought@users.noreply.github.com>
2022-08-22 11:01:18 -04:00
ctrought
89ae7238be cleanup comment
Signed-off-by: ctrought <65360454+ctrought@users.noreply.github.com>
2022-08-22 10:55:40 -04:00
Nils
81e6c24293 fixup! Add option to load Vault CA bundle from Kubernetes Secret
Co-authored-by: Josh van Leeuwen <joshua.vanleeuwen@jetstack.io>
Signed-off-by: Nils Mueller <nm@impactful.it>
2022-08-21 07:41:15 +03:00
Nils Mueller
2f6fa9dddf fixup! Add option to load Vault CA bundle from Kubernetes Secret
Signed-off-by: Nils Mueller <nm@impactful.it>
2022-08-16 02:57:43 +03:00
Nils Mueller
00a20097b6 Add option to load Vault CA bundle from Kubernetes Secret
Vault distributions like "Bank Vaults" automatically configure
and provision Vault and provide the CA bundle via a Kubernetes
Secret. Having to hard-code the bundle in the Issuer instead
of dynamically referencing it through the Secret requires
a manual second step when using a GitOps workflow.

Signed-off-by: Nils Mueller <nm@impactful.it>
2022-08-15 03:10:51 +03:00
Tim Ramlot
836793e7e3 upgrade gateway api to v0.5.0
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2022-08-08 08:52:59 +00:00
Tim Ramlot
93caba980e apply go fmt for go1.19
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2022-08-04 09:51:57 +00:00
jetstack-bot
e58b47f345
Merge pull request #5340 from SgtCoDFish/byebazel
Remove bazel 🎉
2022-07-27 09:13:05 +01:00
joshvanl
4138aa8986 Add code comment which states that it is valid to use neither an
AccessKeyID or AccessKeySecretRef

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-07-26 11:56:13 +01:00
joshvanl
0c60503cc3 In PR https://github.com/cert-manager/cert-manager/pull/5194, we
introduced a validation whereby an issuer would be rejected if it did
not contain AccessKeyID or SecretAccessKeyID when using the route53 DNS
solver. This is incorrect, since neither should need to be defined when
using AWS ambient credentials.

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-07-26 11:51:16 +01:00
Daniel Quackenbush
54e1da255c remove issue error if role is specified
Signed-off-by: Dan Quackenbush<25692880+danquack@users.noreply.github.com>
2022-07-26 11:49:57 +01:00
Ashley Davis
fb231ab641
Remove bazel 🎉
This removes all .bazel and .bzl files, and a bunch of scripts relating
to bazel, now that it's been entirely replaced.

There are still a few places where traces could be removed, but this
removes the brunt of the bazel stuff that remains.

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-07-26 11:38:50 +01:00
jetstack-bot
b84ea96d73
Merge pull request #5194 from Compy/master
Support secrets for Route53 Access Key IDs
2022-07-05 12:33:21 +01:00
joshvanl
cc0a4bc488 Adds unit tests for route53 access key ID secret validation
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-07-04 17:06:49 +01:00
joshvanl
f1d7c43276 Updates wording for aws route53 dns CRD field comments
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-07-04 17:06:40 +01:00
irbekrm
1d326af871 Runs ./hack/update-bazel.sh
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-06-30 10:20:40 +01:00
irbekrm
05a3133b34 Removes support for networking/v1beta1 Ingress
As the lowest version of Kubernetes that we support now is v1.20 that serves v1 networking

Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-06-30 09:24:59 +01:00
Ashley Davis
35f2206404
change name of bin dir to _bin by default and make it a variable
This is needed because go and other tools will ignore directories
starting with "_" or "." but would treat a dir called "bin" as a regular
directory.

This in turn meant that when we vendored Go in bin, these tools would by
default scan the whole stdlib included with the bundled vendored go.

See https://pkg.go.dev/cmd/go#hdr-Package_lists_and_patterns for details

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-06-21 16:34:26 +01:00
Compy
9c47be0964 Changed SecretAccessKeyID member to pointer as it is optional and tagged omitempty. Added issuer tests for access key ID secret validation. Added issuer API validations for AccessKeyID/SecretAccessKeyID.
Signed-off-by: Compy <hello@86pixels.com>
2022-06-17 22:52:17 -05:00
Compy
561103934d Updating and regenerating CRDs to make SecretAccessKeyID field usage more clear
Signed-off-by: Compy <hello@86pixels.com>
2022-06-11 10:48:10 -05:00
Compy
153e5420cf Add support for pulling Route53/AWS access key IDs out of secrets
Signed-off-by: Compy <hello@86pixels.com>
2022-06-08 16:33:00 -05:00
Alessandro Vermeulen
1da01211ee Feature gated support for using literal subjects in Certificates
Signed-off-by: Alessandro Vermeulen <alessandro.vermeulen@ing.com>
2022-06-08 20:50:00 +02:00
Irbe Krumina
1d917ef311 Revert "Use Apply instead of Update to modify resources in tests"
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-05-03 11:31:47 +01:00
irbekrm
58b633aa04 Code review feedback
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-04-29 12:42:41 +01:00
irbekrm
54a487f1fb certificates.Apply returns the patched certificate
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-04-28 14:41:22 +01:00
irbekrm
e458b6c813 Sets Challenge managed fields to nil when applying a spec patch
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-04-01 11:53:44 +01:00
joshvanl
aa456b9c3f Adds roundtrip tests to challenge apply serializer
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-04-01 11:53:44 +01:00
joshvanl
8ebedac654 Fix challenge serialization, and add integration tests for apply helpers
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-04-01 11:53:44 +01:00
joshvanl
82c068f0fd Updates ACME challenge controllers to use apply
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-04-01 11:53:44 +01:00
joshvanl
ebcad79cf9 Adds controller challenges apply helpers
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-04-01 11:53:44 +01:00
jetstack-bot
86ad9962a3
Merge pull request #4967 from maelvls/gwapi-v1alpha2-optional-labels
Gateway API: with v1alpha2, the labels have become optional
2022-03-30 15:11:33 +01:00
Jake Sanders
6dfd6d5800
update bazel BUILD
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2022-03-30 12:58:41 +01:00
Jake Sanders
d8b88f056b
tidy imports
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2022-03-30 12:54:20 +01:00
Jake Sanders
b72db63761
Change label description for HTTP-01 Gateway API solver and fix tests
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2022-03-30 12:52:34 +01:00
joshvanl
a8bfc2fd36 Adds certificates policy checks for owner references
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-03-29 13:54:27 +01:00
jetstack-bot
bfcc204c2b
Merge pull request #4811 from JoshVanL/controllers-server-side-apply-certificates-shim
Server Side Apply: Adds support for certificate-shim controllers to use SSA with Feature Gate
2022-03-28 14:33:31 +01:00
jetstack-bot
e116d416f3
Merge pull request #4799 from JoshVanL/controllers-server-side-apply-orders
Server Side Apply: Adds support for Order controllers to use SSA with Feature Gate
2022-03-28 13:11:31 +01:00
joshvanl
c1c2d2d081 Add roundtrip test to Certificate serializing. Add field manager to
certificates-shim Create API call

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-03-28 12:40:29 +01:00
joshvanl
82e3b6aa43 Adds apply helper function for Certificates
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-03-28 12:39:09 +01:00
Maël Valais
4b3af946db gateway-api: with v1alpha2, the labels have become optional
Previously, in v1alpha1, an HTTPRoute was matched to a Gateway using
the label selectors present on the Gateways. For example, with the
following Gateway:

  apiVersion: networking.x-k8s.io/v1alpha1
  kind: Gateway
  metadata:
    name: acmesolver
  spec:
    listeners:
      - protocol: HTTP
        port: 80
        routes:
          kind: HTTPRoute
          selector:
            matchLabels:
              app: foo

you would have to use the following labels on the HTTPRoute in order to
get the above Gateway to be used:

  apiVersion: networking.x-k8s.io/v1alpha1
  kind: HTTPRoute
  metadata:
    labels:
      app: foo

With v1alpha2, the label selectors have been dropped. Instead, the
HTTPRoute has to give a direct reference to the Gateway:

    apiVersion: gateway.networking.k8s.io/v1alpha2
    kind: HTTPRoute
    spec:
      parentRefs:
        - kind: Gateway
          name: acmesolver
          namespace: traefik

This means that the "labels" field on the gatewayHTTPRoute solver is now
optional:

    apiVersion: cert-manager.io/v1
    kind: Issuer
    spec:
      acme:
        solvers:
          - http01:
              gatewayHTTPRoute:
                labels:              | This field is
                  app: test          | now optional.
                parentRefs:
                  - kind: Gateway
                    name: acmesolver

Signed-off-by: Maël Valais <mael@vls.dev>
2022-03-21 17:39:10 +01:00
irbekrm
dbad3d98f3 Rename issuanceAttempts -> failedIssuanceAttempts
In an attempt to convey the meaning of the field better

Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-21 07:33:51 +00:00
irbekrm
4c901aefab Code review comments
Adds test conditions to certs via patch API call instead of update to avoid conflicts

Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-21 07:33:51 +00:00
irbekrm
affb5e86ef Adds IssuanceAttempts field to Certificate's status
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-21 07:33:51 +00:00
Maël Valais
05f3cf51f1 e2e: try to load the Make-built crds before the Bazel-built crds
Since bazel-bin systematically exists, the Make-based CRDs were never
picked up, since the bazel-bin folder gets recreated on every invocation
of Bazel.

Signed-off-by: Maël Valais <mael@vls.dev>
2022-03-13 12:32:08 +01:00
Joakim Ahrlin
eb64e6494c
update deps and BUILD files
Signed-off-by: Joakim Ahrlin <joakim.ahrlin@gmail.com>
2022-03-01 15:05:18 +00:00
jetstack-bot
d998e37a44
Merge pull request #4873 from SgtCoDFish/importsfixes
Fix imports in a few files
2022-02-21 11:41:48 +00:00
Ashley Davis
6420aa4bfa
fix imports in a few files
this is according to our policy on organizing imports, see:
https://cert-manager.io/docs/contributing/coding-conventions/#organizing-imports

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-02-18 17:42:45 +00:00
Ashley Davis
a57110c6bb
Add targets for unit and integration tests in make
These lean heavily on `go test` for everything possible.

Also adds setup for versionchecker test in make, and a script for
extracting CRDs from templated rendered YAML files

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-02-17 14:48:57 +00:00
Ashley Davis
eb6c29756d
Refactor CRD provisioning for integration tests
Falls back to looking in bin/crds if nothing has been provisioned in
bazel.

Removes "bazel.go" and consolidates in "paths.go", since the bazel name
will become obsolete and the functionality has changed

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-02-17 14:48:56 +00:00
jetstack-bot
10c5d72279
Merge pull request #4792 from JoshVanL/controllers-server-side-apply-certificaterequests
Server Side Apply: Adds support for CertificateRequests controller to use SSA with Feature Gate
2022-02-16 10:57:37 +00:00
joshvanl
3e81f9c5f1 Adds correct copyright year, and fix owner string match
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-16 10:33:48 +00:00
joshvanl
1aa5b0e5f5 Adds roundtrip test to order status serializer
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-16 10:33:48 +00:00
joshvanl
0802489f4e Updates Order controller to support apply call when feature gate is
enabled

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-16 10:33:48 +00:00
joshvanl
4e73b60a32 Adds orders apply helper function
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-16 10:33:47 +00:00
jetstack-bot
12a2148df3
Merge pull request #4794 from JoshVanL/controllers-server-side-apply-issuers
Server Side Apply: Adds support for [Cluster]Issuer controller to use SSA with Feature Gate
2022-02-11 19:37:01 +00:00
joshvanl
f73d6584fb Fix copyright year. Remove caret from OWNERS string match
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:26:56 +00:00
joshvanl
d1ffb0ad0d Adds roundtrip tests for issuer and cluster issuer serialize
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:26:56 +00:00
joshvanl
085b2bf34b Updates issuer and cluster issuer controllers to optionally use server
side apply

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:26:56 +00:00
joshvanl
5c37326e36 Adds issuer apply helper
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:26:56 +00:00
joshvanl
49108a0278 Adds list map type to Conditions for both Issuers and Cluster Issuers
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:26:56 +00:00
joshvanl
8f43629e5f Remove caret from OWNERS string match
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:23:23 +00:00
joshvanl
77915b11f6 Adds roundtrip test for CR apply status. Adds comment on why we are
manually serializing the object.

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:22:33 +00:00
joshvanl
07c243df2d Adds a unit test to ensure serializing preserves CR spec in round trip
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:22:33 +00:00
joshvanl
2f922cf37d Adds integration test for CertificateRequest apply helper
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:22:33 +00:00
joshvanl
7b943d65cc Change import paths jetstack/cert-manager ->
`cert-manager/cert-manager`

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:22:33 +00:00
joshvanl
99fd5f3412 Use optional Apply and Apply status to CertificateRequests
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:22:04 +00:00
joshvanl
9a04b3cb08 Return CR object from apply helper
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:22:03 +00:00
joshvanl
26c26c7ce2 Adds list type map to CR Conditions field
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:21:19 +00:00
joshvanl
d6ea92afd8 Adds apply helper function for CertificateRequests. Integration for
condition map

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:21:19 +00:00
joshvanl
593ea18341 Remove caret from OWNERS file match string
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:18:44 +00:00
joshvanl
4dc6c957d4 Adds review comments
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:15:57 +00:00
joshvanl
e31070a68f Fix list map type tag for internal Certificate API definitions
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:15:57 +00:00
joshvanl
6b3cde9327 Fix apply[_test].go package names
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:15:57 +00:00
joshvanl
37775615ff Use ApplyStatus in all Certificates controllers. When ServerSideApply
enabled, set Issuing condition to False instead of removing it

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:15:57 +00:00
joshvanl
f4f3ab22e1 Adds shared internal controller certificates apply status func
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:15:57 +00:00
joshvanl
2417132b3c Adds ServerSideApply feature gate
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:14:31 +00:00
joshvanl
279a8ede99 Adds listType=map and listMapKey=type to Certificate Status Conditions
field

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-11 16:14:31 +00:00
jetstack-bot
4f11cc27dd
Merge pull request #4822 from JoshVanL/devel-feature-gates-parse
Parse and distribute feature gates in devel script
2022-02-11 13:19:01 +00:00
joshvanl
4de248e883 Updates comments to read better
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-08 16:07:04 +00:00
joshvanl
23603775e1 Change import jetstack/cert-manager -> cert-manager/cert-manager
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-07 15:05:06 +00:00
joshvanl
19b68c9ba2 Update SecretTemplate comments on policy checks
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-07 15:02:51 +00:00
joshvanl
fdf7743f21 Adds PostIssuanceChecks for Certificate's AdditionalOutputFormats
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-07 14:40:51 +00:00
joshvanl
0bba16e0f9 Adds empty feature set for cainjector. Parses feature gates in devel
script, and passes them on to each component

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-07 14:39:46 +00:00
Ashley Davis
3a055cc2f5
rename all uses of github.com/jetstack/cert-manager
This was done by running the following command twice:

 ```bash
 grep -Ri "github.com/jetstack/cert-manager" . | \
 cut -d":" -f1 | \
 sort | \
 uniq | \
 xargs sed -i "s/github.com\/jetstack\/cert-manager/github.com\/cert-manager\/cert-manager/"
 ```

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-02-02 09:08:31 +00:00
joshvanl
35fba365bf Update AdditionalOutputFormats comment to reflect addition of feature to
webhook set.

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-01 17:04:55 +00:00
joshvanl
8b219a45b2 Fix AdditionalOutputFormat validation, and adds unit tests. Use correct
feature set

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-01 17:03:37 +00:00
joshvanl
1cf06889bf Add AdditionalCertificateOutputFormats feature to webhook set. Make
@joshvanl owner of feature in controller.

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-02-01 17:02:48 +00:00
jetstack-bot
b12d78d364
Merge pull request #4746 from JoshVanL/controller-readiness-certificates-spec-match
Certificates controller policies refactor
2022-01-27 12:45:40 +00:00
joshvanl
5d56566575 Adds more test cases to secrets.go and fix imports for checks.go
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2022-01-27 12:01:51 +00:00
jetstack-bot
39e388eaa5
Merge pull request #4762 from jakexks/use-only-ingress-annotation
Always use the kubernetes.io/ingress.class annotation (#4537)
2022-01-21 13:45:07 +00:00
Jake Sanders
65902d57a3
Always use the kubernetes.io/ingress.class annotation (#4537)
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2022-01-21 10:35:25 +00:00
James Munnelly
5407376768 Add comment clarifying why we absorb authorizer errors
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2022-01-20 10:56:51 +00:00
James Munnelly
bf98c92a44 Remove ServerOption type now that webhook initialization has moved to internal package
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2022-01-20 10:56:51 +00:00
James Munnelly
07a0171e98 Use regular discovery client instead of cache
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2022-01-20 10:56:50 +00:00
James Munnelly
5d6be6a639 Add tests for resourcevalidation plugin
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2022-01-20 10:56:50 +00:00
James Munnelly
31244942d1 Call ServerGroups when initializing discovery
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2022-01-20 10:56:50 +00:00
James Munnelly
e13c879681 Remove old handlers & admission plugins
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2022-01-20 10:56:50 +00:00
James Munnelly
708de3c580 webhook: use new admission-plugin backed validation and mutation handlers
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2022-01-20 10:56:46 +00:00