Commit Graph

5399 Commits

Author SHA1 Message Date
Edward Lynes
ecc552a7de Update Aka issuer to use v2 API
Signed-off-by: Edward Lynes <elynes@akamai.com>
2021-05-14 13:31:13 -04:00
jetstack-bot
e941307bdc
Merge pull request #3938 from irbekrm/3879_test_acme_issuer_setup
3879 test acme issuer setup
2021-05-14 13:35:50 +01:00
irbekrm
9ecf896130 Implement feedback from code review
Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-05-14 12:40:30 +01:00
jetstack-bot
0ff2b8778c
Merge pull request #3983 from JoshVanL/parse-certificate-chain-venafi
Parse certificate chain venafi
2021-05-13 14:21:14 +01:00
jetstack-bot
22ff380f39
Merge pull request #3984 from JoshVanL/parse-certificate-chain-acme
Parse certificate chain acme
2021-05-13 13:50:14 +01:00
jetstack-bot
96ea5e51d4
Merge pull request #3985 from JoshVanL/parse-certificate-chain-ca
Parse certificate chain CA Issuer
2021-05-13 13:23:14 +01:00
jetstack-bot
12c891e9b0
Merge pull request #4000 from irbekrm/re_enable_venafi_tpp_tests
Re-enable e2e tests that connect to Venafi TPP.
2021-05-13 12:28:14 +01:00
irbekrm
3ef1643cd7 Re-enable e2e tests that connect to Venafi TPP.
This reverts commit 9d059a2425.

Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-05-13 11:50:29 +01:00
jetstack-bot
595d753339
Merge pull request #3982 from JoshVanL/parse-certificate-chain
Change Vault Issuer to construct the certificate chain to populate the CertificateRequest CA with the root most cert.
2021-05-12 17:34:13 +01:00
jetstack-bot
11bd87b58d
Merge pull request #3997 from irbekrm/temp_disable_tpp_tests
Temporarily revert "Re-enable the Venafi TPP E2E tests"
2021-05-12 16:32:52 +01:00
irbekrm
9d059a2425 Temporarily revert "Re-enable the Venafi TPP E2E tests"
These tests are currently failing - we should investigate and re-enable
them.

This reverts commit c769432db5.

Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-05-12 16:11:07 +01:00
joshvanl
58a25314f7 Changes CR CA controller to use ECDSA keys
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-05-12 15:07:25 +01:00
joshvanl
ea2cfdc3c9 Updates CA issuer to update SignCSRTemplate and propagate CA
certificate down

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-05-12 14:22:59 +01:00
joshvanl
d327d40297 Updates SignCSRTemplate to use ParseCertificateChain
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-05-12 14:22:59 +01:00
joshvanl
9622b664bf Adds SecretTLSKeyPairAndCA to parse a certificate chain and CA from a
target Secret

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-05-12 14:22:59 +01:00
joshvanl
e4d3d3f725 Change ParseCertificateChain to ParseSingleCertificateChain
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-05-12 14:17:41 +01:00
joshvanl
33fcf0d082 Uses ParseCertificateChainPEM for ACME Order Response
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-05-12 14:17:02 +01:00
joshvanl
d69a4e1a3c Change ParseCertificateChain to ParseSingleCertificateChain
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-05-12 14:15:54 +01:00
joshvanl
1030bbadb5 Change Venafi Signer to use ParseCertificateChain to populate Status.CA
correctly

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-05-12 14:14:47 +01:00
joshvanl
68aeb330b7 Change ParseCertificateChain to ParseSingleCertificateChain to show
intention better

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-05-12 14:12:06 +01:00
jetstack-bot
3bb830c2ab
Merge pull request #3989 from maelvls/fix-crd-generation
Controller-gen can now update CRDs like before
2021-05-12 09:16:52 +01:00
Maël Valais
39c9c662f7 controller-gen can now update CRDs like before
The controller-gen tool is quite rude and won't tell you when one of the
CRD manifests cannot be parsed when the option schemapatch is used. As
an example, the following:

  sed -i 's/RFC8555/RFC8556/g' pkg/apis/certmanager/v1/types_issuer.go
  controller-gen schemapatch:manifests=./deploy/crds output:dir=./deploy/crds paths=./pkg/apis/...

should trigger a change in the crd-clusterissuers.yaml:

  @@ -3184,7 +3184,7 @@ spec:
                 type: object
                 properties:
                   acme:
  -                  description: ACME [...] communicate with a RFC8555
  +                  description: ACME [...] communicate with a RFC8556
                     type: object

Unfortunately, controller-gen v0.2.9-0.20200414181213-645d44dca7c0
silently skips faulty CRD manifests. In our case, the CRD had become a
non-YAML file (we need to use some if statements):

  {{- if .Values.webhook.url.host }}
  url: https://{{ .Values.webhook.url.host }}/convert
  {{- else }}
  service:
    name: {{ template "webhook.fullname" . }}
    namespace: {{ .Release.Namespace | quote }}
    path: /convert
  {{- end }}

Two issues can be found (we can use a YAML parser like yq for that):

1. The pipe "|" used in ".Release.Namespace | quote" makes it an invalid
   YAML file. We could rewrite that to

     {{ quote .Release.Namespace }}

  but I decided to go with actual quotes like with the rest of the
  file.

2. The {{ if }}, {{ else }} and {{ end }} are also invalid YAML syntax,
   and one easy workaround is to comment them.

So many workarounds... but it now works!

Signed-off-by: Maël Valais <mael@vls.dev>
2021-05-11 17:29:06 +02:00
jetstack-bot
2aa625edcb
Merge pull request #3988 from jakexks/revert-istio-virtualservice
Revert Istio VirtualService support for 1.4 release.
2021-05-11 15:50:53 +01:00
Jake Sanders
ef2a830614
./hack/update-bazel.sh
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2021-05-11 14:50:28 +01:00
Jake Sanders
79d8d9cb7b
Revert "Merge pull request #3724 from inteon/istio-virtualservice-for-http01"
This reverts commit 80f27739b5, reversing
changes made to 96604d02a3.

Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2021-05-11 14:50:25 +01:00
Jake Sanders
423e82b65b
Revert "Merge pull request #3939 from JoshVanL/istio-api-to-internal-apis"
This reverts commit f2a74ade5e, reversing
changes made to 7ff54e61e9.

Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2021-05-11 14:50:23 +01:00
Jake Sanders
8ca19b26f9
Revert "Merge pull request #3946 from inteon/fix_kubectl_apply"
This reverts commit c7514d9262, reversing
changes made to 49cbedf262.

Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2021-05-11 14:50:18 +01:00
jetstack-bot
bd817cce0a
Merge pull request #3936 from irbekrm/webhook_warnings
Webhook warnings
2021-05-11 13:43:53 +01:00
irbekrm
6cb57c4c33 Makes ACME EAB key algo warning value unexported
Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-05-11 13:14:33 +01:00
joshvanl
88693435b8 Change ParseCertificateChain test func to use ECDSA keys to speed up
runtime

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-05-10 19:13:31 +01:00
joshvanl
d17626c927 Changes vault issuer to use ParseCertificateChain from response from
vault

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-05-10 19:07:31 +01:00
joshvanl
744906ebaf Adds ParseCertificateChain to parse and test a pem bundle to ensure it's
a valid flat chain. Returns a chain and optional CA

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
2021-05-10 19:06:21 +01:00
irbekrm
e82ea35744 Adds a unit test for ACME issuer Setup function
Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-05-10 09:53:53 +01:00
irbekrm
284de092e9 Adds a few ACME-specific functions to issuer gen
Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-05-10 09:53:39 +01:00
irbekrm
0c751f51e4 Adds functionality to generate issuer conditions to gen
So they can be generated in tests with fewer lines of code

Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-05-10 09:53:20 +01:00
irbekrm
6318de527c Adds a fake Secrets client
A simpler implementation than https://github.com/kubernetes/client-go/blob/master/kubernetes/typed/core/v1/fake/fake_secret.go and more suited for unit tests that don't spin up a controller

Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-05-10 09:52:58 +01:00
irbekrm
c97b14a216 Fix FakeRegistry.AddClient + ensure that FakeACME implements accounts.Registry
Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-05-10 09:52:34 +01:00
irbekrm
f438ae30ab Refactor Setup to make it more DRY + use consts instead of string literals
This commit also ensures that issuer's observed generation is updated in cases where the issuer spec has changed, but the re-registration is skipped as the current registration seems already valid

Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-05-10 09:51:24 +01:00
irbekrm
d8367cbac8 Remove direct calls to external deps from Setup function
Allow the functionality to set up a new ACME client and to retrieve and decode ACME account's key to be stubbed in tests

Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-05-10 09:51:07 +01:00
jetstack-bot
3434c78188
Merge pull request #3960 from wallrj/538-lint-fixes-richardw
Fix some linting errors
2021-05-07 11:50:34 +01:00
Richard Wall
fc1f6ffea9 ./hack/update-deps.sh
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-05-07 09:55:09 +01:00
Richard Wall
3811847872 Fail benchmark if scheduleN returns an error
pkg/controller/acmechallenges/scheduler/scheduler_test.go:84:16                          errcheck     Error return value of `s.scheduleN` is not checked
pkg/controller/acmechallenges/scheduler/scheduler_test.go:98:16                          errcheck     Error return value of `s.scheduleN` is not checked
pkg/controller/acmechallenges/scheduler/scheduler_test.go:112:16                         errcheck     Error return value of `s.scheduleN` is not checked
pkg/controller/acmechallenges/scheduler/scheduler_test.go:314:51                         errcheck     Error return value of `` is not checked

Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-05-07 09:55:09 +01:00
Richard Wall
c9eb75c447 Remove unused test-case field
pkg/controller/certificaterequests/venafi/venafi_test.go:787:2                           structcheck  `issuer` is unused

Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-05-07 09:55:09 +01:00
Richard Wall
b35ae551bf Fail test if Register returns an error
pkg/controller/issuers/sync_test.go:55:12                                                errcheck     Error return value of `c.Register` is not checked

Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-05-07 09:55:09 +01:00
Richard Wall
98d2672d3a Fail test on unexpected errors
pkg/issuer/acme/dns/rfc2136/rfc2136_test.go:58:23                                        errcheck     Error return value of `server.Shutdown` is not checked
pkg/issuer/acme/dns/rfc2136/rfc2136_test.go:336:12                                       errcheck     Error return value of `w.WriteMsg` is not checked
pkg/issuer/acme/dns/rfc2136/rfc2136_test.go:355:12                                       errcheck     Error return value of `w.WriteMsg` is not checked
pkg/issuer/acme/dns/rfc2136/rfc2136_test.go:361:12                                       errcheck     Error return value of `w.WriteMsg` is not checked

Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-05-07 09:55:09 +01:00
jetstack-bot
7872f04d3f
Merge pull request #3962 from jakexks/staticcheck-party
Static Analysis fixes
2021-05-06 13:28:20 +01:00
Jake Sanders
98c3b56e43
close stopch in failure cases
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2021-05-06 12:18:56 +01:00
jetstack-bot
024603814f
Merge pull request #3970 from SgtCoDFish/munnerz_security_contact
Add @munnerz to SECURITY_CONTACTS.md
2021-05-05 20:21:12 +01:00
Ashley Davis
00d017da78
add @munnerz to SECURITY_CONTACTS.md
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2021-05-05 17:35:10 +01:00
Jake Sanders
bb519a59b9
Log a message when test framework fails to parse cover profile flag
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2021-05-05 16:40:16 +01:00