weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
5,983 Commits 45 Branches 0 Tags 96 MiB
ef32714434
Commit Graph

188 Commits

Author SHA1 Message Date
Johan Fleury
ef32714434
Make leader election defaults consistent 
Signed-off-by: Johan Fleury <jfleury@arcaik.net>
 2021-08-13 12:14:40 -04:00
Jake Sanders
ed4ad50b22
Don't start the Gateway Shared Informer Factory if the Gateway API feature is disabled 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-08-05 15:22:02 +01:00
Jake Sanders
36aa9e2501
The gateway-api support is now gated behind --feature-gate=ExperimentalGatewayAPISupport=true 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-08-05 14:37:54 +01:00
Jake Sanders
27348a7072
Better error messages when Gateway API CRDs aren't installed 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-08-03 14:21:02 +01:00
Jake Sanders
b38869b551
Gateway HTTP01: Make docs better, only enable gateway solver if gateway API is found 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-08-02 14:06:23 +01:00
Jake Sanders
deb9ccc5a9
HTTP01 solver support for the Gateway API 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-08-02 14:06:16 +01:00
jetstack-bot
d062176777
Merge pull request #4243 from inteon/improved_go_routines 
Cleanup goroutine management
 2021-07-28 15:36:41 +01:00
Inteon
78d13787e6
remove duplicated error messages & cobra help messages on error 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-28 15:55:14 +02:00
Inteon
d430113666
remove os.Exit from cert-manager controller and make sure LeaderElection ReleaseOnCancel works 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-27 21:40:42 +02:00
jetstack-bot
3b50d78ae4
Merge pull request #4225 from jakexks/ingressv1 
Feature: Support both v1 and v1beta1 ingresses.
 2021-07-27 20:11:37 +01:00
Inteon
48e9c2bd16
exit with exit code 0 on cancel & release leader-election on cancel 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-27 19:43:08 +02:00
irbekrm
2ddf6fe637 Allows for annotations passed from CSR to Order to be filtered 
Using the value from copied-annotation-prefixes flag, where by default kubectl, fluxcd, argocd annotations are excluded

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-07-27 10:55:09 +01:00
Irbe Krumina
3834a8fc0a Code review feedback 
Co-authored-by: Josh Van Leeuwen <joshua.vanleeuwen@jetstack.io>
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-07-26 20:00:37 +01:00
irbekrm
ddf7e130b7 Allow users to specify which annotations should be copied from Certificate to CertificateRequest 
Default to all being copied except for kubectl, fluxcd, argocd annotations

Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-07-26 20:00:10 +01:00
Jake Sanders
67c6586161
Addressing code review comments in #4225 
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-07-26 18:29:54 +01:00
Jake Sanders
0d93b93fc5
Feature: Support both v1 and v1beta1 ingresses. 
Kubernetes is removing support for the v1beta1 Ingress type in 1.22: https://kubernetes.io/blog/2021/07/14/upcoming-changes-in-kubernetes-1-22/#api-changes
However, we still wish to support k8s v1.16 until mid 2022 when Openshift 3 becomes out of support.

cert-manager will now use v1 Ingress if available by using the discovery API.

Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-07-26 18:29:42 +01:00
joshvanl
b041a8fb3d Wires up ACME CSR controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-23 16:00:09 +01:00
Inteon
632459c6d9
resolve bug & cleanup 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-23 15:41:24 +02:00
Inteon
81e216eeba
wait for goroutines to end before exiting 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-23 15:30:26 +02:00
jetstack-bot
9ad9e220f3
Merge pull request #4230 from inteon/fix_exit_codes 
set correct exit codes
 2021-07-23 13:06:09 +01:00
Inteon
d6cd6f457d
set correct exit codes when exiting 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-07-22 12:57:08 +02:00
joshvanl
65cec6c212 Wires up Venafi CertificateSigningRequest controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-07-19 15:50:23 +01:00
Maël Valais
e5436df521 gateway-shim: don't crash cert-manager if the Gateway CRD isn't there 
The Gateway CRD has to be installed, meaning that the CRDs may be
installed after cert-manager. We don't want cert-manager to crash in
that case; instead, we let the user know that cert-manager will keep
retrying looking for the CRDs with this message on startup:

  controller.go:181] cert-manager/controller/build-context "msg"="the
  Gateway API CRDs do not seem to be present, cert-manager will keep
  retrying watching for them"

The user then sees the following message printed (using an exponential
back-off):

  reflector.go:167: Failed to watch *v1alpha1.Gateway: failed to list
  *v1alpha1.Gateway: the server could not find the requested resource
  (get gateways.networking.x-k8s.io)

Signed-off-by: Maël Valais <mael@vls.dev>
 2021-07-15 20:35:47 +02:00
Maël Valais
b5142f84c0 gateway-shim: only discover the gateway api when gateway-shim is enabled 
Signed-off-by: Maël Valais <mael@vls.dev>
 2021-07-15 20:35:34 +02:00
Maël Valais
30f9c123d3 gateway-shim: add the gateway-shim controller 
Note that the gateway-shim is only half the work for supporting the
Gateway API in cert-manager. The other half is the HTTP01 solver
support, which is still worked on.

The Gateway API in cert-manager is releases as an experimental feature
and needs to be enabled manually with the following flag:

  --controllers=*,gateway-shim

All the annotations supported by ingress-shim are also supported by
gateway-shim, with some exceptions:

  "acme.cert-manager.io/http01-ingress-class"

This annotation is not supported on the Gateway resource. Although the
Gateway resource also has a "gatewayClass" field, we will need to add
another field instead of "ingress-class" to avoid confusion with the
ingress-shim.

  "acme.cert-manager.io/http01-edit-in-place"

This annotation is not supported because it is specific to some ingress
controllers like ingress-gce.

  "kubernetes.io/tls-acme"

This annotation is not supported because it is a behavior inherited from
kube-lego and we chose not to keep this behavior with the Gateway API.

Unlike the ingress-shim, you can reuse the same Secret name in multiple
TLS configurations on the same Gateway resource.

The ingress-shim now shows the exact location of the duplicate
secretName when the user gives the same secretName in two separate TLS
blocks.

Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Jake Sanders <i@am.so-aweso.me>
 2021-07-15 20:34:55 +02:00
joshvanl
d9be35c299 Wires up Vault CSR controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-06-29 09:11:43 +01:00
jetstack-bot
fbd2a6d06a
Merge pull request #4105 from kit837/add-clock-time-seconds 
Add clock_time_seconds metric
 2021-06-15 21:00:53 +01:00
kit837
0f97e6d19d pass in clock.Clock for better test 
Signed-off-by: kit837 <66801824+kit837@users.noreply.github.com>
 2021-06-15 17:48:20 +00:00
joshvanl
72800ae0f2 Wires up the SelfSigned CertificateSigningRequest controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-06-14 10:19:28 +01:00
joshvanl
9e1b0342d0 Updates with review comments 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-27 18:48:50 +01:00
joshvanl
60d5974115 Moves CertificateSigningRequest controller to feature gate flag 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-27 12:00:56 +01:00
joshvanl
62dee4783e Adds CertificateSigningRequest CA Issuer controller as optional 
controller

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-05-27 00:32:24 +01:00
irbekrm
b539cbea89 Use ConfigmapsLeases Multilock for controller's leader election 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-05-17 18:19:38 +01:00
Jake Sanders
79d8d9cb7b
Revert "Merge pull request #3724 from inteon/istio-virtualservice-for-http01" 
This reverts commit 80f27739b5, reversing
changes made to 96604d02a3.

Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-05-11 14:50:25 +01:00
Jake Sanders
423e82b65b
Revert "Merge pull request #3939 from JoshVanL/istio-api-to-internal-apis" 
This reverts commit f2a74ade5e, reversing
changes made to 7ff54e61e9.

Signed-off-by: Jake Sanders <i@am.so-aweso.me>
 2021-05-11 14:50:23 +01:00
joshvanl
01716e2907 Fixes stutter: istio.IsIstioInstalled -> istio.IsInstalled 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-04-29 11:42:21 +01:00
joshvanl
00ceff3421 Update bazel 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-04-29 11:36:49 +01:00
joshvanl
3af22cf6c6 Move istio util duncs to pkg/util/istio 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-04-29 11:35:41 +01:00
Inteon
2d7dfcb462 start DynamicSharedInformerFactory unconditionally; only listen for VirtualServices conditionally 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-04-28 09:20:49 +02:00
Inteon
624e2b9e69 add ACME HTTP01 Istio support 
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
 2021-04-28 09:19:53 +02:00
joshvanl
8f5b03427c Fix options_test.go boilerplate header 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 11:28:01 +00:00
joshvanl
6ef840972c Change controller options to return a set of enabled controllers, and 
log enabled controllers on start

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 11:28:01 +00:00
joshvanl
5c3e02d7a5 Changes the controllers flag to allow disabling controllers. This is the 
same behaviour as kube-controller-manager

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 11:28:01 +00:00
joshvanl
0382c9d8b2 Adds a cert-manager-controller flag to disable controllers, for example, 
the certificaterequests-approver

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-26 11:28:01 +00:00
jetstack-bot
a8c75fab1a
Merge pull request #3773 from JoshVanL/certificate-revision-history-limit 
Certificate revision history limit
 2021-03-26 11:13:58 +00:00
joshvanl
6957bc31df Adds the CertificateRequest approver controller to 
cert-manager-controller

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-17 13:10:39 +00:00
joshvanl
c4b918c0aa Adds RevisionManager controller to default enabled controller 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
 2021-03-15 14:54:35 +00:00
irbekrm
b852e97ffb Removes the deprecated renew-before-expiry flag 
Signed-off-by: irbekrm <irbekrm@gmail.com>
 2021-02-21 10:22:25 +00:00
jetstack-bot
cdc53b65cb
Merge pull request #3500 from meyskens/update-copy 
Update copyright to cert-manager project
 2020-12-15 10:12:31 +00:00
Maartje Eyskens
ab0cd57dc5 Use The cert-manager Authors. 
Signed-off-by: Maartje Eyskens <maartje@eyskens.me>
 2020-12-11 19:04:13 +01:00