This is not necessarily a breaking change as this appears to have been the current behaviour in most cases due to the race condition that this commit fixes
Signed-off-by: irbekrm <irbekrm@gmail.com>
Previously, the Vault issuer was only able to use a Secret in order to
use the "Kubernetes authentication" method. The downside to this service
account Secret token is that it has the default JWT iss
"kubernetes/serviceaccount" (along with the fact that the token is not
bound to a particular pod and has no expiry).
With the new serviceAccountRef, cert-manager now requests the token on
behalf of the pod in order to authenticate with Vault.
Signed-off-by: Maël Valais <mael@vls.dev>
Makes sure that when an unlabelled Secret is encountered at any point (even outside issuance) it will be labelled
Signed-off-by: irbekrm <irbekrm@gmail.com>
cainjector will still watch cluster-scoped resources such as CRDs, so it can get references to Secrets or Certificates in namespaces that are out of scope
Signed-off-by: irbekrm <irbekrm@gmail.com>
Ensures that when cainjector has the namespace flag passed, namespaced resource caching is scoped to that namespace
Signed-off-by: irbekrm <irbekrm@gmail.com>
See https://github.com/cert-manager/cert-manager/issues/5601
When referring to external issuers whose kind is not "Issuer" or
"ClusterIssuer" we log an error message thanks to a new check added in
a previous PR[1] which should only trigger for SelfSigned issuers.
The error previously looked like:
```text
"error"="invalid value \"x\" for issuerRef.kind. Must
be empty, \"Issuer\" or \"ClusterIssuer\""
```
After this PR, any CR with an issuer whose group or kind doesn't
match what's expected for a built-in issuer will be skipped
https://github.com/cert-manager/cert-manager/pull/5336
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
WIP: test other issuer kinds
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
This fixes two instances where loop variables were being incorrectly
used:
- using a loop variable in a closure passed to `ginkgo.It()` is
incorrect, as the capture happens by reference and only the last test
case will be executed (multiple times).
- a similar issue happens in the context of a goroutine; specifically,
we need to create a copy of the `runDurationFunc` before calling it in
a goroutine as done by the controller's `Run` function.
With regards to the second issue, I believe it never came to the
surface because, in production code, only one `runDurationFunc` is
passed; tests don't exercise the multiple funcs path either.
Issues were automatically found with the `loopvarcapture` linter.
Signed-off-by: Renato Costa <renato@cockroachlabs.com>
informer, and no longer mark the request as Failed when the private key
Secret is malformed. This behaviour matches the CertificateRequest
self signed controller.
Signed-off-by: joshvanl <me@joshvanl.dev>
