| Author | SHA1 | Date | |
|---|---|---|---|
|
|
88be48cff1 | ||
|
|
5d4221902d | ||
|
|
8e8811f595 | ||
|
|
91e8a0ca5a | ||
|
|
475ee0448f | ||
|
|
d792557c3c | ||
|
|
f54dd1dc98 | ||
|
|
c5eaff4015 | ||
|
|
ea90ac617f | ||
|
|
a85e1e973d | ||
|
|
26955c1ec6 | ||
|
|
28ec1c5481 | ||
|
|
fbb2643c05 | ||
|
|
e33ba250a6 | ||
|
|
00c2d2ccc3 | ||
|
|
6db08a0582 | ||
|
|
83791ee45f | ||
|
|
5028279bbb | ||
|
|
ebfc9c54f9 | ||
|
|
50b747fd36 | ||
|
|
03b0e08946 | ||
|
|
7c7ea2a0b9 | ||
|
|
18180336bc | ||
|
|
6bf1457f6d | ||
|
|
244bbc8266 | ||
|
|
707dcff96a | ||
|
|
fe3f251458 | ||
|
|
5f2c459dbc | ||
|
|
b31a36e5fe | ||
|
|
99fb7ab838 | ||
|
|
14f72bafb9 | ||
|
|
34cd1344eb | ||
|
|
93f72dcc25 | ||
|
|
12bf49141f | ||
|
|
15269caefc | ||
|
|
ff8589d3ce | ||
|
|
b7d1ce1c42 | ||
|
|
c18921a176 | ||
|
|
73ab9e0f25 | ||
|
|
edabf2752d | ||
|
|
cb6fb3be11 | ||
|
|
6cbdf95fb2 | ||
|
|
e92d036b85 | ||
|
|
0819177147 | ||
|
|
8d35ba6c4e | ||
|
|
3552a445b3 | ||
|
|
ba3a352195 | ||
|
|
eece93ccaa | ||
|
|
0cd9010d24 | ||
|
|
4ba14a537e | ||
|
|
50667553dc | ||
|
|
3642ed5b18 | ||
|
|
6125381cf7 | ||
|
|
494d9b587d | ||
|
|
8aa7a48614 | ||
|
|
a7d8c46592 | ||
|
|
67460e2e2c | ||
|
|
b8389e1edd | ||
|
|
775ca3a199 | ||
|
|
4b62a31b73 | ||
|
|
1e6a6bba92 | ||
|
|
a96bae172d | ||
|
|
9a4093a28d | ||
|
|
7dcefa943b | ||
|
|
9639231f0c | ||
|
|
d401c8e8ff | ||
|
|
ce17ce8eec |
2
.gitignore
vendored
2
.gitignore
vendored
@ -18,3 +18,5 @@ _bin/
|
||||
.bin/
|
||||
user.bazelrc
|
||||
*.bak
|
||||
/go.work.sum
|
||||
/go.work
|
||||
|
||||
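--- a/.trivyignore
+++ b/.trivyignore
@@ -0,0 +1,14 @@
+# These vulns relate to issues with v1 of the AWS Golang SDK
+# These issues relate to S3 encryption issues which cert-manager is unlikely to hit
+# Fixing them requires upgrading to v2 of the AWS Golang SDK which is a potentially large task
+CVE-2020-8911
+CVE-2020-8912
+GHSA-7f33-f4f5-xwgw
+GHSA-f5pg-7wfw-84q9
+
+# This vuln affects malicious helm charts using DNS
+# Fixing this requires a huge amount of upgrades because the underlying helm upgrade itself
+# had so many dependencies.
+# The vulnerability is likely to be more dangerous in the underlying Helm tool which we can
+# upgrade, but the library dependency doesn't seem worth it to upgrade.
+CVE-2023-25165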
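Review bot: The ignore entries for CVE-2020-8911, CVE-2020-8912, the two GHSA ids and CVE-2023-25165 carry no expiry, so they will keep suppressing findings indefinitely, including after the AWS SDK v2 or Helm upgrades the comments say would resolve them. Trivy accepts an expiry date after the id, so writing each as `CVE-2020-8911 exp:YYYY-MM-DD` (placeholder date) forces a periodic re-evaluation instead of a permanent exception. Recording the tracking issue next to each block would also keep the rationale discoverable once the comment goes stale. The GHSA entries look like GitHub's aliases for the same two AWS SDK advisories, but that is inferred from the grouping and worth confirming so the duplication is deliberate.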
16
LICENSES
16
LICENSES
@ -36,7 +36,7 @@ github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/util,https://github.com
|
||||
github.com/cespare/xxhash/v2,https://github.com/cespare/xxhash/blob/v2.1.2/LICENSE.txt,MIT
|
||||
github.com/chai2010/gettext-go,https://github.com/chai2010/gettext-go/blob/v1.0.2/LICENSE,BSD-3-Clause
|
||||
github.com/cloudflare/cloudflare-go,https://github.com/cloudflare/cloudflare-go/blob/v0.50.0/LICENSE,BSD-3-Clause
|
||||
github.com/containerd/containerd,https://github.com/containerd/containerd/blob/v1.6.6/LICENSE,Apache-2.0
|
||||
github.com/containerd/containerd,https://github.com/containerd/containerd/blob/v1.6.18/LICENSE,Apache-2.0
|
||||
github.com/coreos/go-semver/semver,https://github.com/coreos/go-semver/blob/v0.3.0/LICENSE,Apache-2.0
|
||||
github.com/coreos/go-systemd/v22,https://github.com/coreos/go-systemd/blob/v22.3.2/LICENSE,Apache-2.0
|
||||
github.com/cpu/goacmedns,https://github.com/cpu/goacmedns/blob/v0.1.1/LICENSE,MIT
|
||||
@ -126,7 +126,7 @@ github.com/mailru/easyjson,https://github.com/mailru/easyjson/blob/v0.7.6/LICENS
|
||||
github.com/mattn/go-colorable,https://github.com/mattn/go-colorable/blob/v0.1.12/LICENSE,MIT
|
||||
github.com/mattn/go-isatty,https://github.com/mattn/go-isatty/blob/v0.0.14/LICENSE,MIT
|
||||
github.com/mattn/go-runewidth,https://github.com/mattn/go-runewidth/blob/v0.0.13/LICENSE,MIT
|
||||
github.com/matttproud/golang_protobuf_extensions/pbutil,https://github.com/matttproud/golang_protobuf_extensions/blob/c182affec369/LICENSE,Apache-2.0
|
||||
github.com/matttproud/golang_protobuf_extensions/pbutil,https://github.com/matttproud/golang_protobuf_extensions/blob/v1.0.4/LICENSE,Apache-2.0
|
||||
github.com/miekg/dns,https://github.com/miekg/dns/blob/v1.1.50/LICENSE,BSD-3-Clause
|
||||
github.com/mitchellh/copystructure,https://github.com/mitchellh/copystructure/blob/v1.2.0/LICENSE,MIT
|
||||
github.com/mitchellh/go-homedir,https://github.com/mitchellh/go-homedir/blob/v1.1.0/LICENSE,MIT
|
||||
@ -148,7 +148,7 @@ github.com/onsi/gomega,https://github.com/onsi/gomega/blob/v1.20.2/LICENSE,MIT
|
||||
github.com/opencontainers/go-digest,https://github.com/opencontainers/go-digest/blob/v1.0.0/LICENSE,Apache-2.0
|
||||
github.com/opencontainers/image-spec/specs-go,https://github.com/opencontainers/image-spec/blob/c5a74bcca799/LICENSE,Apache-2.0
|
||||
github.com/patrickmn/go-cache,https://github.com/patrickmn/go-cache/blob/v2.1.0/LICENSE,MIT
|
||||
github.com/pavlo-v-chernykh/keystore-go/v4,https://github.com/pavlo-v-chernykh/keystore-go/blob/v4.4.0/LICENSE,MIT
|
||||
github.com/pavlo-v-chernykh/keystore-go/v4,https://github.com/pavlo-v-chernykh/keystore-go/blob/v4.4.1/LICENSE,MIT
|
||||
github.com/peterbourgon/diskv,https://github.com/peterbourgon/diskv/blob/v2.0.1/LICENSE,MIT
|
||||
github.com/pierrec/lz4,https://github.com/pierrec/lz4/blob/v2.5.2/LICENSE,BSD-3-Clause
|
||||
github.com/pkg/errors,https://github.com/pkg/errors/blob/v0.9.1/LICENSE,BSD-2-Clause
|
||||
@ -195,12 +195,12 @@ go.uber.org/atomic,https://github.com/uber-go/atomic/blob/v1.9.0/LICENSE.txt,MIT
|
||||
go.uber.org/multierr,https://github.com/uber-go/multierr/blob/v1.6.0/LICENSE.txt,MIT
|
||||
go.uber.org/zap,https://github.com/uber-go/zap/blob/v1.21.0/LICENSE.txt,MIT
|
||||
golang.org/x/crypto,https://cs.opensource.google/go/x/crypto/+/4ba4fb4d:LICENSE,BSD-3-Clause
|
||||
golang.org/x/net,https://cs.opensource.google/go/x/net/+/db77216a:LICENSE,BSD-3-Clause
|
||||
golang.org/x/net,https://cs.opensource.google/go/x/net/+/v0.7.0:LICENSE,BSD-3-Clause
|
||||
golang.org/x/oauth2,https://cs.opensource.google/go/x/oauth2/+/f2134210:LICENSE,BSD-3-Clause
|
||||
golang.org/x/sync,https://cs.opensource.google/go/x/sync/+/7f9b1623:LICENSE,BSD-3-Clause
|
||||
golang.org/x/sys,https://cs.opensource.google/go/x/sys/+/3c1f3524:LICENSE,BSD-3-Clause
|
||||
golang.org/x/term,https://cs.opensource.google/go/x/term/+/03fcf44c:LICENSE,BSD-3-Clause
|
||||
golang.org/x/text,https://cs.opensource.google/go/x/text/+/v0.3.7:LICENSE,BSD-3-Clause
|
||||
golang.org/x/sys,https://cs.opensource.google/go/x/sys/+/v0.5.0:LICENSE,BSD-3-Clause
|
||||
golang.org/x/term,https://cs.opensource.google/go/x/term/+/v0.5.0:LICENSE,BSD-3-Clause
|
||||
golang.org/x/text,https://cs.opensource.google/go/x/text/+/v0.7.0:LICENSE,BSD-3-Clause
|
||||
golang.org/x/time/rate,https://cs.opensource.google/go/x/time/+/579cf78f:LICENSE,BSD-3-Clause
|
||||
gomodules.xyz/jsonpatch/v2,https://github.com/gomodules/jsonpatch/blob/v2.2.0/v2/LICENSE,Apache-2.0
|
||||
google.golang.org/api,https://github.com/googleapis/google-api-go-client/blob/v0.97.0/LICENSE,BSD-3-Clause
|
||||
@ -215,7 +215,7 @@ gopkg.in/square/go-jose.v2,https://github.com/square/go-jose/blob/v2.5.1/LICENSE
|
||||
gopkg.in/square/go-jose.v2/json,https://github.com/square/go-jose/blob/v2.5.1/json/LICENSE,BSD-3-Clause
|
||||
gopkg.in/yaml.v2,https://github.com/go-yaml/yaml/blob/v2.4.0/LICENSE,Apache-2.0
|
||||
gopkg.in/yaml.v3,https://github.com/go-yaml/yaml/blob/v3.0.1/LICENSE,MIT
|
||||
helm.sh/helm/v3,https://github.com/helm/helm/blob/v3.10.0/LICENSE,Apache-2.0
|
||||
helm.sh/helm/v3,https://github.com/helm/helm/blob/v3.10.3/LICENSE,Apache-2.0
|
||||
k8s.io/api,https://github.com/kubernetes/api/blob/v0.25.2/LICENSE,Apache-2.0
|
||||
k8s.io/apiextensions-apiserver/pkg,https://github.com/kubernetes/apiextensions-apiserver/blob/v0.25.2/LICENSE,Apache-2.0
|
||||
k8s.io/apimachinery/pkg,https://github.com/kubernetes/apimachinery/blob/v0.25.2/LICENSE,Apache-2.0
|
||||
|
||||
@ -21,6 +21,9 @@ KIND_IMAGE_K8S_123=docker.io/kindest/node@sha256:9402cf1330bbd3a0d097d2033fa489b
|
||||
KIND_IMAGE_K8S_124=docker.io/kindest/node@sha256:97e8d00bc37a7598a0b32d1fabd155a96355c49fa0d4d4790aab0f161bf31be1
|
||||
KIND_IMAGE_K8S_125=docker.io/kindest/node@sha256:9be91e9e9cdf116809841fc77ebdb8845443c4c72fe5218f3ae9eb57fdb4bace
|
||||
|
||||
# Manually set - see hack/latest-kind-images.sh for details
|
||||
KIND_IMAGE_K8S_126=docker.io/kindest/node@sha256:691e24bd2417609db7e589e1a479b902d2e209892a10ce375fab60a8407c7352
|
||||
|
||||
# docker.io/kindest/node:v1.20.15
|
||||
KIND_IMAGE_SHA_K8S_120=sha256:d67de8f84143adebe80a07672f370365ec7d23f93dc86866f0e29fa29ce026fe
|
||||
|
||||
@ -39,6 +42,9 @@ KIND_IMAGE_SHA_K8S_124=sha256:97e8d00bc37a7598a0b32d1fabd155a96355c49fa0d4d4790a
|
||||
# docker.io/kindest/node:v1.25.2
|
||||
KIND_IMAGE_SHA_K8S_125=sha256:9be91e9e9cdf116809841fc77ebdb8845443c4c72fe5218f3ae9eb57fdb4bace
|
||||
|
||||
# Manually set - see hack/latest-kind-images.sh for details
|
||||
KIND_IMAGE_SHA_K8S_126=sha256:691e24bd2417609db7e589e1a479b902d2e209892a10ce375fab60a8407c7352
|
||||
|
||||
# note that these 'full' digests should be avoided since not all tools support them
|
||||
# prefer KIND_IMAGE_K8S_*** instead
|
||||
KIND_IMAGE_FULL_K8S_120=docker.io/kindest/node:v1.20.15@sha256:d67de8f84143adebe80a07672f370365ec7d23f93dc86866f0e29fa29ce026fe
|
||||
@ -48,3 +54,5 @@ KIND_IMAGE_FULL_K8S_123=docker.io/kindest/node:v1.23.12@sha256:9402cf1330bbd3a0d
|
||||
KIND_IMAGE_FULL_K8S_124=docker.io/kindest/node:v1.24.6@sha256:97e8d00bc37a7598a0b32d1fabd155a96355c49fa0d4d4790aab0f161bf31be1
|
||||
KIND_IMAGE_FULL_K8S_125=docker.io/kindest/node:v1.25.2@sha256:9be91e9e9cdf116809841fc77ebdb8845443c4c72fe5218f3ae9eb57fdb4bace
|
||||
|
||||
# Manually set - see hack/latest-kind-images.sh for details
|
||||
KIND_IMAGE_FULL_K8S_126=docker.io/kindest/node:v1.26.0@sha256:691e24bd2417609db7e589e1a479b902d2e209892a10ce375fab60a8407c7352
|
||||
|
||||
37
gcb/build_cert_manager.yaml
Normal file
37
gcb/build_cert_manager.yaml
Normal file
@ -0,0 +1,37 @@
|
||||
# This cloudbuild config file is intended to be triggered when a tag is pushed to the cert-manager repo
|
||||
# and will build a cert-manager release and push to Google Cloud Storage (GCS).
|
||||
|
||||
# The release won't be published automatically; this file just defines the build steps.
|
||||
|
||||
# The full release and publish process is documented here:
|
||||
# https://cert-manager.io/docs/contributing/release-process/
|
||||
|
||||
timeout: 2700s # 45m
|
||||
|
||||
steps:
|
||||
# cert-manager relies on the git checkout to determine release version, among other things
|
||||
# By default, gcb only does a shallow clone, so we need to "unshallow" to get more details
|
||||
- name: gcr.io/cloud-builders/git
|
||||
args: ['fetch', '--unshallow']
|
||||
|
||||
## Build release artifacts and push to a bucket
|
||||
- name: 'eu.gcr.io/jetstack-build-infra-images/make-dind:20230406-0ef4440-bullseye'
|
||||
entrypoint: bash
|
||||
args:
|
||||
- -c
|
||||
- |
|
||||
set -eu -o pipefail
|
||||
make vendor-go
|
||||
make CMREL_KEY="${_KMS_KEY}" RELEASE_TARGET_BUCKET="${_RELEASE_TARGET_BUCKET}" -j16 upload-release
|
||||
echo "Wrote to ${_RELEASE_TARGET_BUCKET}"
|
||||
|
||||
tags:
|
||||
- "cert-manager-tag-push"
|
||||
- "ref-${REF_NAME}-${COMMIT_SHA}"
|
||||
|
||||
substitutions:
|
||||
_KMS_KEY: "projects/cert-manager-release/locations/europe-west1/keyRings/cert-manager-release/cryptoKeys/cert-manager-release-signing-key/cryptoKeyVersions/1"
|
||||
_RELEASE_TARGET_BUCKET: "cert-manager-release"
|
||||
|
||||
options:
|
||||
machineType: N1_HIGHCPU_32
|
||||
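Review bot: Both builder images on the `- name:` lines are referenced by mutable tags, `gcr.io/cloud-builders/git` with no tag at all and `make-dind:20230406-0ef4440-bullseye`, yet this build runs with access to the release-signing KMS key and the release bucket through the substitutions below. Pinning each by digest, e.g. `- name: gcr.io/cloud-builders/git@sha256:<digest>` (placeholder), keeps a re-tagged image from changing what executes under that key. A short comment above each step saying where the pinned digest comes from would make the bump process obvious to the next releaser. The `_KMS_KEY` value pins `cryptoKeyVersions/1`; if that is intentional, a one-line comment stating that key rotation requires editing this file would save the next reader a guess.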
16
go.mod
16
go.mod
@ -25,7 +25,7 @@ require (
|
||||
github.com/munnerz/crd-schema-fuzz v1.0.0
|
||||
github.com/onsi/ginkgo/v2 v2.2.0
|
||||
github.com/onsi/gomega v1.20.2
|
||||
github.com/pavlo-v-chernykh/keystore-go/v4 v4.4.0
|
||||
github.com/pavlo-v-chernykh/keystore-go/v4 v4.4.1
|
||||
github.com/pkg/errors v0.9.1
|
||||
github.com/prometheus/client_golang v1.13.0
|
||||
github.com/segmentio/encoding v0.3.5
|
||||
@ -38,7 +38,7 @@ require (
|
||||
golang.org/x/sync v0.0.0-20220923202941-7f9b1623fab7
|
||||
gomodules.xyz/jsonpatch/v2 v2.2.0
|
||||
google.golang.org/api v0.97.0
|
||||
helm.sh/helm/v3 v3.10.0
|
||||
helm.sh/helm/v3 v3.10.3
|
||||
k8s.io/api v0.25.2
|
||||
k8s.io/apiextensions-apiserver v0.25.2
|
||||
k8s.io/apimachinery v0.25.2
|
||||
@ -86,7 +86,7 @@ require (
|
||||
github.com/cenkalti/backoff/v3 v3.0.0 // indirect
|
||||
github.com/cespare/xxhash/v2 v2.1.2 // indirect
|
||||
github.com/chai2010/gettext-go v1.0.2 // indirect
|
||||
github.com/containerd/containerd v1.6.6 // indirect
|
||||
github.com/containerd/containerd v1.6.18 // indirect
|
||||
github.com/coreos/go-semver v0.3.0 // indirect
|
||||
github.com/coreos/go-systemd/v22 v22.3.2 // indirect
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
|
||||
@ -168,7 +168,7 @@ require (
|
||||
github.com/mattn/go-colorable v0.1.12 // indirect
|
||||
github.com/mattn/go-isatty v0.0.14 // indirect
|
||||
github.com/mattn/go-runewidth v0.0.13 // indirect
|
||||
github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
|
||||
github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
|
||||
github.com/mitchellh/copystructure v1.2.0 // indirect
|
||||
github.com/mitchellh/go-testing-interface v1.0.0 // indirect
|
||||
github.com/mitchellh/go-wordwrap v1.0.0 // indirect
|
||||
@ -228,10 +228,10 @@ require (
|
||||
go.uber.org/multierr v1.6.0 // indirect
|
||||
go.uber.org/zap v1.21.0 // indirect
|
||||
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
|
||||
golang.org/x/net v0.0.0-20220921155015-db77216a4ee9 // indirect
|
||||
golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect
|
||||
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
|
||||
golang.org/x/text v0.3.7 // indirect
|
||||
golang.org/x/net v0.7.0 // indirect
|
||||
golang.org/x/sys v0.5.0 // indirect
|
||||
golang.org/x/term v0.5.0 // indirect
|
||||
golang.org/x/text v0.7.0 // indirect
|
||||
golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
|
||||
golang.org/x/tools v0.1.12 // indirect
|
||||
google.golang.org/appengine v1.6.7 // indirect
|
||||
|
||||
35
go.sum
35
go.sum
@ -109,8 +109,8 @@ github.com/Masterminds/sprig/v3 v3.2.2 h1:17jRggJu518dr3QaafizSXOjKYp94wKfABxUmy
|
||||
github.com/Masterminds/sprig/v3 v3.2.2/go.mod h1:UoaO7Yp8KlPnJIYWTFkMaqPUYKTfGFPhxNuwnnxkKlk=
|
||||
github.com/Masterminds/squirrel v1.5.3 h1:YPpoceAcxuzIljlr5iWpNKaql7hLeG1KLSrhvdHpkZc=
|
||||
github.com/Masterminds/squirrel v1.5.3/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10=
|
||||
github.com/Microsoft/go-winio v0.5.1 h1:aPJp2QD7OOrhO5tQXqQoGSJc+DjDtWTGLOmNyAm6FgY=
|
||||
github.com/Microsoft/hcsshim v0.9.3 h1:k371PzBuRrz2b+ebGuI2nVgVhgsVX60jMfSw80NECxo=
|
||||
github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA=
|
||||
github.com/Microsoft/hcsshim v0.9.6 h1:VwnDOgLeoi2du6dAznfmspNqTiwczvjv4K7NxuY9jsY=
|
||||
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
|
||||
github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
|
||||
github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
|
||||
@ -195,9 +195,9 @@ github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWH
|
||||
github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
|
||||
github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
|
||||
github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
|
||||
github.com/containerd/cgroups v1.0.3 h1:ADZftAkglvCiD44c77s5YmMqaP2pzVCFZvBmAlBdAP4=
|
||||
github.com/containerd/containerd v1.6.6 h1:xJNPhbrmz8xAMDNoVjHy9YHtWwEQNS+CDkcIRh7t8Y0=
|
||||
github.com/containerd/containerd v1.6.6/go.mod h1:ZoP1geJldzCVY3Tonoz7b1IXk8rIX0Nltt5QE4OMNk0=
|
||||
github.com/containerd/cgroups v1.0.4 h1:jN/mbWBEaz+T1pi5OFtnkQ+8qnmEbAr1Oo1FRm5B0dA=
|
||||
github.com/containerd/containerd v1.6.18 h1:qZbsLvmyu+Vlty0/Ex5xc0z2YtKpIsb5n45mAMI+2Ns=
|
||||
github.com/containerd/containerd v1.6.18/go.mod h1:1RdCUu95+gc2v9t3IL+zIlpClSmew7/0YS8O5eQZrOw=
|
||||
github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
|
||||
github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
|
||||
github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
|
||||
@ -713,8 +713,8 @@ github.com/mattn/go-sqlite3 v1.11.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsO
|
||||
github.com/mattn/go-sqlite3 v1.14.6 h1:dNPt6NO46WmLVt2DLNpwczCmdV5boIZ6g/tlDrlRUbg=
|
||||
github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
|
||||
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
|
||||
github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI=
|
||||
github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
|
||||
github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
|
||||
github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
|
||||
github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
|
||||
github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
|
||||
github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
|
||||
@ -795,8 +795,8 @@ github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144T
|
||||
github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
|
||||
github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
|
||||
github.com/pavel-v-chernykh/keystore-go/v4 v4.1.0/go.mod h1:2ejgys4qY+iNVW1IittZhyRYA6MNv8TgM6VHqojbB9g=
|
||||
github.com/pavlo-v-chernykh/keystore-go/v4 v4.4.0 h1:y9azNmMzvkNBPyczpNRwaV4bm0U6e7Oyrj7gi2/SNFI=
|
||||
github.com/pavlo-v-chernykh/keystore-go/v4 v4.4.0/go.mod h1:lAVhWwbNaveeJmxrxuSTxMgKpF6DjnuVpn6T8WiBwYQ=
|
||||
github.com/pavlo-v-chernykh/keystore-go/v4 v4.4.1 h1:FyBdsRqqHH4LctMLL+BL2oGO+ONcIPwn96ctofCVtNE=
|
||||
github.com/pavlo-v-chernykh/keystore-go/v4 v4.4.1/go.mod h1:lAVhWwbNaveeJmxrxuSTxMgKpF6DjnuVpn6T8WiBwYQ=
|
||||
github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
|
||||
github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
|
||||
github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
|
||||
@ -1160,8 +1160,8 @@ golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su
|
||||
golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
|
||||
golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
|
||||
golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
|
||||
golang.org/x/net v0.0.0-20220921155015-db77216a4ee9 h1:SdDGdqRuKrF2R4XGcnPzcvZ63c/55GvhoHUus0o+BNI=
|
||||
golang.org/x/net v0.0.0-20220921155015-db77216a4ee9/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
|
||||
golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
|
||||
golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
|
||||
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
|
||||
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
@ -1289,11 +1289,13 @@ golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBc
|
||||
golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 h1:WIoqL4EROvwiPdUtaip4VcDdpZ4kha7wBWZrbVKCIZg=
|
||||
golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
|
||||
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
|
||||
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
|
||||
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
|
||||
golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY=
|
||||
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
|
||||
golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
@ -1303,8 +1305,9 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
|
||||
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
|
||||
golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
|
||||
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
|
||||
golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||
@ -1618,8 +1621,8 @@ gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
|
||||
gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
|
||||
gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
|
||||
gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
|
||||
helm.sh/helm/v3 v3.10.0 h1:y/MYONZ/bsld9kHwqgBX2uPggnUr5hahpjwt9/jrHlI=
|
||||
helm.sh/helm/v3 v3.10.0/go.mod h1:paPw0hO5KVfrCMbi1M8+P8xdfBri3IiJiVKATZsFR94=
|
||||
helm.sh/helm/v3 v3.10.3 h1:wL7IUZ7Zyukm5Kz0OUmIFZgKHuAgByCrUcJBtY0kDyw=
|
||||
helm.sh/helm/v3 v3.10.3/go.mod h1:CXOcs02AYvrlPMWARNYNRgf2rNP7gLJQsi/Ubd4EDrI=
|
||||
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||
honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||
honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||
|
||||
@ -41,7 +41,7 @@ fi
|
||||
|
||||
echo "+++ verifying that generated CRDs are up-to-date..." >&2
|
||||
|
||||
tmpdir="$(mktemp -d)"
|
||||
tmpdir="$(mktemp -d tmp-CHECKCRD-XXXXXXXXX --tmpdir)"
|
||||
trap 'rm -r $tmpdir' EXIT
|
||||
|
||||
make PATCH_CRD_OUTPUT_DIR=$tmpdir patch-crds
|
||||
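Review bot: `$tmpdir` is unquoted in the context lines `trap 'rm -r $tmpdir' EXIT` and `make PATCH_CRD_OUTPUT_DIR=$tmpdir patch-crds`; the new `mktemp -d tmp-CHECKCRD-XXXXXXXXX --tmpdir` places the directory under the caller's `TMPDIR`, so a path containing spaces would now split the argument and the trap would delete the wrong thing or nothing. Quoting fixes it: `trap 'rm -rf "$tmpdir"' EXIT` and `make PATCH_CRD_OUTPUT_DIR="$tmpdir" patch-crds`, where `-f` also keeps the trap from failing if the directory is already gone. The enclosing script continues outside the hunk.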
|
||||
@ -55,7 +55,6 @@ LATEST_123_TAG=$(latest_kind_tag "1\\.23")
|
||||
LATEST_124_TAG=$(latest_kind_tag "1\\.24")
|
||||
LATEST_125_TAG=$(latest_kind_tag "1\\.25")
|
||||
|
||||
|
||||
LATEST_120_DIGEST=$(crane digest $KIND_IMAGE_REPO:$LATEST_120_TAG)
|
||||
LATEST_121_DIGEST=$(crane digest $KIND_IMAGE_REPO:$LATEST_121_TAG)
|
||||
LATEST_122_DIGEST=$(crane digest $KIND_IMAGE_REPO:$LATEST_122_TAG)
|
||||
@ -63,6 +62,9 @@ LATEST_123_DIGEST=$(crane digest $KIND_IMAGE_REPO:$LATEST_123_TAG)
|
||||
LATEST_124_DIGEST=$(crane digest $KIND_IMAGE_REPO:$LATEST_124_TAG)
|
||||
LATEST_125_DIGEST=$(crane digest $KIND_IMAGE_REPO:$LATEST_125_TAG)
|
||||
|
||||
# 1.26 is manually added for now, pending a wider rethink of how we can automate bumping of kind images
|
||||
# given that kind release notes say there are specific digests which should be used with specific kind releases
|
||||
|
||||
cat << EOF | tee ./devel/cluster/kind_cluster_node_versions.sh > ./make/kind_images.sh
|
||||
# Copyright 2022 The cert-manager Authors.
|
||||
#
|
||||
@ -87,6 +89,9 @@ KIND_IMAGE_K8S_123=$KIND_IMAGE_REPO@$LATEST_123_DIGEST
|
||||
KIND_IMAGE_K8S_124=$KIND_IMAGE_REPO@$LATEST_124_DIGEST
|
||||
KIND_IMAGE_K8S_125=$KIND_IMAGE_REPO@$LATEST_125_DIGEST
|
||||
|
||||
# Manually set - see hack/latest-kind-images.sh for details
|
||||
KIND_IMAGE_K8S_126=docker.io/kindest/node@sha256:691e24bd2417609db7e589e1a479b902d2e209892a10ce375fab60a8407c7352
|
||||
|
||||
# $KIND_IMAGE_REPO:$LATEST_120_TAG
|
||||
KIND_IMAGE_SHA_K8S_120=$LATEST_120_DIGEST
|
||||
|
||||
@ -105,6 +110,9 @@ KIND_IMAGE_SHA_K8S_124=$LATEST_124_DIGEST
|
||||
# $KIND_IMAGE_REPO:$LATEST_125_TAG
|
||||
KIND_IMAGE_SHA_K8S_125=$LATEST_125_DIGEST
|
||||
|
||||
# Manually set - see hack/latest-kind-images.sh for details
|
||||
KIND_IMAGE_SHA_K8S_126=sha256:691e24bd2417609db7e589e1a479b902d2e209892a10ce375fab60a8407c7352
|
||||
|
||||
# note that these 'full' digests should be avoided since not all tools support them
|
||||
# prefer KIND_IMAGE_K8S_*** instead
|
||||
KIND_IMAGE_FULL_K8S_120=$KIND_IMAGE_REPO:$LATEST_120_TAG@$LATEST_120_DIGEST
|
||||
@ -114,6 +122,8 @@ KIND_IMAGE_FULL_K8S_123=$KIND_IMAGE_REPO:$LATEST_123_TAG@$LATEST_123_DIGEST
|
||||
KIND_IMAGE_FULL_K8S_124=$KIND_IMAGE_REPO:$LATEST_124_TAG@$LATEST_124_DIGEST
|
||||
KIND_IMAGE_FULL_K8S_125=$KIND_IMAGE_REPO:$LATEST_125_TAG@$LATEST_125_DIGEST
|
||||
|
||||
# Manually set - see hack/latest-kind-images.sh for details
|
||||
KIND_IMAGE_FULL_K8S_126=docker.io/kindest/node:v1.26.0@sha256:691e24bd2417609db7e589e1a479b902d2e209892a10ce375fab60a8407c7352
|
||||
EOF
|
||||
|
||||
cat << EOF
|
||||
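Review bot: The 1.26 digest `sha256:691e24bd2417609db7e589e1a479b902d2e209892a10ce375fab60a8407c7352` is written out three times in the heredoc (the `KIND_IMAGE_K8S_126`, `KIND_IMAGE_SHA_K8S_126` and `KIND_IMAGE_FULL_K8S_126` lines), so a future bump must edit all three consistently or the generated files drift apart. Defining it once next to the other `LATEST_*_DIGEST` variables and referencing it from the heredoc, as the other versions already do, keeps a single source of truth; the generated `# Manually set` comments can stay as they are. The why-comment on the new variable should also say which kind release the digest is published with, since that is the reason it is pinned by hand.
```shell
LATEST_125_DIGEST=$(crane digest $KIND_IMAGE_REPO:$LATEST_125_TAG)
# 1.26 is pinned manually (see the comment below); keeping the digest in one place
# stops the three generated KIND_*_126 variables from drifting apart.
LATEST_126_DIGEST=sha256:691e24bd2417609db7e589e1a479b902d2e209892a10ce375fab60a8407c7352
# … unchanged: 1.26 rethink comment, heredoc header, 1.20-1.25 blocks …
KIND_IMAGE_K8S_126=docker.io/kindest/node@$LATEST_126_DIGEST
# … unchanged: SHA block …
KIND_IMAGE_SHA_K8S_126=$LATEST_126_DIGEST
# … unchanged: FULL block …
KIND_IMAGE_FULL_K8S_126=docker.io/kindest/node:v1.26.0@$LATEST_126_DIGEST
```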
|
||||
@ -64,7 +64,3 @@ func (c *Client) Token() string {
|
||||
func (c *Client) RawRequest(r *vault.Request) (*vault.Response, error) {
|
||||
return c.RawRequestFn(r)
|
||||
}
|
||||
|
||||
func (c *Client) Sys() *vault.Sys {
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -20,7 +20,6 @@ package fake
|
||||
import (
|
||||
"time"
|
||||
|
||||
vault "github.com/hashicorp/vault/api"
|
||||
corelisters "k8s.io/client-go/listers/core/v1"
|
||||
|
||||
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
|
||||
@ -80,11 +79,6 @@ func (v *Vault) New(ns string, sl corelisters.SecretLister, iss v1.GenericIssuer
|
||||
return v, nil
|
||||
}
|
||||
|
||||
// Sys returns an empty `vault.Sys`.
|
||||
func (v *Vault) Sys() *vault.Sys {
|
||||
return new(vault.Sys)
|
||||
}
|
||||
|
||||
// IsVaultInitializedAndUnsealed always returns nil
|
||||
func (v *Vault) IsVaultInitializedAndUnsealed() error {
|
||||
return nil
|
||||
|
||||
@ -45,10 +45,8 @@ type ClientBuilder func(namespace string, secretsLister corelisters.SecretLister
|
||||
// Interface implements various high level functionality related to connecting
|
||||
// with a Vault server, verifying its status and signing certificate request for
|
||||
// Vault's certificate.
|
||||
// TODO: Sys() is duplicated here and in Client interface
|
||||
type Interface interface {
|
||||
Sign(csrPEM []byte, duration time.Duration) (certPEM []byte, caPEM []byte, err error)
|
||||
Sys() *vault.Sys
|
||||
IsVaultInitializedAndUnsealed() error
|
||||
}
|
||||
|
||||
@ -57,8 +55,6 @@ type Client interface {
|
||||
NewRequest(method, requestPath string) *vault.Request
|
||||
RawRequest(r *vault.Request) (*vault.Response, error)
|
||||
SetToken(v string)
|
||||
Token() string
|
||||
Sys() *vault.Sys
|
||||
}
|
||||
|
||||
// Vault implements Interface and holds a Vault issuer, secrets lister and a
|
||||
@ -68,7 +64,22 @@ type Vault struct {
|
||||
issuer v1.GenericIssuer
|
||||
namespace string
|
||||
|
||||
// The pattern below, of namespaced and non-namespaced Vault clients, is copied from Hashicorp Nomad:
|
||||
// https://github.com/hashicorp/nomad/blob/6e4410a9b13ce167bc7ef53da97c621b5c9dcd12/nomad/vault.go#L180-L190
|
||||
|
||||
// client is the Vault API client used for Namespace-relative integrations
|
||||
// with the Vault API (anything except `/v1/sys`).
|
||||
// The namespace feature is only available in Vault Enterprise.
|
||||
// The namespace HTTP header (X-Vault-Namespace) is ignored by the open source version of Vault.
|
||||
// See https://www.vaultproject.io/docs/enterprise/namespaces
|
||||
client Client
|
||||
|
||||
// clientSys is the Vault API client used for non-Namespace-relative integrations
|
||||
// with the Vault API (anything involving `/v1/sys`). This client is never configured
|
||||
// with a Vault namespace, because these endpoints may return errors if a namespace
|
||||
// header is provided
|
||||
// See https://developer.hashicorp.com/vault/docs/enterprise/namespaces#root-only-api-paths
|
||||
clientSys Client
|
||||
}
|
||||
|
||||
// New returns a new Vault instance with the given namespace, issuer and
|
||||
@ -92,11 +103,26 @@ func New(namespace string, secretsLister corelisters.SecretLister, issuer v1.Gen
|
||||
return nil, fmt.Errorf("error initializing Vault client: %s", err.Error())
|
||||
}
|
||||
|
||||
if err := v.setToken(client); err != nil {
|
||||
// Set the Vault namespace.
|
||||
// An empty namespace string will cause the client to not send the namespace related HTTP headers to Vault.
|
||||
clientNS := client.WithNamespace(issuer.GetSpec().Vault.Namespace)
|
||||
|
||||
// Use the (maybe) namespaced client to authenticate.
|
||||
// If a Vault namespace is configured, then the authentication endpoints are
|
||||
// expected to be in that namespace.
|
||||
if err := v.setToken(clientNS); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
v.client = client
|
||||
// A client for use with namespaced API paths
|
||||
v.client = clientNS
|
||||
|
||||
// Create duplicate Vault client without a namespace, for interacting with root-only API paths.
|
||||
// For backwards compatibility, this client will use the token from the namespaced client,
|
||||
// although this is probably unnecessary / bad practice, since we only
|
||||
// interact with the sys/health endpoint which is an unauthenticated endpoint:
|
||||
// https://github.com/hashicorp/vault/issues/209#issuecomment-102485565.
|
||||
v.clientSys = clientNS.WithNamespace("")
|
||||
|
||||
return v, nil
|
||||
}
|
||||
@ -124,8 +150,6 @@ func (v *Vault) Sign(csrPEM []byte, duration time.Duration) (cert []byte, ca []b
|
||||
|
||||
request := v.client.NewRequest("POST", url)
|
||||
|
||||
v.addVaultNamespaceToRequest(request)
|
||||
|
||||
if err := request.SetJSONBody(parameters); err != nil {
|
||||
return nil, nil, fmt.Errorf("failed to build vault request: %s", err)
|
||||
}
|
||||
@ -312,8 +336,6 @@ func (v *Vault) requestTokenWithAppRoleRef(client Client, appRole *v1.VaultAppRo
|
||||
return "", fmt.Errorf("error encoding Vault parameters: %s", err.Error())
|
||||
}
|
||||
|
||||
v.addVaultNamespaceToRequest(request)
|
||||
|
||||
resp, err := client.RawRequest(request)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("error logging in to Vault server: %s", err.Error())
|
||||
@ -373,8 +395,6 @@ func (v *Vault) requestTokenWithKubernetesAuth(client Client, kubernetesAuth *v1
|
||||
return "", fmt.Errorf("error encoding Vault parameters: %s", err.Error())
|
||||
}
|
||||
|
||||
v.addVaultNamespaceToRequest(request)
|
||||
|
||||
resp, err := client.RawRequest(request)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("error calling Vault server: %s", err.Error())
|
||||
@ -395,10 +415,6 @@ func (v *Vault) requestTokenWithKubernetesAuth(client Client, kubernetesAuth *v1
|
||||
return token, nil
|
||||
}
|
||||
|
||||
func (v *Vault) Sys() *vault.Sys {
|
||||
return v.client.Sys()
|
||||
}
|
||||
|
||||
func extractCertificatesFromVaultCertificateSecret(secret *certutil.Secret) ([]byte, []byte, error) {
|
||||
parsedBundle, err := certutil.ParsePKIMap(secret.Data)
|
||||
if err != nil {
|
||||
@ -425,8 +441,8 @@ func extractCertificatesFromVaultCertificateSecret(secret *certutil.Secret) ([]b
|
||||
|
||||
func (v *Vault) IsVaultInitializedAndUnsealed() error {
|
||||
healthURL := path.Join("/v1", "sys", "health")
|
||||
healthRequest := v.client.NewRequest("GET", healthURL)
|
||||
healthResp, err := v.client.RawRequest(healthRequest)
|
||||
healthRequest := v.clientSys.NewRequest("GET", healthURL)
|
||||
healthResp, err := v.clientSys.RawRequest(healthRequest)
|
||||
|
||||
if healthResp != nil {
|
||||
defer healthResp.Body.Close()
|
||||
@ -448,16 +464,3 @@ func (v *Vault) IsVaultInitializedAndUnsealed() error {
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (v *Vault) addVaultNamespaceToRequest(request *vault.Request) {
|
||||
vaultIssuer := v.issuer.GetSpec().Vault
|
||||
if vaultIssuer != nil && vaultIssuer.Namespace != "" {
|
||||
if request.Headers != nil {
|
||||
request.Headers.Add("X-VAULT-NAMESPACE", vaultIssuer.Namespace)
|
||||
} else {
|
||||
vaultReqHeaders := http.Header{}
|
||||
vaultReqHeaders.Add("X-VAULT-NAMESPACE", vaultIssuer.Namespace)
|
||||
request.Headers = vaultReqHeaders
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -29,6 +29,7 @@ import (
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
@ -36,11 +37,15 @@ import (
|
||||
vault "github.com/hashicorp/vault/api"
|
||||
"github.com/hashicorp/vault/sdk/helper/certutil"
|
||||
"github.com/hashicorp/vault/sdk/helper/jsonutil"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
clientcorev1 "k8s.io/client-go/listers/core/v1"
|
||||
|
||||
vaultfake "github.com/cert-manager/cert-manager/internal/vault/fake"
|
||||
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
|
||||
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
|
||||
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
|
||||
"github.com/cert-manager/cert-manager/pkg/util/pki"
|
||||
"github.com/cert-manager/cert-manager/test/unit/gen"
|
||||
@ -1182,3 +1187,185 @@ func TestRequestTokenWithAppRoleRef(t *testing.T) {
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestNewWithVaultNamespaces demonstrates that New initializes two Vault
|
||||
// clients, one with a namespace and one without a namespace which is used for
|
||||
// interacting with root-only APIs.
|
||||
func TestNewWithVaultNamespaces(t *testing.T) {
|
||||
type testCase struct {
|
||||
name string
|
||||
vaultNS string
|
||||
}
|
||||
|
||||
tests := []testCase{
|
||||
{
|
||||
name: "without-namespace",
|
||||
vaultNS: "",
|
||||
},
|
||||
{
|
||||
name: "with-namespace",
|
||||
vaultNS: "vault-ns-1",
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range tests {
|
||||
tc := tc
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
c, err := New(
|
||||
"k8s-ns1",
|
||||
listers.FakeSecretListerFrom(listers.NewFakeSecretLister(),
|
||||
listers.SetFakeSecretNamespaceListerGet(
|
||||
&corev1.Secret{
|
||||
Data: map[string][]byte{
|
||||
"key1": []byte("not-used"),
|
||||
},
|
||||
}, nil),
|
||||
),
|
||||
&cmapi.Issuer{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "issuer1",
|
||||
Namespace: "k8s-ns1",
|
||||
},
|
||||
Spec: v1.IssuerSpec{
|
||||
IssuerConfig: v1.IssuerConfig{
|
||||
Vault: &v1.VaultIssuer{
|
||||
Namespace: tc.vaultNS,
|
||||
Auth: cmapi.VaultAuth{
|
||||
TokenSecretRef: &cmmeta.SecretKeySelector{
|
||||
LocalObjectReference: cmmeta.LocalObjectReference{
|
||||
Name: "secret1",
|
||||
},
|
||||
Key: "key1",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
})
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, tc.vaultNS, c.(*Vault).client.(*vault.Client).Namespace(),
|
||||
"The vault client should have the namespace provided in the Issuer recource")
|
||||
assert.Equal(t, "", c.(*Vault).clientSys.(*vault.Client).Namespace(),
|
||||
"The vault sys client should never have a namespace")
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestIsVaultInitiatedAndUnsealedIntegration demonstrates that it interacts only with the
|
||||
// sys/health endpoint and that it supplies the Vault token but not a Vault namespace header.
|
||||
func TestIsVaultInitiatedAndUnsealedIntegration(t *testing.T) {
|
||||
|
||||
const vaultToken = "token1"
|
||||
|
||||
mux := http.NewServeMux()
|
||||
mux.HandleFunc("/v1/sys/health", func(response http.ResponseWriter, request *http.Request) {
|
||||
assert.Empty(t, request.Header.Values("X-Vault-Namespace"), "Unexpected Vault namespace header for root-only API path")
|
||||
assert.Equal(t, vaultToken, request.Header.Get("X-Vault-Token"), "Expected the Vault token for root-only API path")
|
||||
})
|
||||
server := httptest.NewServer(mux)
|
||||
defer server.Close()
|
||||
|
||||
v, err := New(
|
||||
"k8s-ns1",
|
||||
listers.FakeSecretListerFrom(listers.NewFakeSecretLister(),
|
||||
listers.SetFakeSecretNamespaceListerGet(
|
||||
&corev1.Secret{
|
||||
Data: map[string][]byte{
|
||||
"key1": []byte(vaultToken),
|
||||
},
|
||||
}, nil),
|
||||
),
|
||||
&cmapi.Issuer{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "issuer1",
|
||||
Namespace: "k8s-ns1",
|
||||
},
|
||||
Spec: v1.IssuerSpec{
|
||||
IssuerConfig: v1.IssuerConfig{
|
||||
Vault: &v1.VaultIssuer{
|
||||
Server: server.URL,
|
||||
Namespace: "ns1",
|
||||
Auth: cmapi.VaultAuth{
|
||||
TokenSecretRef: &cmmeta.SecretKeySelector{
|
||||
LocalObjectReference: cmmeta.LocalObjectReference{
|
||||
Name: "secret1",
|
||||
},
|
||||
Key: "key1",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
err = v.IsVaultInitializedAndUnsealed()
|
||||
require.NoError(t, err)
|
||||
}
|
||||
|
||||
// TestSignIntegration demonstrates that it interacts only with the API endpoint
|
||||
// path supplied in the Issuer resource and that it supplies the Vault namespace
|
||||
// and token to that endpoint.
|
||||
func TestSignIntegration(t *testing.T) {
|
||||
const (
|
||||
vaultToken = "token1"
|
||||
vaultNamespace = "vault-ns-1"
|
||||
vaultPath = "my_pki_mount/sign/my-role-name"
|
||||
)
|
||||
|
||||
privatekey := generateRSAPrivateKey(t)
|
||||
csrPEM := generateCSR(t, privatekey)
|
||||
|
||||
rootBundleData, err := bundlePEM(testIntermediateCa, testRootCa)
|
||||
require.NoError(t, err)
|
||||
|
||||
mux := http.NewServeMux()
|
||||
mux.HandleFunc(fmt.Sprintf("/v1/%s", vaultPath), func(response http.ResponseWriter, request *http.Request) {
|
||||
assert.Equal(t, vaultNamespace, request.Header.Get("X-Vault-Namespace"), "Expected Vault namespace header for namespaced API path")
|
||||
assert.Equal(t, vaultToken, request.Header.Get("X-Vault-Token"), "Expected the Vault token for root-only API path")
|
||||
_, err := response.Write(rootBundleData)
|
||||
require.NoError(t, err)
|
||||
})
|
||||
server := httptest.NewServer(mux)
|
||||
defer server.Close()
|
||||
|
||||
v, err := New(
|
||||
"k8s-ns1",
|
||||
listers.FakeSecretListerFrom(listers.NewFakeSecretLister(),
|
||||
listers.SetFakeSecretNamespaceListerGet(
|
||||
&corev1.Secret{
|
||||
Data: map[string][]byte{
|
||||
"key1": []byte(vaultToken),
|
||||
},
|
||||
}, nil),
|
||||
),
|
||||
&cmapi.Issuer{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "issuer1",
|
||||
Namespace: "k8s-ns1",
|
||||
},
|
||||
Spec: v1.IssuerSpec{
|
||||
IssuerConfig: v1.IssuerConfig{
|
||||
Vault: &v1.VaultIssuer{
|
||||
Server: server.URL,
|
||||
Path: vaultPath,
|
||||
Namespace: vaultNamespace,
|
||||
Auth: cmapi.VaultAuth{
|
||||
TokenSecretRef: &cmmeta.SecretKeySelector{
|
||||
LocalObjectReference: cmmeta.LocalObjectReference{
|
||||
Name: "secret1",
|
||||
},
|
||||
Key: "key1",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
certPEM, caPEM, err := v.Sign(csrPEM, time.Hour)
|
||||
require.NoError(t, err)
|
||||
require.NotEmpty(t, certPEM)
|
||||
require.NotEmpty(t, caPEM)
|
||||
}
|
||||
|
||||
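Review bot: The handler in TestSignIntegration calls `require.NoError(t, err)` after `response.Write(rootBundleData)`, but that runs on the httptest server's handler goroutine, and `require` calls `t.FailNow`, which the testing package only supports from the test goroutine; `assert.NoError(t, err)` there would report the failure reliably, matching the other assertions in the handler. The assertion message on the X-Vault-Token check in that same handler says "root-only API path" although the handler serves the namespaced sign path, and "recource" in TestNewWithVaultNamespaces should read "resource". Both new integration tests authenticate only via TokenSecretRef, so the namespace-header behaviour of the AppRole and Kubernetes login paths, which the vault.go hunks now route through the namespaced client, is not covered here; a sibling test registering the login endpoint and asserting on the X-Vault-Namespace header would close that gap.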
@ -1,11 +1,11 @@
|
||||
# autogenerated by hack/latest-base-images.sh
|
||||
STATIC_BASE_IMAGE_amd64 := gcr.io/distroless/static@sha256:99252947b483b5c14d0004c633964d1a235776a3d70f5ca355e9ef8d24cb8275
|
||||
STATIC_BASE_IMAGE_arm64 := gcr.io/distroless/static@sha256:9363a36eb72591c3e501d4072406aab2eff3899fe4dfbd131b038e53ed56ba80
|
||||
STATIC_BASE_IMAGE_s390x := gcr.io/distroless/static@sha256:78e1f66d521df86c93a344ba44dfe99c60671848a33944c955cf178cf6b912cc
|
||||
STATIC_BASE_IMAGE_arm := gcr.io/distroless/static@sha256:98e098bfea31fa6090f8ee7bb558a573fc1ee2d8b74fa4856c43b97b21f8a75e
|
||||
STATIC_BASE_IMAGE_ppc64le := gcr.io/distroless/static@sha256:1105995233315eb338996ab515b697c6dec9a08a1f1080911e2f9a25520e58cd
|
||||
DYNAMIC_BASE_IMAGE_amd64 := gcr.io/distroless/base@sha256:826bce53be26d70d4c7a99d1bdadef47f73134ed47b90b8480a2f4a96b300461
|
||||
DYNAMIC_BASE_IMAGE_arm64 := gcr.io/distroless/base@sha256:520b5d929d01aa5867b28de37b80b3b8c6479c11072d8398fd1cf6cf66343c17
|
||||
DYNAMIC_BASE_IMAGE_s390x := gcr.io/distroless/base@sha256:e7fda00b189020c7683e862c087a00832f7293f056e2d70da96cb17dadb233ea
|
||||
DYNAMIC_BASE_IMAGE_arm := gcr.io/distroless/base@sha256:4f6eff9ee15b0f9a66d989386c53fc2b8edfae4ba46de841505d8f0222d09311
|
||||
DYNAMIC_BASE_IMAGE_ppc64le := gcr.io/distroless/base@sha256:9f77713a049486c301e75078c4d7c4c726daac6f28fab3dcea9b0ff2828c0401
|
||||
STATIC_BASE_IMAGE_amd64 := gcr.io/distroless/static@sha256:5b2fa762fb6ebf66ff88ae1db2dc4ad8fc6ddf1164477297dfac1a09f20e7339
|
||||
STATIC_BASE_IMAGE_arm64 := gcr.io/distroless/static@sha256:6ecd23a434fca0bca716a7a484aa462d86e4c3d18397701d61b7cccc4d035f6f
|
||||
STATIC_BASE_IMAGE_s390x := gcr.io/distroless/static@sha256:ea565db08ea3f726e7761ffa5ba594c1096bc1741a22c832b4ec1128e5f1ee37
|
||||
STATIC_BASE_IMAGE_arm := gcr.io/distroless/static@sha256:dd7e98090e5415071ef3353055bde559729ad17cd90c3bd4d944c554abd73d12
|
||||
STATIC_BASE_IMAGE_ppc64le := gcr.io/distroless/static@sha256:a77004eb85b3e38fa6963064d44cb8b100988319eb9850eaae77307b043ddfe6
|
||||
DYNAMIC_BASE_IMAGE_amd64 := gcr.io/distroless/base@sha256:839543093a9b27ac281cb9ae15f0272a410001b66720a4884068d74dfcaa7125
|
||||
DYNAMIC_BASE_IMAGE_arm64 := gcr.io/distroless/base@sha256:f62c7dfb39450d8345478f9fbc3aeaeab7ad93672dec31e95828dacf838099fa
|
||||
DYNAMIC_BASE_IMAGE_s390x := gcr.io/distroless/base@sha256:91acb5bd679d98f2a892bd451a3db407c37c9061fc3c4504168db7b034d080e6
|
||||
DYNAMIC_BASE_IMAGE_arm := gcr.io/distroless/base@sha256:e429a3d7f2d9da2775396873507673b3bb0359c51564afa66d3f959b50f71667
|
||||
DYNAMIC_BASE_IMAGE_ppc64le := gcr.io/distroless/base@sha256:a2b00152ac32836bafe09ad5118c4eeade8ab99ff073ac74444aec1fe2ba5e3b
|
||||
|
||||
@ -3,7 +3,7 @@
|
||||
## request or change is merged.
|
||||
##
|
||||
## @category CI
|
||||
ci-presubmit: verify-imports verify-errexit verify-boilerplate verify-codegen verify-crds verify-licenses
|
||||
ci-presubmit: verify-imports verify-errexit verify-boilerplate verify-codegen verify-crds
|
||||
|
||||
.PHONY: verify-imports
|
||||
verify-imports: | $(NEEDS_GOIMPORTS)
|
||||
@ -25,6 +25,9 @@ verify-boilerplate:
|
||||
$(__PYTHON) hack/verify_boilerplate.py
|
||||
|
||||
.PHONY: verify-licenses
|
||||
## Check that the LICENSES file is up to date; must pass before a change to go.mod can be merged
|
||||
##
|
||||
## @category CI
|
||||
verify-licenses: $(BINDIR)/scratch/LATEST-LICENSES
|
||||
@diff $(BINDIR)/scratch/LATEST-LICENSES LICENSES >/dev/null || (echo -e "\033[0;33mLICENSES seem to be out of date; update with 'make update-licenses'\033[0m" && exit 1)
|
||||
|
||||
|
||||
@ -110,6 +110,7 @@ case "$k8s_version" in
|
||||
1.23*) image=$KIND_IMAGE_FULL_K8S_123 ;;
|
||||
1.24*) image=$KIND_IMAGE_FULL_K8S_124 ;;
|
||||
1.25*) image=$KIND_IMAGE_FULL_K8S_125 ;;
|
||||
1.26*) image=$KIND_IMAGE_FULL_K8S_126 ;;
|
||||
v*) printf "${red}${redcross}Error${end}: Kubernetes version must be given without the leading 'v'\n" >&2 && exit 1 ;;
|
||||
*) printf "${red}${redcross}Error${end}: unsupported Kubernetes version ${yel}${k8s_version}${end}\n" >&2 && exit 1 ;;
|
||||
esac
|
||||
|
||||
@ -10,9 +10,9 @@ CRI_ARCH := $(HOST_ARCH)
|
||||
|
||||
# TODO: this version is also defaulted in ./make/cluster.sh. Make it so that it
|
||||
# is set in one place only.
|
||||
K8S_VERSION := 1.24
|
||||
K8S_VERSION := 1.25
|
||||
|
||||
IMAGE_ingressnginx_amd64 := k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:7464dc90abfaa084204176bcc0728f182b0611849395787143f6854dc6c38c85
|
||||
IMAGE_ingressnginx_amd64 := registry.k8s.io/ingress-nginx/controller:v1.1.0@sha256:7464dc90abfaa084204176bcc0728f182b0611849395787143f6854dc6c38c85
|
||||
IMAGE_kyverno_amd64 := ghcr.io/kyverno/kyverno:v1.7.1@sha256:aec4b029660d47aea025336150fdc2822c991f592d5170d754b6acaf158b513e
|
||||
IMAGE_kyvernopre_amd64 := ghcr.io/kyverno/kyvernopre:v1.7.1@sha256:1bcec6bc854720e22f439c6dcea02fcf689f31976babcf03a449d750c2b1f34a
|
||||
IMAGE_vault_amd64 := index.docker.io/library/vault:1.2.3@sha256:b1c86c9e173f15bb4a926e4144a63f7779531c30554ac7aee9b2a408b22b2c01
|
||||
@ -22,7 +22,7 @@ IMAGE_projectcontour_amd64 := ghcr.io/projectcontour/contour:v1.22.0@sha256:c8ee
|
||||
IMAGE_pebble_amd64 := local/pebble:local
|
||||
IMAGE_vaultretagged_amd64 := local/vault:local
|
||||
|
||||
IMAGE_ingressnginx_arm64 := k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:86be28e506653cbe29214cb272d60e7c8841ddaf530da29aa22b1b1017faa956
|
||||
IMAGE_ingressnginx_arm64 := registry.k8s.io/ingress-nginx/controller:v1.1.0@sha256:86be28e506653cbe29214cb272d60e7c8841ddaf530da29aa22b1b1017faa956
|
||||
IMAGE_kyverno_arm64 := ghcr.io/kyverno/kyverno:v1.7.1@sha256:4355f1f65ea5e952886e929a15628f0c6704905035b4741c6f560378871c9335
|
||||
IMAGE_kyvernopre_arm64 := ghcr.io/kyverno/kyvernopre:v1.7.1@sha256:141234fb74242155c7b843180b90ee5fb6a20c9e77598bd9c138c687059cdafd
|
||||
IMAGE_vault_arm64 := index.docker.io/library/vault:1.2.3@sha256:226a269b83c4b28ff8a512e76f1e7b707eccea012e4c3ab4c7af7fff1777ca2d
|
||||
@ -229,6 +229,7 @@ e2e-setup-ingressnginx: $(call image-tar,ingressnginx) load-$(call image-tar,ing
|
||||
--namespace ingress-nginx \
|
||||
--create-namespace \
|
||||
--set controller.image.tag=$(TAG) \
|
||||
--set controller.image.registry=registry.k8s.io \
|
||||
--set controller.image.digest= \
|
||||
--set controller.image.pullPolicy=Never \
|
||||
--set controller.service.clusterIP=${SERVICE_IP_PREFIX}.15 \
|
||||
@ -315,7 +316,7 @@ e2e-setup-projectcontour: $(call image-tar,projectcontour) load-$(call image-tar
|
||||
$(HELM) upgrade \
|
||||
--install \
|
||||
--wait \
|
||||
--version 7.8.1 \
|
||||
--version 10.0.1 \
|
||||
--namespace projectcontour \
|
||||
--create-namespace \
|
||||
--set contour.ingressClass.create=false \
|
||||
|
||||
@ -21,6 +21,9 @@ KIND_IMAGE_K8S_123=docker.io/kindest/node@sha256:9402cf1330bbd3a0d097d2033fa489b
|
||||
KIND_IMAGE_K8S_124=docker.io/kindest/node@sha256:97e8d00bc37a7598a0b32d1fabd155a96355c49fa0d4d4790aab0f161bf31be1
|
||||
KIND_IMAGE_K8S_125=docker.io/kindest/node@sha256:9be91e9e9cdf116809841fc77ebdb8845443c4c72fe5218f3ae9eb57fdb4bace
|
||||
|
||||
# Manually set - see hack/latest-kind-images.sh for details
|
||||
KIND_IMAGE_K8S_126=docker.io/kindest/node@sha256:691e24bd2417609db7e589e1a479b902d2e209892a10ce375fab60a8407c7352
|
||||
|
||||
# docker.io/kindest/node:v1.20.15
|
||||
KIND_IMAGE_SHA_K8S_120=sha256:d67de8f84143adebe80a07672f370365ec7d23f93dc86866f0e29fa29ce026fe
|
||||
|
||||
@ -39,6 +42,9 @@ KIND_IMAGE_SHA_K8S_124=sha256:97e8d00bc37a7598a0b32d1fabd155a96355c49fa0d4d4790a
|
||||
# docker.io/kindest/node:v1.25.2
|
||||
KIND_IMAGE_SHA_K8S_125=sha256:9be91e9e9cdf116809841fc77ebdb8845443c4c72fe5218f3ae9eb57fdb4bace
|
||||
|
||||
# Manually set - see hack/latest-kind-images.sh for details
|
||||
KIND_IMAGE_SHA_K8S_126=sha256:691e24bd2417609db7e589e1a479b902d2e209892a10ce375fab60a8407c7352
|
||||
|
||||
# note that these 'full' digests should be avoided since not all tools support them
|
||||
# prefer KIND_IMAGE_K8S_*** instead
|
||||
KIND_IMAGE_FULL_K8S_120=docker.io/kindest/node:v1.20.15@sha256:d67de8f84143adebe80a07672f370365ec7d23f93dc86866f0e29fa29ce026fe
|
||||
@ -48,3 +54,5 @@ KIND_IMAGE_FULL_K8S_123=docker.io/kindest/node:v1.23.12@sha256:9402cf1330bbd3a0d
|
||||
KIND_IMAGE_FULL_K8S_124=docker.io/kindest/node:v1.24.6@sha256:97e8d00bc37a7598a0b32d1fabd155a96355c49fa0d4d4790aab0f161bf31be1
|
||||
KIND_IMAGE_FULL_K8S_125=docker.io/kindest/node:v1.25.2@sha256:9be91e9e9cdf116809841fc77ebdb8845443c4c72fe5218f3ae9eb57fdb4bace
|
||||
|
||||
# Manually set - see hack/latest-kind-images.sh for details
|
||||
KIND_IMAGE_FULL_K8S_126=docker.io/kindest/node:v1.26.0@sha256:691e24bd2417609db7e589e1a479b902d2e209892a10ce375fab60a8407c7352
|
||||
|
||||
@ -41,23 +41,23 @@ release-manifests: $(BINDIR)/scratch/cert-manager-manifests-unsigned.tar.gz
|
||||
## @category Release
|
||||
release-manifests-signed: $(BINDIR)/release/cert-manager-manifests.tar.gz $(BINDIR)/metadata/cert-manager-manifests.tar.gz.metadata.json
|
||||
|
||||
$(BINDIR)/release/cert-manager-manifests.tar.gz: $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz $(BINDIR)/yaml/cert-manager.crds.yaml $(BINDIR)/yaml/cert-manager.yaml $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz.prov | $(BINDIR)/scratch/manifests $(BINDIR)/release
|
||||
mkdir -p $(BINDIR)/scratch/manifests/deploy/chart/
|
||||
mkdir -p $(BINDIR)/scratch/manifests/deploy/manifests/
|
||||
cp $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz.prov $(BINDIR)/scratch/manifests/deploy/chart/
|
||||
cp $(BINDIR)/yaml/cert-manager.crds.yaml $(BINDIR)/yaml/cert-manager.yaml $(BINDIR)/scratch/manifests/deploy/manifests/
|
||||
$(BINDIR)/release/cert-manager-manifests.tar.gz: $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz $(BINDIR)/yaml/cert-manager.crds.yaml $(BINDIR)/yaml/cert-manager.yaml $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz.prov | $(BINDIR)/scratch/manifests-signed $(BINDIR)/release
|
||||
mkdir -p $(BINDIR)/scratch/manifests-signed/deploy/chart/
|
||||
mkdir -p $(BINDIR)/scratch/manifests-signed/deploy/manifests/
|
||||
cp $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz.prov $(BINDIR)/scratch/manifests-signed/deploy/chart/
|
||||
cp $(BINDIR)/yaml/cert-manager.crds.yaml $(BINDIR)/yaml/cert-manager.yaml $(BINDIR)/scratch/manifests-signed/deploy/manifests/
|
||||
# removes leading ./ from archived paths
|
||||
find $(BINDIR)/scratch/manifests -maxdepth 1 -mindepth 1 | sed 's|.*/||' | tar czf $@ -C $(BINDIR)/scratch/manifests -T -
|
||||
rm -rf $(BINDIR)/scratch/manifests
|
||||
find $(BINDIR)/scratch/manifests-signed -maxdepth 1 -mindepth 1 | sed 's|.*/||' | tar czf $@ -C $(BINDIR)/scratch/manifests-signed -T -
|
||||
rm -rf $(BINDIR)/scratch/manifests-signed
|
||||
|
||||
$(BINDIR)/scratch/cert-manager-manifests-unsigned.tar.gz: $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz $(BINDIR)/yaml/cert-manager.crds.yaml $(BINDIR)/yaml/cert-manager.yaml | $(BINDIR)/scratch/manifests
|
||||
mkdir -p $(BINDIR)/scratch/manifests/deploy/chart/
|
||||
mkdir -p $(BINDIR)/scratch/manifests/deploy/manifests/
|
||||
cp $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz $(BINDIR)/scratch/manifests/deploy/chart/
|
||||
cp $(BINDIR)/yaml/cert-manager.crds.yaml $(BINDIR)/yaml/cert-manager.yaml $(BINDIR)/scratch/manifests/deploy/manifests/
|
||||
$(BINDIR)/scratch/cert-manager-manifests-unsigned.tar.gz: $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz $(BINDIR)/yaml/cert-manager.crds.yaml $(BINDIR)/yaml/cert-manager.yaml | $(BINDIR)/scratch/manifests-unsigned
|
||||
mkdir -p $(BINDIR)/scratch/manifests-unsigned/deploy/chart/
|
||||
mkdir -p $(BINDIR)/scratch/manifests-unsigned/deploy/manifests/
|
||||
cp $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz $(BINDIR)/scratch/manifests-unsigned/deploy/chart/
|
||||
cp $(BINDIR)/yaml/cert-manager.crds.yaml $(BINDIR)/yaml/cert-manager.yaml $(BINDIR)/scratch/manifests-unsigned/deploy/manifests/
|
||||
# removes leading ./ from archived paths
|
||||
find $(BINDIR)/scratch/manifests -maxdepth 1 -mindepth 1 | sed 's|.*/||' | tar czf $@ -C $(BINDIR)/scratch/manifests -T -
|
||||
rm -rf $(BINDIR)/scratch/manifests
|
||||
find $(BINDIR)/scratch/manifests-unsigned -maxdepth 1 -mindepth 1 | sed 's|.*/||' | tar czf $@ -C $(BINDIR)/scratch/manifests-unsigned -T -
|
||||
rm -rf $(BINDIR)/scratch/manifests-unsigned
|
||||
|
||||
# This metadata blob is constructed slightly differently and doesn't use hack/artifact-metadata.template.json directly;
|
||||
# this is because the bazel staged releases didn't include an "os" or "architecture" field for this artifact
|
||||
@ -164,7 +164,10 @@ $(BINDIR)/helm/cert-manager/templates:
|
||||
$(BINDIR)/scratch/yaml:
|
||||
@mkdir -p $@
|
||||
|
||||
$(BINDIR)/scratch/manifests:
|
||||
$(BINDIR)/scratch/manifests-unsigned:
|
||||
@mkdir -p $@
|
||||
|
||||
$(BINDIR)/scratch/manifests-signed:
|
||||
@mkdir -p $@
|
||||
|
||||
$(BINDIR)/yaml/templated-crds:
|
||||
|
||||
@ -11,7 +11,7 @@ export PATH := $(PWD)/$(BINDIR)/tools:$(PATH)
|
||||
CTR=docker
|
||||
|
||||
TOOLS :=
|
||||
TOOLS += helm=v3.10.0
|
||||
TOOLS += helm=v3.11.1
|
||||
TOOLS += kubectl=v1.25.2
|
||||
TOOLS += kind=v0.16.0
|
||||
TOOLS += controller-gen=v0.10.0
|
||||
@ -36,7 +36,7 @@ KUBEBUILDER_ASSETS_VERSION=1.25.0
|
||||
TOOLS += etcd=$(KUBEBUILDER_ASSETS_VERSION)
|
||||
TOOLS += kube-apiserver=$(KUBEBUILDER_ASSETS_VERSION)
|
||||
|
||||
VENDORED_GO_VERSION := 1.19.1
|
||||
VENDORED_GO_VERSION := 1.19.6
|
||||
|
||||
# When switching branches which use different versions of the tools, we
|
||||
# need a way to re-trigger the symlinking from $(BINDIR)/downloaded to $(BINDIR)/tools.
|
||||
@ -211,9 +211,9 @@ $(foreach GO_DEPENDENCY,$(GO_DEPENDENCIES),$(eval $(call go_dependency,$(word 1,
|
||||
# Helm #
|
||||
########
|
||||
|
||||
HELM_linux_amd64_SHA256SUM=bf56beb418bb529b5e0d6d43d56654c5a03f89c98400b409d1013a33d9586474
|
||||
HELM_darwin_amd64_SHA256SUM=1e7fd528482ac2ef2d79fe300724b3e07ff6f846a2a9b0b0fe6f5fa05691786b
|
||||
HELM_darwin_arm64_SHA256SUM=f7f6558ebc8211824032a7fdcf0d55ad064cb33ec1eeec3d18057b9fe2e04dbe
|
||||
HELM_linux_amd64_SHA256SUM=0b1be96b66fab4770526f136f5f1a385a47c41923d33aab0dcb500e0f6c1bf7c
|
||||
HELM_darwin_amd64_SHA256SUM=2548a90e5cc957ccc5016b47060665a9d2cd4d5b4d61dcc32f5de3144d103826
|
||||
HELM_darwin_arm64_SHA256SUM=43d0198a7a2ea2639caafa81bb0596c97bee2d4e40df50b36202343eb4d5c46b
|
||||
|
||||
$(BINDIR)/downloaded/tools/helm@$(HELM_VERSION)_%: | $(BINDIR)/downloaded/tools
|
||||
$(CURL) https://get.helm.sh/helm-$(HELM_VERSION)-$(subst _,-,$*).tar.gz -o $@.tar.gz
|
||||
|
||||
@ -112,7 +112,10 @@ func (c *Config) Complete() CompletedConfig {
|
||||
return CompletedConfig{&completedCfg}
|
||||
}
|
||||
|
||||
// New returns a new instance of AdmissionServer from the given config.
|
||||
// New returns a new instance of apiserver from the given config. Each of the
|
||||
// configured solvers will have an API GroupVersion registered with the new
|
||||
// apiserver and will have its Initialize function passed as post-start hook
|
||||
// with the server.
|
||||
func (c completedConfig) New() (*ChallengeServer, error) {
|
||||
genericServer, err := c.GenericConfig.New("challenge-server", genericapiserver.NewEmptyDelegate()) // completion is done in Complete, no need for a second time
|
||||
if err != nil {
|
||||
|
||||
@ -29,6 +29,11 @@ import (
|
||||
logf "github.com/cert-manager/cert-manager/pkg/logs"
|
||||
)
|
||||
|
||||
// RunWebhookServer creates and starts a new apiserver that acts as a external
|
||||
// webhook server for solving DNS challenges using the provided solver
|
||||
// implementations. This can be used as an entry point by external webhook
|
||||
// implementations, see
|
||||
// https://github.com/cert-manager/webhook-example/blob/899c408751425f8d0842b61c0e62fd8035d00316/main.go#L23-L31
|
||||
func RunWebhookServer(groupName string, hooks ...webhook.Solver) {
|
||||
stopCh, exit := util.SetupExitHandler(util.GracefulShutdown)
|
||||
defer exit() // This function might call os.Exit, so defer last
|
||||
|
||||
@ -97,6 +97,9 @@ func (o *WebhookServerOptions) Complete() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// Config creates a new webhook server config that includes generic upstream
|
||||
// apiserver options, rest client config and the Solvers configured for this
|
||||
// webhook server
|
||||
func (o WebhookServerOptions) Config() (*apiserver.Config, error) {
|
||||
// TODO have a "real" external address
|
||||
if err := o.RecommendedOptions.SecureServing.MaybeDefaultWithSelfSignedCerts("localhost", nil, []net.IP{net.ParseIP("127.0.0.1")}); err != nil {
|
||||
@ -118,6 +121,8 @@ func (o WebhookServerOptions) Config() (*apiserver.Config, error) {
|
||||
return config, nil
|
||||
}
|
||||
|
||||
// RunWebhookServer creates a new apiserver, registers an API Group for each of
|
||||
// the configured solvers and runs the new apiserver.
|
||||
func (o WebhookServerOptions) RunWebhookServer(stopCh <-chan struct{}) error {
|
||||
config, err := o.Config()
|
||||
if err != nil {
|
||||
|
||||
@ -24,7 +24,9 @@ import (
|
||||
whapi "github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
|
||||
)
|
||||
|
||||
// Solver has the functionality to solve ACME challenges.
|
||||
// Solver has the functionality to solve ACME challenges. This interface is
|
||||
// implemented internally by RFC2136 DNS provider and by external webhook solver
|
||||
// implementations see https://github.com/cert-manager/webhook-example
|
||||
type Solver interface {
|
||||
// Name is the name of this ACME solver as part of the API group.
|
||||
// This must match what you configure in the ACME Issuer's DNS01 config.
|
||||
@ -41,5 +43,6 @@ type Solver interface {
|
||||
CleanUp(ch *whapi.ChallengeRequest) error
|
||||
|
||||
// Initialize is called as a post-start hook when the apiserver starts.
|
||||
// https://github.com/kubernetes/apiserver/blob/release-1.26/pkg/server/hooks.go#L32-L42
|
||||
Initialize(kubeClientConfig *restclient.Config, stopCh <-chan struct{}) error
|
||||
}
|
||||
|
||||
@ -26,6 +26,7 @@ import (
|
||||
"k8s.io/client-go/util/workqueue"
|
||||
|
||||
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
|
||||
cmdoc "github.com/cert-manager/cert-manager/pkg/apis/certmanager"
|
||||
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
|
||||
clientv1 "github.com/cert-manager/cert-manager/pkg/client/listers/certmanager/v1"
|
||||
controllerpkg "github.com/cert-manager/cert-manager/pkg/controller"
|
||||
@ -85,6 +86,11 @@ func certificateRequestsForSecret(log logr.Logger,
|
||||
dbg.Info("checking if self signed certificate requests reference secret")
|
||||
var affected []*cmapi.CertificateRequest
|
||||
for _, request := range requests {
|
||||
if request.Spec.IssuerRef.Group != cmdoc.GroupName {
|
||||
dbg.Info("skipping SelfSigned secret reference checks since issuer has external group", "group", request.Spec.IssuerRef.Group)
|
||||
continue
|
||||
}
|
||||
|
||||
issuerObj, err := helper.GetGenericIssuer(request.Spec.IssuerRef, request.Namespace)
|
||||
if k8sErrors.IsNotFound(err) {
|
||||
dbg.Info("issuer not found, skipping")
|
||||
|
||||
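Review bot: The new check `if request.Spec.IssuerRef.Group != cmdoc.GroupName {` also skips any request whose IssuerRef.Group is the empty string, so if an unset group is still accepted as meaning the cert-manager group elsewhere on the request path, those SelfSigned requests would silently stop being re-queued when their private-key secret changes; either normalise the group before comparing or add a comment stating that an empty group is intentionally excluded here. The accompanying case in Test_certificatesRequestsForSecret only exercises `Group: "not-cert-manager.io"`; an empty-group case would pin whichever behaviour is intended. certificateRequestsForSecret starts before and ends after this hunk.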
@ -225,6 +225,20 @@ func Test_certificatesRequestsForSecret(t *testing.T) {
|
||||
},
|
||||
expectedAffected: []*cmapi.CertificateRequest{},
|
||||
},
|
||||
"if issuer has different group, do nothing": {
|
||||
existingCRs: []runtime.Object{
|
||||
gen.CertificateRequest("a",
|
||||
gen.SetCertificateRequestNamespace("test-namespace"),
|
||||
gen.SetCertificateRequestAnnotations(map[string]string{
|
||||
"cert-manager.io/private-key-secret-name": "test-secret",
|
||||
}), gen.SetCertificateRequestIssuer(cmmeta.ObjectReference{
|
||||
Name: "a", Kind: "Keith", Group: "not-cert-manager.io",
|
||||
}),
|
||||
),
|
||||
},
|
||||
existingIssuers: []runtime.Object{},
|
||||
expectedAffected: []*cmapi.CertificateRequest{},
|
||||
},
|
||||
"should not return requests which are in a different namespace": {
|
||||
existingCRs: []runtime.Object{
|
||||
gen.CertificateRequest("a",
|
||||
|
||||
@ -488,9 +488,10 @@ func (s *Solver) dns01SolverForConfig(config *cmacme.ACMEChallengeSolverDNS01) (
|
||||
// NewSolver creates a Solver which can instantiate the appropriate DNS
|
||||
// provider.
|
||||
func NewSolver(ctx *controller.Context) (*Solver, error) {
|
||||
secretsLister := ctx.KubeSharedInformerFactory.Core().V1().Secrets().Lister()
|
||||
webhookSolvers := []webhook.Solver{
|
||||
&webhookslv.Webhook{},
|
||||
rfc2136.New(rfc2136.WithNamespace(ctx.Namespace)),
|
||||
rfc2136.New(rfc2136.WithNamespace(ctx.Namespace), rfc2136.WithSecretsLister(secretsLister)),
|
||||
}
|
||||
|
||||
initialized := make(map[string]webhook.Solver)
|
||||
|
||||
@ -33,8 +33,12 @@ import (
|
||||
logf "github.com/cert-manager/cert-manager/pkg/logs"
|
||||
)
|
||||
|
||||
const SolverName = "rfc2136"
|
||||
|
||||
type Solver struct {
|
||||
secretLister corelisters.SecretLister
|
||||
// options to apply when the lister gets initialized
|
||||
initOpts []Option
|
||||
|
||||
// If specified, namespace will cause the rfc2136 provider to limit the
|
||||
// scope of the lister/watcher to a single namespace, to allow for
|
||||
@ -50,6 +54,27 @@ func WithNamespace(ns string) Option {
|
||||
}
|
||||
}
|
||||
|
||||
func WithSecretsLister(secretLister corelisters.SecretLister) Option {
|
||||
return func(s *Solver) {
|
||||
s.secretLister = secretLister
|
||||
}
|
||||
}
|
||||
|
||||
// InitializeResetLister is a hack to make RFC2136 solver fit the Solver
|
||||
// interface. Unlike external solvers that are run as apiserver implementations,
|
||||
// this solver is created as part of challenge controller initialization. That
|
||||
// makes its Initialize method not fit the Solver interface very well as we want
|
||||
// a way to initialize the solver with the existing Secrets lister rather than a
|
||||
// new kube apiserver client. InitializeResetLister allows to reset secrets
|
||||
// lister when Initialize function is called so that a new lister can be
|
||||
// created. This is useful in tests where a kube clientset can get recreated for
|
||||
// an existing solver (which would not happen when this solver runs normally).
|
||||
func InitializeResetLister() Option {
|
||||
return func(s *Solver) {
|
||||
s.initOpts = []Option{func(s *Solver) { s.secretLister = nil }}
|
||||
}
|
||||
}
|
||||
|
||||
func New(opts ...Option) *Solver {
|
||||
s := &Solver{}
|
||||
for _, o := range opts {
|
||||
@ -59,7 +84,7 @@ func New(opts ...Option) *Solver {
|
||||
}
|
||||
|
||||
func (s *Solver) Name() string {
return "rfc2136"
return SolverName
}
func (s *Solver) Present(ch *whapi.ChallengeRequest) error {
@ -91,18 +116,25 @@ func (s *Solver) CleanUp(ch *whapi.ChallengeRequest) error {
}
func (s *Solver) Initialize(kubeClientConfig *restclient.Config, stopCh <-chan struct{}) error {
cl, err := kubernetes.NewForConfig(kubeClientConfig)
if err != nil {
return err
for _, opt := range s.initOpts {
opt(s)
}
// Only start a secrets informerfactory if it is needed (if the solver
// is not already initialized with a secrets lister) This is legacy
// functionality and is currently only used in integration tests.
if s.secretLister == nil {
cl, err := kubernetes.NewForConfig(kubeClientConfig)
if err != nil {
return err
}
// obtain a secret lister and start the informer factory to populate the
// secret cache
factory := informers.NewSharedInformerFactoryWithOptions(cl, time.Minute*5, informers.WithNamespace(s.namespace))
s.secretLister = factory.Core().V1().Secrets().Lister()
factory.Start(stopCh)
factory.WaitForCacheSync(stopCh)
// obtain a secret lister and start the informer factory to populate the
// secret cache
factory := informers.NewSharedInformerFactoryWithOptions(cl, time.Minute*5, informers.WithNamespace(s.namespace))
s.secretLister = factory.Core().V1().Secrets().Lister()
factory.Start(stopCh)
factory.WaitForCacheSync(stopCh)
}
return nil
}
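Review bot: The result of `factory.WaitForCacheSync(stopCh)` on the new side is discarded, so if stopCh is closed before the Secrets informer has synced, Initialize still returns nil and the lister then serves an empty cache. A check such as `for typ, ok := range factory.WaitForCacheSync(stopCh) { if !ok { return fmt.Errorf("waiting for %v cache to sync", typ) } }` turns that into an error (assuming fmt is imported in this file, which the hunk does not show). The added comment is also missing a sentence break: `// is not already initialized with a secrets lister). This is legacy`. In the earlier hunk the new exported `WithSecretsLister` has no doc comment; `// WithSecretsLister makes the Solver use an existing Secrets lister instead of starting its own informer in Initialize.` would do.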
@ -17,7 +17,11 @@ limitations under the License.
package client
import (
"crypto/tls"
"crypto/x509"
"fmt"
"net"
"net/http"
"time"
vcert "github.com/Venafi/vcert/v4"
@ -135,28 +139,27 @@ func configForIssuer(iss cmapi.GenericIssuer, secretsLister corelisters.SecretLi
username := string(tppSecret.Data[tppUsernameKey])
password := string(tppSecret.Data[tppPasswordKey])
accessToken := string(tppSecret.Data[tppAccessTokenKey])
caBundle := string(tpp.CABundle)
return &vcert.Config{
ConnectorType: endpoint.ConnectorTypeTPP,
BaseUrl: tpp.URL,
Zone: venCfg.Zone,
// always enable verbose logging for now
LogVerbose: true,
ConnectionTrust: caBundle,
LogVerbose: true,
// We supply the CA bundle here, to trigger the vcert's builtin
// validation of the supplied PEM content.
// This is somewhat redundant because the value (if valid) will be
// ignored by vcert since we also supply a custom HTTP client,
// below. But we want to retain the CA bundle validation errors that
// were returned in previous versions of this code.
// https://github.com/Venafi/vcert/blob/89645a7710a7b529765274cb60dc5e28066217a1/client.go#L55-L61
ConnectionTrust: string(tpp.CABundle),
Credentials: &endpoint.Authentication{
User: username,
Password: password,
AccessToken: accessToken,
},
// this is needed for local development when tunneling to the TPP server
//Client: &http.Client{
// Transport: &http.Transport{
// TLSClientConfig: &tls.Config{
// Renegotiation: tls.RenegotiateOnceAsClient,
// },
// },
//},
Client: httpClientForVcertTPP(tpp.CABundle),
}, nil
case venCfg.Cloud != nil:
cloud := venCfg.Cloud
@ -187,6 +190,84 @@ func configForIssuer(iss cmapi.GenericIssuer, secretsLister corelisters.SecretLi
return nil, fmt.Errorf("neither Venafi Cloud or TPP configuration found")
}
// httpClientForVcertTPP creates an HTTP client and customises it to allow client TLS renegotiation.
//
// Here's why:
//
// 1. The TPP API server is served by Microsoft Windows Server and IIS.
// 2. IIS uses TLS-1.2 by default[1] and it uses a
// TLS-1.2 feature called "renegotiation" to allow client certificate
// settings to be configured at the folder level. e.g.
// https://tpp.example.com/vedauth may Require or Accept client
// certificates while https://tpp.example.com/vedsdk may Ignore
// client certificates.
// 3. When IIS is configured this way it behaves as follows[2]:
// "Server receives a connection request on port 443; it begins a
// handshake. The server does not ask for a client certificate. Once
// the handshake is completed, the client sends the actual target URL
// as a HTTP request in the SSL tunnel. Up to that point, the server
// did not know which page was targeted; it only knew, at best, the
// intended server name (through the Server Name Indication). Now
// that the server knows which page is targeted, he knows which
// "site" (i.e. part of the server, in IIS terminology) is to be
// used."
// 4. In this scenario, the Go HTTP client MUST be configured to
// renegotiate (by default it will refuse to renegotiate).
// We use RenegotiateOnceAsClient rather than RenegotiateFreelyAsClient
// because cert-manager establishes a new HTTPS connection for each API
// request and therefore should only ever need to renegotiate once in this
// scenario.
// 5. But overriding the HTTP client causes vcert to ignore the
// `vcert.Config.ConnectionTrust` field, so we also have to set up the root
// CA trust pool ourselves.
// 6. And the value of RootCAs MUST be nil unless the user has supplied a
// custom CA, because a nil value causes the Go HTTP client to load the
// system default root CAs.
//
// [1] TLS protocol version support in Microsoft Windows: https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-#tls-protocol-version-support
// [2] Should I use SSL/TLS renegotiation?: https://security.stackexchange.com/a/24569
func httpClientForVcertTPP(caBundle []byte) *http.Client {
// Copy vcert's default HTTP transport, which is mostly identical to the
// http.DefaultTransport settings in Go's stdlib.
// https://github.com/Venafi/vcert/blob/89645a7710a7b529765274cb60dc5e28066217a1/pkg/venafi/tpp/tpp.go#L481-L513
transport := &http.Transport{
Proxy: http.ProxyFromEnvironment,
DialContext: (&net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
// Note: This DualStack setting is copied from vcert but
// deviates from the http.DefaultTransport in Go's stdlib.
DualStack: true,
}).DialContext,
MaxIdleConns: 100,
IdleConnTimeout: 90 * time.Second,
TLSHandshakeTimeout: 10 * time.Second,
ExpectContinueTimeout: 1 * time.Second,
}
// Copy vcert's initialization of the TLS client config
tlsClientConfig := http.DefaultTransport.(*http.Transport).TLSClientConfig.Clone()
if tlsClientConfig == nil {
tlsClientConfig = &tls.Config{}
}
if len(caBundle) > 0 {
rootCAs := x509.NewCertPool()
rootCAs.AppendCertsFromPEM(caBundle)
tlsClientConfig.RootCAs = rootCAs
}
transport.TLSClientConfig = tlsClientConfig
// Enable TLS 1.2 renegotiation (see earlier comment for justification).
transport.TLSClientConfig.Renegotiation = tls.RenegotiateOnceAsClient
// Copy vcert's initialization of the HTTP client, which overrides the default timeout.
// https://github.com/Venafi/vcert/blob/89645a7710a7b529765274cb60dc5e28066217a1/pkg/venafi/tpp/tpp.go#L481-L513
return &http.Client{
Transport: transport,
Timeout: time.Second * 30,
}
}
func (v *Venafi) Ping() error {
return v.vcertClient.Ping()
}
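Review bot: The boolean returned by `rootCAs.AppendCertsFromPEM(caBundle)` in httpClientForVcertTPP is ignored, so a CA bundle with no parseable certificates produces an empty RootCAs pool and every TPP request then fails with an opaque certificate-verification error instead of a configuration error; the doc comment relies on vcert validating ConnectionTrust to catch this, but nothing here enforces that coupling. Since the function cannot report failure, either change it to return `(*http.Client, error)` and handle the result at the `Client:` line in configForIssuer, or at least check the bool and log why the pool is empty. `DualStack: true` on the net.Dialer is deprecated (Go 1.12+ enables the fallback by default) and staticcheck will flag it; the comment already says it deviates from http.DefaultTransport, so it can simply be dropped. Because the client depends on renegotiation, a TLS 1.2-only mechanism, consider pinning `tlsClientConfig.MinVersion = tls.VersionTLS12` next to the Renegotiation setting so the expected protocol floor is explicit.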
@ -42,8 +42,7 @@ func init() {
type fixture struct {
// testSolver is the actual DNS solver that is under test.
// It is set when calling the NewFixture function.
testSolver webhook.Solver
testSolver webhook.Solver
resolvedFQDN string
resolvedZone string
allowAmbientCredentials bool
@ -78,34 +77,10 @@ type fixture struct {
propagationLimit time.Duration
}
func (f *fixture) setup(t *testing.T) func() {
f.setupLock.Lock()
defer f.setupLock.Unlock()
if err := validate(f); err != nil {
t.Fatalf("error validating test fixture configuration: %v", err)
}
env, stopFunc := apiserver.RunBareControlPlane(t)
f.environment = env
cl, err := kubernetes.NewForConfig(env.Config)
if err != nil {
t.Fatal(err)
}
f.clientset = cl
stopCh := make(chan struct{})
f.testSolver.Initialize(env.Config, stopCh)
return func() {
close(stopCh)
stopFunc()
}
}
// RunConformance will execute all conformance tests using the supplied
// configuration
// configuration These conformance tests should be run by all external DNS
// solver webhook implementations, see
// https://github.com/cert-manager/webhook-example
func (f *fixture) RunConformance(t *testing.T) {
defer f.setup(t)()
t.Run("Conformance", func(t *testing.T) {
@ -127,3 +102,30 @@ func (f *fixture) RunExtended(t *testing.T) {
t.Run("DeletingOneRecordRetainsOthers", f.TestExtendedDeletingOneRecordRetainsOthers)
})
}
func (f *fixture) setup(t *testing.T) func() {
f.setupLock.Lock()
defer f.setupLock.Unlock()
if err := validate(f); err != nil {
t.Fatalf("error validating test fixture configuration: %v", err)
}
env, stopFunc := apiserver.RunBareControlPlane(t)
f.environment = env
cl, err := kubernetes.NewForConfig(env.Config)
if err != nil {
t.Fatal(err)
}
f.clientset = cl
stopCh := make(chan struct{})
f.testSolver.Initialize(env.Config, stopCh)
return func() {
close(stopCh)
stopFunc()
}
}
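Review bot: The error returned by `f.testSolver.Initialize(env.Config, stopCh)` is still discarded in the moved setup, so a solver whose Initialize fails (for example the rfc2136 solver when kubernetes.NewForConfig fails) goes on to run the conformance cases uninitialised and fails later with misleading errors. Replace the call with `if err := f.testSolver.Initialize(env.Config, stopCh); err != nil { t.Fatal(err) }`, mirroring how the NewForConfig error a few lines above is handled.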
@ -32,7 +32,10 @@ import (
type Option func(*fixture)
// NewFixture constructs a new *fixture, applying the given Options before
// returning.
// returning. Solver is an implementation of
// https://github.com/cert-manager/cert-manager/blob/v1.11.0/pkg/acme/webhook/webhook.go#L27-L45
// and could be RFC2136 solver or any of external solvers that run these
// conformance tests.
func NewFixture(solver webhook.Solver, opts ...Option) *fixture {
f := &fixture{
testSolver: solver,
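Review bot: The extended doc comment on NewFixture reads awkwardly because the new text is spliced onto the end of the existing sentence ("before returning. Solver is an implementation of ... and could be RFC2136 solver or any of external solvers"). Suggested wording: `// NewFixture constructs a new *fixture, applying the given Options before returning.` followed by `// solver must implement webhook.Solver (see the linked interface); it may be the RFC2136 solver or any external solver that runs these conformance tests.`, keeping the existing URL on its own comment line.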
@ -17,6 +17,7 @@ limitations under the License.
package chart
import (
"bytes"
"context"
"fmt"
"io"
@ -146,16 +147,12 @@ func (c *Chart) runInstall() error {
}
cmd := c.buildHelmCmd(args...)
cmd.Stdout = nil
out, err := cmd.StdoutPipe()
if err != nil {
return err
}
defer out.Close()
stdoutBuf := &bytes.Buffer{}
cmd.Stdout = stdoutBuf
err = cmd.Run()
err := cmd.Run()
if err != nil {
_, err2 := io.Copy(os.Stdout, out)
_, err2 := io.Copy(os.Stdout, stdoutBuf)
if err2 != nil {
return fmt.Errorf("cmd.Run: %v: io.Copy: %v", err, err2)
}
@ -179,19 +176,15 @@ func (c *Chart) buildHelmCmd(args ...string) *exec.Cmd {
func (c *Chart) getHelmVersion() (string, error) {
cmd := c.buildHelmCmd("version", "--template", "{{.Client.Version}}")
cmd.Stdout = nil
out, err := cmd.StdoutPipe()
if err != nil {
return "", err
}
defer out.Close()
stdoutBuf := &bytes.Buffer{}
cmd.Stdout = stdoutBuf
err = cmd.Run()
err := cmd.Run()
if err != nil {
return "", err
}
outBytes, err := io.ReadAll(out)
outBytes, err := io.ReadAll(stdoutBuf)
if err != nil {
return "", err
}
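Review bot: `io.ReadAll(stdoutBuf)` on the new side of getHelmVersion adds an error path that cannot fail: reading from a *bytes.Buffer never returns an error and the bytes are already in hand. `outBytes := stdoutBuf.Bytes()` (or `stdoutBuf.String()`) with the following err check removed says the same thing more directly. In this hunk and the two sibling hunks (runInstall, Deprovision), `stdoutBuf := &bytes.Buffer{}` can be the idiomatic `var stdoutBuf bytes.Buffer` with `cmd.Stdout = &stdoutBuf`, since the zero value is usable. Helm output is now held fully in memory rather than streamed; that is fine for these commands, but a one-line comment where the buffer is declared would record that it is deliberate.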
@ -202,16 +195,12 @@ func (c *Chart) getHelmVersion() (string, error) {
// Deprovision the deployed instance of tiller-deploy
func (c *Chart) Deprovision() error {
cmd := c.buildHelmCmd("delete", "--namespace", c.Namespace, c.ReleaseName)
cmd.Stdout = nil
out, err := cmd.StdoutPipe()
if err != nil {
return err
}
defer out.Close()
stdoutBuf := &bytes.Buffer{}
cmd.Stdout = stdoutBuf
err = cmd.Run()
err := cmd.Run()
if err != nil {
_, err2 := io.Copy(os.Stdout, out)
_, err2 := io.Copy(os.Stdout, stdoutBuf)
if err2 != nil {
return fmt.Errorf("cmd.Run: %v: io.Copy: %v", err, err2)
}
@ -59,7 +59,7 @@ func TestRunSuiteWithTSIG(t *testing.T) {
TSIGKeyName: rfc2136TestTsigKeyName,
}
fixture := dns.NewFixture(&rfc2136.Solver{},
fixture := dns.NewFixture(rfc2136.New(rfc2136.InitializeResetLister()),
dns.SetResolvedZone(rfc2136TestZone),
dns.SetResolvedFQDN(rfc2136TestFqdn),
dns.SetAllowAmbientCredentials(false),
@ -91,7 +91,7 @@ func TestRunSuiteNoTSIG(t *testing.T) {
Nameserver: server.ListenAddr(),
}
fixture := dns.NewFixture(&rfc2136.Solver{},
fixture := dns.NewFixture(rfc2136.New(rfc2136.InitializeResetLister()),
dns.SetResolvedZone(rfc2136TestZone),
dns.SetResolvedFQDN(rfc2136TestFqdn),
dns.SetAllowAmbientCredentials(false),