Thomas Müller 12483d3d54 Check JKS/PKCS12 truststores only if issuer provides the CA
The current policy check for keystores in Secrets creates a loop because
the truststore.jks or truststore.p12 will never exist when the issuer didn't
provide the CA certificate. This behaviour was introduced by #5597.

The JKS and PKCS12 truststores are only added to the Secret
if the CA is provided by the issuer. The CertificateRequest API
reference states:

> The PEM encoded x509 certificate of the signer, also known
> as the CA (Certificate Authority). This is set on a best-effort basis by
> different issuers. If not set, the CA is assumed to be unknown/not available.

This change will only check the PKCS12/JKS truststores if the CA cert from the
issuer exists in the secret.

Fixes #5755

Signed-off-by: Thomas Müller <thomas@chaschperli.ch>
2023-04-27 17:09:41 +02:00
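The commit message above describes a reconcile loop: a policy check demands truststore files that can never be written because the issuer returned no CA. The following Go program, an added example and not cert-manager's own code, models the check before and after the fix and shows why the unconditional version reissues forever. The Secret key names `ca.crt`, `truststore.jks` and `truststore.p12`, the `KeystoreSpec` type and the `simulateReconcile` helper are assumptions made for this illustration.

```go
package main

import "fmt"

// Secret data keys. ca.crt is assumed to be the key under which the issuer's
// CA is stored; the truststore names match those in the commit message.
const (
	caKey         = "ca.crt"
	jksTruststore = "truststore.jks"
	p12Truststore = "truststore.p12"
)

// KeystoreSpec is a minimal stand-in (assumed, not the real API type) for the
// keystore formats a Certificate asks for.
type KeystoreSpec struct {
	JKS    bool
	PKCS12 bool
}

// PolicyFunc has the shape of a policy check: it returns a reason and true
// when the Secret violates policy and the certificate must be reissued.
type PolicyFunc func(spec KeystoreSpec, data map[string][]byte) (string, bool)

// truststoreCheckBeforeFix reproduces the looping behaviour: it requires the
// truststores whenever a keystore format is requested, regardless of whether
// the issuer supplied a CA to build them from.
func truststoreCheckBeforeFix(spec KeystoreSpec, data map[string][]byte) (string, bool) {
	if spec.JKS {
		if _, ok := data[jksTruststore]; !ok {
			return "JKS truststore missing from Secret", true
		}
	}
	if spec.PKCS12 {
		if _, ok := data[p12Truststore]; !ok {
			return "PKCS12 truststore missing from Secret", true
		}
	}
	return "", false
}

// truststoreCheckAfterFix only inspects the truststores when the Secret
// actually carries the issuer's CA. Without a CA there is nothing to put in a
// truststore, so its absence is expected, not a violation.
func truststoreCheckAfterFix(spec KeystoreSpec, data map[string][]byte) (string, bool) {
	if ca, ok := data[caKey]; !ok || len(ca) == 0 {
		return "", false
	}
	return truststoreCheckBeforeFix(spec, data)
}

// simulateReconcile runs a policy check up to maxRounds times against a
// Secret whose issuer never returns a CA. Reissuing cannot add a truststore in
// that situation, so the Secret is unchanged between rounds; the returned
// count is the number of pointless reissuances the check would trigger.
func simulateReconcile(check PolicyFunc, spec KeystoreSpec, data map[string][]byte, maxRounds int) int {
	reissues := 0
	for i := 0; i < maxRounds; i++ {
		if _, violated := check(spec, data); !violated {
			break
		}
		reissues++
	}
	return reissues
}

func main() {
	spec := KeystoreSpec{JKS: true, PKCS12: true}
	// Constructed Secret contents: leaf cert and key present, no CA from the issuer.
	noCA := map[string][]byte{
		"tls.crt": []byte("constructed-leaf-cert"),
		"tls.key": []byte("constructed-key"),
	}
	fmt.Println("before fix, reissuances in 5 rounds:", simulateReconcile(truststoreCheckBeforeFix, spec, noCA, 5))
	fmt.Println("after fix, reissuances in 5 rounds: ", simulateReconcile(truststoreCheckAfterFix, spec, noCA, 5))

	// With a CA present, a missing truststore is still a genuine violation.
	withCA := map[string][]byte{caKey: []byte("constructed-ca-cert")}
	reason, violated := truststoreCheckAfterFix(spec, withCA)
	fmt.Println("after fix, CA present but no truststore:", violated, reason)
}
```

The fixed check keeps the original strictness for Secrets that do contain a CA, so a truststore that should exist but does not is still caught; the guard only removes the unsatisfiable requirement.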
.github fix: update scorecard not running 2022-10-28 14:56:18 -03:00
cmd Merge pull request #5962 from wallrj/5670-controller-manager-liveness-probe 2023-04-27 15:09:54 +01:00
deploy Check JKS/PKCS12 truststores only if issuer provides the CA 2023-04-27 17:09:41 +02:00
design design: fix dead image links 2023-04-06 11:09:19 +02:00
docs Remove docs/ directory and replace with basic README 2020-01-20 14:53:02 +00:00
gcb add a link to the full release process 2023-04-13 13:08:58 +02:00
hack Bumps kubectl 1.26 -> 1.27 2023-04-24 11:57:19 +01:00
internal Check JKS/PKCS12 truststores only if issuer provides the CA 2023-04-27 17:09:41 +02:00
logo Delete mask 2022-05-05 12:05:27 -04:00
make Ensures that _bin/scratch exists before attempting to update licenses 2023-04-26 12:37:33 +01:00
pkg Check JKS/PKCS12 truststores only if issuer provides the CA 2023-04-27 17:09:41 +02:00
test upgrade vault 2023-04-25 09:22:19 +02:00
tools remove tools/cobra script 2023-03-06 14:21:31 +00:00
.bazelignore make update-all & ensure bazel-only targets are runnable 2022-06-30 12:47:30 +01:00
.bazelrc support user.bazelrc 2022-02-11 10:41:30 +01:00
.gitignore Remove checked-in go.work, add generation 2023-04-12 11:25:47 +01:00
.krew.yaml rename all uses of github.com/jetstack/cert-manager 2022-02-02 09:08:31 +00:00
.trivyignore fix x/text vuln and ignore AWS vuln 2022-11-07 13:32:31 +00:00
CODE_OF_CONDUCT.md update old references to replaced/obsolete email addresses 2021-05-20 18:05:02 +01:00
CONTRIBUTING.md Simplify the CONTRIBUTING.md document 2022-03-10 10:57:59 +00:00
go.mod upgrade vault 2023-04-25 09:22:19 +02:00
go.sum upgrade vault 2023-04-25 09:22:19 +02:00
LICENSE add apache 2.0 license 2017-07-22 12:04:24 +01:00
LICENSES upgrade vault 2023-04-25 09:22:19 +02:00
Makefile add license preludes for a variety of files 2023-03-14 15:46:10 +00:00
OWNERS add inteon to OWNERS 2022-08-01 14:12:31 +02:00
README.md Merge pull request #5441 from joycebrum/joycebrum-add-scorecaed-github-action 2022-10-28 14:57:35 +01:00
ROADMAP.md minor language tweaks to README and ROADMAP 2022-10-20 16:50:58 +01:00
SECURITY_CONTACTS.md Adds Tim to security contacts 2023-03-09 18:18:28 +00:00
SECURITY.md update SECURITY policy to exclude vuln reports 2022-12-19 17:21:59 +00:00
USERS.md Merge pull request #5010 from DiptoChakrabarty/blog 2022-04-04 14:26:45 +01:00

cert-manager project logo


cert-manager

cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates.

It supports issuing certificates from a variety of sources, including Let's Encrypt (ACME), HashiCorp Vault, and Venafi TPP / TLS Protect Cloud, as well as local in-cluster issuance.

cert-manager also ensures certificates remain valid and up to date, attempting to renew certificates at an appropriate time before expiry to reduce the risk of outages and remove toil.

cert-manager high level overview diagram

Documentation

Documentation for cert-manager can be found at cert-manager.io.

For the common use-case of automatically issuing TLS certificates for Ingress resources, see the cert-manager nginx-ingress quick start guide.

For a more comprehensive guide to issuing your first certificate, see our getting started guide.

Installation

Installation is documented on the website, with a variety of supported methods.

Troubleshooting

If you encounter any issues whilst using cert-manager, we have a number of ways to get help:

If you believe you've found a bug and cannot find an existing issue, feel free to open a new issue! Be sure to include as much information as you can about your environment.

Community

The cert-manager-dev Google Group is used for project wide announcements and development coordination. Anybody can join the group by visiting here and clicking "Join Group". A Google account is required to join the group.

Meetings

We have several public meetings which any member of our Google Group is more than welcome to join!

Check out the details on our website. Feel free to drop in and ask questions, chat with us or just to say hi!

Contributing

We welcome pull requests with open arms! There's a lot of work to do here, and we're especially concerned with ensuring the longevity and reliability of the project. The contributing guide will help you get started.

Coding Conventions

Code style guidelines are documented on the coding conventions page of the cert-manager website. Please try to follow those guidelines if you're submitting a pull request for cert-manager.

Importing cert-manager as a Module

⚠️ Please note that cert-manager does not currently provide a Go module compatibility guarantee. That means that most code under pkg/ is subject to change in a breaking way, even between minor or patch releases and even if the code is currently publicly exported.

The lack of a Go module compatibility guarantee does not affect API version guarantees under the Kubernetes Deprecation Policy.

For more details see Importing cert-manager in Go on the cert-manager website.

The import path for cert-manager versions 1.8 and later is github.com/cert-manager/cert-manager.

For all versions of cert-manager before 1.8, including minor and patch releases, the import path is github.com/jetstack/cert-manager.

Security Reporting

Security is the number one priority for cert-manager. If you think you've found a security vulnerability, we'd love to hear from you.

Follow the instructions in SECURITY.md to make a report.

Changelog

Every release on GitHub has a changelog, and we also publish release notes on the website.

History

cert-manager is loosely based upon the work of kube-lego and has borrowed some wisdom from other similar projects such as kube-cert-manager.

Logo design by Zoe Paterson