cert-manager/deploy
Thomas Müller 12483d3d54 Check JKS/PKCS12 truststores only if issuer provides the CA
The current policy check for keystores in Secrets creates a loop because
the truststore.jks or truststore.p12 will never exist when the issuer didn't
provide the CA certificate. This behaviour was introduced by #5597.

The JKS and PKCS12 truststores are only added to the Secret
if the CA is provided by the issuer. The CertificateRequest API
reference states:

> The PEM encoded x509 certificate of the signer, also known
> as the CA (Certificate Authority). This is set on a best-effort basis by
> different issuers. If not set, the CA is assumed to be unknown/not available.

This change will only check the PKCS12/JKS truststores if the CA cert from the
issuer exists in the secret.

Fixes #5755

Signed-off-by: Thomas Müller <thomas@chaschperli.ch>
2023-04-27 17:09:41 +02:00
charts/cert-manager Merge pull request #5962 from wallrj/5670-controller-manager-liveness-probe 2023-04-27 15:09:54 +01:00
crds Check JKS/PKCS12 truststores only if issuer provides the CA 2023-04-27 17:09:41 +02:00
manifests Remove obsolete bazel documentation 2023-03-17 11:44:15 +01:00
OWNERS Add more OWNERS files with auto-labels 2019-01-24 19:38:31 +00:00