bbd9249198
* Configurable issuer duration and renewBefore [1/3] This is part one of (probably) three parts manually moving the changes from commit 723015174a167d746323f506ab3575cfb243d8bd to the new master. This commit moves the basic functionality of configurable duration while skipping e2e tests and docs. It does not include new work. Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Configurable issuer duration and renewBefore [2/3] This commit moves over most of the e2e testing updates, some things are intentionally left out as they may be obsolete Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Configurable issuer duration and renewBefore [3/3] This commit moves the documentation changes, completely the migration of the original code to the latest master Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Rerunning all hack scripts with since the massive bazel update Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Add missing boilerplate headers Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Rerun codegen hack Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Rerunning update-docs hack Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Fix failing unit tests Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Fix build errors in e2e tests Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Rerun update-deps Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Don't recreate the CA issuer, it already exists Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Need to create new issuers for the duration and renew time tests because those fields are set in the issuer, so make sure they are named uniquely Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Add duration e2e tests for self-signed issuer Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Add duration e2e tests for vault w/ custom mount path Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Add validation to disallow acme certificates with duration and renewBefore set and update unit tests to verify Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Update docs to mention duration/renew for self-signed issuer and fix potential parsing errors with rst formatting Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Self-signed issuer was missing duration validation Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Fix a bug causing certificates with a short enough renew-before w.r.t their duration to be renewed instantly and forever Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Print the exact time until renewal Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Move duration and renwal validation to the issuer validation Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Update e2e tests to work with new validation Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Add e2e test for the self-signed issuer Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Redo cert duration and renew before to appear as part of the CSR and not the issuer Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Updating tests to match new duration/renewbefore format Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Update e2e tests to match new format Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Update docs to reflect changing the field from issuers to certificates Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Remove event firing and replace with a TODO as of discussion on PR Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Run hack scripts Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Remove the sync unit test since without events there is no way to catch the warnings that it was testing Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Use IssuerOptions RenewBeforeExpiryDuration if certificates dont set a renewBefore value for immediate renewal checks Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Delete check on certificate data length in e2e test for certificate duration as there is no reason it should be there Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Update e2e tests since certificate creation will never generate an event Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Rerunning hack scripts after big rebase Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Fix a few problems that slipped through during the rebase Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Fix an e2e error that resulted from the rebase Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Add unit test for the calculateTimeBeforeExpiry function Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Adding back in a bunch of missing error checks Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Remove unused function Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Add missing boilerplate Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Remove unused constant Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Move log constants to function body Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Rerun hack scripts Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Remove mistakenly commited file Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Remove double-import of util package Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Fix bad function call in e2e vault issuer Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Change duration and renewBefore to be pointer fields as they are optional Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Remove wrong vault issuer test that got passed the rebase somehow Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Change e2e to use pointer format Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Move e2e cert tests out of issuer test file Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Move e2e self-signed issuer test to new location Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Make sure to check for nil in GenerateTemplate Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Add more empty checks to be safe Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Rerunning hacks after rebase Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Fix bad function call in new e2e test Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Try not setting duration and renewbefore on acme e2e tests Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Zero checks should really just be replaced by nil tests, zero should be caught as any other too-small value Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Fixed a missing nil check that got away Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Change e2e duration test format to use pointer times to better simulate API calls Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Fix sync unit test to match e2e test format Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Fix vault e2e test Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Revert changes to Certificate sync function Signed-off-by: James Munnelly <james@munnelly.eu> * Remove selfsigned e2e issuer.go Signed-off-by: James Munnelly <james@munnelly.eu> * Don't use ACME issuer in duration example and tidy up line endings Signed-off-by: James Munnelly <james@munnelly.eu> * Allow renewBefore to be set on ACME certificates Signed-off-by: James Munnelly <james@munnelly.eu> * Update renewBefore ACME docs. Remove unused fields. Signed-off-by: James Munnelly <james@munnelly.eu> * Rename calculateTimeBeforeExpiry to calculateDurationUntilRenew Signed-off-by: James Munnelly <james@munnelly.eu> |
||
|---|---|---|
| .github | ||
| cmd | ||
| contrib | ||
| docs | ||
| hack | ||
| pkg | ||
| test | ||
| third_party | ||
| vendor | ||
| .bazelrc | ||
| .gitignore | ||
| .gitlab-ci.yml | ||
| .kazelcfg.json | ||
| BUILD.bazel | ||
| CODE_OF_CONDUCT.md | ||
| CONTRIBUTING.md | ||
| Gopkg.lock | ||
| Gopkg.toml | ||
| labels.yaml | ||
| LICENSE | ||
| Makefile | ||
| OWNERS | ||
| README.md | ||
| WORKSPACE | ||
cert-manager
cert-manager is a Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources.
It will ensure certificates are valid and up to date periodically, and attempt to renew certificates at an appropriate time before expiry.
It is loosely based upon the work of kube-lego and has borrowed some wisdom from other similar projects e.g. kube-cert-manager.
Current status
As this project is pre-1.0, we do not currently offer strong guarantees around our API stability.
Notably, we may choose to make breaking changes to our API specification (i.e. the Issuer, ClusterIssuer and Certificate resources) in new minor releases.
These will always be clearly documented in the upgrade section of the documentation
Documentation
Documentation for cert-manager can be found at cert-manager.readthedocs.io. Please make sure to select the correct version of the documentation to view on the bottom left of the page.
Troubleshooting
If you encounter any issues whilst using cert-manager, we have a number of places you can use to try and get help.
The quickest way to ask a question is to first post on our Slack channel (#cert-manager) on the Kubernetes Slack. There are a lot of community members in this channel, and you can often get an answer to your question straight away!
You can also try searching for an existing issue. Properly searching for an existing issue will help reduce the number of duplicates, and help you find the answer you are looking for quicker.
Please also make sure to read through the relevant pages in the documentation before opening an issue. You can also search the documentation using the search box on the top left of the page.
If you believe you have encountered a bug, and cannot find an existing issue similar to your own, you may open a new issue. Please be sure to include as much information as possible about your environment.
Community
There is a Google Group used for project wide announcements and development coordination. Anybody can join the group by visiting here and clicking "Join Group". A Google account is required to join the group.
Once you have become a member, you should receive an invite to the weekly development meeting, hosted on Wednesdays at 4pm UTC on Zoom.us.
Anyone is welcome to join these calls, even if just to ask questions.
Meeting notes are recorded in Google docs.
Contributing
We welcome pull requests with open arms! There's a lot of work to do here, and we're especially concerned with ensuring the longevity and reliability of the project.
Please take a look at our issue tracker if you are unsure where to start with getting involved!
We also use the #cert-manager channel on kubernetes.slack.com for chat relating to the project.
Developer documentation is available in the official documentation.
Changelog
The list of releases is the best place to look for information on changes between releases.