Changing SecretRef to be a pointer will break people using the package as a library. I disabled the ability to set the audience and expiry time for security reasons: We decided to generate the audience dynamically instead of letting the user configure it, and we also decided to encode the namespace and issuer name into the audience to remediate the risk of hijacking an existing issuer and service account with a malicious issuer. Regarding the expiration duration of the JWT, it doesn't make sense to let the user configure it since cert-manager will authenticate using the JWT and immediately discard it. We thought that 1 minute would be acceptable, although the Kubernetes API server may return a totally different duration.

Signed-off-by: Maël Valais <mael@vls.dev>
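As an added illustration (not code from this commit or from cert-manager), the Go snippet below shows the two controls the message describes: an audience derived from the namespace and issuer name, so a token minted for one issuer is rejected when presented on behalf of another, and a one-minute token lifetime. The `vault://<namespace>/<name>` audience layout, all function names and the sample token are assumptions constructed for this example; signature verification is assumed to happen before the check shown.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// TokenLifetime is the expirationSeconds to request: the token is used once, then discarded.
const TokenLifetime = time.Minute
// AudienceFor encodes namespace and issuer name into the audience so a token minted for one
// issuer is rejected on behalf of another; the "vault://<ns>/<name>" layout is an assumption.
func AudienceFor(namespace, issuerName string) string {
	return "vault://" + namespace + "/" + issuerName
}
type Claims struct {
	Aud []string `json:"aud"` // audiences the API server minted the token for
	Exp int64    `json:"exp"` // expiry as a Unix timestamp
}
// CheckToken accepts a token only if its aud claim names the issuer it is used for and it is
// unexpired. Signature verification is assumed to have happened beforehand and is not shown.
func CheckToken(rawJWT, namespace, issuerName string, now time.Time) error {
	parts := strings.Split(rawJWT, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed JWT: %d segments", len(parts))
	}
	var c Claims
	if payload, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil {
		return fmt.Errorf("decode payload: %w", err)
	} else if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("parse claims: %w", err)
	}
	if now.Unix() >= c.Exp {
		return fmt.Errorf("token expired at %d", c.Exp)
	}
	want := AudienceFor(namespace, issuerName)
	for _, a := range c.Aud {
		if a == want {
			return nil
		}
	}
	return fmt.Errorf("audience %v does not include %q", c.Aud, want)
}
// MintSampleToken builds a constructed token (placeholder header and signature) for offline use.
func MintSampleToken(aud string, issuedAt time.Time) string {
	payload, _ := json.Marshal(Claims{Aud: []string{aud}, Exp: issuedAt.Add(TokenLifetime).Unix()})
	return "header." + base64.RawURLEncoding.EncodeToString(payload) + ".signature"
}
```

A token minted for `team-a/vault-issuer` passes `CheckToken` for that issuer, fails for any other namespace or issuer name, and fails once `TokenLifetime` has elapsed.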
CRDs source directory
Warning: if you are an end-user, you do NOT need to use the files in this directory. These files are for development purposes only.
This directory contains 'source code' used to build our CustomResourceDefinition resources in a way that can be consumed by all our different deployment methods.
This package exposes a number of different Bazel targets:
- templates: the Helm templates for the CRD manifests
- crds: the templated CRD manifests (after running helm template)
- crd.templated: for each CRD type, the one CRD after running helm template
- templated_files: a filegroup containing all of the individual templated CRD files
Most users should never use the files in this directory directly. Instead, Bazel build targets in other packages (e.g. //deploy/manifests, //deploy/charts) are configured to automatically consume the appropriate artifact listed above.