[pull] master from cert-manager:master#1066
Open
pull[bot] wants to merge 3804 commits into
Propagate global.commonLabels from the Helm chart (or --acme-http01-solver-extra-labels CLI flag) to dynamically-created ACME HTTP01 solver pods, services, ingresses, and Gateway API HTTPRoutes. These labels are applied in addition to standard ACME challenge identification labels, with per-Issuer PodTemplate/IngressTemplate/GatewayHTTPRoute.Labels taking precedence.

Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
…istenerSets (#8749)

* feat: fall back to Gateway HTTP listener for ACME HTTP-01 solver when ListenerSet has no HTTP listener
  Signed-off-by: apkatsikas <apkatsikas@gmail.com>
* feat: use parent Gateway as HTTP-01 solver parentRef when ListenerSet opts in via annotation
  Signed-off-by: apkatsikas <apkatsikas@gmail.com>
* feat: rename fallback annotation to match parentrefkind/name style
  Signed-off-by: apkatsikas <apkatsikas@gmail.com>
* feat: extract ListenerSet parentRef annotation logic into function
  Signed-off-by: apkatsikas <apkatsikas@gmail.com>
* feat: skip empty parentref namespace annotation override
  Signed-off-by: apkatsikas <apkatsikas@gmail.com>
* feat: clear stale namespace annotation when fallback is disabled
  Signed-off-by: apkatsikas <apkatsikas@gmail.com>
* feat: add tests for parentref namespace annotation override and deduplication
  Signed-off-by: apkatsikas <apkatsikas@gmail.com>
* fix: restore per-case nil check to avoid initializing annotations for Ingress
  Signed-off-by: apkatsikas <apkatsikas@gmail.com>
* fix: remove unused kind param from parentRefs test helper
  Signed-off-by: apkatsikas <apkatsikas@gmail.com>
* fix: combine namespace annotation nil and empty checks
  Signed-off-by: apkatsikas <apkatsikas@gmail.com>
* fix: use strconv.ParseBool for http01-parentreffallback annotation
  Signed-off-by: apkatsikas <apkatsikas@gmail.com>
* fix: switch ptrMode to new in sync_test
  Signed-off-by: apkatsikas <apkatsikas@gmail.com>

---------

Signed-off-by: apkatsikas <apkatsikas@gmail.com>
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
Signed-off-by: Nikola <peac36@abv.bg>
Signed-off-by: Nikola <peac36@abv.bg>
Signed-off-by: Nikola <peac36@abv.bg>
add dns issuer secrets validation before marking it as ready
…b-actions chore(deps): update github/codeql-action action to v4.35.3 (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
* adding helm unit tests for controller
  Signed-off-by: hjoshi123 <mail@hjoshi.me>
* adding helm unit tests
  Signed-off-by: hjoshi123 <mail@hjoshi.me>
  Signed-off-by: Hemant Joshi <mail@hjoshi.me>

---------

Signed-off-by: hjoshi123 <mail@hjoshi.me>
Signed-off-by: Hemant Joshi <mail@hjoshi.me>
Make cainjector use SSA unconditionally
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…x-deps fix(deps): update module golang.org/x/crypto to v0.51.0 (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
Signed-off-by: Hemant Joshi <mail@hjoshi.me>
replacing pebble with our fork
fix(deps): update cloud go deps (master)
…b-actions chore(deps): update github/codeql-action action to v4.35.4 (master)
It seems this had no effect: kubernetes/gengo#209 Signed-off-by: Ashley Davis <ashley.davis@cyberark.com>
fix(deps): update module github.com/venafi/vcert/v5 to v5.13.2 (master)
This brings in a tonne of changes to codegen which come with the upgraded versions of the codegen tools. This is being done along with the bounding-dirs flag removal because they come together.

Signed-off-by: Ashley Davis <ashley.davis@cyberark.com>
```text
pkg/controller/util.go:217:62: inline: Constant reflect.Ptr should be inlined (govet)
	if v := reflect.ValueOf(arg); !v.IsValid() || ((v.Kind() == reflect.Ptr ||
```

Signed-off-by: Ashley Davis <ashley.davis@cyberark.com>
Delete now-removed bounding dirs flag && make upgrade
Prevent global solver extra labels from overwriting ACME identity labels (acme.cert-manager.io/http-domain, acme.cert-manager.io/http-token, acme.cert-manager.io/http01-solver) on dynamically-created HTTP01 solver resources. A filterACMEIdentityLabels helper strips these protected keys before merging. Without this guard, extra labels could silently break resource discovery. Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
Signed-off-by: Richard Wall <richard@the-moon.net>
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…-go-deps fix(deps): update module sigs.k8s.io/controller-runtime to v0.24.1 (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…odules chore(deps): update makefile modules to 72b0d34 (master)
The one-shot renewal timer in startRenewalWatcher uses Go's monotonic clock (CLOCK_MONOTONIC), which does not advance during system suspend (S3/S4) or VM live migration. When the system resumes, the timer deadline has not yet been reached, so the webhook serving certificate is never renewed — even though wall-clock time has advanced past the renewal moment.

Add a periodic ticker that polls time.Now() against the wall-clock renewal deadline. Because time.Now() uses CLOCK_REALTIME for comparisons with wall-clock timestamps (such as certificate NotAfter), the ticker detects the missed renewal and triggers certificate renewal.

The goroutine now returns after the first send and wraps sends in select/ctx.Done() to prevent goroutine leaks. An early return when renewalAt is the zero value prevents a spurious signal before the first certificate is issued.

Signed-off-by: Nikola <peac36@abv.bg>
Co-authored-by: Nikola <peac36@abv.bg>
Co-authored-by: Richard Wall <richard.wall@cyberark.com>
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
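The suspend/resume failure mode this commit describes, and the ticker-based fix, as an added Go example. This is not cert-manager's startRenewalWatcher: the function names, the injectable `now` clock and the poll interval are assumptions made so the behaviour can be exercised offline with a simulated clock jump.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// renewalDue compares two wall-clock instants. A renewal deadline derived from
// the certificate's NotAfter is wall-clock time, so checking it against
// time.Now() observes time that elapsed while the host was suspended, which a
// time.Timer deadline (tracked on the monotonic clock) does not.
func renewalDue(now, renewalAt time.Time) bool {
	if renewalAt.IsZero() {
		return false // no certificate issued yet: never signal spuriously
	}
	return !now.Before(renewalAt)
}

// startRenewalWatcher (hypothetical name, modelled on the commit message) sends
// exactly one value on the returned channel once the deadline has passed and
// then closes it. The one-shot timer covers the uninterrupted case; the ticker
// re-reads the wall clock via now() to catch a deadline that slipped by while
// the monotonic clock stood still (suspend, VM live migration).
func startRenewalWatcher(ctx context.Context, renewalAt time.Time, pollEvery time.Duration, now func() time.Time) <-chan struct{} {
	out := make(chan struct{}, 1)
	go func() {
		defer close(out)
		if renewalAt.IsZero() {
			return
		}
		timer := time.NewTimer(renewalAt.Sub(now()))
		defer timer.Stop()
		ticker := time.NewTicker(pollEvery)
		defer ticker.Stop()
		for {
			select {
			case <-ctx.Done():
				return
			case <-timer.C:
				// Monotonic deadline reached: the normal path.
			case <-ticker.C:
				if !renewalDue(now(), renewalAt) {
					continue
				}
				// Wall clock is past the deadline although the timer never fired.
			}
			// Guard the send with ctx so a caller that has gone away cannot
			// leave this goroutine blocked forever.
			select {
			case out <- struct{}{}:
			case <-ctx.Done():
			}
			return
		}
	}()
	return out
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
	defer cancel()
	deadline := time.Now().Add(50 * time.Millisecond)
	<-startRenewalWatcher(ctx, deadline, 10*time.Millisecond, time.Now)
	fmt.Println("renewal signalled at", time.Now().Format(time.RFC3339Nano))
}
```

The test for this block drives `now` from a fake clock: the timer is armed an hour ahead and never fires, the fake clock is then jumped two hours forward, and only the ticker's wall-clock comparison produces the renewal signal.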
Remove Challenge `create` and Order `create`, `patch`, `update` from the `cert-manager-edit` aggregate ClusterRole.

- A user-created Challenge with attacker-controlled spec.solver can exfiltrate ClusterIssuer credentials cross-namespace.
- A user who can update an Order can change spec.issuerRef to reference a different ClusterIssuer, triggering credential exfiltration when the controller recreates the Challenge.
- Challenge `patch`/`update` are retained because spec is immutable after creation (ValidateChallengeUpdate) and users need them to remove stuck finalizers (#3851, #3870).

This change was already shipped in v1.19.6 and v1.20.3 via #8940 and #8941 respectively. This PR brings it to master.

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
Defence in depth for GHSA-8rvj-mm4h-c258, complementing the RBAC fix in #8958.

Webhook validation:
- ValidateChallenge: reject Challenges lacking a controller owner reference to an Order.
- ValidateOrderSpecUpdate: reject any Order spec mutation after creation.

Controller hardening:
- Order controller verifies both ownership AND exact spec equivalence for same-name Challenges. Mismatched Challenges are deleted and recreated.
- Set gateway parentRef Group explicitly to match the CRD OpenAPI default, preventing a nil-vs-populated mismatch in spec comparison (#7890, #8518, #8619).

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
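The three defensive checks listed in this commit (owner-reference validation, Order spec immutability, and controller-side ownership plus spec-equivalence with the parentRef group normalised before comparison), as an added Go example. The types below are deliberately minimal stand-ins with an assumed shape, not cert-manager's or Kubernetes' API types, and the function names are assumptions; the `acme.cert-manager.io` group and the `gateway.networking.k8s.io` parentRef default are the real values.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
	"strings"
)

// OwnerRef carries the parts of metadata.ownerReferences the checks need (stand-in type).
type OwnerRef struct {
	APIVersion string
	Kind       string
	Name       string
	Controller bool
}

// IssuerRef names the Issuer or ClusterIssuer an Order will be fulfilled by.
type IssuerRef struct {
	Name  string
	Kind  string
	Group string
}

// OrderSpec: whatever is in here must never change after creation.
type OrderSpec struct {
	IssuerRef  IssuerRef
	DNSNames   []string
	CommonName string
}

// ChallengeSpec holds the solver-relevant fields compared by the Order controller.
type ChallengeSpec struct {
	Token                 string
	DNSName               string
	IssuerRef             IssuerRef
	GatewayParentRefGroup *string // nil in a controller-built object, defaulted by the CRD schema once stored
}

type Challenge struct {
	Owners []OwnerRef
	Spec   ChallengeSpec
}

const orderAPIGroup = "acme.cert-manager.io"
const gatewayAPIGroup = "gateway.networking.k8s.io" // CRD OpenAPI default for parentRef.group

// validateChallengeOwner rejects a Challenge unless an Order is its controller
// owner. A Challenge written directly by a user has no such reference, which is
// what would let a user-chosen spec.solver run against a ClusterIssuer.
func validateChallengeOwner(owners []OwnerRef) error {
	for _, o := range owners {
		if o.Controller && o.Kind == "Order" && strings.HasPrefix(o.APIVersion, orderAPIGroup+"/") {
			return nil
		}
	}
	return errors.New("challenge must have a controller owner reference to an Order")
}

// validateOrderSpecUpdate rejects any spec change, so issuerRef cannot be
// repointed at a different ClusterIssuer after the Order exists.
func validateOrderSpecUpdate(oldSpec, newSpec OrderSpec) error {
	if !reflect.DeepEqual(oldSpec, newSpec) {
		return errors.New("order spec is immutable after creation")
	}
	return nil
}

// normalizeChallengeSpec fills the value the CRD would default, so a freshly
// built spec (group nil) compares equal to the stored one (group populated).
func normalizeChallengeSpec(s ChallengeSpec) ChallengeSpec {
	if s.GatewayParentRefGroup == nil {
		g := gatewayAPIGroup
		s.GatewayParentRefGroup = &g
	}
	return s
}

// challengeMatches is the controller-side check: an existing same-name Challenge
// is kept only if this Order controls it AND its spec is exactly what the Order
// would create now. Anything else is deleted and recreated by the caller.
func challengeMatches(existing Challenge, orderName string, desired ChallengeSpec) bool {
	owned := false
	for _, o := range existing.Owners {
		if o.Controller && o.Kind == "Order" && o.Name == orderName {
			owned = true
		}
	}
	return owned && reflect.DeepEqual(normalizeChallengeSpec(existing.Spec), normalizeChallengeSpec(desired))
}

func main() {
	fmt.Println("user-created challenge:", validateChallengeOwner(nil))
	fmt.Println("controller-owned challenge:", validateChallengeOwner([]OwnerRef{{APIVersion: "acme.cert-manager.io/v1", Kind: "Order", Name: "o1", Controller: true}}))
}
```

Note that `reflect.DeepEqual` follows pointers, so after normalisation a nil group and an explicitly set default compare equal, which is exactly the nil-vs-populated mismatch the commit removes.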
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
Harden ACME Challenge and Order validation (GHSA-8rvj-mm4h-c258)
…odules chore(deps): update makefile modules to c9f456a (master)
…)" Signed-off-by: Richard Wall <richard.wall@cyberark.com>
Renew webhook serving certificate after system suspend
Cleanup Helm metrics path and port
…-c258 Revert "Harden ACME Challenge and Order validation (GHSA-8rvj-mm4h-c258)"
…ls-digest fix(deps): update k8s.io/utils digest to be93311 (master)
Harden ACME Challenge and Order RBAC (GHSA-8rvj-mm4h-c258)
fix(deps): update cloud go deps (master)
Fix make e2e-setup-pebble when _bin/downloaded is missing
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…trata domain Signed-off-by: Maël Valais <mael@vls.dev>
vcert: upgrade lib so that the ngts API defaults to the correct api.strata domain
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
fix(deps): update module github.com/aws/smithy-go to v1.27.3 (master)
…o-gateway-api-1.x chore(deps): update module sigs.k8s.io/gateway-api to v1.6.0 (master)
…pi v1.6.0 gateway-api v1.6.0 bumped to k8s 1.36 deps (kubernetes-sigs/gateway-api#4819), which picked up the removal of the Deprecated godoc annotation from gwfake.NewSimpleClientset (kubernetes/kubernetes#136455). With no deprecation notice, staticcheck SA1019 no longer fires, so the //nolint:staticcheck directive became dead code that nolintlint now rejects. Also expand the FIXME comment to link to the root-cause issue (kubernetes/kubernetes#126850) and the un-deprecation PR, so future readers understand why NewSimpleClientset is still used deliberately. Signed-off-by: Richard Wall <richard.wall@cyberark.com>
…-go-deps fix(deps): update module sigs.k8s.io/gateway-api to v1.6.0 (master)
Signed-off-by: Hemant Joshi <mail@hjoshi.me>
…ndition fix(controller/trigger): adding check for race condition of get v/s list in trigger ctrl
Introduce `CertificateRequestMaximumBackoffDuration` field to the controller config API, `--certificate-request-maximum-backoff-duration` to the controller CLI flags, default as 32h for backwards compatibility. Allow users to control the upper bound of exponential backoff after certificate request failures, which was previously hardcoded at 32h.

Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
Replace hardcoded maxDelay/stopIncreaseBackoff constants with the configured `CertificateRequestMaximumBackoffDuration`, add overflow guard for extreme attempt counts. Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
feat: Add configurable CertificateRequest max backoff duration as controller option
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )