
[pull] master from cert-manager:master#1066

Open
pull[bot] wants to merge 3804 commits into next-stack:master from cert-manager:master


Conversation


pull[bot] commented Oct 28, 2022


See Commits and Changes for more details.


Created by pull[bot]

Can you help keep this open source service alive? 💖 Please sponsor : )

pull[bot] added the ⤵️ pull label Oct 28, 2022
lunarwhite and others added 29 commits May 1, 2026 16:28
Propagate global.commonLabels from the Helm chart (or
--acme-http01-solver-extra-labels CLI flag) to dynamically-created
ACME HTTP01 solver pods, services, ingresses, and Gateway API HTTPRoutes.
These labels are applied in addition to standard ACME challenge
identification labels, with Per-Issuer PodTemplate/IngressTemplate/
GatewayHTTPRoute.Labels taking precedence.

Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
…istenerSets (#8749)

* feat: fall back to Gateway HTTP listener for ACME HTTP-01 solver when ListenerSet has no HTTP listener

Signed-off-by: apkatsikas <apkatsikas@gmail.com>

* feat: use parent Gateway as HTTP-01 solver parentRef when ListenerSet opts in via annotation

Signed-off-by: apkatsikas <apkatsikas@gmail.com>

* feat: rename fallback annotation to match parentrefkind/name style

Signed-off-by: apkatsikas <apkatsikas@gmail.com>

* feat: extract ListenerSet parentRef annotation logic into function

Signed-off-by: apkatsikas <apkatsikas@gmail.com>

* feat: skip empty parentref namespace annotation override

Signed-off-by: apkatsikas <apkatsikas@gmail.com>

* feat: clear stale namespace annotation when fallback is disabled

Signed-off-by: apkatsikas <apkatsikas@gmail.com>

* feat: add tests for parentref namespace annotation override and deduplication

Signed-off-by: apkatsikas <apkatsikas@gmail.com>

* fix: restore per-case nil check to avoid initializing annotations for Ingress

Signed-off-by: apkatsikas <apkatsikas@gmail.com>

* fix: remove unused kind param from parentRefs test helper

Signed-off-by: apkatsikas <apkatsikas@gmail.com>

* fix: combine namespace annotation nil and empty checks

Signed-off-by: apkatsikas <apkatsikas@gmail.com>

* fix: use strconv.ParseBool for http01-parentreffallback annotation

Signed-off-by: apkatsikas <apkatsikas@gmail.com>

* fix: switch ptrMode to new in sync_test

Signed-off-by: apkatsikas <apkatsikas@gmail.com>

---------

Signed-off-by: apkatsikas <apkatsikas@gmail.com>
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
Signed-off-by: Nikola <peac36@abv.bg>
add dns issuer secrets validation before marking it as ready
…b-actions

chore(deps): update github/codeql-action action to v4.35.3 (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
* adding helm unit tests for controller

Signed-off-by: hjoshi123 <mail@hjoshi.me>

* adding helm unit tests

Signed-off-by: hjoshi123 <mail@hjoshi.me>
Signed-off-by: Hemant Joshi <mail@hjoshi.me>

---------

Signed-off-by: hjoshi123 <mail@hjoshi.me>
Signed-off-by: Hemant Joshi <mail@hjoshi.me>
Make cainjector use SSA unconditionally
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…x-deps

fix(deps): update module golang.org/x/crypto to v0.51.0 (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
Signed-off-by: Hemant Joshi <mail@hjoshi.me>
…b-actions

chore(deps): update github/codeql-action action to v4.35.4 (master)
It seems this had no effect: kubernetes/gengo#209

Signed-off-by: Ashley Davis <ashley.davis@cyberark.com>
fix(deps): update module github.com/venafi/vcert/v5 to v5.13.2 (master)
This brings in a tonne of changes to codegen which come with
the upgraded versions of the codegen tools

This is being done along with the bounding-dirs flag
removal because they come together

Signed-off-by: Ashley Davis <ashley.davis@cyberark.com>
```text
pkg/controller/util.go:217:62: inline: Constant reflect.Ptr should be inlined (govet)
	if v := reflect.ValueOf(arg); !v.IsValid() || ((v.Kind() == reflect.Ptr ||
```

Signed-off-by: Ashley Davis <ashley.davis@cyberark.com>
Delete now-removed bounding dirs flag && make upgrade
Prevent global solver extra labels from overwriting ACME identity labels
(acme.cert-manager.io/http-domain, acme.cert-manager.io/http-token,
acme.cert-manager.io/http01-solver) on dynamically-created HTTP01 solver
resources. A filterACMEIdentityLabels helper strips these protected keys
before merging. Without this guard, extra labels could silently break
resource discovery.

Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
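The guard described in the commit above, as an added illustration that is not cert-manager's own code: extra labels are stripped of the three ACME identity keys before merging, per-issuer template labels override global ones, and the identity labels are applied last. The function names and the filtering of the template labels as well as the global ones are assumptions made here.

```go
package main

import "fmt"

// acmeIdentityLabels are the keys the HTTP-01 solver relies on to find its
// own pods, services, ingresses and HTTPRoutes; nothing may overwrite them.
var acmeIdentityLabels = map[string]bool{
	"acme.cert-manager.io/http-domain":   true,
	"acme.cert-manager.io/http-token":    true,
	"acme.cert-manager.io/http01-solver": true,
}

// filterACMEIdentityLabels returns a copy of in without the protected keys.
// Hypothetical reimplementation for illustration, not the project's helper.
func filterACMEIdentityLabels(in map[string]string) map[string]string {
	out := make(map[string]string, len(in))
	for k, v := range in {
		if !acmeIdentityLabels[k] {
			out[k] = v
		}
	}
	return out
}

// solverLabels merges in ascending precedence: global extra labels, then the
// per-issuer template labels, then the identity labels. Both user-supplied
// sets are filtered, so a protected key can only come from identity.
func solverLabels(global, template, identity map[string]string) map[string]string {
	out := make(map[string]string)
	for k, v := range filterACMEIdentityLabels(global) {
		out[k] = v
	}
	for k, v := range filterACMEIdentityLabels(template) {
		out[k] = v
	}
	for k, v := range identity {
		out[k] = v
	}
	return out
}

func main() {
	// Constructed input: a global label tries to override the token label.
	got := solverLabels(
		map[string]string{"acme.cert-manager.io/http-token": "spoofed", "team": "platform"},
		map[string]string{"team": "issuer-a"},
		map[string]string{"acme.cert-manager.io/http-token": "tok123", "acme.cert-manager.io/http01-solver": "true"},
	)
	fmt.Println(got)
}
```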
Signed-off-by: Richard Wall <richard@the-moon.net>
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…-go-deps

fix(deps): update module sigs.k8s.io/controller-runtime to v0.24.1 (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
renovate Bot and others added 30 commits June 28, 2026 21:14
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…odules

chore(deps): update makefile modules to 72b0d34 (master)
The one-shot renewal timer in startRenewalWatcher uses Go's monotonic
clock (CLOCK_MONOTONIC), which does not advance during system suspend
(S3/S4) or VM live migration. When the system resumes, the timer
deadline has not yet been reached, so the webhook serving certificate
is never renewed — even though wall-clock time has advanced past the
renewal moment.

Add a periodic ticker that polls time.Now() against the wall-clock
renewal deadline. Because time.Now() uses CLOCK_REALTIME for
comparisons with wall-clock timestamps (such as certificate NotAfter),
the ticker detects the missed renewal and triggers certificate renewal.

The goroutine now returns after the first send and wraps sends in
select/ctx.Done() to prevent goroutine leaks. An early return when
renewalAt is the zero value prevents a spurious signal before the
first certificate is issued.

Signed-off-by: Nikola <peac36@abv.bg>
Co-authored-by: Nikola <peac36@abv.bg>
Co-authored-by: Richard Wall <richard.wall@cyberark.com>
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
Remove Challenge `create` and Order `create`, `patch`, `update`
from the `cert-manager-edit` aggregate ClusterRole.

- A user-created Challenge with attacker-controlled spec.solver
  can exfiltrate ClusterIssuer credentials cross-namespace.
- A user who can update an Order can change spec.issuerRef to
  reference a different ClusterIssuer, triggering credential
  exfiltration when the controller recreates the Challenge.
- Challenge `patch`/`update` are retained because spec is
  immutable after creation (ValidateChallengeUpdate) and users
  need them to remove stuck finalizers (#3851, #3870).

This change was already shipped in v1.19.6 and v1.20.3 via #8940
and #8941 respectively. This PR brings it to master.

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
Defence in depth for GHSA-8rvj-mm4h-c258, complementing the RBAC
fix in #8958.

Webhook validation:
- ValidateChallenge: reject Challenges lacking a controller owner
  reference to an Order.
- ValidateOrderSpecUpdate: reject any Order spec mutation after
  creation.

Controller hardening:
- Order controller verifies both ownership AND exact spec
  equivalence for same-name Challenges. Mismatched Challenges are
  deleted and recreated.
- Set gateway parentRef Group explicitly to match the CRD OpenAPI
  default, preventing a nil-vs-populated mismatch in spec
  comparison (#7890, #8518, #8619).

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…odules

chore(deps): update makefile modules to c9f456a (master)
…)"

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
Renew webhook serving certificate after system suspend
…ls-digest

fix(deps): update k8s.io/utils digest to be93311 (master)
Fix make e2e-setup-pebble when _bin/downloaded is missing
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…trata domain

Signed-off-by: Maël Valais <mael@vls.dev>
vcert: upgrade lib so that the ngts API defaults to the correct api.strata domain
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
fix(deps): update module github.com/aws/smithy-go to v1.27.3 (master)
…o-gateway-api-1.x

chore(deps): update module sigs.k8s.io/gateway-api to v1.6.0 (master)
…pi v1.6.0

gateway-api v1.6.0 bumped to k8s 1.36 deps (kubernetes-sigs/gateway-api#4819),
which picked up the removal of the Deprecated godoc annotation from
gwfake.NewSimpleClientset (kubernetes/kubernetes#136455). With no deprecation
notice, staticcheck SA1019 no longer fires, so the //nolint:staticcheck directive
became dead code that nolintlint now rejects.

Also expand the FIXME comment to link to the root-cause issue
(kubernetes/kubernetes#126850) and the un-deprecation PR, so future readers
understand why NewSimpleClientset is still used deliberately.

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
…-go-deps

fix(deps): update module sigs.k8s.io/gateway-api to v1.6.0 (master)
Signed-off-by: Hemant Joshi <mail@hjoshi.me>
…ndition

fix(controller/trigger): adding check for race condition of get v/s list in trigger ctrl
Introduce the `CertificateRequestMaximumBackoffDuration` field in the
controller config API and `--certificate-request-maximum-backoff-duration`
in the controller CLI flags, defaulting to 32h for backwards compatibility.

Allow users to control the upper bound of the exponential backoff after
certificate request failures, which was previously hardcoded at 32h.

Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
Replace hardcoded maxDelay/stopIncreaseBackoff constants with the
configured `CertificateRequestMaximumBackoffDuration`, add overflow
guard for extreme attempt counts.

Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
feat: Add configurable CertificateRequest max backoff duration as controller option
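A configurable-cap backoff with an overflow guard of the kind the two commits above describe, as an added example rather than cert-manager's own implementation: the delay doubles per failed attempt and is clamped at the configured maximum, and attempt counts large enough to overflow a time.Duration are clamped before the shift is computed. The backoffDelay signature and the 1h base used in main are assumptions.

```go
package main

import (
	"fmt"
	"math/bits"
	"time"
)

// backoffDelay returns how long to wait before retrying a failed
// CertificateRequest: base doubles on every failure and is capped at
// maxBackoff, the value of the CertificateRequestMaximumBackoffDuration
// option. Illustrative code, not cert-manager's own implementation.
func backoffDelay(failedAttempts int, base, maxBackoff time.Duration) time.Duration {
	if failedAttempts <= 0 || base <= 0 || maxBackoff <= 0 {
		return 0
	}
	if base >= maxBackoff {
		return maxBackoff
	}
	shift := failedAttempts - 1
	// Overflow guard: base<<shift overflows int64 once the bits base already
	// uses plus shift exceed 63; any such value is necessarily beyond
	// maxBackoff, so clamp without ever computing it.
	if shift > 63-bits.Len64(uint64(base)) {
		return maxBackoff
	}
	if d := base << uint(shift); d < maxBackoff {
		return d
	}
	return maxBackoff
}

func main() {
	// Constructed run: 1h base (assumed), 32h cap, growing failure counts
	// including one far beyond anything a real controller would reach.
	for _, n := range []int{1, 2, 5, 6, 40, 1 << 62} {
		fmt.Printf("attempt %d -> %v\n", n, backoffDelay(n, time.Hour, 32*time.Hour))
	}
}
```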
