Stephen Augustus
481cf6fbe7
generated: Run hack/update-gofmt.sh
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2021-08-24 15:47:49 -04:00
Jordan Liggitt
236e72cf8a
Make CSR cleaner tolerate objects with invalid status.certificate
2021-07-21 10:35:17 -04:00
Monis Khan
cd91e59f7c
csr: add expirationSeconds field to control cert lifetime
This change updates the CSR API to add a new, optional field called
expirationSeconds. This field is a request to the signer for the
maximum duration the client wishes the cert to have. The signer is
free to ignore this request based on its own internal policy. The
signers built-in to KCM will honor this field if it is not set to a
value greater than --cluster-signing-duration. The minimum allowed
value for this field is 600 seconds (ten minutes).
This change will help enforce safer durations for certificates in
the Kube ecosystem and will help related projects such as
cert-manager with their migration to the Kube CSR API.
Future enhancements may update the Kubelet to take advantage of this
field when it is configured in a way that can tolerate shorter
certificate lifespans with regular rotation.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-07-01 23:38:15 -04:00
Monis Khan
7e891e5d6c
csr: correctly handle backdating of short lived certs
This change updates the backdating logic to only be applied to the
NotBefore date and not the NotAfter date when the certificate is
short lived. Thus when such a certificate is issued, it will not be
immediately expired. Long lived certificates continue to have the
same lifetime as before.
Consolidated all certificate lifetime logic into the
PermissiveSigningPolicy.policy method.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-23 15:36:11 -04:00
Kubernetes Prow Robot
df9ad4d7d2
Merge pull request #96094 from Hellcatlk/m
Some comments' typos
2021-04-16 11:54:22 -07:00
Kubernetes Prow Robot
d51f15ed0d
Merge pull request #100885 from enj/enj/i/auth_owners
Update sig-auth OWNERS
2021-04-12 22:18:49 -07:00
David Eads
443e4ea0df
include description of what kube-root-ca.crt can be used to verify
2021-04-08 10:43:41 -04:00
Monis Khan
bca4993004
Update auth OWNERS files to only use aliases
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-07 10:46:03 -04:00
Benjamin Elder
56e092e382
hack/update-bazel.sh
2021-02-28 15:17:29 -08:00
Shihang Zhang
bbce0468d4
add metrics for rootcacertpublisher controller
2021-02-16 21:56:41 -08:00
Shihang Zhang
2c378beb64
abort if namespace doesn't exist or terminating
2020-11-05 11:12:15 -08:00
Shihang Zhang
d40f0c43c4
separate RootCAConfigMap from BoundServiceAccountTokenVolume
2020-11-04 17:10:39 -08:00
zouyu
7dd4622c84
Some comments' typos
Signed-off-by: zouyu <zouy.fnst@cn.fujitsu.com>
2020-11-02 15:05:23 +08:00
qingsenLi
30bfa7d078
remove unused const failedExpiration
2020-10-22 18:57:36 +08:00
Kubernetes Prow Robot
215d2c6bce
Merge pull request #92983 from iotty/csr.clean
[pkg/controller/certificates]: remove staled func comments
2020-08-27 19:08:23 -07:00
Zhou Peng
80519cee5b
[pkg/controller/certificates]: remove staled func comments
This was introduced by commit: f04ce3cfba
Since this func is simple and clear enough, just not comment it anymore.
Signed-off-by: Zhou Peng <p@ctriple.cn>
2020-07-11 17:08:28 +08:00
David Eads
1233a6f63e
generated
2020-07-09 08:14:55 -04:00
David Eads
e88fecf26b
allow setting different certificates for kube-controller-managed CSR signers
2020-07-09 08:14:55 -04:00
Kobayashi Daisuke
4ae11dac2e
Replace StartLogging(klog.Infof) with StartStructuredLogging(0)
2020-06-15 17:48:35 +09:00
Jordan Liggitt
db4ca87d9d
Switch CSR approver/signer/cleaner controllers to v1
2020-06-05 18:45:34 -04:00
Jordan Liggitt
7049149181
Generated files
2020-05-28 16:53:23 -04:00
Jordan Liggitt
94fd1d76ca
Switch issued check to inspect certificate length
2020-05-28 12:20:40 -04:00
Jordan Liggitt
d33a19cee7
Clean failed CSRs
2020-05-28 12:20:40 -04:00
Jordan Liggitt
57eddd5e04
Record Failed condition in signer controller
2020-05-28 12:20:40 -04:00
Davanum Srinivas
07d88617e5
Run hack/update-vendor.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:33 -04:00
Davanum Srinivas
442a69c3bd
switch over k/k to use klog v2
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:27 -04:00
David Eads
83035890ad
refactor the CSR controller into distinct controllers to allow easy configuration of multiple signing keys
2020-05-05 10:18:04 -04:00
Jordan Liggitt
d8abacba40
client-go: update expansions callers
2020-03-06 16:50:41 -05:00
Mike Danese
c58e69ec79
automated refactor
2020-03-05 14:59:46 -08:00
James Munnelly
d5dae04898
certificates: update controllers to understand signerName field
Signed-off-by: James Munnelly <james.munnelly@jetstack.io>
2020-02-27 15:54:31 +00:00
James Munnelly
a983356caa
Add signerName field to CSR resource spec
Signed-off-by: James Munnelly <james.munnelly@jetstack.io>
2020-02-27 10:17:55 +00:00
taesun_lee
79680b5d9b
Fix pkg/controller typos in some error messages, comments etc
- applied review results by LuisSanchez
- Co-Authored-By: Luis Sanchez <sanchezl@redhat.com>
genernal -> general
iniital -> initial
initalObjects -> initialObjects
intentionaly -> intentionally
inforer -> informer
anotother -> another
triger -> trigger
mutli -> multi
Verifyies -> Verifies
valume -> volume
unexpect -> unexpected
unfulfiled -> unfulfilled
implenets -> implements
assignement -> assignment
expectataions -> expectations
nexpected -> unexpected
boundSatsified -> boundSatisfied
externel -> external
calcuates -> calculates
workes -> workers
unitialized -> uninitialized
afater -> after
Espected -> Expected
nodeMontiorGracePeriod -> NodeMonitorGracePeriod
estimateGrracefulTermination -> estimateGracefulTermination
secondrary -> secondary
ShouldRunDaemonPodOnUnscheduableNode -> ShouldRunDaemonPodOnUnschedulableNode
rrror -> error
expectatitons -> expectations
foud -> found
epackage -> package
succesfulJobs -> successfulJobs
namesapce -> namespace
ConfigMapResynce -> ConfigMapResync
2020-02-27 00:15:33 +09:00
Mike Danese
25651408ae
generated: run refactor
2020-02-08 12:30:21 -05:00
Mike Danese
3aa59f7f30
generated: run refactor
2020-02-07 18:16:47 -08:00
Tim Allclair
9d3670f358
Ensure testing credentials are labeled as such
2020-02-04 10:36:05 -08:00
David Eads
5c2d2c5ef1
rename dynamic cert loading to be more accurate
2020-01-22 15:00:46 -05:00
David Eads
6ccfc3aecf
add dynamic reloading for CSR signing controllers
2020-01-22 15:00:46 -05:00
Jordan Liggitt
054e3846fc
Use v1 subjectaccessreview API in controller-manager CSR approver
2020-01-13 15:55:52 -05:00
danielqsj
5bc0e26c19
unify alias of api errors under pkg and staging
2019-12-26 16:42:28 +08:00
yuxiaobo
81e9f21f83
Correct spelling mistakes
Signed-off-by: yuxiaobo <yuxiaobogo@163.com>
2019-11-06 20:25:19 +08:00
Mike Danese
6a004d0c18
support URI SANs in local signer
2019-11-04 10:56:06 -08:00
Mike Danese
fe51712288
refactor into separate authority package
2019-11-04 10:56:06 -08:00
Mike Danese
4bd2c3998f
don't use cfssl in signer
2019-11-04 10:56:06 -08:00
Ryan Phillips
f87da3fdfa
fixes for tests to pass with FIPS compiler
* use P256 ECDSA key since P224 is not supported
* regen test certs to be 2048 bits
2019-10-30 10:10:11 -05:00
wojtekt
7b6bcdf780
Autogenerated code
2019-10-24 20:21:00 +02:00
Yassine TIJANI
c1487840bc
move util/metrics to component-base
Signed-off-by: Yassine TIJANI <ytijani@vmware.com>
2019-10-08 14:42:31 +02:00
David Eads
e8b5781499
add identification for particular certificate controllers
2019-09-03 14:05:04 -04:00
Yassine TIJANI
7e4c3096fe
move WaitForCacheSync to the sharedInformer package
Signed-off-by: Yassine TIJANI <ytijani@vmware.com>
2019-08-22 16:13:41 +01:00
David Xia
fabfd950b1
cleanup: fix some log and error capitalizations
Part of https://github.com/kubernetes/kubernetes/issues/15863
2019-07-20 18:26:16 -04:00
SataQiu
3c35e4e2d6
fix golint failures of pkg/controller/certificates/approver
2019-05-02 10:37:38 +08:00