Commit Graph

169 Commits

Author SHA1 Message Date
Kubernetes Prow Robot
cb41d5002c
Merge pull request #111061 from pacoxu/key-encipherment-optional
modify the signing/approving controller to tolerate either set of usages for kubelet client and serving certificates
2022-08-02 18:55:51 -07:00
Paco Xu
e6176c28b7 modify the signing/approving controller to tolerate either set of usages for kubelet client and serving certificates
Signed-off-by: Paco Xu <paco.xu@daocloud.io>
2022-08-03 05:12:04 +08:00
Davanum Srinivas
a9593d634c
Generate and format files
- Run hack/update-codegen.sh
- Run hack/update-generated-device-plugin.sh
- Run hack/update-generated-protobuf.sh
- Run hack/update-generated-runtime.sh
- Run hack/update-generated-swagger-docs.sh
- Run hack/update-openapi-spec.sh
- Run hack/update-gofmt.sh

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2022-07-26 13:14:05 -04:00
Wojciech Tyczyński
d9d46d5326 Clean shutdown of certificates integration tests 2022-06-02 21:02:04 +02:00
Kubernetes Prow Robot
14e8db067e
Merge pull request #108191 from ravisantoshgudimetla/wire-cert-contexts
Wire cert contexts
2022-03-23 11:20:17 -07:00
Ryan Richard
e29ac0f8be Promote CertificateSigningRequest's Spec.ExpirationSeconds field to GA
Remove the comment "As of v1.22, this field is beta and is controlled
via the CSRDuration feature gate" from the expirationSeconds field's
godoc.

Mark the "CSRDuration" feature gate as GA in 1.24, lock its value to
"true", and remove the various logic which handled when the gate was
"false".

Update conformance test to check that the CertificateSigningRequest's
Spec.ExpirationSeconds field is stored, but do not check if the field
is honored since this functionality is optional.
2022-03-18 14:41:43 -07:00
Ravi Gudimetla
72a62f47f7 Wire context for cert controllers
All the controllers should use context for signalling termination of communication with API server. Once kcm cancels context all the cert controllers which are started via kcm should cancel the APIServer request in flight instead of hanging around.
2022-03-07 10:19:45 -05:00
sivchari
a5c5acf56e fix curent to current 2021-12-17 03:33:22 +09:00
Davanum Srinivas
9405e9b55e
Check in OWNERS modified by update-yamlfmt.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-12-09 21:31:26 -05:00
Stanislav Laznicka
b67bd722a9
rootcacertpublisher: drop the namespace label from metrics to reduce its cardinality
The `root_ca_cert_publisher_sync_duration_seconds` metric tracks the sync
duration in the root CA cert publisher per code and namespace. In
clusters with a high namespace turnover (like CI clusters), this may
cause the kube-controller-manager to expose over 100k series to
Prometheus, which may cause degradation of that service.

Drop the `namespace` label to remove the metrics' cardinality, tracking
this metric by namespace does not justify the impact of keeping it.
2021-09-16 14:05:32 +02:00
wojtekt
e233feb99b Migrate to k8s.io/utils/clock in pkg/controller 2021-09-10 11:42:32 +02:00
Stephen Augustus
481cf6fbe7
generated: Run hack/update-gofmt.sh
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2021-08-24 15:47:49 -04:00
Jordan Liggitt
236e72cf8a Make CSR cleaner tolerate objects with invalid status.certificate 2021-07-21 10:35:17 -04:00
Monis Khan
cd91e59f7c
csr: add expirationSeconds field to control cert lifetime
This change updates the CSR API to add a new, optional field called
expirationSeconds.  This field is a request to the signer for the
maximum duration the client wishes the cert to have.  The signer is
free to ignore this request based on its own internal policy.  The
signers built-in to KCM will honor this field if it is not set to a
value greater than --cluster-signing-duration.  The minimum allowed
value for this field is 600 seconds (ten minutes).

This change will help enforce safer durations for certificates in
the Kube ecosystem and will help related projects such as
cert-manager with their migration to the Kube CSR API.

Future enhancements may update the Kubelet to take advantage of this
field when it is configured in a way that can tolerate shorter
certificate lifespans with regular rotation.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-07-01 23:38:15 -04:00
Monis Khan
7e891e5d6c
csr: correctly handle backdating of short lived certs
This change updates the backdating logic to only be applied to the
NotBefore date and not the NotAfter date when the certificate is
short lived. Thus when such a certificate is issued, it will not be
immediately expired.  Long lived certificates continue to have the
same lifetime as before.

Consolidated all certificate lifetime logic into the
PermissiveSigningPolicy.policy method.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-23 15:36:11 -04:00
Kubernetes Prow Robot
df9ad4d7d2
Merge pull request #96094 from Hellcatlk/m
Some comments' typos
2021-04-16 11:54:22 -07:00
Kubernetes Prow Robot
d51f15ed0d
Merge pull request #100885 from enj/enj/i/auth_owners
Update sig-auth OWNERS
2021-04-12 22:18:49 -07:00
David Eads
443e4ea0df include description of what kube-root-ca.crt can be used to verify 2021-04-08 10:43:41 -04:00
Monis Khan
bca4993004
Update auth OWNERS files to only use aliases
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-07 10:46:03 -04:00
Benjamin Elder
56e092e382 hack/update-bazel.sh 2021-02-28 15:17:29 -08:00
Shihang Zhang
bbce0468d4 add metrics for rootcacertpublisher controller 2021-02-16 21:56:41 -08:00
Shihang Zhang
2c378beb64 abort if namespace doesn't exist or terminating 2020-11-05 11:12:15 -08:00
Shihang Zhang
d40f0c43c4 separate RootCAConfigMap from BoundServiceAccountTokenVolume 2020-11-04 17:10:39 -08:00
zouyu
7dd4622c84 Some comments' typos
Signed-off-by: zouyu <zouy.fnst@cn.fujitsu.com>
2020-11-02 15:05:23 +08:00
qingsenLi
30bfa7d078 remove unused const failedExpiration 2020-10-22 18:57:36 +08:00
Kubernetes Prow Robot
215d2c6bce
Merge pull request #92983 from iotty/csr.clean
[pkg/controller/certificates]: remove staled func comments
2020-08-27 19:08:23 -07:00
Zhou Peng
80519cee5b [pkg/controller/certificates]: remove staled func comments
This was introduced by commit: f04ce3cfba
Since this func is simple and clear enough, just not comment it anymore.

Signed-off-by: Zhou Peng <p@ctriple.cn>
2020-07-11 17:08:28 +08:00
David Eads
1233a6f63e generated 2020-07-09 08:14:55 -04:00
David Eads
e88fecf26b allow setting different certificates for kube-controller-managed CSR signers 2020-07-09 08:14:55 -04:00
Kobayashi Daisuke
4ae11dac2e Replace StartLogging(klog.Infof) with StartStructuredLogging(0) 2020-06-15 17:48:35 +09:00
Jordan Liggitt
db4ca87d9d Switch CSR approver/signer/cleaner controllers to v1 2020-06-05 18:45:34 -04:00
Jordan Liggitt
7049149181 Generated files 2020-05-28 16:53:23 -04:00
Jordan Liggitt
94fd1d76ca Switch issued check to inspect certificate length 2020-05-28 12:20:40 -04:00
Jordan Liggitt
d33a19cee7 Clean failed CSRs 2020-05-28 12:20:40 -04:00
Jordan Liggitt
57eddd5e04 Record Failed condition in signer controller 2020-05-28 12:20:40 -04:00
Davanum Srinivas
07d88617e5
Run hack/update-vendor.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:33 -04:00
Davanum Srinivas
442a69c3bd
switch over k/k to use klog v2
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:27 -04:00
David Eads
83035890ad refactor the CSR controller into distinct controllers to allow easy configuration of multiple signing keys 2020-05-05 10:18:04 -04:00
Jordan Liggitt
d8abacba40 client-go: update expansions callers 2020-03-06 16:50:41 -05:00
Mike Danese
c58e69ec79 automated refactor 2020-03-05 14:59:46 -08:00
James Munnelly
d5dae04898 certificates: update controllers to understand signerName field
Signed-off-by: James Munnelly <james.munnelly@jetstack.io>
2020-02-27 15:54:31 +00:00
James Munnelly
a983356caa Add signerName field to CSR resource spec
Signed-off-by: James Munnelly <james.munnelly@jetstack.io>
2020-02-27 10:17:55 +00:00
taesun_lee
79680b5d9b Fix pkg/controller typos in some error messages, comments etc
- applied review results by LuisSanchez
- Co-Authored-By: Luis Sanchez <sanchezl@redhat.com>

genernal -> general
iniital -> initial
initalObjects -> initialObjects
intentionaly -> intentionally
inforer -> informer
anotother -> another
triger -> trigger
mutli -> multi
Verifyies -> Verifies
valume -> volume
unexpect -> unexpected
unfulfiled -> unfulfilled
implenets -> implements
assignement -> assignment
expectataions -> expectations
nexpected -> unexpected
boundSatsified -> boundSatisfied
externel -> external
calcuates -> calculates
workes -> workers
unitialized -> uninitialized
afater -> after
Espected -> Expected
nodeMontiorGracePeriod -> NodeMonitorGracePeriod
estimateGrracefulTermination -> estimateGracefulTermination
secondrary -> secondary
ShouldRunDaemonPodOnUnscheduableNode -> ShouldRunDaemonPodOnUnschedulableNode
rrror -> error
expectatitons -> expectations
foud -> found
epackage -> package
succesfulJobs -> successfulJobs
namesapce -> namespace
ConfigMapResynce -> ConfigMapResync
2020-02-27 00:15:33 +09:00
Mike Danese
25651408ae generated: run refactor 2020-02-08 12:30:21 -05:00
Mike Danese
3aa59f7f30 generated: run refactor 2020-02-07 18:16:47 -08:00
Tim Allclair
9d3670f358 Ensure testing credentials are labeled as such 2020-02-04 10:36:05 -08:00
David Eads
5c2d2c5ef1 rename dynamic cert loading to be more accurate 2020-01-22 15:00:46 -05:00
David Eads
6ccfc3aecf add dynamic reloading for CSR signing controllers 2020-01-22 15:00:46 -05:00
Jordan Liggitt
054e3846fc Use v1 subjectaccessreview API in controller-manager CSR approver 2020-01-13 15:55:52 -05:00
danielqsj
5bc0e26c19 unify alias of api errors under pkg and staging 2019-12-26 16:42:28 +08:00