sivchari
a5c5acf56e
fix curent to current
2021-12-17 03:33:22 +09:00
wojtekt
e233feb99b
Migrate to k8s.io/utils/clock in pkg/controller
2021-09-10 11:42:32 +02:00
Stephen Augustus
481cf6fbe7
generated: Run hack/update-gofmt.sh
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2021-08-24 15:47:49 -04:00
Monis Khan
cd91e59f7c
csr: add expirationSeconds field to control cert lifetime
This change updates the CSR API to add a new, optional field called
expirationSeconds. This field is a request to the signer for the
maximum duration the client wishes the cert to have. The signer is
free to ignore this request based on its own internal policy. The
signers built-in to KCM will honor this field if it is not set to a
value greater than --cluster-signing-duration. The minimum allowed
value for this field is 600 seconds (ten minutes).
This change will help enforce safer durations for certificates in
the Kube ecosystem and will help related projects such as
cert-manager with their migration to the Kube CSR API.
Future enhancements may update the Kubelet to take advantage of this
field when it is configured in a way that can tolerate shorter
certificate lifespans with regular rotation.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-07-01 23:38:15 -04:00
Monis Khan
7e891e5d6c
csr: correctly handle backdating of short lived certs
This change updates the backdating logic to only be applied to the
NotBefore date and not the NotAfter date when the certificate is
short lived. Thus when such a certificate is issued, it will not be
immediately expired. Long lived certificates continue to have the
same lifetime as before.
Consolidated all certificate lifetime logic into the
PermissiveSigningPolicy.policy method.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-23 15:36:11 -04:00
Benjamin Elder
56e092e382
hack/update-bazel.sh
2021-02-28 15:17:29 -08:00
David Eads
1233a6f63e
generated
2020-07-09 08:14:55 -04:00
David Eads
e88fecf26b
allow setting different certificates for kube-controller-managed CSR signers
2020-07-09 08:14:55 -04:00
Jordan Liggitt
db4ca87d9d
Switch CSR approver/signer/cleaner controllers to v1
2020-06-05 18:45:34 -04:00
Jordan Liggitt
7049149181
Generated files
2020-05-28 16:53:23 -04:00
Jordan Liggitt
57eddd5e04
Record Failed condition in signer controller
2020-05-28 12:20:40 -04:00
David Eads
83035890ad
refactor the CSR controller into distinct controllers to allow easy configuration of multiple signing keys
2020-05-05 10:18:04 -04:00
James Munnelly
d5dae04898
certificates: update controllers to understand signerName field
Signed-off-by: James Munnelly <james.munnelly@jetstack.io>
2020-02-27 15:54:31 +00:00
James Munnelly
a983356caa
Add signerName field to CSR resource spec
Signed-off-by: James Munnelly <james.munnelly@jetstack.io>
2020-02-27 10:17:55 +00:00
Mike Danese
25651408ae
generated: run refactor
2020-02-08 12:30:21 -05:00
Mike Danese
3aa59f7f30
generated: run refactor
2020-02-07 18:16:47 -08:00
Tim Allclair
9d3670f358
Ensure testing credentials are labeled as such
2020-02-04 10:36:05 -08:00
David Eads
5c2d2c5ef1
rename dynamic cert loading to be more accurate
2020-01-22 15:00:46 -05:00
David Eads
6ccfc3aecf
add dynamic reloading for CSR signing controllers
2020-01-22 15:00:46 -05:00
Mike Danese
fe51712288
refactor into separate authority package
2019-11-04 10:56:06 -08:00
Mike Danese
4bd2c3998f
don't use cfssl in signer
2019-11-04 10:56:06 -08:00
wojtekt
7b6bcdf780
Autogenerated code
2019-10-24 20:21:00 +02:00
David Eads
e8b5781499
add identification for particular certificate controllers
2019-09-03 14:05:04 -04:00
David Xia
fabfd950b1
cleanup: fix some log and error capitalizations
Part of https://github.com/kubernetes/kubernetes/issues/15863
2019-07-20 18:26:16 -04:00
stewart-yu
ecbd5427e7
auto-generated file
2019-03-02 12:55:26 +08:00
stewart-yu
e01ff1641c
move config local to every controller in kube-controller-manager
2019-03-02 12:54:33 +08:00
David Eads
179dc4ca43
csr signer has no need to sign certificates for a duration longer than the signer itself
2019-02-04 13:22:17 -05:00
Jeff Grafton
23ceebac22
Run hack/update-bazel.sh
2018-06-22 16:22:57 -07:00
Jeff Grafton
ef56a8d6bb
Autogenerated: hack/update-bazel.sh
2018-02-16 13:43:01 -08:00
Jeff Grafton
efee0704c6
Autogenerate BUILD files
2017-12-23 13:12:11 -08:00
supereagle
b694d51842
use versioned group clients from client-go
2017-11-07 14:47:22 +08:00
Mike Danese
1181a88cf2
certs: remove always nil error from New signature
2017-10-23 11:43:08 -07:00
Jeff Grafton
aee5f457db
update BUILD files
2017-10-15 18:18:13 -07:00
Jeff Grafton
a7f49c906d
Use buildozer to delete licenses() rules except under third_party/
2017-08-11 09:32:39 -07:00
Jeff Grafton
33276f06be
Use buildozer to remove deprecated automanaged tags
2017-08-11 09:31:50 -07:00
Jacob Simpson
29c1b81d4c
Scripted migration from clientset_generated to client-go.
2017-07-17 15:05:37 -07:00
Chao Xu
60604f8818
run hack/update-all
2017-06-22 11:31:03 -07:00
Chao Xu
cde4772928
run ./root-rewrite-all-other-apis.sh, then run make all, pkg/... compiles
2017-06-22 11:30:52 -07:00
Slava Semushin
418cf3710c
Improve error reporting by including file name in the message.
2017-06-06 17:47:11 +02:00
Jacob Simpson
07e9b0e197
Add support for specifying certificate duration at runtime.
2017-05-24 13:29:46 -07:00
Mike Danese
f04ce3cfba
refactor certificate controller
2017-05-23 15:25:58 -07:00