Previously, the Vault issuer was only able to use a Secret in order to
use the "Kubernetes authe...

Signed-off-by: Maël Valais <[email protected]>

The documentation [1] mentions that `StdoutPipe` should not be used
along with `Run`:

"Wait wil...

Vault: add unit tests for the controller-side validation of the Vault Issuer

make: the kubebuilder 1.26.0 hash for linux/amd64 changed

Signed-off-by: Maël Valais <[email protected]>

Signed-off-by: Maël Valais <[email protected]>

To reduce the variations of naming

Signed-off-by: irbekrm <[email protected]>

Also changes name of --watch-certs flag to --enable-certificate-data-source

Signed-off-by: irbe...

Make the file structure and struct naming more intuitive, add some comments

Signed-off-by: irbe...

Reduce the amount of interfaces enclosing the injectable instance from 3 to 1. Also some minor r...

Cainjector: only reconcile annotated injectables

Signed-off-by: irbekrm <[email protected]>

Disable auto mount service account token in the ACME HTTP01 pod

Signed-off-by: Richard Wall <[email protected]>

Signed-off-by: irbekrm <[email protected]>

Signed-off-by: irbekrm <[email protected]>

Signed-off-by: yulng <[email protected]>

Only trigger reconciles for events on injectable types that are annotated, not random unrelated ...

Signed-off-by: irbekrm <[email protected]>

Bump base images to latest

Signed-off-by: Ashley Davis <[email protected]>

Signed-off-by: Tim Ramlot <[email protected]>

Signed-off-by: Richard Wall <[email protected]>

Signed-off-by: Richard Wall <[email protected]>

https://kyverno.io/policies/other/restrict_automount_sa_token/restrict_automount_sa_token/

Sign...

Signed-off-by: Richard Wall <[email protected]>

Remove the double cache mechanism for cainjector

Revert "automount service account tokens off by default"

This reverts commit 954eb0d875cb79d6da8eca233ccc9267ebf1420c.

Signed-off-by: Richard Wall <rich...

Signed-off-by: Richard Wall <[email protected]>

Configurable via a flag, true by default

Signed-off-by: irbekrm <[email protected]>

Move and rename Certificate util functions

Added the ability to set volumes and volumeMounts to all pods via helm

Signed-off-by: Tim Ramlot <[email protected]>

Co-authored-by: Tim Ramlot <[email protected]>
Signed-off-by: Aaron Aichl...

Signed-off-by: irbekrm <[email protected]>

Signed-off-by: Tim Ramlot <[email protected]>

Signed-off-by: Tim Ramlot <[email protected]>

support subject and email annotations for ingress/gateway

Signed-off-by: ctrought <[email protected]>

Webhook solver conformance bugfix

Signed-off-by: irbekrm <[email protected]>

The way the tests run (a new kube apiserver with a different client created for the same initial...

Signed-off-by: irbekrm <[email protected]>

With the goal of making folks working on these parts of code be aware that this is the one bit t...

Add org.opencontainers.image.source OCI label to containers

Bump keystore-go to v4.4.1

Bump dependencies

Signed-off-by: Aaron Aichlmayr <[email protected]>

Signed-off-by: Aaron Aichlmayr <[email protected]>

helm: expose enable-certificate-owner-ref and -dns01-recursive-nameservers as helm value

Signed-off-by: Jan-Otto Kröpke <[email protected]>

This version points to the same commit as v4.4.0, so there is no actual
code change. However, tr...

Signed-off-by: Luca Comellini <[email protected]>

Signed-off-by: Luca Comellini <[email protected]>

Signed-off-by: Luca Comellini <[email protected]>

Bump base images to latest

Signed-off-by: Ashley Davis <[email protected]>

A full list of pre-defined annotations is available at:
https://github.com/opencontainers/image-...

Use fake kube apiserver version when generating helm template in cmctl x install

Signed-off-by: irbekrm <[email protected]>

Signed-off-by: irbekrm <[email protected]>

Signed-off-by: irbekrm <[email protected]>

Bump go to 1.19.5

Signed-off-by: yanggang <[email protected]>

Signed-off-by: irbekrm <[email protected]>

Bump containerd to fix reported vuln

note that cert-manager is not actually vulnerable to CVE-2022-23471
since the affected code is n...

Ensures that certificate.spec.secretName and temporary private key Secrets are labelled

Move custom acmesolver image above extraArgs

Makes sure that when an unlabelled Secret is encountered at any point (even outside issuance) it...

Signed-off-by: irbekrm <[email protected]>

Signed-off-by: irbekrm <[email protected]>

Signed-off-by: irbekrm <[email protected]>

Fix cainjector's namespace flag

cainjector will still watch cluster-scoped resources such as CRDs, so it can get references to S...

Ensures that only one secrets cache is created for cert-manager controller

Bump golang.org/x/crypto and golang.org/x/oauth2

Ensures that when cainjector has the namespace flag passed, namespaced resource caching is scope...

Signed-off-by: irbekrm <[email protected]>

Signed-off-by: Luca Comellini <[email protected]>

since the acmesolver image has defaults (i.e. the repository is set by
default[1]), the helm cha...

Signed-off-by: irbekrm <[email protected]>

Signed-off-by: irbekrm <[email protected]>

bump base images to latest

Signed-off-by: Ashley Davis <[email protected]>

Bump sigs.k8s.io deps

Avoid logging confusing error messages for external issuers

See https://github.com/cert-manager/cert-manager/issues/5601

When referring to external issuers...

Allow custom helm values files to be supplied to make ko-deploy-certmanager

Remove duplicate ko-deploy-cert-manager make target

fix(AzureDNS): prevent early reconciliations for misconfigured Workload Identity

Various ginkgo tweaks

Signed-off-by: Richard Wall <[email protected]>

Signed-off-by: Richard Wall <[email protected]>

1. Remove deprecated args (progress, slow spec threshold)
2. Disable colors in CI

Signed-off-by...

Signed-off-by: Richard Wall <[email protected]>

Use template when generating tempdir in verify-crds

Due to a bug in controller-gen[1] certain paths are incorrectly split
and part of these paths ca...