[pull] master from cert-manager:master #1066
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![pull[bot]](https://avatars.githubusercontent.com/in/12910?s=60&v=4){kind=small}
Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
[CI] Merge self-upgrade-master into master
Signed-off-by: harshitasao <harshitasao@gmail.com>
Signed-off-by: Richard Wall <richard.wall@venafi.com>
Signed-off-by: Richard Wall <richard.wall@venafi.com>
Signed-off-by: Richard Wall <richard.wall@venafi.com>
Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
Signed-off-by: harshitasao <harshitasao@gmail.com>
Reduce memory usage by only caching the metadata of Secret resources
BUGFIX: AWS route53: Set global region for sts
This allows configuration of the http01 solver PodSecurityContext as part of the Issuer specification. Signed-off-by: Adrian Lai <aidy@loathe.me.uk>
Signed-off-by: Adrian Lai <aidy@loathe.me.uk>
Signed-off-by: Adrian Lai <aidy@loathe.me.uk>
Signed-off-by: Adrian Lai <adrian.lai@jetstack.io>
Signed-off-by: Adrian Lai <adrian.lai@jetstack.io>
These were copy-pasted in from the parent definitions. We don't marshal to protobuf (none of the other structs have equivalent annotations), so remove them as they are unnecessary. Signed-off-by: Adrian Lai <adrian.lai@jetstack.io>
Signed-off-by: Bartosz Slawianowski <bartosz.slawianowski@natzka.com>
Signed-off-by: Miguel Varela Ramos <miguel@cohere.ai>
Signed-off-by: Miguel Varela Ramos <miguel@cohere.ai>
Signed-off-by: Miguel Varela Ramos <miguel@cohere.ai>
Signed-off-by: Bartosz Slawianowski <bartosz.slawianowski@natzka.com>
Signed-off-by: Miguel Varela Ramos <miguel@cohere.ai>
Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
[CI] Merge self-upgrade-master into master
Signed-off-by: Miguel Varela Ramos <miguel@cohere.ai>
Use new go 1.23 iterators
Signed-off-by: Adam Talbot <adamtalbot93@googlemail.com>
…eated when a certificate is deleted Signed-off-by: Adam Talbot <adamtalbot93@googlemail.com>
…te-requests-while-being-deleted fix: don't create certificaterequests while being deleted
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
[CI] Self-upgrade merging self-upgrade-master into master
Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
add IPv6 example for recursive DNS arg
See also #7357 A US DoD document [1] states that: > Effective immediately, all Public Key enabled commercial-off-the-shelf > software and Public Key enabled Open-Source software integrations [...] > must support at least RSA-3072 (4096 is preferred) and SHA-384. cert-manager already supports large RSA keys - that's no problem. But we always use SHA256 with all RSA keys currently; this commit changes that so we use SHA512 for RSA keys 4096 bits and above, or else SHA384 for RSA keys 3072 bits and above, or else SHA256. We discussed in standups / in the issue how to roll this out, and the consensus so far has been to roll this out unilaterally. Albeit we don't have data to support our assumption, we believe there won't be any huge compatibility problems from using this approach. One potential issue is that SHA512 can take (much) longer on some low powered 32-bit platforms (think older Raspberry Pis). We decided that the risk of slowdown there isn't worth delaying the rollout of this. Plus, people using those devices always have the option of using RSA-2048 or else ECDSA / Ed25519. [1]: https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/pdf/unclass-memo_dodcryptoalgorithms.pdf Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
Use different hash algorithms for larger RSA keys
Remove unused test functions
Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
Cleanup key gen / RSA key sizes
Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>
[CI] Merge self-upgrade-master into master
Signed-off-by: Jochen Richter <jochenrichter84@gmail.com>
Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
add tenantID option to azureDNS managedIdentity
Resources with applyset labels will be pruned, which is problematic. Instead of a generic annotation to control label propagation, the applyset labels are always excluded. This should be a good middleground whilst an API for doing this in a more generic way is discussed. The label should not ever be propagated, and so is a safe default. Fixes: #7306 Signed-off-by: Thomas Way <thomas@6f.io>
Do not propagate applyset labels
Includes a lot of comments explaining how the maxima were calculated. This is _very_ conservative, and assumes we're dealing with RSA keys twice the size of what we actually allow as a maximum. From running the included benchmark it seems the pathological runtime is about 13617196ns (13ms) on an M2 Max which seems acceptable. Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
Restrict max size of PEM inputs
Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>
[CI] Merge self-upgrade-master into master
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )