├── .github ├── dependabot.yaml └── workflows │ ├── debian-trust-package-release-bookworm.yaml │ ├── debian-trust-package-release-bullseye.yaml │ ├── debian-trust-package-upgrade-bookworm.yaml │ ├── debian-trust-package-upgrade-bullseye.yaml │ ├── govulncheck.yaml │ ├── make-self-upgrade.yaml │ └── release.yaml ├── .gitignore ├── .golangci.yaml ├── CONTRIBUTING.md ├── LICENSE ├── LICENSES ├── Makefile ├── OWNERS ├── OWNERS_ALIASES ├── README.md ├── RELEASE.md ├── SECURITY.md ├── cmd ├── trust-manager │ ├── app │ │ ├── app.go │ │ └── options │ │ │ └── options.go │ └── main.go └── validate-trust-package │ └── main.go ├── deploy ├── charts │ └── trust-manager │ │ ├── Chart.yaml │ │ ├── README.md │ │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── certificate.yaml │ │ ├── clusterrole.yaml │ │ ├── clusterrolebinding.yaml │ │ ├── crd-trust.cert-manager.io_bundles.yaml │ │ ├── deployment.yaml │ │ ├── extra-manifests.yaml │ │ ├── metrics-service.yaml │ │ ├── metrics-servicemonitor.yaml │ │ ├── poddisruptionbudget.yaml │ │ ├── role.yaml │ │ ├── rolebinding.yaml │ │ ├── serviceaccount.yaml │ │ └── webhook.yaml │ │ ├── values.linter.exceptions │ │ ├── values.schema.json │ │ └── values.yaml └── crds │ ├── README.md │ └── trust.cert-manager.io_bundles.yaml ├── design ├── 20210715.bundle-crd.md ├── 20220722-publicbundle.md └── 20241124-rename-bunde-to-clusterbundle.md ├── docs └── alphav2-changes.md ├── go.mod ├── go.sum ├── klone.yaml ├── make ├── 00_debian_bookworm_version.mk ├── 00_debian_version.mk ├── 00_mod.mk ├── 02_mod.mk ├── _shared │ ├── boilerplate │ │ ├── 00_mod.mk │ │ ├── 01_mod.mk │ │ └── template │ │ │ └── boilerplate.go.txt │ ├── cert-manager │ │ ├── 00_mod.mk │ │ └── 01_mod.mk │ ├── controller-gen │ │ └── 01_mod.mk │ ├── generate-verify │ │ ├── 00_mod.mk │ │ ├── 02_mod.mk │ │ └── util │ │ │ └── verify.sh │ ├── go │ │ ├── .golangci.override.yaml │ │ ├── 01_mod.mk │ │ ├── README.md │ │ └── base │ │ │ └── .github │ │ │ └── workflows │ │ │ └── 
govulncheck.yaml │ ├── helm │ │ ├── 01_mod.mk │ │ ├── crd.template.footer.yaml │ │ ├── crd.template.header.yaml │ │ ├── crds.mk │ │ ├── crds_dir.README.md │ │ ├── deploy.mk │ │ └── helm.mk │ ├── help │ │ ├── 01_mod.mk │ │ └── help.sh │ ├── kind │ │ ├── 00_kind_image_versions.mk │ │ ├── 00_mod.mk │ │ ├── 01_mod.mk │ │ ├── kind-image-preload.mk │ │ └── kind.mk │ ├── klone │ │ └── 01_mod.mk │ ├── licenses │ │ ├── 00_mod.mk │ │ └── 01_mod.mk │ ├── oci-build │ │ ├── 00_mod.mk │ │ └── 01_mod.mk │ ├── oci-publish │ │ ├── 00_mod.mk │ │ ├── 01_mod.mk │ │ └── image-exists.sh │ ├── repository-base │ │ ├── 01_mod.mk │ │ ├── base-dependabot │ │ │ └── .github │ │ │ │ └── dependabot.yaml │ │ └── base │ │ │ ├── .github │ │ │ └── workflows │ │ │ │ └── make-self-upgrade.yaml │ │ │ ├── LICENSE │ │ │ ├── Makefile │ │ │ └── OWNERS_ALIASES │ └── tools │ │ ├── 00_mod.mk │ │ └── util │ │ ├── checkhash.sh │ │ ├── hash.sh │ │ └── lock.sh ├── config │ └── kind │ │ └── cluster.yaml ├── debian-trust-package-bookworm.mk ├── debian-trust-package-fetch.sh ├── debian-trust-package.mk ├── test-integration.mk ├── test-smoke.mk ├── test-unit.mk └── validate-trust-package.mk ├── pkg ├── apis │ ├── doc.go │ ├── trust │ │ ├── doc.go │ │ └── v1alpha1 │ │ │ ├── conversion.go │ │ │ ├── conversion_test.go │ │ │ ├── doc.go │ │ │ ├── register.go │ │ │ ├── types_bundle.go │ │ │ ├── zz_generated.conversion.go │ │ │ └── zz_generated.deepcopy.go │ └── trustmanager │ │ ├── doc.go │ │ └── v1alpha2 │ │ ├── conversion.go │ │ ├── doc.go │ │ ├── register.go │ │ ├── types_cluster_bundle.go │ │ └── zz_generated.deepcopy.go ├── applyconfigurations │ ├── internal │ │ └── internal.go │ ├── trust │ │ └── v1alpha1 │ │ │ ├── additionalformats.go │ │ │ ├── bundle.go │ │ │ ├── bundlesource.go │ │ │ ├── bundlespec.go │ │ │ ├── bundlestatus.go │ │ │ ├── bundletarget.go │ │ │ ├── jks.go │ │ │ ├── keyselector.go │ │ │ ├── pkcs12.go │ │ │ ├── sourceobjectkeyselector.go │ │ │ ├── targetmetadata.go │ │ │ └── targettemplate.go │ ├── 
trustmanager │ │ └── v1alpha2 │ │ │ ├── bundlesource.go │ │ │ ├── bundlespec.go │ │ │ ├── bundlestatus.go │ │ │ ├── bundletarget.go │ │ │ ├── clusterbundle.go │ │ │ ├── keyvaluetarget.go │ │ │ ├── pkcs12.go │ │ │ ├── sourceobjectkeyselector.go │ │ │ ├── targetkeyvalue.go │ │ │ └── targetmetadata.go │ └── utils.go ├── bundle │ ├── bundle.go │ ├── bundle_test.go │ ├── controller.go │ ├── internal │ │ ├── ssa_client │ │ │ ├── bundle_status.go │ │ │ ├── migrate.go │ │ │ └── patch.go │ │ ├── target │ │ │ ├── target.go │ │ │ └── target_test.go │ │ └── truststore │ │ │ ├── TestHTTPConnection.java │ │ │ ├── java_test.go │ │ │ ├── types.go │ │ │ └── types_test.go │ ├── source.go │ ├── source_test.go │ ├── util.go │ └── util_test.go ├── compat │ ├── negative_serial_number.go │ ├── negative_serial_number_godebug_test.go │ ├── negative_serial_number_test.go │ ├── parse_cert.go │ └── util_test.go ├── fspkg │ ├── package.go │ └── package_test.go ├── util │ ├── cert_pool.go │ ├── cert_pool_test.go │ ├── conversion │ │ └── conversion.go │ └── pem_test.go └── webhook │ ├── validation.go │ ├── validation_test.go │ └── webhook.go ├── test ├── dummy │ ├── certificates.go │ └── certificates_test.go ├── env │ ├── data.go │ └── ginkgo.go ├── gen │ └── bundle.go ├── integration │ └── bundle │ │ ├── integration.go │ │ ├── integration_test.go │ │ ├── suite.go │ │ └── validation_test.go ├── kind-cluster.yaml └── smoke │ ├── config │ └── config.go │ ├── smoke_test.go │ └── suite_test.go └── trust-packages ├── README.md └── debian ├── LICENSE ├── LICENSES ├── README.md ├── go.mod ├── go.sum └── main.go /.github/dependabot.yaml: -------------------------------------------------------------------------------- 1 | # THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. 2 | # Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base-dependabot/.github/dependabot.yaml instead. 3 | 4 | # Update Go dependencies and GitHub Actions dependencies daily. 
5 | version: 2 6 | updates: 7 | - package-ecosystem: gomod 8 | directory: / 9 | schedule: 10 | interval: daily 11 | groups: 12 | all: 13 | patterns: ["*"] 14 | - package-ecosystem: github-actions 15 | directory: / 16 | schedule: 17 | interval: daily 18 | groups: 19 | all: 20 | patterns: ["*"] 21 | -------------------------------------------------------------------------------- /.github/workflows/debian-trust-package-release-bookworm.yaml: -------------------------------------------------------------------------------- 1 | name: debian-trust-package-release-bookworm 2 | on: 3 | push: 4 | branches: ['main'] 5 | paths: 6 | - make/00_debian_bookworm_version.mk 7 | 8 | jobs: 9 | build_images: 10 | runs-on: ubuntu-latest 11 | 12 | permissions: 13 | contents: read # needed for checkout 14 | packages: write # needed for push images 15 | id-token: write # needed for keyless signing 16 | 17 | steps: 18 | - uses: actions/checkout@v4 19 | # Adding `fetch-depth: 0` makes sure tags are also fetched. We need 20 | # the tags so `git describe` returns a valid version. 
21 | # see https://github.com/actions/checkout/issues/701 for extra info about this option 22 | with: { fetch-depth: 0 } 23 | 24 | - id: go-version 25 | run: | 26 | make print-go-version >> "$GITHUB_OUTPUT" 27 | 28 | - uses: docker/login-action@v3 29 | with: 30 | registry: quay.io 31 | username: ${{ secrets.QUAY_USERNAME }} 32 | password: ${{ secrets.QUAY_PASSWORD }} 33 | 34 | - uses: actions/setup-go@v5 35 | with: 36 | go-version: ${{ steps.go-version.outputs.result }} 37 | 38 | - id: release 39 | run: make release-debian-bookworm-trust-package 40 | 41 | outputs: 42 | RELEASE_OCI_MANAGER_IMAGE: ${{ steps.release.outputs.RELEASE_OCI_PACKAGE_DEBIAN_BOOKWORM_IMAGE }} 43 | RELEASE_OCI_MANAGER_TAG: ${{ steps.release.outputs.RELEASE_OCI_PACKAGE_DEBIAN_BOOKWORM_TAG }} 44 | -------------------------------------------------------------------------------- /.github/workflows/debian-trust-package-release-bullseye.yaml: -------------------------------------------------------------------------------- 1 | name: debian-trust-package-release-bullseye 2 | on: 3 | push: 4 | branches: ['main'] 5 | paths: 6 | - make/00_debian_version.mk 7 | 8 | jobs: 9 | build_and_push: 10 | runs-on: ubuntu-latest 11 | 12 | permissions: 13 | contents: read # needed for checkout 14 | packages: write # needed for push images 15 | id-token: write # needed for keyless signing 16 | 17 | steps: 18 | - uses: actions/checkout@v4 19 | # Adding `fetch-depth: 0` makes sure tags are also fetched. We need 20 | # the tags so `git describe` returns a valid version. 
21 | # see https://github.com/actions/checkout/issues/701 for extra info about this option 22 | with: { fetch-depth: 0 } 23 | 24 | - id: go-version 25 | run: | 26 | make print-go-version >> "$GITHUB_OUTPUT" 27 | 28 | - uses: docker/login-action@v3 29 | with: 30 | registry: quay.io 31 | username: ${{ secrets.QUAY_USERNAME }} 32 | password: ${{ secrets.QUAY_PASSWORD }} 33 | 34 | - uses: actions/setup-go@v5 35 | with: 36 | go-version: ${{ steps.go-version.outputs.result }} 37 | 38 | - id: release 39 | run: make release-debian-trust-package 40 | 41 | outputs: 42 | RELEASE_OCI_MANAGER_IMAGE: ${{ steps.release.outputs.RELEASE_OCI_PACKAGE_DEBIAN_IMAGE }} 43 | RELEASE_OCI_MANAGER_TAG: ${{ steps.release.outputs.RELEASE_OCI_PACKAGE_DEBIAN_TAG }} 44 | -------------------------------------------------------------------------------- /.github/workflows/debian-trust-package-upgrade-bookworm.yaml: -------------------------------------------------------------------------------- 1 | name: debian-trust-package-upgrade-bookworm 2 | concurrency: debian-trust-package-upgrade-bookworm 3 | on: 4 | workflow_dispatch: {} 5 | schedule: 6 | - cron: '1 1 * * *' 7 | 8 | jobs: 9 | debian-trust-package-upgrade-bookworm: 10 | runs-on: ubuntu-latest 11 | 12 | permissions: 13 | contents: write 14 | pull-requests: write 15 | 16 | env: 17 | SOURCE_BRANCH: "${{ github.ref_name }}" 18 | SELF_UPGRADE_BRANCH: "debian-trust-package-upgrade-bookworm-${{ github.ref_name }}" 19 | 20 | steps: 21 | - name: Fail if branch is not head of branch. 22 | if: ${{ !startsWith(github.ref, 'refs/heads/') && env.SOURCE_BRANCH != '' && env.SELF_UPGRADE_BRANCH != '' }} 23 | run: | 24 | echo "This workflow should not be run on a non-branch-head." 25 | exit 1 26 | 27 | - uses: actions/checkout@v4 28 | # Adding `fetch-depth: 0` makes sure tags are also fetched. We need 29 | # the tags so `git describe` returns a valid version. 
30 | # see https://github.com/actions/checkout/issues/701 for extra info about this option 31 | with: { fetch-depth: 0 } 32 | 33 | - id: go-version 34 | run: | 35 | make print-go-version >> "$GITHUB_OUTPUT" 36 | 37 | - uses: actions/setup-go@v5 38 | with: 39 | go-version: ${{ steps.go-version.outputs.result }} 40 | 41 | - run: | 42 | git checkout -B "$SELF_UPGRADE_BRANCH" 43 | 44 | - run: | 45 | make -j upgrade-debian-trust-package-bookworm-version 46 | 47 | - id: is-up-to-date 48 | shell: bash 49 | run: | 50 | git_status=$(git status -s) 51 | is_up_to_date="true" 52 | if [ -n "$git_status" ]; then 53 | is_up_to_date="false" 54 | echo "The following changes will be committed:" 55 | echo "$git_status" 56 | fi 57 | echo "result=$is_up_to_date" >> "$GITHUB_OUTPUT" 58 | 59 | - if: ${{ steps.is-up-to-date.outputs.result != 'true' }} 60 | run: | 61 | git config --global user.name "cert-manager-bot" 62 | git config --global user.email "cert-manager-bot@users.noreply.github.com" 63 | git add -A && git commit -m "BOT: run 'make upgrade-debian-trust-package-bookworm-version'" --signoff 64 | git push -f origin "$SELF_UPGRADE_BRANCH" 65 | 66 | - if: ${{ steps.is-up-to-date.outputs.result != 'true' }} 67 | uses: actions/github-script@v7 68 | with: 69 | script: | 70 | const { repo, owner } = context.repo; 71 | const pulls = await github.rest.pulls.list({ 72 | owner: owner, 73 | repo: repo, 74 | head: owner + ':' + process.env.SELF_UPGRADE_BRANCH, 75 | base: process.env.SOURCE_BRANCH, 76 | state: 'open', 77 | }); 78 | 79 | if (pulls.data.length < 1) { 80 | await github.rest.pulls.create({ 81 | title: '[CI] Merge ' + process.env.SELF_UPGRADE_BRANCH + ' into ' + process.env.SOURCE_BRANCH, 82 | owner: owner, 83 | repo: repo, 84 | head: process.env.SELF_UPGRADE_BRANCH, 85 | base: process.env.SOURCE_BRANCH, 86 | body: [ 87 | 'This PR is auto-generated to bump the Debian Bookworm package version', 88 | ].join('\n'), 89 | }); 90 | } 91 | 
-------------------------------------------------------------------------------- /.github/workflows/debian-trust-package-upgrade-bullseye.yaml: -------------------------------------------------------------------------------- 1 | name: debian-trust-package-upgrade-bullseye 2 | concurrency: debian-trust-package-upgrade-bullseye 3 | on: 4 | workflow_dispatch: {} 5 | schedule: 6 | - cron: '0 0 * * *' 7 | 8 | jobs: 9 | debian-trust-package-upgrade: 10 | runs-on: ubuntu-latest 11 | 12 | permissions: 13 | contents: write 14 | pull-requests: write 15 | 16 | env: 17 | SOURCE_BRANCH: "${{ github.ref_name }}" 18 | SELF_UPGRADE_BRANCH: "debian-trust-package-upgrade-${{ github.ref_name }}" 19 | 20 | steps: 21 | - name: Fail if branch is not head of branch. 22 | if: ${{ !startsWith(github.ref, 'refs/heads/') && env.SOURCE_BRANCH != '' && env.SELF_UPGRADE_BRANCH != '' }} 23 | run: | 24 | echo "This workflow should not be run on a non-branch-head." 25 | exit 1 26 | 27 | - uses: actions/checkout@v4 28 | # Adding `fetch-depth: 0` makes sure tags are also fetched. We need 29 | # the tags so `git describe` returns a valid version. 
30 | # see https://github.com/actions/checkout/issues/701 for extra info about this option 31 | with: { fetch-depth: 0 } 32 | 33 | - id: go-version 34 | run: | 35 | make print-go-version >> "$GITHUB_OUTPUT" 36 | 37 | - uses: actions/setup-go@v5 38 | with: 39 | go-version: ${{ steps.go-version.outputs.result }} 40 | 41 | - run: | 42 | git checkout -B "$SELF_UPGRADE_BRANCH" 43 | 44 | - run: | 45 | make -j upgrade-debian-trust-package-version 46 | 47 | - id: is-up-to-date 48 | shell: bash 49 | run: | 50 | git_status=$(git status -s) 51 | is_up_to_date="true" 52 | if [ -n "$git_status" ]; then 53 | is_up_to_date="false" 54 | echo "The following changes will be committed:" 55 | echo "$git_status" 56 | fi 57 | echo "result=$is_up_to_date" >> "$GITHUB_OUTPUT" 58 | 59 | - if: ${{ steps.is-up-to-date.outputs.result != 'true' }} 60 | run: | 61 | git config --global user.name "cert-manager-bot" 62 | git config --global user.email "cert-manager-bot@users.noreply.github.com" 63 | git add -A && git commit -m "BOT: run 'make upgrade-debian-trust-package-version'" --signoff 64 | git push -f origin "$SELF_UPGRADE_BRANCH" 65 | 66 | - if: ${{ steps.is-up-to-date.outputs.result != 'true' }} 67 | uses: actions/github-script@v7 68 | with: 69 | script: | 70 | const { repo, owner } = context.repo; 71 | const pulls = await github.rest.pulls.list({ 72 | owner: owner, 73 | repo: repo, 74 | head: owner + ':' + process.env.SELF_UPGRADE_BRANCH, 75 | base: process.env.SOURCE_BRANCH, 76 | state: 'open', 77 | }); 78 | 79 | if (pulls.data.length < 1) { 80 | await github.rest.pulls.create({ 81 | title: '[CI] Merge ' + process.env.SELF_UPGRADE_BRANCH + ' into ' + process.env.SOURCE_BRANCH, 82 | owner: owner, 83 | repo: repo, 84 | head: process.env.SELF_UPGRADE_BRANCH, 85 | base: process.env.SOURCE_BRANCH, 86 | body: [ 87 | 'This PR is auto-generated to bump the Debian package version', 88 | ].join('\n'), 89 | }); 90 | } 91 | 
-------------------------------------------------------------------------------- /.github/workflows/govulncheck.yaml: -------------------------------------------------------------------------------- 1 | # THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. 2 | # Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/go/base/.github/workflows/govulncheck.yaml instead. 3 | 4 | # Run govulncheck at midnight every night on the main branch, 5 | # to alert us to recent vulnerabilities which affect the Go code in this 6 | # project. 7 | name: govulncheck 8 | on: 9 | workflow_dispatch: {} 10 | schedule: 11 | - cron: '0 0 * * *' 12 | 13 | permissions: 14 | contents: read 15 | 16 | jobs: 17 | govulncheck: 18 | runs-on: ubuntu-latest 19 | 20 | if: github.repository_owner == 'cert-manager' 21 | 22 | steps: 23 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 24 | # Adding `fetch-depth: 0` makes sure tags are also fetched. We need 25 | # the tags so `git describe` returns a valid version. 
26 | # see https://github.com/actions/checkout/issues/701 for extra info about this option 27 | with: { fetch-depth: 0 } 28 | 29 | - id: go-version 30 | run: | 31 | make print-go-version >> "$GITHUB_OUTPUT" 32 | 33 | - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 34 | with: 35 | go-version: ${{ steps.go-version.outputs.result }} 36 | 37 | - run: make verify-govulncheck 38 | -------------------------------------------------------------------------------- /.github/workflows/release.yaml: -------------------------------------------------------------------------------- 1 | name: release 2 | on: 3 | push: 4 | tags: 5 | - "v*" 6 | 7 | env: 8 | VERSION: ${{ github.ref_name }} 9 | 10 | jobs: 11 | build_and_push: 12 | runs-on: ubuntu-latest 13 | 14 | permissions: 15 | contents: read # needed for checkout 16 | packages: write # needed for push images 17 | id-token: write # needed for keyless signing. NOTE(review): this job holds the quay.io credentials and an OIDC signing token, yet references its actions by mutable major tags (checkout@v4, login-action@v3, setup-go@v5); govulncheck.yaml in this repo pins by commit SHA, and the same pinning is advisable here since a moved tag would run in this privileged context. 18 | 19 | steps: 20 | - uses: actions/checkout@v4 21 | 22 | - id: go-version 23 | run: | 24 | make print-go-version >> "$GITHUB_OUTPUT" 25 | 26 | - uses: docker/login-action@v3 27 | with: 28 | registry: quay.io 29 | username: ${{ secrets.QUAY_USERNAME }} 30 | password: ${{ secrets.QUAY_PASSWORD }} 31 | 32 | - uses: actions/setup-go@v5 33 | with: 34 | go-version: ${{ steps.go-version.outputs.result }} 35 | 36 | - id: release 37 | run: make release 38 | 39 | outputs: 40 | RELEASE_OCI_MANAGER_IMAGE: ${{ steps.release.outputs.RELEASE_OCI_MANAGER_IMAGE }} 41 | RELEASE_OCI_MANAGER_TAG: ${{ steps.release.outputs.RELEASE_OCI_MANAGER_TAG }} 42 | RELEASE_OCI_PACKAGE_DEBIAN_IMAGE: ${{ steps.release.outputs.RELEASE_OCI_PACKAGE_DEBIAN_IMAGE }} 43 | RELEASE_OCI_PACKAGE_DEBIAN_TAG: ${{ steps.release.outputs.RELEASE_OCI_PACKAGE_DEBIAN_TAG }} 44 | RELEASE_HELM_CHART_IMAGE: ${{ steps.release.outputs.RELEASE_HELM_CHART_IMAGE }} 45 | RELEASE_HELM_CHART_VERSION: ${{ steps.release.outputs.RELEASE_HELM_CHART_VERSION }} 46 | 47 | github_release: 48 | runs-on: ubuntu-latest 49 
| 50 | needs: build_and_push 51 | 52 | permissions: 53 | contents: write # needed by 'gh release create' below (this job creates a draft GitHub release, not a PR) 54 | pull-requests: write # not used by this job, which only runs 'gh release create'; candidate for removal under least privilege. NOTE(review): the echo lines below expand ${{ needs.* }} outputs directly into the shell script; passing them through env: and expanding "$VAR" (as is already done for VERSION) avoids shell injection if an output ever contains unexpected characters. 55 | 56 | steps: 57 | - run: | 58 | touch .notes-file 59 | echo "OCI_MANAGER_IMAGE: ${{ needs.build_and_push.outputs.RELEASE_OCI_MANAGER_IMAGE }}" >> .notes-file 60 | echo "OCI_MANAGER_TAG: ${{ needs.build_and_push.outputs.RELEASE_OCI_MANAGER_TAG }}" >> .notes-file 61 | echo "OCI_PACKAGE_DEBIAN_IMAGE: ${{ needs.build_and_push.outputs.RELEASE_OCI_PACKAGE_DEBIAN_IMAGE }}" >> .notes-file 62 | echo "OCI_PACKAGE_DEBIAN_TAG: ${{ needs.build_and_push.outputs.RELEASE_OCI_PACKAGE_DEBIAN_TAG }}" >> .notes-file 63 | echo "HELM_CHART_IMAGE: ${{ needs.build_and_push.outputs.RELEASE_HELM_CHART_IMAGE }}" >> .notes-file 64 | echo "HELM_CHART_VERSION: ${{ needs.build_and_push.outputs.RELEASE_HELM_CHART_VERSION }}" >> .notes-file 65 | 66 | - env: 67 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 68 | run: | 69 | gh release create "$VERSION" \ 70 | --repo="$GITHUB_REPOSITORY" \ 71 | --title="${VERSION}" \ 72 | --draft \ 73 | --verify-tag \ 74 | --notes-file .notes-file 75 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Binaries for programs and plugins 2 | *.exe 3 | *.exe~ 4 | *.dll 5 | *.so 6 | *.dylib 7 | bin 8 | testbin/* 9 | 10 | # Test binary, build with `go test -c` 11 | *.test 12 | 13 | # Output of the go coverage tool, specifically when used with LiteIDE 14 | *.out 15 | 16 | # Kubernetes Generated files - skip generated files, except for vendored files 17 | !vendor/**/zz_generated.* 18 | 19 | # editor and IDE paraphernalia 20 | .idea 21 | *.swp 22 | *.swo 23 | *~ 24 | 25 | _bin 26 | _certs 27 | _artifacts 28 | .vscode 29 | 30 | # direnv files 31 | .envrc 32 | -------------------------------------------------------------------------------- /.golangci.yaml: 
-------------------------------------------------------------------------------- 1 | version: "2" 2 | linters: 3 | default: none 4 | exclusions: 5 | generated: lax 6 | presets: [comments, common-false-positives, legacy, std-error-handling] 7 | paths: [third_party$, builtin$, examples$] 8 | warn-unused: true 9 | settings: 10 | staticcheck: 11 | checks: ["all", "-ST1000", "-ST1001", "-ST1003", "-ST1005", "-ST1012", "-ST1016", "-ST1020", "-ST1021", "-ST1022", "-QF1001", "-QF1003", "-QF1008"] 12 | enable: 13 | - asasalint 14 | - asciicheck 15 | - bidichk 16 | - bodyclose 17 | - canonicalheader 18 | - contextcheck 19 | - copyloopvar 20 | - decorder 21 | - dogsled 22 | - dupword 23 | - durationcheck 24 | - errcheck 25 | - errchkjson 26 | - errname 27 | - exhaustive 28 | - exptostd 29 | - forbidigo 30 | - ginkgolinter 31 | - gocheckcompilerdirectives 32 | - gochecksumtype 33 | - gocritic 34 | - goheader 35 | - goprintffuncname 36 | - gosec 37 | - gosmopolitan 38 | - govet 39 | - grouper 40 | - importas 41 | - ineffassign 42 | - interfacebloat 43 | - intrange 44 | - loggercheck 45 | - makezero 46 | - mirror 47 | - misspell 48 | - musttag 49 | - nakedret 50 | - nilerr 51 | - nilnil 52 | - noctx 53 | - nosprintfhostport 54 | - predeclared 55 | - promlinter 56 | - protogetter 57 | - reassign 58 | - sloglint 59 | - staticcheck 60 | - tagalign 61 | - testableexamples 62 | - unconvert 63 | - unparam 64 | - unused 65 | - usestdlibvars 66 | - usetesting 67 | - wastedassign 68 | formatters: 69 | enable: [gci, gofmt] 70 | settings: 71 | gci: 72 | sections: 73 | - standard # Standard section: captures all standard packages. 74 | - default # Default section: contains all imports that could not be matched to another section type. 75 | - prefix(github.com/cert-manager/trust-manager) # Custom section: groups all imports with the specified Prefix. 76 | - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled. 
77 | - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled. 78 | exclusions: 79 | generated: lax 80 | paths: [third_party$, builtin$, examples$] 81 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | You can find our full contributing guide on [our website](https://cert-manager.io/docs/contributing/). 4 | 5 | ## DCO Sign off 6 | 7 | All contributors to the project retain copyright to their work. However, to ensure 8 | that they are only submitting work that they have rights to, we require 9 | everyone to acknowledge this by signing their work. 10 | 11 | Any copyright notices in this repo should specify the authors as 12 | "The cert-manager Authors". 13 | 14 | To sign your work, just add a line like this at the end of your commit message: 15 | 16 | ```text 17 | Signed-off-by: Joe Bloggs 18 | ``` 19 | 20 | This can easily be done with the `--signoff` option to `git commit`. 21 | You can also mass sign-off a whole PR with `git rebase --signoff master`, replacing 22 | `master` with the branch you are creating the pull request against, if that is not `master`. 23 | 24 | By doing this you state that you can certify the following (from https://developercertificate.org/): 25 | 26 | ```text 27 | Developer Certificate of Origin 28 | Version 1.1 29 | 30 | Copyright (C) 2004, 2006 The Linux Foundation and its contributors. 31 | 1 Letterman Drive 32 | Suite D4700 33 | San Francisco, CA, 94129 34 | 35 | Everyone is permitted to copy and distribute verbatim copies of this 36 | license document, but changing it is not allowed. 
37 | 38 | 39 | Developer's Certificate of Origin 1.1 40 | 41 | By making a contribution to this project, I certify that: 42 | 43 | (a) The contribution was created in whole or in part by me and I 44 | have the right to submit it under the open source license 45 | indicated in the file; or 46 | 47 | (b) The contribution is based upon previous work that, to the best 48 | of my knowledge, is covered under an appropriate open source 49 | license and I have the right under that license to submit that 50 | work with modifications, whether created in whole or in part 51 | by me, under the same open source license (unless I am 52 | permitted to submit under a different license), as indicated 53 | in the file; or 54 | 55 | (c) The contribution was provided directly to me by some other 56 | person who certified (a), (b) or (c) and I have not modified 57 | it. 58 | 59 | (d) I understand and agree that this project and the contribution 60 | are public and that a record of the contribution (including all 61 | personal information I submit with it, including my sign-off) is 62 | maintained indefinitely and may be redistributed consistent with 63 | this project or the open source license(s) involved. 64 | ``` 65 | -------------------------------------------------------------------------------- /OWNERS: -------------------------------------------------------------------------------- 1 | approvers: 2 | - cm-maintainers 3 | - erikgb 4 | reviewers: 5 | - cm-maintainers 6 | - erikgb 7 | - thatsmrtalbot -------------------------------------------------------------------------------- /OWNERS_ALIASES: -------------------------------------------------------------------------------- 1 | # THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. 2 | # Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/OWNERS_ALIASES instead. 
3 | 4 | aliases: 5 | cm-maintainers: 6 | - munnerz 7 | - joshvanl 8 | - wallrj 9 | - jakexks 10 | - maelvls 11 | - sgtcodfish 12 | - inteon 13 | - thatsmrtalbot 14 | - erikgb 15 | -------------------------------------------------------------------------------- /RELEASE.md: -------------------------------------------------------------------------------- 1 | # Releases 2 | 3 | ## Schedule 4 | 5 | The release schedule for this project is ad-hoc. Given the pre-1.0 status of the project we do not have a fixed release cadence. However if a vulnerability is discovered we will respond in accordance with our [security policy](https://github.com/cert-manager/community/blob/main/SECURITY.md) and this response may include a release. 6 | 7 | ## Process 8 | 9 | There is a semi-automated release process for this project. When you create a Git tag with a tagname that has a `v` prefix and push it to GitHub it will trigger the [release workflow]. 10 | 11 | The release process for this repo is documented below: 12 | 13 | 1. Create a tag for the new release: 14 | ```sh 15 | export VERSION=v0.5.0-alpha.0 16 | git tag --annotate --message="Release ${VERSION}" "${VERSION}" 17 | git push origin "${VERSION}" 18 | ``` 19 | 2. A GitHub action will see the new tag and do the following: 20 | - Build and publish any container images 21 | - Build and publish the Helm chart 22 | - Create a draft GitHub release 23 | 3. Wait for the PR to be merged and wait for OCI Helm chart to propagate and become available from https://charts.jetstack.io (this might take a few hours). 24 | 4. Visit the [releases page], edit the draft release, click "Generate release notes", then edit the notes to add the following to the top 25 | ``` 26 | trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters. 27 | ``` 28 | 5. Publish the release. 29 | 30 | ## Trust package 31 | 32 | As well as the trust-manager container images, we also publish a trust package image. 
For more information on what a trust package is, see the [trust-packages readme](trust-packages/README.md). This process is fully automated through GitHub Actions: 33 | 34 | 1. A nightly cron GitHub Action ([bullseye](https://github.com/cert-manager/trust-manager/blob/main/.github/workflows/debian-trust-package-upgrade-bullseye.yaml), [bookworm](https://github.com/cert-manager/trust-manager/blob/main/.github/workflows/debian-trust-package-upgrade-bookworm.yaml)) checks for a new ca-certificates package and creates a PR updating `make/00_debian_version.mk` (bullseye) or `make/00_debian_bookworm_version.mk` (bookworm) if one is found. Review these PRs like any other dependency bump: the package they pull in is the source of the CA set shipped in the trust package image. 35 | 2. Once merged, the push to `main` that changes the version file triggers the matching release workflow ([bullseye](https://github.com/cert-manager/trust-manager/blob/main/.github/workflows/debian-trust-package-release-bullseye.yaml), [bookworm](https://github.com/cert-manager/trust-manager/blob/main/.github/workflows/debian-trust-package-release-bookworm.yaml)), which builds and releases the container image. 36 | 37 | ## Artifacts 38 | 39 | This repo will produce the following artifacts each release. For documentation on how those artifacts are produced see the "Process" section. 40 | 41 | - *Container Images* - Container images for trust-manager and the trust package are published to `quay.io/jetstack`. 42 | - *Helm chart* - An official Helm chart is maintained within this repo and published to `quay.io/jetstack` and `charts.jetstack.io` on each release. 43 | 44 | [release workflow]: https://github.com/cert-manager/trust-manager/actions/workflows/release.yaml 45 | [releases page]: https://github.com/cert-manager/trust-manager/releases 46 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Vulnerability Reporting Process 2 | 3 | Security is the number one priority for cert-manager. If you think you've found 4 | a vulnerability in `trust-manager`, or in any cert-manager project, please follow the 5 | [vulnerability reporting process](https://github.com/cert-manager/cert-manager/blob/master/SECURITY.md) 6 | documented in the main cert-manager repository. 7 | -------------------------------------------------------------------------------- /cmd/trust-manager/main.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2021 The cert-manager Authors. 
3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package main 18 | 19 | import ( 20 | "fmt" 21 | "os" 22 | 23 | "github.com/cert-manager/trust-manager/cmd/trust-manager/app" 24 | ) 25 | 26 | func main() { 27 | cmd := app.NewCommand() 28 | 29 | if err := cmd.Execute(); err != nil { 30 | fmt.Fprintf(os.Stderr, "error: %v\n", err) 31 | os.Exit(1) 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /cmd/validate-trust-package/main.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2023 The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 
15 | */ 16 | 17 | package main 18 | 19 | import ( 20 | "log" 21 | "os" 22 | 23 | "github.com/cert-manager/trust-manager/pkg/fspkg" 24 | ) 25 | 26 | func main() { 27 | stderrLogger := log.New(os.Stderr, "", log.LstdFlags) 28 | 29 | _, err := fspkg.LoadPackage(os.Stdin) 30 | if err != nil { 31 | stderrLogger.Printf("failed to load and validate trust package: %s", err.Error()) 32 | os.Exit(1) 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /deploy/charts/trust-manager/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | 3 | name: trust-manager 4 | type: application 5 | description: trust-manager is the easiest way to manage TLS trust bundles in Kubernetes and OpenShift clusters 6 | 7 | home: https://cert-manager.io/docs/trust/trust-manager 8 | icon: https://raw.githubusercontent.com/cert-manager/community/4d35a69437d21b76322157e6284be4cd64e6d2b7/logo/logo-small.png 9 | keywords: 10 | - trust-manager 11 | - cert-manager 12 | - tls 13 | - trust bundle 14 | - trust anchor 15 | annotations: 16 | artifacthub.io/license: Apache-2.0 17 | artifacthub.io/category: security 18 | artifacthub.io/recommendations: | 19 | - url: https://artifacthub.io/packages/helm/cert-manager/cert-manager 20 | artifacthub.io/prerelease: "false" 21 | maintainers: 22 | - name: cert-manager-maintainers 23 | email: cert-manager-maintainers@googlegroups.com 24 | url: https://cert-manager.io 25 | sources: 26 | - https://github.com/cert-manager/trust-manager 27 | 28 | kubeVersion: ">= 1.25.0-0" # The -0 is required for EKS: https://github.com/helm/helm/issues/10375 29 | 30 | appVersion: v0.0.0 31 | version: v0.0.0 32 | -------------------------------------------------------------------------------- /deploy/charts/trust-manager/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | {{- if (lt (int .Values.replicaCount) 2) }} 2 | ⚠️ WARNING: 
Consider increasing the Helm value `replicaCount` to 2 if you require high availability. 3 | {{- end }} 4 | 5 | {{- if (not .Values.podDisruptionBudget.enabled) }} 6 | ⚠️ WARNING: Consider setting the Helm value `podDisruptionBudget.enabled` to true if you require high availability. 7 | {{- end }} 8 | 9 | trust-manager {{ .Chart.AppVersion }} has been deployed successfully! 10 | 11 | {{- if .Values.defaultPackage.enabled }} 12 | Your installation includes a default CA package, using the following 13 | default CA package image: 14 | 15 | {{ .Values.defaultPackageImage.repository }}:{{ .Values.defaultPackageImage.tag }} 16 | 17 | It's imperative that you keep the default CA package image up to date. 18 | {{- end }} 19 | To find out more about securely running trust-manager and to get started 20 | with creating your first bundle, check out the documentation on the 21 | cert-manager website: 22 | 23 | https://cert-manager.io/docs/projects/trust-manager/ 24 | -------------------------------------------------------------------------------- /deploy/charts/trust-manager/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "trust-manager.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create chart name and version as used by the chart label. 11 | */}} 12 | {{- define "trust-manager.chart" -}} 13 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 14 | {{- end -}} 15 | 16 | {{/* 17 | Common labels 18 | */}} 19 | {{- define "trust-manager.labels" -}} 20 | app.kubernetes.io/name: {{ include "trust-manager.name" . }} 21 | helm.sh/chart: {{ include "trust-manager.chart" . 
}} 22 | app.kubernetes.io/instance: {{ .Release.Name }} 23 | {{- if .Chart.AppVersion }} 24 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 25 | {{- end }} 26 | app.kubernetes.io/managed-by: {{ .Release.Service }} 27 | {{- if .Values.commonLabels}} 28 | {{ toYaml .Values.commonLabels }} 29 | {{- end }} 30 | {{- end -}} 31 | 32 | {{/* 33 | Util function for generating the image URL based on the provided options. 34 | IMPORTANT: This function is standardized across all charts in the cert-manager GH organization. 35 | Any changes to this function should also be made in cert-manager, trust-manager, approver-policy, ... 36 | See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linked PRs. 37 | */}} 38 | {{- define "image" -}} 39 | {{- $defaultTag := index . 1 -}} 40 | {{- with index . 0 -}} 41 | {{- if .registry -}}{{ printf "%s/%s" .registry .repository }}{{- else -}}{{- .repository -}}{{- end -}} 42 | {{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}} 43 | {{- end }} 44 | {{- end }} 45 | 46 | {{/* 47 | Namespace for all resources to be installed into. 48 | If not defined in the values file then the Helm release namespace is used. 49 | By default this is not set, so the Helm release namespace will be used. 50 | 51 | This gets around a problem within Helm discussed here: 52 | https://github.com/helm/helm/issues/5358 53 | */}} 54 | {{- define "trust-manager.namespace" -}} 55 | {{ .Values.namespace | default .Release.Namespace }} 56 | {{- end -}} 57 | 58 | {{/* 59 | Create the name of the service account to use 60 | */}} 61 | {{- define "trust-manager.serviceAccountName" -}} 62 | {{- if .Values.serviceAccount.create -}} 63 | {{ default (include "trust-manager.name" .) 
.Values.serviceAccount.name }} 64 | {{- else -}} 65 | {{ default "default" .Values.serviceAccount.name }} 66 | {{- end -}} 67 | {{- end -}} -------------------------------------------------------------------------------- /deploy/charts/trust-manager/templates/certificate.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.app.webhook.tls.helmCert.enabled -}} 2 | 3 | apiVersion: cert-manager.io/v1 4 | kind: Issuer 5 | metadata: 6 | name: {{ include "trust-manager.name" . }} 7 | namespace: {{ include "trust-manager.namespace" . }} 8 | labels: 9 | {{- include "trust-manager.labels" . | nindent 4 }} 10 | {{- with .Values.commonAnnotations }} 11 | annotations: 12 | {{- toYaml . | nindent 4 }} 13 | {{- end }} 14 | spec: 15 | selfSigned: {} 16 | 17 | --- 18 | 19 | apiVersion: cert-manager.io/v1 20 | kind: Certificate 21 | metadata: 22 | name: {{ include "trust-manager.name" . }} 23 | namespace: {{ include "trust-manager.namespace" . }} 24 | labels: 25 | {{- include "trust-manager.labels" . | nindent 4 }} 26 | {{- with .Values.commonAnnotations }} 27 | annotations: 28 | {{- toYaml . | nindent 4 }} 29 | {{- end }} 30 | spec: 31 | commonName: "{{ include "trust-manager.name" . }}.{{ include "trust-manager.namespace" . }}.svc" 32 | dnsNames: 33 | - "{{ include "trust-manager.name" . }}.{{ include "trust-manager.namespace" . }}.svc" 34 | secretName: {{ include "trust-manager.name" . }}-tls 35 | {{- with .Values.app.webhook.tls.certificate.secretTemplate }} 36 | secretTemplate: 37 | {{- toYaml .| nindent 4 }} 38 | {{- end }} 39 | revisionHistoryLimit: 1 40 | issuerRef: 41 | name: {{ include "trust-manager.name" . 
}} 42 | kind: Issuer 43 | group: cert-manager.io 44 | 45 | --- 46 | 47 | {{- if .Values.app.webhook.tls.approverPolicy.enabled -}} 48 | 49 | apiVersion: policy.cert-manager.io/v1alpha1 50 | kind: CertificateRequestPolicy 51 | metadata: 52 | name: trust-manager-policy 53 | labels: 54 | {{- include "trust-manager.labels" . | nindent 4 }} 55 | {{- with .Values.commonAnnotations }} 56 | annotations: 57 | {{- toYaml . | nindent 4 }} 58 | {{- end }} 59 | spec: 60 | allowed: 61 | commonName: 62 | value: "{{ include "trust-manager.name" . }}.{{ include "trust-manager.namespace" . }}.svc" 63 | required: true 64 | dnsNames: 65 | values: ["{{ include "trust-manager.name" . }}.{{ include "trust-manager.namespace" . }}.svc"] 66 | required: true 67 | selector: 68 | issuerRef: 69 | name: {{ include "trust-manager.name" . }} 70 | kind: Issuer 71 | group: cert-manager.io 72 | 73 | --- 74 | 75 | apiVersion: rbac.authorization.k8s.io/v1 76 | kind: ClusterRole 77 | metadata: 78 | name: trust-manager-policy-role 79 | labels: 80 | {{- include "trust-manager.labels" . | nindent 4 }} 81 | {{- with .Values.commonAnnotations }} 82 | annotations: 83 | {{- toYaml . | nindent 4 }} 84 | {{- end }} 85 | rules: 86 | - apiGroups: ["policy.cert-manager.io"] 87 | resources: ["certificaterequestpolicies"] 88 | verbs: ["use"] 89 | resourceNames: ["trust-manager-policy"] 90 | 91 | --- 92 | 93 | apiVersion: rbac.authorization.k8s.io/v1 94 | kind: ClusterRoleBinding 95 | metadata: 96 | name: trust-manager-policy-binding 97 | labels: 98 | {{- include "trust-manager.labels" . | nindent 4 }} 99 | {{- with .Values.commonAnnotations }} 100 | annotations: 101 | {{- toYaml . 
| nindent 4 }} 102 | {{- end }} 103 | roleRef: 104 | apiGroup: rbac.authorization.k8s.io 105 | kind: ClusterRole 106 | name: trust-manager-policy-role 107 | subjects: 108 | - kind: ServiceAccount 109 | name: {{ .Values.app.webhook.tls.approverPolicy.certManagerServiceAccount }} 110 | namespace: {{ .Values.app.webhook.tls.approverPolicy.certManagerNamespace }} 111 | 112 | {{ end }} 113 | 114 | {{ end }} 115 | -------------------------------------------------------------------------------- /deploy/charts/trust-manager/templates/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRole 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | labels: 5 | {{- include "trust-manager.labels" . | nindent 4 }} 6 | {{- with .Values.commonAnnotations }} 7 | annotations: 8 | {{- toYaml . | nindent 4 }} 9 | {{- end }} 10 | name: {{ include "trust-manager.name" . }} 11 | rules: 12 | - apiGroups: 13 | - "trust.cert-manager.io" 14 | resources: 15 | - "bundles" 16 | # We also need patch here so we can perform migrations from old CSA to SSA. 
17 | verbs: ["get", "list", "watch", "patch"] 18 | 19 | # Permissions to update finalizers are required for trust-manager to work correctly 20 | # on OpenShift, even though we don't directly use finalizers at the time of writing 21 | - apiGroups: 22 | - "trust.cert-manager.io" 23 | resources: 24 | - "bundles/finalizers" 25 | verbs: ["update"] 26 | 27 | - apiGroups: 28 | - "trust.cert-manager.io" 29 | resources: 30 | - "bundles/status" 31 | verbs: ["patch"] 32 | 33 | - apiGroups: 34 | - "" 35 | resources: 36 | - "configmaps" 37 | verbs: ["get", "list", "create", "patch", "watch", "delete"] 38 | - apiGroups: 39 | - "" 40 | resources: 41 | - "namespaces" 42 | verbs: ["get", "list", "watch"] 43 | 44 | - apiGroups: 45 | - "" 46 | resources: 47 | - "events" 48 | verbs: ["create", "patch"] 49 | 50 | {{- if .Values.secretTargets.enabled }} 51 | {{- if .Values.secretTargets.authorizedSecretsAll }} 52 | - apiGroups: 53 | - "" 54 | resources: 55 | - "secrets" 56 | verbs: ["get", "list", "create", "patch", "watch", "delete"] 57 | {{- else if .Values.secretTargets.authorizedSecrets }} 58 | - apiGroups: 59 | - "" 60 | resources: 61 | - "secrets" 62 | verbs: ["get", "list", "watch"] 63 | - apiGroups: 64 | - "" 65 | resources: 66 | - "secrets" 67 | verbs: ["create", "patch", "delete"] 68 | resourceNames: {{ .Values.secretTargets.authorizedSecrets | toYaml | nindent 2 }} 69 | {{- end -}} 70 | {{- end -}} 71 | -------------------------------------------------------------------------------- /deploy/charts/trust-manager/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | labels: 5 | {{- include "trust-manager.labels" . | nindent 4 }} 6 | {{- with .Values.commonAnnotations }} 7 | annotations: 8 | {{- toYaml . | nindent 4 }} 9 | {{- end }} 10 | name: {{ include "trust-manager.name" . 
}} 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: ClusterRole 14 | name: {{ include "trust-manager.name" . }} 15 | subjects: 16 | - kind: ServiceAccount 17 | name: {{ include "trust-manager.name" . }} 18 | namespace: {{ include "trust-manager.namespace" . }} 19 | -------------------------------------------------------------------------------- /deploy/charts/trust-manager/templates/extra-manifests.yaml: -------------------------------------------------------------------------------- 1 | {{ range .Values.extraObjects }} 2 | --- 3 | {{ tpl (toYaml .) $ }} 4 | {{ end }} 5 | -------------------------------------------------------------------------------- /deploy/charts/trust-manager/templates/metrics-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.app.metrics.service.enabled }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ include "trust-manager.name" . }}-metrics 6 | namespace: {{ include "trust-manager.namespace" . }} 7 | labels: 8 | app: {{ include "trust-manager.name" . }} 9 | {{- include "trust-manager.labels" . | nindent 4 }} 10 | {{- with .Values.commonAnnotations }} 11 | annotations: 12 | {{- toYaml . | nindent 4 }} 13 | {{- end }} 14 | spec: 15 | type: {{ .Values.app.metrics.service.type }} 16 | {{- if .Values.app.metrics.service.ipFamilyPolicy }} 17 | ipFamilyPolicy: {{ .Values.app.metrics.service.ipFamilyPolicy }} 18 | {{- end }} 19 | {{- if .Values.app.metrics.service.ipFamilies }} 20 | ipFamilies: {{ .Values.app.metrics.service.ipFamilies | toYaml | nindent 2 }} 21 | {{- end }} 22 | ports: 23 | - port: {{ .Values.app.metrics.port }} 24 | targetPort: {{ .Values.app.metrics.port }} 25 | protocol: TCP 26 | name: metrics 27 | selector: 28 | app: {{ include "trust-manager.name" . 
}} 29 | {{- end }} 30 | -------------------------------------------------------------------------------- /deploy/charts/trust-manager/templates/metrics-servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.app.metrics.service.enabled .Values.app.metrics.service.servicemonitor.enabled }} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: {{ include "trust-manager.name" . }} 6 | namespace: {{ include "trust-manager.namespace" . }} 7 | labels: 8 | app: {{ include "trust-manager.name" . }} 9 | {{- include "trust-manager.labels" . | nindent 4 }} 10 | prometheus: {{ .Values.app.metrics.service.servicemonitor.prometheusInstance }} 11 | {{- with .Values.commonAnnotations }} 12 | annotations: 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | {{- if .Values.app.metrics.service.servicemonitor.labels }} 16 | {{ toYaml .Values.app.metrics.service.servicemonitor.labels | indent 4}} 17 | {{- end }} 18 | spec: 19 | jobLabel: {{ include "trust-manager.name" . }} 20 | selector: 21 | matchLabels: 22 | app: {{ include "trust-manager.name" . }} 23 | namespaceSelector: 24 | matchNames: 25 | - {{ include "trust-manager.namespace" . }} 26 | endpoints: 27 | - targetPort: {{ .Values.app.metrics.port }} 28 | path: "/metrics" 29 | interval: {{ .Values.app.metrics.service.servicemonitor.interval }} 30 | scrapeTimeout: {{ .Values.app.metrics.service.servicemonitor.scrapeTimeout }} 31 | {{- end }} 32 | -------------------------------------------------------------------------------- /deploy/charts/trust-manager/templates/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.podDisruptionBudget.enabled }} 2 | apiVersion: policy/v1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: {{ include "trust-manager.name" . }} 6 | namespace: {{ include "trust-manager.namespace" . 
}} 7 | labels: 8 | app: {{ include "trust-manager.name" . }} 9 | {{- include "trust-manager.labels" . | nindent 4 }} 10 | {{- with .Values.commonAnnotations }} 11 | annotations: 12 | {{- toYaml . | nindent 4 }} 13 | {{- end }} 14 | spec: 15 | selector: 16 | matchLabels: 17 | app: {{ include "trust-manager.name" . }} 18 | 19 | {{- if not (or (hasKey .Values.podDisruptionBudget "minAvailable") (hasKey .Values.podDisruptionBudget "maxUnavailable")) }} 20 | minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set 21 | {{- end }} 22 | {{- if hasKey .Values.podDisruptionBudget "minAvailable" }} 23 | minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} 24 | {{- end }} 25 | {{- if hasKey .Values.podDisruptionBudget "maxUnavailable" }} 26 | maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} 27 | {{- end }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /deploy/charts/trust-manager/templates/role.yaml: -------------------------------------------------------------------------------- 1 | kind: Role 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: {{ include "trust-manager.name" . }} 5 | namespace: {{ .Values.app.trust.namespace }} 6 | labels: 7 | {{- include "trust-manager.labels" . | nindent 4 }} 8 | {{- with .Values.commonAnnotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | rules: 13 | - apiGroups: 14 | - "" 15 | resources: 16 | - "secrets" 17 | verbs: 18 | - "get" 19 | - "list" 20 | - "watch" 21 | --- 22 | kind: Role 23 | apiVersion: rbac.authorization.k8s.io/v1 24 | metadata: 25 | name: {{ include "trust-manager.name" . }}:leaderelection 26 | namespace: {{ include "trust-manager.namespace" . }} 27 | labels: 28 | {{- include "trust-manager.labels" . | nindent 4 }} 29 | {{- with .Values.commonAnnotations }} 30 | annotations: 31 | {{- toYaml . 
| nindent 4 }} 32 | {{- end }} 33 | rules: 34 | - apiGroups: 35 | - "coordination.k8s.io" 36 | resources: 37 | - "leases" 38 | verbs: 39 | - "get" 40 | - "create" 41 | - "update" 42 | - "watch" 43 | - "list" 44 | -------------------------------------------------------------------------------- /deploy/charts/trust-manager/templates/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | kind: RoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: {{ include "trust-manager.name" . }} 5 | namespace: {{ .Values.app.trust.namespace }} 6 | labels: 7 | {{- include "trust-manager.labels" . | nindent 4 }} 8 | {{- with .Values.commonAnnotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: Role 15 | name: {{ include "trust-manager.name" . }} 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ include "trust-manager.name" . }} 19 | namespace: {{ include "trust-manager.namespace" . }} 20 | --- 21 | kind: RoleBinding 22 | apiVersion: rbac.authorization.k8s.io/v1 23 | metadata: 24 | name: {{ include "trust-manager.name" . }}:leaderelection 25 | namespace: {{ include "trust-manager.namespace" . }} 26 | labels: 27 | {{- include "trust-manager.labels" . | nindent 4 }} 28 | {{- with .Values.commonAnnotations }} 29 | annotations: 30 | {{- toYaml . | nindent 4 }} 31 | {{- end }} 32 | roleRef: 33 | apiGroup: rbac.authorization.k8s.io 34 | kind: Role 35 | name: {{ include "trust-manager.name" . }}:leaderelection 36 | subjects: 37 | - kind: ServiceAccount 38 | name: {{ include "trust-manager.name" . }} 39 | namespace: {{ include "trust-manager.namespace" . 
}} 40 | -------------------------------------------------------------------------------- /deploy/charts/trust-manager/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} 5 | metadata: 6 | name: {{ include "trust-manager.name" . }} 7 | namespace: {{ include "trust-manager.namespace" . }} 8 | labels: 9 | {{- include "trust-manager.labels" . | nindent 4 }} 10 | {{- with .Values.commonAnnotations }} 11 | annotations: 12 | {{- toYaml . | nindent 4 }} 13 | {{- end }} 14 | {{- with .Values.imagePullSecrets }} 15 | imagePullSecrets: 16 | {{- toYaml . | nindent 2 }} 17 | {{- end }} 18 | {{- end }} -------------------------------------------------------------------------------- /deploy/charts/trust-manager/values.linter.exceptions: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cert-manager/trust-manager/8f7585c62c79ff07dd3932ac94d02904678d633f/deploy/charts/trust-manager/values.linter.exceptions -------------------------------------------------------------------------------- /deploy/crds/README.md: -------------------------------------------------------------------------------- 1 | # CRDs source directory 2 | 3 | > **WARNING**: if you are an end-user, you probably should NOT need to use the 4 | > files in this directory. These files are for **reference, development and testing purposes only**. 5 | 6 | This directory contains 'source code' used to build our CustomResourceDefinition 7 | resources consumed by our officially supported deployment methods (e.g. the Helm chart). 8 | The CRDs in this directory might be incomplete, and should **NOT** be used to provision the operator. 
-------------------------------------------------------------------------------- /docs/alphav2-changes.md: -------------------------------------------------------------------------------- 1 | # Version v1alpha2 API changes 2 | 3 | In v1alpha2, `ClusterBundle` was introduced as a replacement for v1alpha1 `Bundle`. 4 | This was mainly done to make room for a future namespace-scoped `Bundle`. 5 | Since this was also an opportunity to improve the API, this document highlights the resulting API changes. 6 | 7 | ## Target API changes 8 | 9 | - The `namespaceSelector` for namespaced target resources is now a mandatory field. 10 | Previous default behavior of syncing to all namespaces can be achieved by setting an 11 | empty selector: `namespaceSelector: {}`. 12 | - The PKCS#12 trust store default profile has changed from `LegacyRC2` to `LegacyDES`, 13 | which is the profile with maximal compatibility (also supported by OpenSSL 3 or Java version > 20). 14 | - The deprecated JKS trust store format has been removed. 15 | - The structure of the target specification has changed, but any v1alpha1 target spec is still 16 | possible in v1alpha2. The new target spec supports use-cases that were not possible in v1alpha1: 17 | - Multiple target resource keys of the same format. This could be useful for migration or when 18 | consuming software mandates resources with specific keys (`cert`, `crt.pem`, etc.). 19 | - Different forms for target configmaps and secrets for "additional formats" (JKS/PKCS#12). 20 | In v1alpha1 the `target.additionalFormats` would always apply to both configmaps and secrets. 
21 | 22 | ## Future opportunities with the new API 23 | 24 | The API was changed to simplify trust-manager internals like validation, but also to make room 25 | for new features we want to implement like: 26 | 27 | - Integration with [Kubernetes `ClusterTrustBundle`](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#cluster-trust-bundles), 28 | which doesn't support JKS or PKCS#12 and also might impose some target naming constraints. 29 | -------------------------------------------------------------------------------- /make/00_debian_bookworm_version.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2025 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # WARNING: Changing this file triggers a build and release of the Debian trust package for Bookworm (Debian 12) 16 | # 17 | # This file is used to store the latest version of the debian trust package and the DEBIAN_BUNDLE_BOOKWORM_VERSION 18 | # variable is automatically updated by the `upgrade-debian-trust-package-version` target and cron GH action. 
19 | 20 | DEBIAN_BUNDLE_BOOKWORM_VERSION=20230311.0 21 | DEBIAN_BUNDLE_BOOKWORM_SOURCE_IMAGE=docker.io/library/debian:12-slim 22 | -------------------------------------------------------------------------------- /make/00_debian_version.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2023 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # WARNING: Changing this file triggers a build and release of the debian trust package 16 | # This file is used to store the latest version of the debian trust package and the DEBIAN_BUNDLE_VERSION 17 | # variable is automatically updated by the `upgrade-debian-trust-package-version` target and cron GH action. 18 | 19 | DEBIAN_BUNDLE_VERSION := 20210119.0 20 | DEBIAN_BUNDLE_SOURCE_IMAGE=docker.io/library/debian:11-slim 21 | -------------------------------------------------------------------------------- /make/00_mod.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2023 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | oci_platforms := linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x 16 | 17 | include make/00_debian_version.mk 18 | include make/00_debian_bookworm_version.mk 19 | 20 | repo_name := github.com/cert-manager/trust-manager 21 | 22 | kind_cluster_name := trust-manager 23 | kind_cluster_config := $(bin_dir)/scratch/kind_cluster.yaml 24 | 25 | build_names := manager package_debian package_debian_bookworm 26 | 27 | go_manager_main_dir := ./cmd/trust-manager 28 | go_manager_mod_dir := . 29 | go_manager_ldflags := -X $(repo_name)/internal/version.AppVersion=$(VERSION) -X $(repo_name)/internal/version.GitCommit=$(GITCOMMIT) 30 | oci_manager_base_image_flavor := static 31 | oci_manager_image_name := quay.io/jetstack/trust-manager 32 | oci_manager_image_tag := $(VERSION) 33 | oci_manager_image_name_development := cert-manager.local/trust-manager 34 | 35 | go_package_debian_main_dir := . 36 | go_package_debian_mod_dir := ./trust-packages/debian 37 | go_package_debian_ldflags := 38 | oci_package_debian_base_image_flavor := static 39 | oci_package_debian_image_name := quay.io/jetstack/cert-manager-package-debian 40 | oci_package_debian_image_tag := $(DEBIAN_BUNDLE_VERSION) 41 | oci_package_debian_image_name_development := cert-manager.local/cert-manager-package-debian 42 | debian_package_layer := $(bin_dir)/scratch/debian-trust-package 43 | oci_package_debian_additional_layers += $(debian_package_layer) 44 | 45 | go_package_debian_bookworm_main_dir := . 
46 | go_package_debian_bookworm_mod_dir := ./trust-packages/debian 47 | go_package_debian_bookworm_ldflags := 48 | oci_package_debian_bookworm_base_image_flavor := static 49 | oci_package_debian_bookworm_image_name := quay.io/jetstack/trust-pkg-debian-bookworm 50 | oci_package_debian_bookworm_image_tag := $(DEBIAN_BUNDLE_BOOKWORM_VERSION) 51 | oci_package_debian_bookworm_image_name_development := cert-manager.local/trust-pkg-debian-bookworm 52 | debian_bookworm_package_layer := $(bin_dir)/scratch/debian-trust-package-bookworm 53 | oci_package_debian_bookworm_additional_layers += $(debian_bookworm_package_layer) 54 | 55 | 56 | deploy_name := trust-manager 57 | deploy_namespace := cert-manager 58 | 59 | helm_chart_source_dir := deploy/charts/trust-manager 60 | helm_chart_image_name := quay.io/jetstack/charts/trust-manager 61 | helm_chart_version := $(VERSION) 62 | helm_labels_template_name := trust-manager.labels 63 | 64 | golangci_lint_config := .golangci.yaml 65 | 66 | define helm_values_mutation_function 67 | $(YQ) \ 68 | '( .image.repository = "$(oci_manager_image_name)" ) | \ 69 | ( .image.tag = "$(oci_manager_image_tag)" ) | \ 70 | ( .defaultPackageImage.repository = "$(oci_package_debian_bookworm_image_name)" ) | \ 71 | ( .defaultPackageImage.tag = "$(oci_package_debian_bookworm_image_tag)" )' \ 72 | $1 --inplace 73 | endef 74 | -------------------------------------------------------------------------------- /make/_shared/boilerplate/00_mod.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2023 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | default_go_header_file := $(dir $(lastword $(MAKEFILE_LIST)))/template/boilerplate.go.txt 16 | 17 | go_header_file ?= $(default_go_header_file) 18 | -------------------------------------------------------------------------------- /make/_shared/boilerplate/01_mod.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2023 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | .PHONY: verify-boilerplate 16 | ## Verify that all files have the correct boilerplate. 17 | ## @category [shared] Generate/ Verify 18 | verify-boilerplate: | $(NEEDS_BOILERSUITE) 19 | $(BOILERSUITE) . 20 | 21 | shared_verify_targets += verify-boilerplate 22 | -------------------------------------------------------------------------------- /make/_shared/boilerplate/template/boilerplate.go.txt: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The cert-manager Authors. 
3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ -------------------------------------------------------------------------------- /make/_shared/cert-manager/00_mod.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2023 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | images_amd64 ?= 16 | images_arm64 ?= 17 | 18 | cert_manager_version := v1.17.0 19 | 20 | images_amd64 += quay.io/jetstack/cert-manager-controller:$(cert_manager_version)@sha256:7722bca28c95b4c568f3d4cd2debc9286e0c4b092f0426840ed4d8ed314c09db 21 | images_amd64 += quay.io/jetstack/cert-manager-cainjector:$(cert_manager_version)@sha256:d99797c5d6e702416e69defb4c28a978d515a37a8a03b4405c4991b818cc791c 22 | images_amd64 += quay.io/jetstack/cert-manager-webhook:$(cert_manager_version)@sha256:e43e270c7c50a3c1872e115df93458a78c230118cc3d12e9f6c848956e94c151 23 | images_amd64 += quay.io/jetstack/cert-manager-startupapicheck:$(cert_manager_version)@sha256:ce2f25777ad4a159b736e47dbaabfd62bf2c339c6f49fb6a6de79fb6b4a8ebed 24 | 25 | images_arm64 += quay.io/jetstack/cert-manager-controller:$(cert_manager_version)@sha256:d63cd0d15a3ed99736dd5623b798a3dd78fc36495623528d1bf58df37bc4a6cd 26 | images_arm64 += quay.io/jetstack/cert-manager-cainjector:$(cert_manager_version)@sha256:aaae16a38c8f4176b9645ff3069797ca2ec6e3262142794729440b342d759b89 27 | images_arm64 += quay.io/jetstack/cert-manager-webhook:$(cert_manager_version)@sha256:45e8765b48d913ef26188782ec8dbee32f132c142249456a4e06c5c5c41e3927 28 | images_arm64 += quay.io/jetstack/cert-manager-startupapicheck:$(cert_manager_version)@sha256:c29e6270e6fc78181bb3a956c0714df24ea56840b9d3916122a36ee25ec6eac6 29 | -------------------------------------------------------------------------------- /make/_shared/cert-manager/01_mod.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2023 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
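# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Local copy of the CRD manifest for the cert-manager release pinned by
# cert_manager_version (set in 00_mod.mk).
cert_manager_crds := $(bin_dir)/scratch/cert-manager-$(cert_manager_version).yaml

# Fetch the manifest from the GitHub release.
# --fail is required: without it curl exits 0 on an HTTP error, the error page
# is saved as the "manifest", and make never re-fetches it because the target
# now exists. Downloading to a temp file and renaming on success also keeps an
# interrupted transfer from leaving a truncated file behind as a valid target.
# NOTE(review): this is pinned by version tag only. Unlike the container images
# in 00_mod.mk there is no digest check, and a release asset can be replaced
# under the same tag; recording a sha256 of the file and checking it here would
# close that gap.
$(cert_manager_crds): | $(bin_dir)/scratch
	curl --fail -sSLo $@.tmp https://github.com/cert-manager/cert-manager/releases/download/$(cert_manager_version)/cert-manager.crds.yaml
	mv $@.tmp $@
--------------------------------------------------------------------------------
/make/_shared/controller-gen/01_mod.mk:
--------------------------------------------------------------------------------
# Copyright 2023 The cert-manager Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

################
# Check Inputs #
################

ifndef go_header_file
$(error go_header_file is not set)
endif

################
# Add targets #
################

.PHONY: generate-deepcopy
## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.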
29 | ## @category [shared] Generate/ Verify 30 | generate-deepcopy: | $(NEEDS_CONTROLLER-GEN) 31 | $(eval directories := $(shell ls -d */ | grep -v '_bin' | grep -v 'make')) 32 | $(CONTROLLER-GEN) object:headerFile=$(go_header_file) $(directories:%=paths=./%...) 33 | 34 | shared_generate_targets += generate-deepcopy 35 | -------------------------------------------------------------------------------- /make/_shared/generate-verify/00_mod.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2023 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | shared_generate_targets ?= 16 | shared_generate_targets_dirty ?= 17 | shared_verify_targets ?= 18 | shared_verify_targets_dirty ?= 19 | -------------------------------------------------------------------------------- /make/_shared/generate-verify/02_mod.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2023 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | .PHONY: generate 16 | ## Generate all generate targets. 17 | ## @category [shared] Generate/ Verify 18 | generate: $$(shared_generate_targets) 19 | @echo "The following targets cannot be run simultaneously with each other or other generate scripts:" 20 | $(foreach TARGET,$(shared_generate_targets_dirty), $(MAKE) $(TARGET)) 21 | 22 | verify_script := $(dir $(lastword $(MAKEFILE_LIST)))/util/verify.sh 23 | 24 | # Run the supplied make target argument in a temporary workspace and diff the results. 25 | verify-%: FORCE 26 | +$(verify_script) $(MAKE) $* 27 | 28 | verify_generated_targets = $(shared_generate_targets:%=verify-%) 29 | verify_generated_targets_dirty = $(shared_generate_targets_dirty:%=verify-%) 30 | 31 | verify_targets = $(sort $(verify_generated_targets) $(shared_verify_targets)) 32 | verify_targets_dirty = $(sort $(verify_generated_targets_dirty) $(shared_verify_targets_dirty)) 33 | 34 | .PHONY: verify 35 | ## Verify code and generate targets. 36 | ## @category [shared] Generate/ Verify 37 | verify: $$(verify_targets) 38 | @echo "The following targets create temporary files in the current directory, that is why they have to be run last:" 39 | $(foreach TARGET,$(verify_targets_dirty), $(MAKE) $(TARGET)) 40 | -------------------------------------------------------------------------------- /make/_shared/generate-verify/util/verify.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright 2023 The cert-manager Authors. 
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Verify that the supplied command does not make any changes to the repository.
#
# This is called from the Makefile to verify that all code generation scripts
# have been run and that their changes have been committed to the repository.
#
# Runs any of the scripts or Make targets in this repository, after making a
# copy of the repository, then reports any changes to the files in the copy.
# The command is executed inside the copy, so the real checkout is never
# modified; only the diff between the two trees is reported.

# For example:
#
#   make verify-helm-chart-update || \
#     make helm-chart-update
#
# Abort on the first failing command, on unset variables and on a failure
# anywhere in a pipeline, so a broken generator cannot pass as "no changes".
set -o errexit
set -o nounset
set -o pipefail

# Repository root: this script lives four levels down, in
# make/_shared/generate-verify/util/.
projectdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../../../.." && pwd )"

cd "${projectdir}"

# Use short form arguments here to support BSD/macOS. `-d` instructs it to make
# a directory. The location and name prefix are given as an explicit template
# (`/tmp/verify.sh.XXXXXXXX`) rather than via `-t`, which is not portable
# between GNU and BSD mktemp. Note that this ignores $TMPDIR.
tmp="$(mktemp -d /tmp/verify.sh.XXXXXXXX)"

# Remove the scratch copy on exit, whether the command succeeded, failed
# (errexit) or was interrupted.
cleanup() {
    rm -rf "${tmp}"
}
trap "cleanup" EXIT SIGINT

# Why not just "cp" to the tmp dir?
# A dumb "cp" will fail sometimes since _bin can get changed while it's being copied if targets are run in parallel,
# and cp doesn't have some universal "exclude" option to ignore "_bin"
#
# We previously used "rsync" here, but:
# 1. That's another tool we need to depend on
# 2.
rsync on macOS 15.4 and newer is actually openrsync, which has different permissions and throws errors when copying git objects 54 | # 55 | # So, we use find to list all files except _bin, and then copy each in turn 56 | find . -maxdepth 1 -not \( -path "./_bin" \) -not \( -path "." \) | xargs -I% cp -af "${projectdir}/%" "${tmp}/" 57 | 58 | pushd "${tmp}" >/dev/null 59 | 60 | "$@" 61 | 62 | popd >/dev/null 63 | 64 | if ! diff \ 65 | --exclude=".git" \ 66 | --exclude="_bin" \ 67 | --new-file --unified --show-c-function --recursive "${projectdir}" "${tmp}" 68 | then 69 | echo 70 | echo "Project '${projectdir}' is out of date." 71 | echo "Please run '${*}' or apply the above diffs" 72 | exit 1 73 | fi 74 | -------------------------------------------------------------------------------- /make/_shared/go/.golangci.override.yaml: -------------------------------------------------------------------------------- 1 | version: "2" 2 | linters: 3 | default: none 4 | exclusions: 5 | generated: lax 6 | presets: [ comments, common-false-positives, legacy, std-error-handling ] 7 | paths: [ third_party$, builtin$, examples$ ] 8 | warn-unused: true 9 | settings: 10 | staticcheck: 11 | checks: [ "all", "-ST1000", "-ST1001", "-ST1003", "-ST1005", "-ST1012", "-ST1016", "-ST1020", "-ST1021", "-ST1022", "-QF1001", "-QF1003", "-QF1008" ] 12 | enable: 13 | - asasalint 14 | - asciicheck 15 | - bidichk 16 | - bodyclose 17 | - canonicalheader 18 | - contextcheck 19 | - copyloopvar 20 | - decorder 21 | - dogsled 22 | - dupword 23 | - durationcheck 24 | - errcheck 25 | - errchkjson 26 | - errname 27 | - exhaustive 28 | - exptostd 29 | - forbidigo 30 | - ginkgolinter 31 | - gocheckcompilerdirectives 32 | - gochecksumtype 33 | - gocritic 34 | - goheader 35 | - goprintffuncname 36 | - gosec 37 | - gosmopolitan 38 | - govet 39 | - grouper 40 | - importas 41 | - ineffassign 42 | - interfacebloat 43 | - intrange 44 | - loggercheck 45 | - makezero 46 | - mirror 47 | - misspell 48 | - musttag 49 | - 
nakedret 50 | - nilerr 51 | - nilnil 52 | - noctx 53 | - nosprintfhostport 54 | - predeclared 55 | - promlinter 56 | - protogetter 57 | - reassign 58 | - sloglint 59 | - staticcheck 60 | - tagalign 61 | - testableexamples 62 | - unconvert 63 | - unparam 64 | - unused 65 | - usestdlibvars 66 | - usetesting 67 | - wastedassign 68 | formatters: 69 | enable: [ gci, gofmt ] 70 | settings: 71 | gci: 72 | sections: 73 | - standard # Standard section: captures all standard packages. 74 | - default # Default section: contains all imports that could not be matched to another section type. 75 | - prefix({{REPO-NAME}}) # Custom section: groups all imports with the specified Prefix. 76 | - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled. 77 | - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled. 78 | exclusions: 79 | generated: lax 80 | paths: [ third_party$, builtin$, examples$ ] 81 | -------------------------------------------------------------------------------- /make/_shared/go/README.md: -------------------------------------------------------------------------------- 1 | # README 2 | 3 | A module for various Go static checks. 4 | -------------------------------------------------------------------------------- /make/_shared/go/base/.github/workflows/govulncheck.yaml: -------------------------------------------------------------------------------- 1 | # THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. 2 | # Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/go/base/.github/workflows/govulncheck.yaml instead. 3 | 4 | # Run govulncheck at midnight every night on the main branch, 5 | # to alert us to recent vulnerabilities which affect the Go code in this 6 | # project. 
7 | name: govulncheck 8 | on: 9 | workflow_dispatch: {} 10 | schedule: 11 | - cron: '0 0 * * *' 12 | 13 | permissions: 14 | contents: read 15 | 16 | jobs: 17 | govulncheck: 18 | runs-on: ubuntu-latest 19 | 20 | if: github.repository_owner == 'cert-manager' 21 | 22 | steps: 23 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 24 | # Adding `fetch-depth: 0` makes sure tags are also fetched. We need 25 | # the tags so `git describe` returns a valid version. 26 | # see https://github.com/actions/checkout/issues/701 for extra info about this option 27 | with: { fetch-depth: 0 } 28 | 29 | - id: go-version 30 | run: | 31 | make print-go-version >> "$GITHUB_OUTPUT" 32 | 33 | - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 34 | with: 35 | go-version: ${{ steps.go-version.outputs.result }} 36 | 37 | - run: make verify-govulncheck 38 | -------------------------------------------------------------------------------- /make/_shared/helm/01_mod.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2023 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | ifndef helm_dont_include_crds 16 | include $(dir $(lastword $(MAKEFILE_LIST)))/crds.mk 17 | endif 18 | 19 | include $(dir $(lastword $(MAKEFILE_LIST)))/helm.mk 20 | include $(dir $(lastword $(MAKEFILE_LIST)))/deploy.mk 21 | -------------------------------------------------------------------------------- /make/_shared/helm/crd.template.footer.yaml: -------------------------------------------------------------------------------- 1 | {{- end }} -------------------------------------------------------------------------------- /make/_shared/helm/crd.template.header.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.crds.enabled }} 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: "REPLACE_CRD_NAME" 6 | {{- if .Values.crds.keep }} 7 | annotations: 8 | helm.sh/resource-policy: keep 9 | {{- end }} 10 | labels: 11 | {{- include "REPLACE_LABELS_TEMPLATE" . | nindent 4 }} -------------------------------------------------------------------------------- /make/_shared/helm/crds.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2023 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | ################ 16 | # Check Inputs # 17 | ################ 18 | 19 | ifndef helm_chart_source_dir 20 | $(error helm_chart_source_dir is not set) 21 | endif 22 | 23 | ifndef helm_labels_template_name 24 | $(error helm_labels_template_name is not set) 25 | endif 26 | 27 | ################ 28 | # Add targets # 29 | ################ 30 | 31 | crd_template_header := $(dir $(lastword $(MAKEFILE_LIST)))/crd.template.header.yaml 32 | crd_template_footer := $(dir $(lastword $(MAKEFILE_LIST)))/crd.template.footer.yaml 33 | 34 | # see https://stackoverflow.com/a/53408233 35 | sed_inplace := sed -i'' 36 | ifeq ($(HOST_OS),darwin) 37 | sed_inplace := sed -i '' 38 | endif 39 | 40 | crds_dir ?= deploy/crds 41 | crds_dir_readme := $(dir $(lastword $(MAKEFILE_LIST)))/crds_dir.README.md 42 | 43 | .PHONY: generate-crds 44 | ## Generate CRD manifests. 45 | ## @category [shared] Generate/ Verify 46 | generate-crds: | $(NEEDS_CONTROLLER-GEN) $(NEEDS_YQ) 47 | $(eval crds_gen_temp := $(bin_dir)/scratch/crds) 48 | $(eval directories := $(shell ls -d */ | grep -v -e 'make' $(shell git check-ignore -- * | sed 's/^/-e /'))) 49 | 50 | rm -rf $(crds_gen_temp) 51 | mkdir -p $(crds_gen_temp) 52 | 53 | $(CONTROLLER-GEN) crd \ 54 | $(directories:%=paths=./%...) 
\ 55 | output:crd:artifacts:config=$(crds_gen_temp) 56 | 57 | @echo "Updating CRDs with helm templating, writing to $(helm_chart_source_dir)/templates" 58 | 59 | @for i in $$(ls $(crds_gen_temp)); do \ 60 | crd_name=$$($(YQ) eval '.metadata.name' $(crds_gen_temp)/$$i); \ 61 | cat $(crd_template_header) > $(helm_chart_source_dir)/templates/crd-$$i; \ 62 | echo "" >> $(helm_chart_source_dir)/templates/crd-$$i; \ 63 | $(sed_inplace) "s/REPLACE_CRD_NAME/$$crd_name/g" $(helm_chart_source_dir)/templates/crd-$$i; \ 64 | $(sed_inplace) "s/REPLACE_LABELS_TEMPLATE/$(helm_labels_template_name)/g" $(helm_chart_source_dir)/templates/crd-$$i; \ 65 | $(YQ) -I2 '{"spec": .spec}' $(crds_gen_temp)/$$i >> $(helm_chart_source_dir)/templates/crd-$$i; \ 66 | cat $(crd_template_footer) >> $(helm_chart_source_dir)/templates/crd-$$i; \ 67 | done 68 | 69 | @if [ -n "$$(ls $(crds_gen_temp) 2>/dev/null)" ]; then \ 70 | cp $(crds_gen_temp)/* $(crds_dir)/ ; \ 71 | cp $(crds_dir_readme) $(crds_dir)/README.md ; \ 72 | fi 73 | 74 | shared_generate_targets += generate-crds 75 | -------------------------------------------------------------------------------- /make/_shared/helm/crds_dir.README.md: -------------------------------------------------------------------------------- 1 | # CRDs source directory 2 | 3 | > **WARNING**: if you are an end-user, you probably should NOT need to use the 4 | > files in this directory. These files are for **reference, development and testing purposes only**. 5 | 6 | This directory contains 'source code' used to build our CustomResourceDefinition 7 | resources consumed by our officially supported deployment methods (e.g. the Helm chart). 8 | The CRDs in this directory might be incomplete, and should **NOT** be used to provision the operator. 
-------------------------------------------------------------------------------- /make/_shared/helm/deploy.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2023 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | ifndef deploy_name 16 | $(error deploy_name is not set) 17 | endif 18 | 19 | ifndef deploy_namespace 20 | $(error deploy_namespace is not set) 21 | endif 22 | 23 | # Install options allows the user configuration of extra flags 24 | INSTALL_OPTIONS ?= 25 | 26 | ########################################## 27 | 28 | .PHONY: install 29 | ## Install controller helm chart on the current active K8S cluster. 30 | ## @category [shared] Deployment 31 | install: $(helm_chart_archive) | $(NEEDS_HELM) 32 | $(HELM) upgrade $(deploy_name) $(helm_chart_archive) \ 33 | --wait \ 34 | --install \ 35 | --create-namespace \ 36 | $(INSTALL_OPTIONS) \ 37 | --namespace $(deploy_namespace) 38 | 39 | .PHONY: uninstall 40 | ## Uninstall controller helm chart from the current active K8S cluster. 41 | ## @category [shared] Deployment 42 | uninstall: | $(NEEDS_HELM) 43 | $(HELM) uninstall $(deploy_name) \ 44 | --wait \ 45 | --namespace $(deploy_namespace) 46 | 47 | .PHONY: template 48 | ## Template the helm chart. 
49 | ## @category [shared] Deployment 50 | template: $(helm_chart_archive) | $(NEEDS_HELM) 51 | @$(HELM) template $(deploy_name) $(helm_chart_archive) \ 52 | --create-namespace \ 53 | $(INSTALL_OPTIONS) \ 54 | --namespace $(deploy_namespace) 55 | -------------------------------------------------------------------------------- /make/_shared/help/01_mod.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2023 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | 16 | help_sh := $(dir $(lastword $(MAKEFILE_LIST)))/help.sh 17 | 18 | .PHONY: help 19 | help: 20 | @MAKEFILE_LIST="$(MAKEFILE_LIST)" \ 21 | MAKE="$(MAKE)" \ 22 | $(help_sh) 23 | -------------------------------------------------------------------------------- /make/_shared/kind/00_kind_image_versions.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2024 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # This file is auto-generated by the learn_kind_images.sh script in the makefile-modules repo. 16 | # Do not edit manually. 17 | 18 | kind_image_kindversion := v0.27.0 19 | 20 | kind_image_kube_1.29_amd64 := docker.io/kindest/node:v1.29.14@sha256:e7858e6394f5e834802ce573ab340a0584d8314f909cb0717e14b57f2dd97257 21 | kind_image_kube_1.29_arm64 := docker.io/kindest/node:v1.29.14@sha256:6eed9bfd0313cc3574c4613adeb7f53832cb8d9c0ca9ffa8b8221716fd96dc18 22 | kind_image_kube_1.30_amd64 := docker.io/kindest/node:v1.30.10@sha256:e382f9b891474f1c4b0b5cfcf27f8e471f1bdc1f285afe38adeec1bd5b856cfe 23 | kind_image_kube_1.30_arm64 := docker.io/kindest/node:v1.30.10@sha256:ca8e16c04ee9ebaeb9a4dd85abbe188f3893fb39bd658d6d3e639d16cf46e3da 24 | kind_image_kube_1.31_amd64 := docker.io/kindest/node:v1.31.6@sha256:37d52dc19f59394f9347b00547c3ed2d73eb301a60294b9b05fbe56fb6196517 25 | kind_image_kube_1.31_arm64 := docker.io/kindest/node:v1.31.6@sha256:4e6223faa19178922d30e7b62546c5464fdf9bc66a3df64073424a51ab44f2ab 26 | kind_image_kube_1.32_amd64 := docker.io/kindest/node:v1.32.2@sha256:a37b679ad8c1cfa7c64aca1734cc4299dc833258d6c131ed0204c8cd2bd56ff7 27 | kind_image_kube_1.32_arm64 := docker.io/kindest/node:v1.32.2@sha256:4d0e1b60f1da0d1349996a9778f8bace905189af5e05e04618eae0a155dd9f9c 28 | kind_image_kube_1.33_amd64 := docker.io/kindest/node:v1.33.0@sha256:c9ec7bf998c310c5a6c903d66c2e595fb3e2eb53fb626cd53d07a3a5499de412 29 | kind_image_kube_1.33_arm64 := 
docker.io/kindest/node:v1.33.0@sha256:96ae3b980f87769e0117c2a89ec74fc660b84eedb573432abd2a682af3eccc02 30 | 31 | kind_image_latest_amd64 := $(kind_image_kube_1.33_amd64) 32 | kind_image_latest_arm64 := $(kind_image_kube_1.33_arm64) 33 | -------------------------------------------------------------------------------- /make/_shared/kind/00_mod.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2023 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | include $(dir $(lastword $(MAKEFILE_LIST)))/00_kind_image_versions.mk 16 | 17 | images_amd64 ?= 18 | images_arm64 ?= 19 | 20 | # K8S_VERSION can be used to specify a specific 21 | # kubernetes version to use with Kind. 
22 | K8S_VERSION ?= 23 | ifeq ($(K8S_VERSION),) 24 | images_amd64 += $(kind_image_latest_amd64) 25 | images_arm64 += $(kind_image_latest_arm64) 26 | else 27 | fatal_if_undefined = $(if $(findstring undefined,$(origin $1)),$(error $1 is not set)) 28 | $(call fatal_if_undefined,kind_image_kube_$(K8S_VERSION)_amd64) 29 | $(call fatal_if_undefined,kind_image_kube_$(K8S_VERSION)_arm64) 30 | 31 | images_amd64 += $(kind_image_kube_$(K8S_VERSION)_amd64) 32 | images_arm64 += $(kind_image_kube_$(K8S_VERSION)_arm64) 33 | endif 34 | -------------------------------------------------------------------------------- /make/_shared/kind/01_mod.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2023 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | include $(dir $(lastword $(MAKEFILE_LIST)))/kind.mk 16 | include $(dir $(lastword $(MAKEFILE_LIST)))/kind-image-preload.mk 17 | -------------------------------------------------------------------------------- /make/_shared/kind/kind-image-preload.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2023 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

ifndef bin_dir
$(error bin_dir is not set)
endif

ifndef images_amd64
$(error images_amd64 is not set)
endif

ifndef images_arm64
$(error images_arm64 is not set)
endif

##########################################

# Images for the architecture of the machine running make. Each entry has the
# form image:tag@sha256:digest (see the lists assembled in the 00_mod.mk files).
images := $(images_$(HOST_ARCH))

# One tarball per image under _bin. ':' cannot be used in a make target name,
# so it is swapped for '+' in the file name (and swapped back in the recipe).
images_tar_dir := $(bin_dir)/downloaded/containers/$(HOST_ARCH)
images_tars := $(foreach image,$(images),$(images_tar_dir)/$(subst :,+,$(image)).tar)

# Download the images as tarballs. After downloading the image using
# its digest, we use image-tool to modify the .[0].RepoTags[0] value in
# the manifest.json file to have the correct tag (instead of "i-was-a-digest"
# which is set when the image is pulled using its digest). This tag is used
# to reference the image after it has been imported using docker or kind. Otherwise,
# the image would be imported with the tag "i-was-a-digest" which is not very useful.
# We would have to use digests to reference the image everywhere which might
# not always be possible and does not match the default behavior of eg. our helm charts.
# NOTE: the image content is pinned by the digest (that is what crane pulls
# below); the tag applied afterwards is taken verbatim from the input and is
# never checked against the registry, so the remote tag is allowed to point
# to a different digest. This prevents CI from breaking due to upstream
# changes. However, it also means that a tag can be combined with a digest it
# does not belong to, so when bumping an image update the tag and the digest
# together.
# Rule for one image tarball. $* is the file stem with '+' in place of ':';
# it is turned back into image:tag@sha256:digest and split into its parts.
# The $(eval ...) lines expand to nothing at recipe time, which is why they
# are prefixed with '@' (an empty, silent command).
# NOTE(review): $(NEEDS_GOJQ) is listed as an order-only prerequisite but the
# recipe does not use $(GOJQ); it looks like a leftover.
$(images_tars): $(images_tar_dir)/%.tar: | $(NEEDS_IMAGE-TOOL) $(NEEDS_CRANE) $(NEEDS_GOJQ)
	@$(eval full_image=$(subst +,:,$*))
	@$(eval bare_image=$(word 1,$(subst :, ,$(full_image))))
	@$(eval digest=$(word 2,$(subst @, ,$(full_image))))
	@$(eval tag=$(word 2,$(subst :, ,$(word 1,$(subst @, ,$(full_image))))))
	@mkdir -p $(dir $@)
	$(CRANE) pull "$(bare_image)@$(digest)" $@ --platform=linux/$(HOST_ARCH)
	$(IMAGE-TOOL) tag-docker-tar $@ "$(bare_image):$(tag)"

# Define per-image variables <repo>.TAR / .REPO / .TAG / .FULL so that other
# modules can refer to an image by repository name, e.g.
# $(docker.io/kindest/node.TAR).
# $1 = image
# $2 = image:tag@sha256:digest
define image_variables
$1.TAR := $(images_tar_dir)/$(subst :,+,$2).tar
$1.REPO := $1
$1.TAG := $(word 2,$(subst :, ,$(word 1,$(subst @, ,$2))))
$1.FULL := $(word 1,$(subst @, ,$2))
endef

$(foreach image,$(images),$(eval $(call image_variables,$(word 1,$(subst :, ,$(image))),$(image))))

.PHONY: images-preload
## Preload images.
## @category [shared] Kind cluster
images-preload: | $(images_tars)
--------------------------------------------------------------------------------
/make/_shared/kind/kind.mk:
--------------------------------------------------------------------------------
# Copyright 2023 The cert-manager Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
14 | 15 | ifndef bin_dir 16 | $(error bin_dir is not set) 17 | endif 18 | 19 | ifndef kind_cluster_name 20 | $(error kind_cluster_name is not set) 21 | endif 22 | 23 | ifndef kind_cluster_config 24 | $(error kind_cluster_config is not set) 25 | endif 26 | 27 | ########################################## 28 | 29 | kind_kubeconfig := $(bin_dir)/scratch/kube.config 30 | absolute_kubeconfig := $(CURDIR)/$(kind_kubeconfig) 31 | 32 | $(bin_dir)/scratch/cluster-check: FORCE | $(NEEDS_KIND) $(bin_dir)/scratch 33 | @if ! $(KIND) get clusters -q | grep -q "^$(kind_cluster_name)\$$"; then \ 34 | echo "❌ cluster $(kind_cluster_name) not found. Starting ..."; \ 35 | echo "trigger" > $@; \ 36 | else \ 37 | echo "✅ existing cluster $(kind_cluster_name) found"; \ 38 | fi 39 | $(eval export KUBECONFIG=$(absolute_kubeconfig)) 40 | 41 | kind_post_create_hook ?= 42 | $(kind_kubeconfig): $(kind_cluster_config) $(bin_dir)/scratch/cluster-check | images-preload $(bin_dir)/scratch $(NEEDS_KIND) $(NEEDS_KUBECTL) $(NEEDS_CTR) 43 | @[ -f "$(bin_dir)/scratch/cluster-check" ] && ( \ 44 | $(KIND) delete cluster --name $(kind_cluster_name); \ 45 | $(CTR) load -i $(docker.io/kindest/node.TAR); \ 46 | $(KIND) create cluster \ 47 | --image $(docker.io/kindest/node.FULL) \ 48 | --name $(kind_cluster_name) \ 49 | --config "$<"; \ 50 | $(CTR) exec $(kind_cluster_name)-control-plane find /mounted_images/ -name "*.tar" -exec echo {} \; -exec ctr --namespace=k8s.io images import --all-platforms --no-unpack --digests {} \; ; \ 51 | $(MAKE) --no-print-directory noop $(kind_post_create_hook); \ 52 | $(KUBECTL) config use-context kind-$(kind_cluster_name); \ 53 | ) || true 54 | 55 | $(KIND) get kubeconfig --name $(kind_cluster_name) > $@ 56 | 57 | .PHONY: kind-cluster 58 | kind-cluster: $(kind_kubeconfig) 59 | 60 | .PHONY: kind-cluster-load 61 | ## Create Kind cluster and wait for nodes to be ready 62 | ## Load the kubeconfig into the default location so that 63 | ## it can be easily queried by kubectl. 
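## This target is meant to be used directly, NOT as a dependency.
## Use `kind-cluster` as a dependency instead.
## The existing ~/.kube/config is merged with the kind kubeconfig, not replaced.
## @category [shared] Kind cluster
kind-cluster-load: kind-cluster | $(NEEDS_KUBECTL)
	mkdir -p ~/.kube
	@# Merge via an intermediate file: redirecting the kubectl output straight into
	@# ~/.kube/config would truncate that file before kubectl reads it, silently
	@# dropping every pre-existing context and credential and leaving only the kind cluster.
	KUBECONFIG=~/.kube/config:$(kind_kubeconfig) $(KUBECTL) config view --flatten > $(kind_kubeconfig).merged
	@# cat rather than mv, so an existing (possibly symlinked) config keeps its mode and identity.
	cat $(kind_kubeconfig).merged > ~/.kube/config
	rm -f $(kind_kubeconfig).merged
	$(KUBECTL) config use-context kind-$(kind_cluster_name)

.PHONY: kind-cluster-clean
## Delete the Kind cluster
## @category [shared] Kind cluster
kind-cluster-clean: $(NEEDS_KIND)
	$(KIND) delete cluster --name $(kind_cluster_name)
	rm -rf $(kind_kubeconfig)
	@# NOTE(review): the post-create hook is re-run after the cluster is deleted,
	@# presumably to reset hook-managed state for the next cluster - confirm against the hooks in use.
	$(MAKE) --no-print-directory noop $(kind_post_create_hook)

.PHONY: kind-logs
## Export the Kind cluster logs into the e2e-logs folder of the artifacts directory
## @category [shared] Kind cluster
kind-logs: | kind-cluster $(NEEDS_KIND) $(ARTIFACTS)
	rm -rf $(ARTIFACTS)/e2e-logs
	mkdir -p $(ARTIFACTS)/e2e-logs
	$(KIND) export logs $(ARTIFACTS)/e2e-logs --name=$(kind_cluster_name)

--------------------------------------------------------------------------------
/make/_shared/klone/01_mod.mk:
--------------------------------------------------------------------------------
# Copyright 2023 The cert-manager Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.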
14 | 15 | .PHONY: generate-klone 16 | ## Generate klone shared Makefiles 17 | ## @category [shared] Generate/ Verify 18 | generate-klone: | $(NEEDS_KLONE) 19 | $(KLONE) sync 20 | 21 | shared_generate_targets += generate-klone 22 | 23 | .PHONY: upgrade-klone 24 | ## Upgrade klone Makefile modules to latest version 25 | ## @category [shared] Self-upgrade 26 | upgrade-klone: | $(NEEDS_KLONE) 27 | $(KLONE) upgrade 28 | -------------------------------------------------------------------------------- /make/_shared/licenses/00_mod.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2024 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # Define default config for generating licenses 16 | license_ignore ?= 17 | -------------------------------------------------------------------------------- /make/_shared/licenses/01_mod.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2024 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | ###################### Generate LICENSES files ###################### 16 | 17 | # Create a go.work file so that go-licenses can discover the LICENSE file of the 18 | # other modules in the repo. 19 | # 20 | # Without this, go-licenses *guesses* the wrong LICENSE for local dependencies and 21 | # links to the wrong versions of LICENSES for transitive dependencies. 22 | licenses_go_work := $(bin_dir)/scratch/LICENSES.go.work 23 | $(licenses_go_work): $(bin_dir)/scratch 24 | GOWORK=$(abspath $@) \ 25 | $(MAKE) go-workspace 26 | 27 | ## Generate licenses for the golang dependencies 28 | ## @category [shared] Generate/Verify 29 | generate-go-licenses: # 30 | shared_generate_targets += generate-go-licenses 31 | 32 | define licenses_target 33 | $1/LICENSES: $1/go.mod $(licenses_go_work) | $(NEEDS_GO-LICENSES) 34 | cd $$(dir $$@) && \ 35 | GOWORK=$(abspath $(licenses_go_work)) \ 36 | GOOS=linux GOARCH=amd64 \ 37 | $(GO-LICENSES) report --ignore "$$(license_ignore)" ./... > LICENSES 38 | 39 | generate-go-licenses: $1/LICENSES 40 | # The /LICENSE targets make sure these files exist. 41 | # Otherwise, make will error. 42 | generate-go-licenses: $1/LICENSE 43 | endef 44 | 45 | # Calculate all the go.mod directories, build targets may share go.mod dirs so 46 | # we use $(sort) to de-duplicate. 47 | go_mod_dirs := $(foreach build_name,$(build_names),$(go_$(build_name)_mod_dir)) 48 | ifneq ("$(wildcard go.mod)","") 49 | go_mod_dirs += . 
50 | endif 51 | go_mod_dirs := $(sort $(go_mod_dirs)) 52 | $(foreach go_mod_dir,$(go_mod_dirs),$(eval $(call licenses_target,$(go_mod_dir)))) 53 | 54 | ###################### Include LICENSES in OCI image ###################### 55 | 56 | define license_layer 57 | license_layer_path_$1 := $$(abspath $(bin_dir)/scratch/licenses-$1) 58 | 59 | # Target to generate image layer containing license information 60 | .PHONY: oci-license-layer-$1 61 | oci-license-layer-$1: | $(bin_dir)/scratch $(NEEDS_GO-LICENSES) 62 | rm -rf $$(license_layer_path_$1) 63 | mkdir -p $$(license_layer_path_$1)/licenses 64 | cp $$(go_$1_mod_dir)/LICENSE $$(license_layer_path_$1)/licenses/LICENSE 65 | cp $$(go_$1_mod_dir)/LICENSES $$(license_layer_path_$1)/licenses/LICENSES 66 | 67 | oci-build-$1: oci-license-layer-$1 68 | oci_$1_additional_layers += $$(license_layer_path_$1) 69 | endef 70 | 71 | $(foreach build_name,$(build_names),$(eval $(call license_layer,$(build_name)))) 72 | -------------------------------------------------------------------------------- /make/_shared/oci-publish/00_mod.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2023 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # Push names is equivalent to build_names, additional names can be added for 16 | # pushing images that are not build with the oci-build module 17 | push_names ?= 18 | push_names += $(build_names) 19 | 20 | # Sometimes we need to push to one registry, but pull from another. This allows 21 | # that. 22 | # 23 | # The lines should be in the format a=b 24 | # 25 | # The value on the left is the domain you include in your oci__image_name 26 | # variable, the one on the right is the domain that is actually pushed to. 27 | # 28 | # For example, if we set up a vanity domain for the current quay: 29 | # 30 | # oci_controller_image_name = registry.cert-manager.io/cert-manager-controller` 31 | # image_registry_rewrite += registry.cert-manager.io=quay.io/jetstack 32 | # 33 | # This would push to quay.io/jetstack/cert-manager-controller. 34 | # 35 | # The general idea is oci__image_name contains the final image name, after replication, after vanity domains etc. 36 | 37 | image_registry_rewrite ?= 38 | 39 | # Utilities for extracting the key and value from a foo=bar style line 40 | kv_key = $(word 1,$(subst =, ,$1)) 41 | kv_value = $(word 2,$(subst =, ,$1)) 42 | 43 | # Apply the image_registry_rewrite rules, if no rules match an image then the 44 | # image name is not changed. Any rules that match will be applied. 
45 | # 46 | # For example, if there was a rule vanity-domain.com=real-registry.com/foo 47 | # then any references to vanity-domain.com/image would be rewritten to 48 | # real-registry.com/foo/image 49 | image_registry_rewrite_rules_for_image = $(strip $(sort $(foreach rule,$(image_registry_rewrite),$(if $(findstring $(call kv_key,$(rule)),$1),$(rule))))) 50 | apply_image_registry_rewrite_rules_to_image = $(if $(call image_registry_rewrite_rules_for_image,$1),\ 51 | $(foreach rule,$(call image_registry_rewrite_rules_for_image,$1),$(subst $(call kv_key,$(rule)),$(call kv_value,$(rule)),$1)),\ 52 | $1) 53 | apply_image_registry_rewrite_rules = $(foreach image_name,$1,$(call apply_image_registry_rewrite_rules_to_image,$(image_name))) 54 | 55 | # This is a helper function to return the image names for a given build_name. 56 | # It will apply all rewrite rules to the image names 57 | oci_image_names_for = $(call apply_image_registry_rewrite_rules,$(oci_$1_image_name)) 58 | oci_image_tag_for = $(oci_$1_image_tag) -------------------------------------------------------------------------------- /make/_shared/oci-publish/image-exists.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright 2022 The cert-manager Authors. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
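set -o errexit
set -o nounset
set -o pipefail

# This script checks whether a given image already exists in the upstream
# registry by asking the registry for its manifest. Only the presence of the
# manifest is checked; the platforms it lists are not inspected.
#
# Exit status:
#   0 - the registry returned a manifest, or answered MANIFEST_UNKNOWN
#   1 - missing argument, CRANE not set, or an unexpected registry error
#
# NOTE(review): the usage line advertises trailing [commands...] and the
# MANIFEST_UNKNOWN branch says it falls through to them, but nothing in this
# script executes "$@"; the caller presumably acts on the exit status and the
# "+++" output instead. Confirm against the make target that invokes this script.

crane=${CRANE:-}

FULL_IMAGE=${1:-}

function print_usage() {
	echo "usage: $0 <full-image> [commands...]"
}

if [[ -z $FULL_IMAGE ]]; then
	print_usage
	echo "Missing full-image"
	exit 1
fi

if [[ -z $crane ]]; then
	echo "CRANE environment variable must be set to the path of the crane binary"
	exit 1
fi

shift 1

# Both temporary files are removed by a single trap: a later `trap ... EXIT`
# replaces an earlier one instead of adding to it, so registering one trap per
# file leaves the first file behind on every run.
manifest=$(mktemp)
manifest_error=$(mktemp)
trap 'rm -f "$manifest" "$manifest_error"' EXIT SIGINT

echo "+++ searching for $FULL_IMAGE in upstream registry"

# A failing crane call is an expected outcome here (image absent), so errexit
# is suspended around it and the status is inspected explicitly below.
set +o errexit
$crane manifest "$FULL_IMAGE" > "$manifest" 2> "$manifest_error"
exit_code=$?
set -o errexit

manifest_error_data=$(cat "$manifest_error")
if [[ $exit_code -eq 0 ]]; then
	echo "+++ upstream registry appears to contain $FULL_IMAGE, exiting"
	exit 0

elif [[ "$manifest_error_data" == *"MANIFEST_UNKNOWN"* ]]; then
	echo "+++ upstream registry does not contain $FULL_IMAGE, will build and push"
	# fall through to run the commands passed to this script

else
	# Anything other than a clean "unknown manifest" (auth failure, network
	# error, rate limiting) is surfaced as fatal rather than treated as absent.
	echo "FATAL: upstream registry returned an unexpected error: $manifest_error_data, exiting"
	exit 1
fi

--------------------------------------------------------------------------------
/make/_shared/repository-base/01_mod.mk:
--------------------------------------------------------------------------------
# Copyright 2023 The cert-manager Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.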
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | base_dir := $(dir $(lastword $(MAKEFILE_LIST)))/base/ 16 | base_dependabot_dir := $(dir $(lastword $(MAKEFILE_LIST)))/base-dependabot/ 17 | 18 | ifdef repository_base_no_dependabot 19 | .PHONY: generate-base 20 | ## Generate base files in the repository 21 | ## @category [shared] Generate/ Verify 22 | generate-base: 23 | cp -r $(base_dir)/. ./ 24 | else 25 | .PHONY: generate-base 26 | ## Generate base files in the repository 27 | ## @category [shared] Generate/ Verify 28 | generate-base: 29 | cp -r $(base_dir)/. ./ 30 | cp -r $(base_dependabot_dir)/. ./ 31 | endif 32 | 33 | shared_generate_targets += generate-base 34 | -------------------------------------------------------------------------------- /make/_shared/repository-base/base-dependabot/.github/dependabot.yaml: -------------------------------------------------------------------------------- 1 | # THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. 2 | # Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base-dependabot/.github/dependabot.yaml instead. 3 | 4 | # Update Go dependencies and GitHub Actions dependencies daily. 
5 | version: 2 6 | updates: 7 | - package-ecosystem: gomod 8 | directory: / 9 | schedule: 10 | interval: daily 11 | groups: 12 | all: 13 | patterns: ["*"] 14 | - package-ecosystem: github-actions 15 | directory: / 16 | schedule: 17 | interval: daily 18 | groups: 19 | all: 20 | patterns: ["*"] 21 | -------------------------------------------------------------------------------- /make/_shared/repository-base/base/OWNERS_ALIASES: -------------------------------------------------------------------------------- 1 | # THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. 2 | # Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/OWNERS_ALIASES instead. 3 | 4 | aliases: 5 | cm-maintainers: 6 | - munnerz 7 | - joshvanl 8 | - wallrj 9 | - jakexks 10 | - maelvls 11 | - sgtcodfish 12 | - inteon 13 | - thatsmrtalbot 14 | - erikgb 15 | -------------------------------------------------------------------------------- /make/_shared/tools/util/checkhash.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright 2023 The cert-manager Authors. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
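set -o errexit
set -o nounset
set -o pipefail

SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"

# This script hashes the file named by its first argument (through the sibling
# hash.sh, so the digest algorithm and its portability live in one place) and
# compares the result with the hex digest given as its second argument.
#
# Exit status:
#   0 - digests match, or LEARN_FILE is set (mismatch recorded, not enforced)
#   1 - missing argument, or digests differ with LEARN_FILE unset

function usage_and_exit() {
	echo "usage: $0 <path-to-file> <expected-hash>"
	echo "or: LEARN_FILE=<path-to-learn-file> $0 <path-to-file> <expected-hash>"
	exit 1
}

HASH_TARGET=${1:-}
EXPECTED_HASH=${2:-}

if [[ -z $HASH_TARGET ]]; then
	usage_and_exit
fi

if [[ -z $EXPECTED_HASH ]]; then
	usage_and_exit
fi

SHASUM=$("${SCRIPT_DIR}/hash.sh" "$HASH_TARGET")

if [[ "$SHASUM" == "$EXPECTED_HASH" ]]; then
	exit 0
fi

# When running 'make learn-sha-tools', we don't want this script to fail.
# Instead we log what sha values are wrong, so the make.mk file can be updated.
#
# Because this turns a failed verification into a success, LEARN_FILE must only
# be set for that deliberate update step, never in a build that goes on to use
# the downloaded tool.

if [ "${LEARN_FILE:-}" != "" ]; then
	# Recorded as a sed substitution so the pinned hash can be patched in place.
	echo "s/$EXPECTED_HASH/$SHASUM/g" >> "${LEARN_FILE:-}"
	exit 0
fi

echo "invalid checksum for \"$HASH_TARGET\": wanted \"$EXPECTED_HASH\" but got \"$SHASUM\""
exit 1

--------------------------------------------------------------------------------
/make/_shared/tools/util/hash.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Copyright 2023 The cert-manager Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.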
14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | set -o errexit 18 | set -o nounset 19 | set -o pipefail 20 | 21 | # This script is a wrapper for outputting purely the sha256 hash of the input file, 22 | # ideally in a portable way. 23 | 24 | case "$(uname -s)" in 25 | Darwin*) shasum -a 256 "$1";; 26 | *) sha256sum "$1" 27 | esac | cut -d" " -f1 -------------------------------------------------------------------------------- /make/_shared/tools/util/lock.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright 2023 The cert-manager Authors. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | set -o errexit 18 | set -o nounset 19 | set -o pipefail 20 | 21 | # This script is used to lock a file while it is being downloaded. It prevents 22 | # multiple processes from downloading the same file at the same time or from reading 23 | # a half-downloaded file. 24 | # We need this solution because we have recursive $(MAKE) calls in our makefile 25 | # which each will try to download a set of tools. To prevent them from all downloading 26 | # the same files, we re-use the same downloads folder for all $(MAKE) invocations and 27 | # use this script to deduplicate the download processes. 
28 | 29 | finalfile="$1" 30 | lockfile="$finalfile.lock" 31 | 32 | # On macOS, flock is not installed, we just skip locking in that case, 33 | # this means that running verify in parallel without downloading all 34 | # tools first will not work. 35 | flock_installed=$(command -v flock >/dev/null && echo "yes" || echo "no") 36 | 37 | if [[ "$flock_installed" == "yes" ]]; then 38 | mkdir -p "$(dirname "$lockfile")" 39 | touch "$lockfile" 40 | exec {FD}<>"$lockfile" 41 | 42 | # wait for the file to be unlocked 43 | if ! flock -x $FD; then 44 | echo "Failed to obtain a lock for $lockfile" 45 | exit 1 46 | fi 47 | fi 48 | 49 | # now that we have the lock, check if file is already there 50 | if [[ -e "$finalfile" ]]; then 51 | exit 0 52 | fi 53 | 54 | # use a temporary file to prevent Make from thinking the file is ready 55 | # while in reality is is only a partial download 56 | # shellcheck disable=SC2034 57 | outfile="$finalfile.tmp" 58 | 59 | finish() { 60 | rv=$? 61 | if [[ $rv -eq 0 ]]; then 62 | mv "$outfile" "$finalfile" 63 | echo "[info]: downloaded $finalfile" 64 | else 65 | rm -rf "$outfile" || true 66 | rm -rf "$finalfile" || true 67 | fi 68 | rm -rf "$lockfile" || true 69 | } 70 | trap finish EXIT SIGINT 71 | -------------------------------------------------------------------------------- /make/config/kind/cluster.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kind.x-k8s.io/v1alpha4 2 | kind: Cluster 3 | kubeadmConfigPatches: 4 | - | 5 | kind: ClusterConfiguration 6 | metadata: 7 | name: config 8 | etcd: 9 | local: 10 | extraArgs: 11 | unsafe-no-fsync: "true" 12 | networking: 13 | serviceSubnet: 10.0.0.0/16 14 | nodes: 15 | - role: control-plane 16 | 17 | extraMounts: 18 | - hostPath: {{KIND_IMAGES}} 19 | containerPath: /mounted_images 20 | -------------------------------------------------------------------------------- /make/debian-trust-package-bookworm.mk: 
-------------------------------------------------------------------------------- 1 | # Copyright 2025 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package_name_bookworm := cert-manager-debian-bookworm 16 | 17 | debian_package_bookworm_layer := $(bin_dir)/scratch/debian-trust-package-bookworm 18 | debian_package_bookworm_json := $(debian_package_bookworm_layer)/debian-package/cert-manager-package-debian.json 19 | 20 | $(debian_package_bookworm_layer)/debian-package: 21 | mkdir -p $@ 22 | 23 | $(debian_package_bookworm_json): | $(bin_dir)/bin/validate-trust-package $(debian_package_bookworm_layer)/debian-package 24 | BIN_VALIDATE_TRUST_PACKAGE=$(bin_dir)/bin/validate-trust-package \ 25 | ./make/debian-trust-package-fetch.sh exact $(DEBIAN_BUNDLE_BOOKWORM_SOURCE_IMAGE) $@ $(DEBIAN_BUNDLE_BOOKWORM_VERSION) $(package_name_bookworm) 26 | 27 | oci-build-package_debian_bookworm: $(debian_package_bookworm_json) 28 | oci_additional_layers_package_debian_bookworm += $(debian_package_bookworm_layer) 29 | 30 | # see https://stackoverflow.com/a/53408233 31 | sed_inplace := sed -i'' 32 | ifeq ($(HOST_OS),darwin) 33 | sed_inplace := sed -i '' 34 | endif 35 | 36 | .PHONY: upgrade-debian-trust-package-bookworm-version 37 | upgrade-debian-trust-package-bookworm-version: | $(bin_dir)/bin/validate-trust-package $(bin_dir)/scratch 38 | $(eval temp_out := $(bin_dir)/scratch/debian-trust-package-bookworm.temp.json) 
39 | rm -rf $(temp_out) 40 | 41 | BIN_VALIDATE_TRUST_PACKAGE=$(bin_dir)/bin/validate-trust-package \ 42 | ./make/debian-trust-package-fetch.sh latest $(DEBIAN_BUNDLE_BOOKWORM_SOURCE_IMAGE) $(temp_out) $(DEBIAN_BUNDLE_BOOKWORM_VERSION) $(package_name_bookworm) 43 | 44 | latest_version=$$(jq -r '.version' $(temp_out)); \ 45 | $(sed_inplace) "s/DEBIAN_BUNDLE_BOOKWORM_VERSION := .*/DEBIAN_BUNDLE_BOOKWORM_VERSION := $$latest_version/" make/00_debian_bookworm_version.mk 46 | -------------------------------------------------------------------------------- /make/debian-trust-package.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2023 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package_name := cert-manager-debian 16 | 17 | debian_package_layer := $(bin_dir)/scratch/debian-trust-package 18 | debian_package_json := $(debian_package_layer)/debian-package/cert-manager-package-debian.json 19 | 20 | $(debian_package_layer)/debian-package: 21 | mkdir -p $@ 22 | 23 | $(debian_package_json): | $(bin_dir)/bin/validate-trust-package $(debian_package_layer)/debian-package 24 | BIN_VALIDATE_TRUST_PACKAGE=$(bin_dir)/bin/validate-trust-package \ 25 | ./make/debian-trust-package-fetch.sh exact $(DEBIAN_BUNDLE_SOURCE_IMAGE) $@ $(DEBIAN_BUNDLE_VERSION) $(package_name) 26 | 27 | # Make sure the build the package json file when building 28 | # the OCI image. 
This will ensure that the $(debian_package_layer) 29 | # folder has the desired contents. 30 | oci-build-package_debian: $(debian_package_json) 31 | 32 | # see https://stackoverflow.com/a/53408233 33 | sed_inplace := sed -i'' 34 | ifeq ($(HOST_OS),darwin) 35 | sed_inplace := sed -i '' 36 | endif 37 | 38 | .PHONY: upgrade-debian-trust-package-version 39 | upgrade-debian-trust-package-version: | $(bin_dir)/bin/validate-trust-package $(bin_dir)/scratch 40 | $(eval temp_out := $(bin_dir)/scratch/debian-trust-package.temp.json) 41 | rm -rf $(temp_out) 42 | 43 | BIN_VALIDATE_TRUST_PACKAGE=$(bin_dir)/bin/validate-trust-package \ 44 | ./make/debian-trust-package-fetch.sh latest $(DEBIAN_BUNDLE_SOURCE_IMAGE) $(temp_out) $(DEBIAN_BUNDLE_VERSION) $(package_name) 45 | 46 | latest_version=$$(jq -r '.version' $(temp_out)); \ 47 | $(sed_inplace) "s/DEBIAN_BUNDLE_VERSION := .*/DEBIAN_BUNDLE_VERSION := $$latest_version/" make/00_debian_version.mk 48 | -------------------------------------------------------------------------------- /make/test-integration.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2023 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | .PHONY: test-integration 16 | ## Integration tests 17 | ## @category Testing 18 | test-integration: | $(NEEDS_GOTESTSUM) $(NEEDS_ETCD) $(NEEDS_KUBE-APISERVER) $(NEEDS_KUBECTL) $(ARTIFACTS) 19 | KUBEBUILDER_ASSETS=$(CURDIR)/$(bin_dir)/tools \ 20 | $(GOTESTSUM) \ 21 | --junitfile=$(ARTIFACTS)/junit-go-integration.xml \ 22 | -- \ 23 | -coverprofile=$(ARTIFACTS)/filtered.cov \ 24 | ./test/integration/... \ 25 | -- \ 26 | -ldflags $(go_manager_ldflags) \ 27 | -test.timeout 2m 28 | -------------------------------------------------------------------------------- /make/test-smoke.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2023 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | .PHONY: smoke-setup-cert-manager 16 | smoke-setup-cert-manager: | kind-cluster $(NEEDS_HELM) $(NEEDS_KUBECTL) 17 | $(HELM) upgrade \ 18 | --install \ 19 | --create-namespace \ 20 | --wait \ 21 | --version $(quay.io/jetstack/cert-manager-controller.TAG) \ 22 | --namespace cert-manager \ 23 | --repo https://charts.jetstack.io \ 24 | --set installCRDs=true \ 25 | --set image.repository=$(quay.io/jetstack/cert-manager-controller.REPO) \ 26 | --set image.tag=$(quay.io/jetstack/cert-manager-controller.TAG) \ 27 | --set image.pullPolicy=Never \ 28 | --set cainjector.image.repository=$(quay.io/jetstack/cert-manager-cainjector.REPO) \ 29 | --set cainjector.image.tag=$(quay.io/jetstack/cert-manager-cainjector.TAG) \ 30 | --set cainjector.image.pullPolicy=Never \ 31 | --set webhook.image.repository=$(quay.io/jetstack/cert-manager-webhook.REPO) \ 32 | --set webhook.image.tag=$(quay.io/jetstack/cert-manager-webhook.TAG) \ 33 | --set webhook.image.pullPolicy=Never \ 34 | --set startupapicheck.image.repository=$(quay.io/jetstack/cert-manager-startupapicheck.REPO) \ 35 | --set startupapicheck.image.tag=$(quay.io/jetstack/cert-manager-startupapicheck.TAG) \ 36 | --set startupapicheck.image.pullPolicy=Never \ 37 | cert-manager cert-manager >/dev/null 38 | 39 | # The "install" target can be run on its own with any currently active cluster, 40 | # we can't use any other cluster then a target containing "test-smoke" is run. 41 | # When a "test-smoke" target is run, the currently active cluster must be the kind 42 | # cluster created by the "kind-cluster" target. 
43 | ifeq ($(findstring test-smoke,$(MAKECMDGOALS)),test-smoke) 44 | install: kind-cluster oci-load-manager oci-load-package_debian oci-load-package_debian_bookworm 45 | endif 46 | 47 | test-smoke-deps: INSTALL_OPTIONS := 48 | test-smoke-deps: INSTALL_OPTIONS += --set image.repository=$(oci_manager_image_name_development) 49 | test-smoke-deps: INSTALL_OPTIONS += --set defaultPackageImage.repository=$(oci_package_debian_bookworm_image_name_development) 50 | test-smoke-deps: INSTALL_OPTIONS += --set secretTargets.enabled=true --set secretTargets.authorizedSecretsAll=true 51 | test-smoke-deps: smoke-setup-cert-manager 52 | test-smoke-deps: install 53 | 54 | .PHONY: test-smoke 55 | ## Smoke end-to-end tests 56 | ## @category Testing 57 | test-smoke: test-smoke-deps | kind-cluster $(NEEDS_GINKGO) $(ARTIFACTS) 58 | $(GINKGO) \ 59 | --output-dir $(ARTIFACTS) \ 60 | --junit-report junit-go-e2e.xml \ 61 | --ldflags "$(go_manager_ldflags)" \ 62 | ./test/smoke/ \ 63 | -- \ 64 | --kubeconfig-path $(CURDIR)/$(kind_kubeconfig) 65 | -------------------------------------------------------------------------------- /make/test-unit.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2023 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | .PHONY: test-unit 16 | ## Run all unit tests for trust-manager 17 | ## @category Testing 18 | test-unit: test-unit-standard test-unit-negativeserial 19 | 20 | 21 | .PHONY: test-unit-standard 22 | test-unit-standard: | $(NEEDS_GOTESTSUM) $(ARTIFACTS) 23 | ## Standard unit tests. These tests are in contrast to test-unit-negativeserial, 24 | ## and do not set the x509negativeserial GODEBUG value. 25 | ## We're testing against a "standard" configuration of trust-manager. 26 | ## @category Testing 27 | $(GOTESTSUM) \ 28 | --junitfile=$(ARTIFACTS)/junit-go-e2e.xml \ 29 | -- \ 30 | -coverprofile=$(ARTIFACTS)/filtered.cov \ 31 | ./cmd/... ./pkg/... \ 32 | -- \ 33 | -ldflags $(go_manager_ldflags) \ 34 | -test.timeout 2m 35 | 36 | .PHONY: test-unit-negativeserial 37 | ## Specialised unit tests which set the x509negativeserial GODEBUG value 38 | ## so we can test our handling of a special case introduced in Go 1.23. 39 | ## See ./pkg/compat for details 40 | ## @category Testing 41 | test-unit-negativeserial: | $(NEEDS_GOTESTSUM) $(ARTIFACTS) 42 | $(GOTESTSUM) \ 43 | --junitfile=$(ARTIFACTS)/junit-go-unit-negativeserial.xml \ 44 | -- \ 45 | -tags=testnegativeserialon \ 46 | ./pkg/compat/... \ 47 | -- \ 48 | -ldflags $(go_manager_ldflags) \ 49 | -test.timeout 2m 50 | -------------------------------------------------------------------------------- /make/validate-trust-package.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2025 The cert-manager Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | $(bin_dir)/bin: 16 | mkdir -p $@ 17 | 18 | $(bin_dir)/bin/validate-trust-package: cmd/validate-trust-package/*.go pkg/fspkg/*.go | $(NEEDS_GO) $(bin_dir)/bin 19 | $(GO) build -o $@ ./cmd/validate-trust-package 20 | 21 | -------------------------------------------------------------------------------- /pkg/apis/doc.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2021 The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | // +domain=trust.cert-manager.io 18 | 19 | package apis 20 | -------------------------------------------------------------------------------- /pkg/apis/trust/doc.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2021 The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 
6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package trust 18 | 19 | const GroupName = "trust.cert-manager.io" 20 | -------------------------------------------------------------------------------- /pkg/apis/trust/v1alpha1/doc.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2021 The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | // +kubebuilder:object:generate=true 18 | // +groupName=trust.cert-manager.io 19 | // +k8s:conversion-gen=github.com/cert-manager/trust-manager/pkg/apis/trustmanager/v1alpha2 20 | package v1alpha1 21 | -------------------------------------------------------------------------------- /pkg/apis/trust/v1alpha1/register.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2021 The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 
6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package v1alpha1 18 | 19 | import ( 20 | "fmt" 21 | 22 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 23 | "k8s.io/apimachinery/pkg/runtime" 24 | "k8s.io/apimachinery/pkg/runtime/schema" 25 | "k8s.io/client-go/kubernetes/scheme" 26 | 27 | "github.com/cert-manager/trust-manager/pkg/apis/trust" 28 | ) 29 | 30 | // SchemeGroupVersion is group version used to register these objects 31 | var SchemeGroupVersion = schema.GroupVersion{Group: trust.GroupName, Version: "v1alpha1"} 32 | 33 | // Resource takes an unqualified resource and returns a Group qualified GroupResource 34 | func Resource(resource string) schema.GroupResource { 35 | return SchemeGroupVersion.WithResource(resource).GroupResource() 36 | } 37 | 38 | var ( 39 | SchemeBuilder runtime.SchemeBuilder 40 | localSchemeBuilder = &SchemeBuilder 41 | AddToScheme = localSchemeBuilder.AddToScheme 42 | 43 | GlobalScheme *runtime.Scheme 44 | ) 45 | 46 | func init() { 47 | // We only register manually written functions here. The registration of the 48 | // generated functions takes place in the generated files. The separation 49 | // makes the code compile even when the generated files are missing. 
50 | localSchemeBuilder.Register(addKnownTypes) 51 | 52 | GlobalScheme = runtime.NewScheme() 53 | if err := scheme.AddToScheme(GlobalScheme); err != nil { 54 | panic(fmt.Sprintf("failed to add k8s.io scheme: %s", err)) 55 | } 56 | if err := AddToScheme(GlobalScheme); err != nil { 57 | panic(fmt.Sprintf("failed to add trust.cert-manager.io scheme: %s", err)) 58 | } 59 | } 60 | 61 | // Adds the list of known types to api.Scheme. 62 | func addKnownTypes(scheme *runtime.Scheme) error { 63 | scheme.AddKnownTypes(SchemeGroupVersion, 64 | &Bundle{}, 65 | &BundleList{}, 66 | ) 67 | metav1.AddToGroupVersion(scheme, SchemeGroupVersion) 68 | return nil 69 | } 70 | -------------------------------------------------------------------------------- /pkg/apis/trustmanager/doc.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2021 The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package trustmanager 18 | 19 | const GroupName = "trust-manager.io" 20 | -------------------------------------------------------------------------------- /pkg/apis/trustmanager/v1alpha2/conversion.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2025 The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 
6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package v1alpha2 18 | 19 | func (in *ClusterBundle) Hub() {} 20 | -------------------------------------------------------------------------------- /pkg/apis/trustmanager/v1alpha2/doc.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2021 The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | // +kubebuilder:object:generate=true 18 | // +kubebuilder:skip 19 | // +groupName=trust-manager.io 20 | package v1alpha2 21 | -------------------------------------------------------------------------------- /pkg/apis/trustmanager/v1alpha2/register.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2021 The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 
6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package v1alpha2 18 | 19 | import ( 20 | "fmt" 21 | 22 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 23 | "k8s.io/apimachinery/pkg/runtime" 24 | "k8s.io/apimachinery/pkg/runtime/schema" 25 | "k8s.io/client-go/kubernetes/scheme" 26 | 27 | "github.com/cert-manager/trust-manager/pkg/apis/trustmanager" 28 | ) 29 | 30 | // SchemeGroupVersion is group version used to register these objects 31 | var SchemeGroupVersion = schema.GroupVersion{Group: trustmanager.GroupName, Version: "v1alpha2"} 32 | 33 | // Resource takes an unqualified resource and returns a Group qualified GroupResource 34 | func Resource(resource string) schema.GroupResource { 35 | return SchemeGroupVersion.WithResource(resource).GroupResource() 36 | } 37 | 38 | var ( 39 | SchemeBuilder runtime.SchemeBuilder 40 | localSchemeBuilder = &SchemeBuilder 41 | AddToScheme = localSchemeBuilder.AddToScheme 42 | 43 | GlobalScheme *runtime.Scheme 44 | ) 45 | 46 | func init() { 47 | // We only register manually written functions here. The registration of the 48 | // generated functions takes place in the generated files. The separation 49 | // makes the code compile even when the generated files are missing. 
50 | localSchemeBuilder.Register(addKnownTypes) 51 | 52 | GlobalScheme = runtime.NewScheme() 53 | if err := scheme.AddToScheme(GlobalScheme); err != nil { 54 | panic(fmt.Sprintf("failed to add k8s.io scheme: %s", err)) 55 | } 56 | if err := AddToScheme(GlobalScheme); err != nil { 57 | panic(fmt.Sprintf("failed to add trust-manager.io scheme: %s", err)) 58 | } 59 | } 60 | 61 | // Adds the list of known types to api.Scheme. 62 | func addKnownTypes(scheme *runtime.Scheme) error { 63 | scheme.AddKnownTypes(SchemeGroupVersion, 64 | &ClusterBundle{}, 65 | &ClusterBundleList{}, 66 | ) 67 | metav1.AddToGroupVersion(scheme, SchemeGroupVersion) 68 | return nil 69 | } 70 | -------------------------------------------------------------------------------- /pkg/applyconfigurations/internal/internal.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | // Code generated by applyconfiguration-gen. DO NOT EDIT. 
17 | 18 | package internal 19 | 20 | import ( 21 | fmt "fmt" 22 | sync "sync" 23 | 24 | typed "sigs.k8s.io/structured-merge-diff/v4/typed" 25 | ) 26 | 27 | func Parser() *typed.Parser { 28 | parserOnce.Do(func() { 29 | var err error 30 | parser, err = typed.NewParser(schemaYAML) 31 | if err != nil { 32 | panic(fmt.Sprintf("Failed to parse schema: %v", err)) 33 | } 34 | }) 35 | return parser 36 | } 37 | 38 | var parserOnce sync.Once 39 | var parser *typed.Parser 40 | var schemaYAML = typed.YAMLObject(`types: 41 | - name: __untyped_atomic_ 42 | scalar: untyped 43 | list: 44 | elementType: 45 | namedType: __untyped_atomic_ 46 | elementRelationship: atomic 47 | map: 48 | elementType: 49 | namedType: __untyped_atomic_ 50 | elementRelationship: atomic 51 | - name: __untyped_deduced_ 52 | scalar: untyped 53 | list: 54 | elementType: 55 | namedType: __untyped_atomic_ 56 | elementRelationship: atomic 57 | map: 58 | elementType: 59 | namedType: __untyped_deduced_ 60 | elementRelationship: separable 61 | `) 62 | -------------------------------------------------------------------------------- /pkg/applyconfigurations/trust/v1alpha1/additionalformats.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | // Code generated by applyconfiguration-gen. DO NOT EDIT. 
17 | 18 | package v1alpha1 19 | 20 | // AdditionalFormatsApplyConfiguration represents a declarative configuration of the AdditionalFormats type for use 21 | // with apply. 22 | type AdditionalFormatsApplyConfiguration struct { 23 | JKS *JKSApplyConfiguration `json:"jks,omitempty"` 24 | PKCS12 *PKCS12ApplyConfiguration `json:"pkcs12,omitempty"` 25 | } 26 | 27 | // AdditionalFormatsApplyConfiguration constructs a declarative configuration of the AdditionalFormats type for use with 28 | // apply. 29 | func AdditionalFormats() *AdditionalFormatsApplyConfiguration { 30 | return &AdditionalFormatsApplyConfiguration{} 31 | } 32 | 33 | // WithJKS sets the JKS field in the declarative configuration to the given value 34 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 35 | // If called multiple times, the JKS field is set to the value of the last call. 36 | func (b *AdditionalFormatsApplyConfiguration) WithJKS(value *JKSApplyConfiguration) *AdditionalFormatsApplyConfiguration { 37 | b.JKS = value 38 | return b 39 | } 40 | 41 | // WithPKCS12 sets the PKCS12 field in the declarative configuration to the given value 42 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 43 | // If called multiple times, the PKCS12 field is set to the value of the last call. 44 | func (b *AdditionalFormatsApplyConfiguration) WithPKCS12(value *PKCS12ApplyConfiguration) *AdditionalFormatsApplyConfiguration { 45 | b.PKCS12 = value 46 | return b 47 | } 48 | -------------------------------------------------------------------------------- /pkg/applyconfigurations/trust/v1alpha1/bundlesource.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 
6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | // Code generated by applyconfiguration-gen. DO NOT EDIT. 17 | 18 | package v1alpha1 19 | 20 | // BundleSourceApplyConfiguration represents a declarative configuration of the BundleSource type for use 21 | // with apply. 22 | type BundleSourceApplyConfiguration struct { 23 | ConfigMap *SourceObjectKeySelectorApplyConfiguration `json:"configMap,omitempty"` 24 | Secret *SourceObjectKeySelectorApplyConfiguration `json:"secret,omitempty"` 25 | InLine *string `json:"inLine,omitempty"` 26 | UseDefaultCAs *bool `json:"useDefaultCAs,omitempty"` 27 | } 28 | 29 | // BundleSourceApplyConfiguration constructs a declarative configuration of the BundleSource type for use with 30 | // apply. 31 | func BundleSource() *BundleSourceApplyConfiguration { 32 | return &BundleSourceApplyConfiguration{} 33 | } 34 | 35 | // WithConfigMap sets the ConfigMap field in the declarative configuration to the given value 36 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 37 | // If called multiple times, the ConfigMap field is set to the value of the last call. 38 | func (b *BundleSourceApplyConfiguration) WithConfigMap(value *SourceObjectKeySelectorApplyConfiguration) *BundleSourceApplyConfiguration { 39 | b.ConfigMap = value 40 | return b 41 | } 42 | 43 | // WithSecret sets the Secret field in the declarative configuration to the given value 44 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 
45 | // If called multiple times, the Secret field is set to the value of the last call. 46 | func (b *BundleSourceApplyConfiguration) WithSecret(value *SourceObjectKeySelectorApplyConfiguration) *BundleSourceApplyConfiguration { 47 | b.Secret = value 48 | return b 49 | } 50 | 51 | // WithInLine sets the InLine field in the declarative configuration to the given value 52 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 53 | // If called multiple times, the InLine field is set to the value of the last call. 54 | func (b *BundleSourceApplyConfiguration) WithInLine(value string) *BundleSourceApplyConfiguration { 55 | b.InLine = &value 56 | return b 57 | } 58 | 59 | // WithUseDefaultCAs sets the UseDefaultCAs field in the declarative configuration to the given value 60 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 61 | // If called multiple times, the UseDefaultCAs field is set to the value of the last call. 62 | func (b *BundleSourceApplyConfiguration) WithUseDefaultCAs(value bool) *BundleSourceApplyConfiguration { 63 | b.UseDefaultCAs = &value 64 | return b 65 | } 66 | -------------------------------------------------------------------------------- /pkg/applyconfigurations/trust/v1alpha1/bundlespec.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | // Code generated by applyconfiguration-gen. DO NOT EDIT. 17 | 18 | package v1alpha1 19 | 20 | // BundleSpecApplyConfiguration represents a declarative configuration of the BundleSpec type for use 21 | // with apply. 22 | type BundleSpecApplyConfiguration struct { 23 | Sources []BundleSourceApplyConfiguration `json:"sources,omitempty"` 24 | Target *BundleTargetApplyConfiguration `json:"target,omitempty"` 25 | } 26 | 27 | // BundleSpecApplyConfiguration constructs a declarative configuration of the BundleSpec type for use with 28 | // apply. 29 | func BundleSpec() *BundleSpecApplyConfiguration { 30 | return &BundleSpecApplyConfiguration{} 31 | } 32 | 33 | // WithSources adds the given value to the Sources field in the declarative configuration 34 | // and returns the receiver, so that objects can be build by chaining "With" function invocations. 35 | // If called multiple times, values provided by each call will be appended to the Sources field. 36 | func (b *BundleSpecApplyConfiguration) WithSources(values ...*BundleSourceApplyConfiguration) *BundleSpecApplyConfiguration { 37 | for i := range values { 38 | if values[i] == nil { 39 | panic("nil value passed to WithSources") 40 | } 41 | b.Sources = append(b.Sources, *values[i]) 42 | } 43 | return b 44 | } 45 | 46 | // WithTarget sets the Target field in the declarative configuration to the given value 47 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 48 | // If called multiple times, the Target field is set to the value of the last call. 
49 | func (b *BundleSpecApplyConfiguration) WithTarget(value *BundleTargetApplyConfiguration) *BundleSpecApplyConfiguration { 50 | b.Target = value 51 | return b 52 | } 53 | -------------------------------------------------------------------------------- /pkg/applyconfigurations/trust/v1alpha1/bundlestatus.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | // Code generated by applyconfiguration-gen. DO NOT EDIT. 17 | 18 | package v1alpha1 19 | 20 | import ( 21 | v1 "k8s.io/client-go/applyconfigurations/meta/v1" 22 | ) 23 | 24 | // BundleStatusApplyConfiguration represents a declarative configuration of the BundleStatus type for use 25 | // with apply. 26 | type BundleStatusApplyConfiguration struct { 27 | Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"` 28 | DefaultCAPackageVersion *string `json:"defaultCAVersion,omitempty"` 29 | } 30 | 31 | // BundleStatusApplyConfiguration constructs a declarative configuration of the BundleStatus type for use with 32 | // apply. 33 | func BundleStatus() *BundleStatusApplyConfiguration { 34 | return &BundleStatusApplyConfiguration{} 35 | } 36 | 37 | // WithConditions adds the given value to the Conditions field in the declarative configuration 38 | // and returns the receiver, so that objects can be build by chaining "With" function invocations. 
39 | // If called multiple times, values provided by each call will be appended to the Conditions field. 40 | func (b *BundleStatusApplyConfiguration) WithConditions(values ...*v1.ConditionApplyConfiguration) *BundleStatusApplyConfiguration { 41 | for i := range values { 42 | if values[i] == nil { 43 | panic("nil value passed to WithConditions") 44 | } 45 | b.Conditions = append(b.Conditions, *values[i]) 46 | } 47 | return b 48 | } 49 | 50 | // WithDefaultCAPackageVersion sets the DefaultCAPackageVersion field in the declarative configuration to the given value 51 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 52 | // If called multiple times, the DefaultCAPackageVersion field is set to the value of the last call. 53 | func (b *BundleStatusApplyConfiguration) WithDefaultCAPackageVersion(value string) *BundleStatusApplyConfiguration { 54 | b.DefaultCAPackageVersion = &value 55 | return b 56 | } 57 | -------------------------------------------------------------------------------- /pkg/applyconfigurations/trust/v1alpha1/bundletarget.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | // Code generated by applyconfiguration-gen. DO NOT EDIT. 
17 | 18 | package v1alpha1 19 | 20 | import ( 21 | v1 "k8s.io/client-go/applyconfigurations/meta/v1" 22 | ) 23 | 24 | // BundleTargetApplyConfiguration represents a declarative configuration of the BundleTarget type for use 25 | // with apply. 26 | type BundleTargetApplyConfiguration struct { 27 | ConfigMap *TargetTemplateApplyConfiguration `json:"configMap,omitempty"` 28 | Secret *TargetTemplateApplyConfiguration `json:"secret,omitempty"` 29 | AdditionalFormats *AdditionalFormatsApplyConfiguration `json:"additionalFormats,omitempty"` 30 | NamespaceSelector *v1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"` 31 | } 32 | 33 | // BundleTargetApplyConfiguration constructs a declarative configuration of the BundleTarget type for use with 34 | // apply. 35 | func BundleTarget() *BundleTargetApplyConfiguration { 36 | return &BundleTargetApplyConfiguration{} 37 | } 38 | 39 | // WithConfigMap sets the ConfigMap field in the declarative configuration to the given value 40 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 41 | // If called multiple times, the ConfigMap field is set to the value of the last call. 42 | func (b *BundleTargetApplyConfiguration) WithConfigMap(value *TargetTemplateApplyConfiguration) *BundleTargetApplyConfiguration { 43 | b.ConfigMap = value 44 | return b 45 | } 46 | 47 | // WithSecret sets the Secret field in the declarative configuration to the given value 48 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 49 | // If called multiple times, the Secret field is set to the value of the last call. 
50 | func (b *BundleTargetApplyConfiguration) WithSecret(value *TargetTemplateApplyConfiguration) *BundleTargetApplyConfiguration { 51 | b.Secret = value 52 | return b 53 | } 54 | 55 | // WithAdditionalFormats sets the AdditionalFormats field in the declarative configuration to the given value 56 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 57 | // If called multiple times, the AdditionalFormats field is set to the value of the last call. 58 | func (b *BundleTargetApplyConfiguration) WithAdditionalFormats(value *AdditionalFormatsApplyConfiguration) *BundleTargetApplyConfiguration { 59 | b.AdditionalFormats = value 60 | return b 61 | } 62 | 63 | // WithNamespaceSelector sets the NamespaceSelector field in the declarative configuration to the given value 64 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 65 | // If called multiple times, the NamespaceSelector field is set to the value of the last call. 66 | func (b *BundleTargetApplyConfiguration) WithNamespaceSelector(value *v1.LabelSelectorApplyConfiguration) *BundleTargetApplyConfiguration { 67 | b.NamespaceSelector = value 68 | return b 69 | } 70 | -------------------------------------------------------------------------------- /pkg/applyconfigurations/trust/v1alpha1/jks.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | // Code generated by applyconfiguration-gen. DO NOT EDIT. 17 | 18 | package v1alpha1 19 | 20 | // JKSApplyConfiguration represents a declarative configuration of the JKS type for use 21 | // with apply. 22 | type JKSApplyConfiguration struct { 23 | KeySelectorApplyConfiguration `json:",inline"` 24 | Password *string `json:"password,omitempty"` 25 | } 26 | 27 | // JKSApplyConfiguration constructs a declarative configuration of the JKS type for use with 28 | // apply. 29 | func JKS() *JKSApplyConfiguration { 30 | return &JKSApplyConfiguration{} 31 | } 32 | 33 | // WithKey sets the Key field in the declarative configuration to the given value 34 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 35 | // If called multiple times, the Key field is set to the value of the last call. 36 | func (b *JKSApplyConfiguration) WithKey(value string) *JKSApplyConfiguration { 37 | b.KeySelectorApplyConfiguration.Key = &value 38 | return b 39 | } 40 | 41 | // WithPassword sets the Password field in the declarative configuration to the given value 42 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 43 | // If called multiple times, the Password field is set to the value of the last call. 44 | func (b *JKSApplyConfiguration) WithPassword(value string) *JKSApplyConfiguration { 45 | b.Password = &value 46 | return b 47 | } 48 | -------------------------------------------------------------------------------- /pkg/applyconfigurations/trust/v1alpha1/keyselector.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 
6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | // Code generated by applyconfiguration-gen. DO NOT EDIT. 17 | 18 | package v1alpha1 19 | 20 | // KeySelectorApplyConfiguration represents a declarative configuration of the KeySelector type for use 21 | // with apply. 22 | type KeySelectorApplyConfiguration struct { 23 | Key *string `json:"key,omitempty"` 24 | } 25 | 26 | // KeySelectorApplyConfiguration constructs a declarative configuration of the KeySelector type for use with 27 | // apply. 28 | func KeySelector() *KeySelectorApplyConfiguration { 29 | return &KeySelectorApplyConfiguration{} 30 | } 31 | 32 | // WithKey sets the Key field in the declarative configuration to the given value 33 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 34 | // If called multiple times, the Key field is set to the value of the last call. 35 | func (b *KeySelectorApplyConfiguration) WithKey(value string) *KeySelectorApplyConfiguration { 36 | b.Key = &value 37 | return b 38 | } 39 | -------------------------------------------------------------------------------- /pkg/applyconfigurations/trust/v1alpha1/pkcs12.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 
6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | // Code generated by applyconfiguration-gen. DO NOT EDIT. 17 | 18 | package v1alpha1 19 | 20 | import ( 21 | trustv1alpha1 "github.com/cert-manager/trust-manager/pkg/apis/trust/v1alpha1" 22 | ) 23 | 24 | // PKCS12ApplyConfiguration represents a declarative configuration of the PKCS12 type for use 25 | // with apply. 26 | type PKCS12ApplyConfiguration struct { 27 | KeySelectorApplyConfiguration `json:",inline"` 28 | Password *string `json:"password,omitempty"` 29 | Profile *trustv1alpha1.PKCS12Profile `json:"profile,omitempty"` 30 | } 31 | 32 | // PKCS12ApplyConfiguration constructs a declarative configuration of the PKCS12 type for use with 33 | // apply. 34 | func PKCS12() *PKCS12ApplyConfiguration { 35 | return &PKCS12ApplyConfiguration{} 36 | } 37 | 38 | // WithKey sets the Key field in the declarative configuration to the given value 39 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 40 | // If called multiple times, the Key field is set to the value of the last call. 41 | func (b *PKCS12ApplyConfiguration) WithKey(value string) *PKCS12ApplyConfiguration { 42 | b.KeySelectorApplyConfiguration.Key = &value 43 | return b 44 | } 45 | 46 | // WithPassword sets the Password field in the declarative configuration to the given value 47 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 48 | // If called multiple times, the Password field is set to the value of the last call. 
49 | func (b *PKCS12ApplyConfiguration) WithPassword(value string) *PKCS12ApplyConfiguration { 50 | b.Password = &value 51 | return b 52 | } 53 | 54 | // WithProfile sets the Profile field in the declarative configuration to the given value 55 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 56 | // If called multiple times, the Profile field is set to the value of the last call. 57 | func (b *PKCS12ApplyConfiguration) WithProfile(value trustv1alpha1.PKCS12Profile) *PKCS12ApplyConfiguration { 58 | b.Profile = &value 59 | return b 60 | } 61 | -------------------------------------------------------------------------------- /pkg/applyconfigurations/trust/v1alpha1/sourceobjectkeyselector.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | // Code generated by applyconfiguration-gen. DO NOT EDIT. 17 | 18 | package v1alpha1 19 | 20 | import ( 21 | v1 "k8s.io/client-go/applyconfigurations/meta/v1" 22 | ) 23 | 24 | // SourceObjectKeySelectorApplyConfiguration represents a declarative configuration of the SourceObjectKeySelector type for use 25 | // with apply. 
26 | type SourceObjectKeySelectorApplyConfiguration struct { 27 | Name *string `json:"name,omitempty"` 28 | Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"` 29 | Key *string `json:"key,omitempty"` 30 | IncludeAllKeys *bool `json:"includeAllKeys,omitempty"` 31 | } 32 | 33 | // SourceObjectKeySelectorApplyConfiguration constructs a declarative configuration of the SourceObjectKeySelector type for use with 34 | // apply. 35 | func SourceObjectKeySelector() *SourceObjectKeySelectorApplyConfiguration { 36 | return &SourceObjectKeySelectorApplyConfiguration{} 37 | } 38 | 39 | // WithName sets the Name field in the declarative configuration to the given value 40 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 41 | // If called multiple times, the Name field is set to the value of the last call. 42 | func (b *SourceObjectKeySelectorApplyConfiguration) WithName(value string) *SourceObjectKeySelectorApplyConfiguration { 43 | b.Name = &value 44 | return b 45 | } 46 | 47 | // WithSelector sets the Selector field in the declarative configuration to the given value 48 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 49 | // If called multiple times, the Selector field is set to the value of the last call. 50 | func (b *SourceObjectKeySelectorApplyConfiguration) WithSelector(value *v1.LabelSelectorApplyConfiguration) *SourceObjectKeySelectorApplyConfiguration { 51 | b.Selector = value 52 | return b 53 | } 54 | 55 | // WithKey sets the Key field in the declarative configuration to the given value 56 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 57 | // If called multiple times, the Key field is set to the value of the last call. 
58 | func (b *SourceObjectKeySelectorApplyConfiguration) WithKey(value string) *SourceObjectKeySelectorApplyConfiguration { 59 | b.Key = &value 60 | return b 61 | } 62 | 63 | // WithIncludeAllKeys sets the IncludeAllKeys field in the declarative configuration to the given value 64 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 65 | // If called multiple times, the IncludeAllKeys field is set to the value of the last call. 66 | func (b *SourceObjectKeySelectorApplyConfiguration) WithIncludeAllKeys(value bool) *SourceObjectKeySelectorApplyConfiguration { 67 | b.IncludeAllKeys = &value 68 | return b 69 | } 70 | -------------------------------------------------------------------------------- /pkg/applyconfigurations/trust/v1alpha1/targetmetadata.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | // Code generated by applyconfiguration-gen. DO NOT EDIT. 17 | 18 | package v1alpha1 19 | 20 | // TargetMetadataApplyConfiguration represents a declarative configuration of the TargetMetadata type for use 21 | // with apply. 
22 | type TargetMetadataApplyConfiguration struct { 23 | Annotations map[string]string `json:"annotations,omitempty"` 24 | Labels map[string]string `json:"labels,omitempty"` 25 | } 26 | 27 | // TargetMetadataApplyConfiguration constructs a declarative configuration of the TargetMetadata type for use with 28 | // apply. 29 | func TargetMetadata() *TargetMetadataApplyConfiguration { 30 | return &TargetMetadataApplyConfiguration{} 31 | } 32 | 33 | // WithAnnotations puts the entries into the Annotations field in the declarative configuration 34 | // and returns the receiver, so that objects can be build by chaining "With" function invocations. 35 | // If called multiple times, the entries provided by each call will be put on the Annotations field, 36 | // overwriting an existing map entries in Annotations field with the same key. 37 | func (b *TargetMetadataApplyConfiguration) WithAnnotations(entries map[string]string) *TargetMetadataApplyConfiguration { 38 | if b.Annotations == nil && len(entries) > 0 { 39 | b.Annotations = make(map[string]string, len(entries)) 40 | } 41 | for k, v := range entries { 42 | b.Annotations[k] = v 43 | } 44 | return b 45 | } 46 | 47 | // WithLabels puts the entries into the Labels field in the declarative configuration 48 | // and returns the receiver, so that objects can be build by chaining "With" function invocations. 49 | // If called multiple times, the entries provided by each call will be put on the Labels field, 50 | // overwriting an existing map entries in Labels field with the same key. 
51 | func (b *TargetMetadataApplyConfiguration) WithLabels(entries map[string]string) *TargetMetadataApplyConfiguration { 52 | if b.Labels == nil && len(entries) > 0 { 53 | b.Labels = make(map[string]string, len(entries)) 54 | } 55 | for k, v := range entries { 56 | b.Labels[k] = v 57 | } 58 | return b 59 | } 60 | -------------------------------------------------------------------------------- /pkg/applyconfigurations/trust/v1alpha1/targettemplate.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | // Code generated by applyconfiguration-gen. DO NOT EDIT. 17 | 18 | package v1alpha1 19 | 20 | // TargetTemplateApplyConfiguration represents a declarative configuration of the TargetTemplate type for use 21 | // with apply. 22 | type TargetTemplateApplyConfiguration struct { 23 | Key *string `json:"key,omitempty"` 24 | Metadata *TargetMetadataApplyConfiguration `json:"metadata,omitempty"` 25 | } 26 | 27 | // TargetTemplateApplyConfiguration constructs a declarative configuration of the TargetTemplate type for use with 28 | // apply. 
29 | func TargetTemplate() *TargetTemplateApplyConfiguration { 30 | return &TargetTemplateApplyConfiguration{} 31 | } 32 | 33 | // WithKey sets the Key field in the declarative configuration to the given value 34 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 35 | // If called multiple times, the Key field is set to the value of the last call. 36 | func (b *TargetTemplateApplyConfiguration) WithKey(value string) *TargetTemplateApplyConfiguration { 37 | b.Key = &value 38 | return b 39 | } 40 | 41 | // WithMetadata sets the Metadata field in the declarative configuration to the given value 42 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 43 | // If called multiple times, the Metadata field is set to the value of the last call. 44 | func (b *TargetTemplateApplyConfiguration) WithMetadata(value *TargetMetadataApplyConfiguration) *TargetTemplateApplyConfiguration { 45 | b.Metadata = value 46 | return b 47 | } 48 | -------------------------------------------------------------------------------- /pkg/applyconfigurations/trustmanager/v1alpha2/bundlesource.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | // Code generated by applyconfiguration-gen. DO NOT EDIT. 
17 | 18 | package v1alpha2 19 | 20 | // BundleSourceApplyConfiguration represents a declarative configuration of the BundleSource type for use 21 | // with apply. 22 | type BundleSourceApplyConfiguration struct { 23 | ConfigMap *SourceObjectKeySelectorApplyConfiguration `json:"configMap,omitempty"` 24 | Secret *SourceObjectKeySelectorApplyConfiguration `json:"secret,omitempty"` 25 | InLine *string `json:"inLine,omitempty"` 26 | UseDefaultCAs *bool `json:"useDefaultCAs,omitempty"` 27 | } 28 | 29 | // BundleSourceApplyConfiguration constructs a declarative configuration of the BundleSource type for use with 30 | // apply. 31 | func BundleSource() *BundleSourceApplyConfiguration { 32 | return &BundleSourceApplyConfiguration{} 33 | } 34 | 35 | // WithConfigMap sets the ConfigMap field in the declarative configuration to the given value 36 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 37 | // If called multiple times, the ConfigMap field is set to the value of the last call. 38 | func (b *BundleSourceApplyConfiguration) WithConfigMap(value *SourceObjectKeySelectorApplyConfiguration) *BundleSourceApplyConfiguration { 39 | b.ConfigMap = value 40 | return b 41 | } 42 | 43 | // WithSecret sets the Secret field in the declarative configuration to the given value 44 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 45 | // If called multiple times, the Secret field is set to the value of the last call. 46 | func (b *BundleSourceApplyConfiguration) WithSecret(value *SourceObjectKeySelectorApplyConfiguration) *BundleSourceApplyConfiguration { 47 | b.Secret = value 48 | return b 49 | } 50 | 51 | // WithInLine sets the InLine field in the declarative configuration to the given value 52 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 53 | // If called multiple times, the InLine field is set to the value of the last call. 
54 | func (b *BundleSourceApplyConfiguration) WithInLine(value string) *BundleSourceApplyConfiguration { 55 | b.InLine = &value 56 | return b 57 | } 58 | 59 | // WithUseDefaultCAs sets the UseDefaultCAs field in the declarative configuration to the given value 60 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 61 | // If called multiple times, the UseDefaultCAs field is set to the value of the last call. 62 | func (b *BundleSourceApplyConfiguration) WithUseDefaultCAs(value bool) *BundleSourceApplyConfiguration { 63 | b.UseDefaultCAs = &value 64 | return b 65 | } 66 | -------------------------------------------------------------------------------- /pkg/applyconfigurations/trustmanager/v1alpha2/bundlespec.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | // Code generated by applyconfiguration-gen. DO NOT EDIT. 17 | 18 | package v1alpha2 19 | 20 | // BundleSpecApplyConfiguration represents a declarative configuration of the BundleSpec type for use 21 | // with apply. 
22 | type BundleSpecApplyConfiguration struct { 23 | Sources []BundleSourceApplyConfiguration `json:"sources,omitempty"` 24 | Target *BundleTargetApplyConfiguration `json:"target,omitempty"` 25 | } 26 | 27 | // BundleSpecApplyConfiguration constructs a declarative configuration of the BundleSpec type for use with 28 | // apply. 29 | func BundleSpec() *BundleSpecApplyConfiguration { 30 | return &BundleSpecApplyConfiguration{} 31 | } 32 | 33 | // WithSources adds the given value to the Sources field in the declarative configuration 34 | // and returns the receiver, so that objects can be build by chaining "With" function invocations. 35 | // If called multiple times, values provided by each call will be appended to the Sources field. 36 | func (b *BundleSpecApplyConfiguration) WithSources(values ...*BundleSourceApplyConfiguration) *BundleSpecApplyConfiguration { 37 | for i := range values { 38 | if values[i] == nil { 39 | panic("nil value passed to WithSources") 40 | } 41 | b.Sources = append(b.Sources, *values[i]) 42 | } 43 | return b 44 | } 45 | 46 | // WithTarget sets the Target field in the declarative configuration to the given value 47 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 48 | // If called multiple times, the Target field is set to the value of the last call. 49 | func (b *BundleSpecApplyConfiguration) WithTarget(value *BundleTargetApplyConfiguration) *BundleSpecApplyConfiguration { 50 | b.Target = value 51 | return b 52 | } 53 | -------------------------------------------------------------------------------- /pkg/applyconfigurations/trustmanager/v1alpha2/bundlestatus.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 
6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | // Code generated by applyconfiguration-gen. DO NOT EDIT. 17 | 18 | package v1alpha2 19 | 20 | import ( 21 | v1 "k8s.io/client-go/applyconfigurations/meta/v1" 22 | ) 23 | 24 | // BundleStatusApplyConfiguration represents a declarative configuration of the BundleStatus type for use 25 | // with apply. 26 | type BundleStatusApplyConfiguration struct { 27 | Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"` 28 | DefaultCAPackageVersion *string `json:"defaultCAVersion,omitempty"` 29 | } 30 | 31 | // BundleStatusApplyConfiguration constructs a declarative configuration of the BundleStatus type for use with 32 | // apply. 33 | func BundleStatus() *BundleStatusApplyConfiguration { 34 | return &BundleStatusApplyConfiguration{} 35 | } 36 | 37 | // WithConditions adds the given value to the Conditions field in the declarative configuration 38 | // and returns the receiver, so that objects can be build by chaining "With" function invocations. 39 | // If called multiple times, values provided by each call will be appended to the Conditions field. 
40 | func (b *BundleStatusApplyConfiguration) WithConditions(values ...*v1.ConditionApplyConfiguration) *BundleStatusApplyConfiguration { 41 | for i := range values { 42 | if values[i] == nil { 43 | panic("nil value passed to WithConditions") 44 | } 45 | b.Conditions = append(b.Conditions, *values[i]) 46 | } 47 | return b 48 | } 49 | 50 | // WithDefaultCAPackageVersion sets the DefaultCAPackageVersion field in the declarative configuration to the given value 51 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 52 | // If called multiple times, the DefaultCAPackageVersion field is set to the value of the last call. 53 | func (b *BundleStatusApplyConfiguration) WithDefaultCAPackageVersion(value string) *BundleStatusApplyConfiguration { 54 | b.DefaultCAPackageVersion = &value 55 | return b 56 | } 57 | -------------------------------------------------------------------------------- /pkg/applyconfigurations/trustmanager/v1alpha2/bundletarget.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | // Code generated by applyconfiguration-gen. DO NOT EDIT. 
17 | 18 | package v1alpha2 19 | 20 | import ( 21 | v1 "k8s.io/client-go/applyconfigurations/meta/v1" 22 | ) 23 | 24 | // BundleTargetApplyConfiguration represents a declarative configuration of the BundleTarget type for use 25 | // with apply. 26 | type BundleTargetApplyConfiguration struct { 27 | ConfigMap *KeyValueTargetApplyConfiguration `json:"configMap,omitempty"` 28 | Secret *KeyValueTargetApplyConfiguration `json:"secret,omitempty"` 29 | NamespaceSelector *v1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"` 30 | } 31 | 32 | // BundleTargetApplyConfiguration constructs a declarative configuration of the BundleTarget type for use with 33 | // apply. 34 | func BundleTarget() *BundleTargetApplyConfiguration { 35 | return &BundleTargetApplyConfiguration{} 36 | } 37 | 38 | // WithConfigMap sets the ConfigMap field in the declarative configuration to the given value 39 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 40 | // If called multiple times, the ConfigMap field is set to the value of the last call. 41 | func (b *BundleTargetApplyConfiguration) WithConfigMap(value *KeyValueTargetApplyConfiguration) *BundleTargetApplyConfiguration { 42 | b.ConfigMap = value 43 | return b 44 | } 45 | 46 | // WithSecret sets the Secret field in the declarative configuration to the given value 47 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 48 | // If called multiple times, the Secret field is set to the value of the last call. 49 | func (b *BundleTargetApplyConfiguration) WithSecret(value *KeyValueTargetApplyConfiguration) *BundleTargetApplyConfiguration { 50 | b.Secret = value 51 | return b 52 | } 53 | 54 | // WithNamespaceSelector sets the NamespaceSelector field in the declarative configuration to the given value 55 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 
56 | // If called multiple times, the NamespaceSelector field is set to the value of the last call. 57 | func (b *BundleTargetApplyConfiguration) WithNamespaceSelector(value *v1.LabelSelectorApplyConfiguration) *BundleTargetApplyConfiguration { 58 | b.NamespaceSelector = value 59 | return b 60 | } 61 | -------------------------------------------------------------------------------- /pkg/applyconfigurations/trustmanager/v1alpha2/keyvaluetarget.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | // Code generated by applyconfiguration-gen. DO NOT EDIT. 17 | 18 | package v1alpha2 19 | 20 | // KeyValueTargetApplyConfiguration represents a declarative configuration of the KeyValueTarget type for use 21 | // with apply. 22 | type KeyValueTargetApplyConfiguration struct { 23 | Data []TargetKeyValueApplyConfiguration `json:"data,omitempty"` 24 | Metadata *TargetMetadataApplyConfiguration `json:"metadata,omitempty"` 25 | } 26 | 27 | // KeyValueTargetApplyConfiguration constructs a declarative configuration of the KeyValueTarget type for use with 28 | // apply. 
29 | func KeyValueTarget() *KeyValueTargetApplyConfiguration { 30 | return &KeyValueTargetApplyConfiguration{} 31 | } 32 | 33 | // WithData adds the given value to the Data field in the declarative configuration 34 | // and returns the receiver, so that objects can be build by chaining "With" function invocations. 35 | // If called multiple times, values provided by each call will be appended to the Data field. 36 | func (b *KeyValueTargetApplyConfiguration) WithData(values ...*TargetKeyValueApplyConfiguration) *KeyValueTargetApplyConfiguration { 37 | for i := range values { 38 | if values[i] == nil { 39 | panic("nil value passed to WithData") 40 | } 41 | b.Data = append(b.Data, *values[i]) 42 | } 43 | return b 44 | } 45 | 46 | // WithMetadata sets the Metadata field in the declarative configuration to the given value 47 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 48 | // If called multiple times, the Metadata field is set to the value of the last call. 49 | func (b *KeyValueTargetApplyConfiguration) WithMetadata(value *TargetMetadataApplyConfiguration) *KeyValueTargetApplyConfiguration { 50 | b.Metadata = value 51 | return b 52 | } 53 | -------------------------------------------------------------------------------- /pkg/applyconfigurations/trustmanager/v1alpha2/pkcs12.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | // Code generated by applyconfiguration-gen. DO NOT EDIT. 17 | 18 | package v1alpha2 19 | 20 | import ( 21 | trustmanagerv1alpha2 "github.com/cert-manager/trust-manager/pkg/apis/trustmanager/v1alpha2" 22 | ) 23 | 24 | // PKCS12ApplyConfiguration represents a declarative configuration of the PKCS12 type for use 25 | // with apply. 26 | type PKCS12ApplyConfiguration struct { 27 | Password *string `json:"password,omitempty"` 28 | Profile *trustmanagerv1alpha2.PKCS12Profile `json:"profile,omitempty"` 29 | } 30 | 31 | // PKCS12ApplyConfiguration constructs a declarative configuration of the PKCS12 type for use with 32 | // apply. 33 | func PKCS12() *PKCS12ApplyConfiguration { 34 | return &PKCS12ApplyConfiguration{} 35 | } 36 | 37 | // WithPassword sets the Password field in the declarative configuration to the given value 38 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 39 | // If called multiple times, the Password field is set to the value of the last call. 40 | func (b *PKCS12ApplyConfiguration) WithPassword(value string) *PKCS12ApplyConfiguration { 41 | b.Password = &value 42 | return b 43 | } 44 | 45 | // WithProfile sets the Profile field in the declarative configuration to the given value 46 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 47 | // If called multiple times, the Profile field is set to the value of the last call. 
48 | func (b *PKCS12ApplyConfiguration) WithProfile(value trustmanagerv1alpha2.PKCS12Profile) *PKCS12ApplyConfiguration { 49 | b.Profile = &value 50 | return b 51 | } 52 | -------------------------------------------------------------------------------- /pkg/applyconfigurations/trustmanager/v1alpha2/sourceobjectkeyselector.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | // Code generated by applyconfiguration-gen. DO NOT EDIT. 17 | 18 | package v1alpha2 19 | 20 | import ( 21 | v1 "k8s.io/client-go/applyconfigurations/meta/v1" 22 | ) 23 | 24 | // SourceObjectKeySelectorApplyConfiguration represents a declarative configuration of the SourceObjectKeySelector type for use 25 | // with apply. 26 | type SourceObjectKeySelectorApplyConfiguration struct { 27 | Name *string `json:"name,omitempty"` 28 | Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"` 29 | Key *string `json:"key,omitempty"` 30 | IncludeAllKeys *bool `json:"includeAllKeys,omitempty"` 31 | } 32 | 33 | // SourceObjectKeySelectorApplyConfiguration constructs a declarative configuration of the SourceObjectKeySelector type for use with 34 | // apply. 
35 | func SourceObjectKeySelector() *SourceObjectKeySelectorApplyConfiguration { 36 | return &SourceObjectKeySelectorApplyConfiguration{} 37 | } 38 | 39 | // WithName sets the Name field in the declarative configuration to the given value 40 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 41 | // If called multiple times, the Name field is set to the value of the last call. 42 | func (b *SourceObjectKeySelectorApplyConfiguration) WithName(value string) *SourceObjectKeySelectorApplyConfiguration { 43 | b.Name = &value 44 | return b 45 | } 46 | 47 | // WithSelector sets the Selector field in the declarative configuration to the given value 48 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 49 | // If called multiple times, the Selector field is set to the value of the last call. 50 | func (b *SourceObjectKeySelectorApplyConfiguration) WithSelector(value *v1.LabelSelectorApplyConfiguration) *SourceObjectKeySelectorApplyConfiguration { 51 | b.Selector = value 52 | return b 53 | } 54 | 55 | // WithKey sets the Key field in the declarative configuration to the given value 56 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 57 | // If called multiple times, the Key field is set to the value of the last call. 58 | func (b *SourceObjectKeySelectorApplyConfiguration) WithKey(value string) *SourceObjectKeySelectorApplyConfiguration { 59 | b.Key = &value 60 | return b 61 | } 62 | 63 | // WithIncludeAllKeys sets the IncludeAllKeys field in the declarative configuration to the given value 64 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 65 | // If called multiple times, the IncludeAllKeys field is set to the value of the last call. 
66 | func (b *SourceObjectKeySelectorApplyConfiguration) WithIncludeAllKeys(value bool) *SourceObjectKeySelectorApplyConfiguration { 67 | b.IncludeAllKeys = &value 68 | return b 69 | } 70 | -------------------------------------------------------------------------------- /pkg/applyconfigurations/trustmanager/v1alpha2/targetkeyvalue.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | // Code generated by applyconfiguration-gen. DO NOT EDIT. 17 | 18 | package v1alpha2 19 | 20 | import ( 21 | trustmanagerv1alpha2 "github.com/cert-manager/trust-manager/pkg/apis/trustmanager/v1alpha2" 22 | ) 23 | 24 | // TargetKeyValueApplyConfiguration represents a declarative configuration of the TargetKeyValue type for use 25 | // with apply. 26 | type TargetKeyValueApplyConfiguration struct { 27 | Key *string `json:"key,omitempty"` 28 | Format *trustmanagerv1alpha2.BundleFormat `json:"format,omitempty"` 29 | PKCS12ApplyConfiguration `json:",inline"` 30 | } 31 | 32 | // TargetKeyValueApplyConfiguration constructs a declarative configuration of the TargetKeyValue type for use with 33 | // apply. 
34 | func TargetKeyValue() *TargetKeyValueApplyConfiguration { 35 | return &TargetKeyValueApplyConfiguration{} 36 | } 37 | 38 | // WithKey sets the Key field in the declarative configuration to the given value 39 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 40 | // If called multiple times, the Key field is set to the value of the last call. 41 | func (b *TargetKeyValueApplyConfiguration) WithKey(value string) *TargetKeyValueApplyConfiguration { 42 | b.Key = &value 43 | return b 44 | } 45 | 46 | // WithFormat sets the Format field in the declarative configuration to the given value 47 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 48 | // If called multiple times, the Format field is set to the value of the last call. 49 | func (b *TargetKeyValueApplyConfiguration) WithFormat(value trustmanagerv1alpha2.BundleFormat) *TargetKeyValueApplyConfiguration { 50 | b.Format = &value 51 | return b 52 | } 53 | 54 | // WithPassword sets the Password field in the declarative configuration to the given value 55 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 56 | // If called multiple times, the Password field is set to the value of the last call. 57 | func (b *TargetKeyValueApplyConfiguration) WithPassword(value string) *TargetKeyValueApplyConfiguration { 58 | b.PKCS12ApplyConfiguration.Password = &value 59 | return b 60 | } 61 | 62 | // WithProfile sets the Profile field in the declarative configuration to the given value 63 | // and returns the receiver, so that objects can be built by chaining "With" function invocations. 64 | // If called multiple times, the Profile field is set to the value of the last call. 
65 | func (b *TargetKeyValueApplyConfiguration) WithProfile(value trustmanagerv1alpha2.PKCS12Profile) *TargetKeyValueApplyConfiguration { 66 | b.PKCS12ApplyConfiguration.Profile = &value 67 | return b 68 | } 69 | -------------------------------------------------------------------------------- /pkg/applyconfigurations/trustmanager/v1alpha2/targetmetadata.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | // Code generated by applyconfiguration-gen. DO NOT EDIT. 17 | 18 | package v1alpha2 19 | 20 | // TargetMetadataApplyConfiguration represents a declarative configuration of the TargetMetadata type for use 21 | // with apply. 22 | type TargetMetadataApplyConfiguration struct { 23 | Annotations map[string]string `json:"annotations,omitempty"` 24 | Labels map[string]string `json:"labels,omitempty"` 25 | } 26 | 27 | // TargetMetadataApplyConfiguration constructs a declarative configuration of the TargetMetadata type for use with 28 | // apply. 29 | func TargetMetadata() *TargetMetadataApplyConfiguration { 30 | return &TargetMetadataApplyConfiguration{} 31 | } 32 | 33 | // WithAnnotations puts the entries into the Annotations field in the declarative configuration 34 | // and returns the receiver, so that objects can be build by chaining "With" function invocations. 
35 | // If called multiple times, the entries provided by each call will be put on the Annotations field, 36 | // overwriting an existing map entries in Annotations field with the same key. 37 | func (b *TargetMetadataApplyConfiguration) WithAnnotations(entries map[string]string) *TargetMetadataApplyConfiguration { 38 | if b.Annotations == nil && len(entries) > 0 { 39 | b.Annotations = make(map[string]string, len(entries)) 40 | } 41 | for k, v := range entries { 42 | b.Annotations[k] = v 43 | } 44 | return b 45 | } 46 | 47 | // WithLabels puts the entries into the Labels field in the declarative configuration 48 | // and returns the receiver, so that objects can be build by chaining "With" function invocations. 49 | // If called multiple times, the entries provided by each call will be put on the Labels field, 50 | // overwriting an existing map entries in Labels field with the same key. 51 | func (b *TargetMetadataApplyConfiguration) WithLabels(entries map[string]string) *TargetMetadataApplyConfiguration { 52 | if b.Labels == nil && len(entries) > 0 { 53 | b.Labels = make(map[string]string, len(entries)) 54 | } 55 | for k, v := range entries { 56 | b.Labels[k] = v 57 | } 58 | return b 59 | } 60 | -------------------------------------------------------------------------------- /pkg/bundle/internal/ssa_client/bundle_status.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2021 The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
See the License for the specific language governing permissions and
limitations under the License.
*/

package ssa_client

import (
	"encoding/json"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
	"sigs.k8s.io/controller-runtime/pkg/client"

	trustapi "github.com/cert-manager/trust-manager/pkg/apis/trust/v1alpha1"
)

// bundleStatusApplyConfiguration is the apply configuration that is rendered
// into a status-only server-side-apply patch for a Bundle: type meta, object
// meta (only the name is populated here) and the status itself.
type bundleStatusApplyConfiguration struct {
	v1.TypeMetaApplyConfiguration `json:",inline"`
	// Embedded as a pointer, so it must be non-nil before WithName is called.
	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
	Status                           *trustapi.BundleStatus `json:"status,omitempty"`
}

// GenerateBundleStatusPatch renders a server-side-apply patch that sets the
// status of the Bundle called name.
//
// It returns a Bundle carrying only the name (intended for the caller to hand
// to the client so the request is addressed and the response decoded into it),
// the encoded patch wrapped as an ApplyPatch, and any error from JSON
// encoding. When encoding fails the returned patch is nil.
func GenerateBundleStatusPatch(
	name string,
	status *trustapi.BundleStatus,
) (*trustapi.Bundle, client.Patch, error) {
	// Skeleton object: only the name is needed to address the request.
	target := &trustapi.Bundle{ObjectMeta: metav1.ObjectMeta{Name: name}}

	// Apply configuration that becomes the patch body.
	cfg := &bundleStatusApplyConfiguration{
		ObjectMetaApplyConfiguration: &v1.ObjectMetaApplyConfiguration{},
		Status:                       status,
	}
	cfg.WithKind(trustapi.BundleKind)
	cfg.WithAPIVersion(trustapi.SchemeGroupVersion.Identifier())
	cfg.WithName(name)

	encoded, err := json.Marshal(cfg)
	if err != nil {
		return target, nil, err
	}

	return target, ApplyPatch{Patch: encoded}, nil
}
--------------------------------------------------------------------------------
/pkg/bundle/internal/ssa_client/migrate.go:
--------------------------------------------------------------------------------
/*
Copyright 2021 The cert-manager Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package ssa_client

import (
	"context"

	"k8s.io/apimachinery/pkg/types"
	"k8s.io/apimachinery/pkg/util/sets"
	"k8s.io/client-go/util/csaupgrade"
	"sigs.k8s.io/controller-runtime/pkg/client"
)

const (
	// crRegressionFieldManager is the field manager that was introduced by a regression in controller-runtime
	// version 0.15.0; fixed in 15.1 and 0.16.0: https://github.com/kubernetes-sigs/controller-runtime/pull/2435
	// trust-manager 0.6.0 was released with this regression in controller-runtime, which means that we have to
	// take extra care when migrating from CSA to SSA.
	crRegressionFieldManager = "Go-http-client"
)

// MigrateToApply migrates ownership of obj's managed fields from the Update
// operation to the Apply operation, treating both FieldManager and
// crRegressionFieldManager as this controller's manager names. This is
// required so that later apply operations also remove fields that were
// originally created by an Update.
//
// It returns true when a migration patch was sent (together with any error
// from the Patch call), false when no patch was needed because the managed
// fields are already upgraded, and false plus the error when the patch could
// not be computed.
func MigrateToApply(ctx context.Context, c client.Client, obj client.Object, opts ...csaupgrade.Option) (bool, error) {
	owner := string(FieldManager)
	// Both manager names are handed to csaupgrade as "ours"; presumably fields
	// recorded under the regression name are then folded into the Apply entry.
	ours := sets.New(owner, crRegressionFieldManager)

	patch, err := csaupgrade.UpgradeManagedFieldsPatch(obj, ours, owner, opts...)
	if err != nil {
		return false, err
	}
	if patch == nil {
		// No work to be done - already upgraded.
		return false, nil
	}
	// Note: true is reported even if the Patch call itself fails, so callers
	// must still check the returned error.
	return true, c.Patch(ctx, obj, client.RawPatch(types.JSONPatchType, patch))
}
--------------------------------------------------------------------------------
/pkg/bundle/internal/ssa_client/patch.go:
--------------------------------------------------------------------------------
/*
Copyright 2021 The cert-manager Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package ssa_client

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/types"
	"sigs.k8s.io/controller-runtime/pkg/client"
	"sigs.k8s.io/structured-merge-diff/fieldpath"
)

const (
	// FieldManager is the field-owner name trust-manager uses for
	// server-side apply.
	FieldManager = client.FieldOwner("trust-manager")
)

// ApplyPatch is a client.Patch that carries a pre-encoded server-side-apply
// body and sends it to the API server unchanged.
type ApplyPatch struct {
	// Patch is the already encoded apply configuration.
	Patch []byte
}

var _ client.Patch = ApplyPatch{}

// Data returns the pre-encoded body; the object argument is ignored.
func (p ApplyPatch) Data(_ client.Object) ([]byte, error) {
	return p.Patch, nil
}

// Type identifies this patch as a server-side apply patch.
func (p ApplyPatch) Type() types.PatchType {
	return types.ApplyPatchType
}

// ManagedFieldEntries is a test utility function creating managed field entries
// for testing target configmaps and secrets.
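func ManagedFieldEntries(fields []string, dataFields []string) []metav1.ManagedFieldsEntry {
	// Despite the parameter names, `fields` are keys under .data and
	// `dataFields` are keys under .binaryData of the target object.
	set := fieldpath.NewSet()
	insertAll := func(root string, keys []string) {
		for _, key := range keys {
			set.Insert(fieldpath.MakePathOrDie(root, key))
		}
	}
	insertAll("data", fields)
	insertAll("binaryData", dataFields)

	raw, err := set.ToJSON()
	if err != nil {
		// Only reachable on an internal encoding failure; this is test-only code.
		panic(err)
	}

	return []metav1.ManagedFieldsEntry{{
		// Use the shared constant so the fixture cannot drift from the manager
		// name the controller actually applies with.
		Manager:   string(FieldManager),
		Operation: metav1.ManagedFieldsOperationApply,
		FieldsV1:  &metav1.FieldsV1{Raw: raw},
	}}
}
--------------------------------------------------------------------------------
/pkg/bundle/internal/truststore/TestHTTPConnection.java:
--------------------------------------------------------------------------------
import java.net.*;

/*
 * This is a simple program to test SSL connections from a Java client.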
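*/
public class TestHTTPConnection {

    /**
     * Opens an HTTP(S) connection to the single URL given on the command line
     * and reads one byte from the response body. Any TLS or HTTP failure
     * propagates as an exception from the connection calls, so reaching the
     * "Successfully connected" line means the connection was established and
     * a response was read.
     *
     * @param args optional {@code -h}/{@code -help}/{@code --help}, an optional
     *             {@code --} end-of-options marker, then exactly one URL
     * @throws Exception from URL parsing or from opening/reading the connection
     */
    public static void main(String[] args) throws Exception {
        int argIndex;
        for (argIndex = 0; argIndex < args.length; ++argIndex) {
            String arg = args[argIndex];

            if (!arg.startsWith("-")) {
                break;
            } else if ("--".equals(arg)) {
                // "--" ends option parsing; skip the marker itself so it is not
                // taken as the URL on the next step.
                ++argIndex;
                break;
            } else if ("--help".equals(arg) || "-h".equals(arg) || "-help".equals(arg)) {
                usage();
                System.exit(0);
            } else {
                System.err.println("Unrecognized option: " + arg);
                System.exit(1);
            }
        }

        URL url = null;
        if (argIndex == args.length - 1) {
            url = new URL(args[argIndex++]);
        } else if (argIndex < args.length) {
            System.err.println("Unexpected additional arguments: "
                    + java.util.Arrays.asList(args).subList(argIndex + 1, args.length));
            usage();
            System.exit(1);
        } else {
            System.err.println("Expected url");
            usage();
            System.exit(1);
        }

        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
        try (java.io.InputStream body = connection.getInputStream()) {
            // A single read is enough to establish the connection and obtain
            // the response; try-with-resources closes the stream afterwards.
            body.read();
        } finally {
            connection.disconnect();
        }
        System.out.println("Successfully connected to " + url);
    }

    /** Prints the one-line usage summary to stdout. */
    private static void usage() {
        String command = TestHTTPConnection.class.getName();

        System.out.println("Usage: java " + command + " [opts] url");
    }
}
--------------------------------------------------------------------------------
/pkg/compat/negative_serial_number_godebug_test.go:
--------------------------------------------------------------------------------
//go:build testnegativeserialon

/*
Copyright 2024 The cert-manager Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.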
8 | You may obtain a copy of the License at 9 | 10 | http://www.apache.org/licenses/LICENSE-2.0 11 | 12 | Unless required by applicable law or agreed to in writing, software 13 | distributed under the License is distributed on an "AS IS" BASIS, 14 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | See the License for the specific language governing permissions and 16 | limitations under the License. 17 | */ 18 | 19 | // 2024-12-17: The gocheckcompilerdirectives linter hasn't been updated for 20 | // some time, and doesn't know about the go:debug directive and so must be 21 | // disabled in this file. 22 | // The nolint is here so that we still lint the go:build at the top of the file. 23 | //nolint:gocheckcompilerdirectives 24 | //go:debug x509negativeserial=1 25 | 26 | package compat 27 | 28 | // This file is built only with the testnegativeserialon tag so that we 29 | // can use go:debug. 30 | // If we didn't have the build tag, we'd get an error since we'd have two 31 | // tests duplicating the x509negativeserial go:debug constraint 32 | 33 | import ( 34 | "crypto/x509" 35 | "testing" 36 | ) 37 | 38 | func TestNegativeSerialNumberCASanityGoDebugOn(t *testing.T) { 39 | // Check that the special-cased CA doesn't produce any errors if 40 | // x509negativeserial is set to `1`. 
This lets us be confident that 41 | // ParseCertificate is only special casing the negative serial number err 42 | der := negativeSerialNumberCADER(t) 43 | 44 | // First, check that the stdlib ParseCertificate function works as expected 45 | x509Cert, x509Err := x509.ParseCertificate(der) 46 | if x509Err != nil { 47 | // use Errorf rather than Fatalf so we can compare the errors between 48 | // our implementation and x509.ParseCertificate 49 | t.Errorf("expected negativeSerialNumberCA to produce no error with x509negativeserial=1 using x509.ParseCertificate but got: %s", x509Err) 50 | } 51 | 52 | // Next, check that our wrapper works as expected 53 | cert, err := ParseCertificate(der) 54 | if err != nil { 55 | t.Errorf("expected negativeSerialNumberCA to produce no error with x509negativeserial=1 using compat.ParseCertificate but got: %s", err) 56 | } 57 | 58 | if x509Cert == nil && cert == nil { 59 | return 60 | } 61 | 62 | if !x509Cert.Equal(cert) { 63 | t.Errorf("expected certs from x509.ParseCertificate and compat.ParseCertificate to be equal but they differ") 64 | } 65 | } 66 | -------------------------------------------------------------------------------- /pkg/compat/parse_cert.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2024 The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 
*/

package compat

import (
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// IsSkipError reports whether err is (or wraps) a compat.Error, meaning the
// certificate that produced it should be skipped over rather than treated as
// a fatal error.
func IsSkipError(err error) bool {
	var target Error
	return errors.As(err, &target)
}

// Error is returned when there's a certificate compatibility error which
// implies that a certificate should be skipped.
type Error struct {
	// Underlying is the original parse error, exposed via Unwrap.
	Underlying error
	// Message is the explanation returned by Error().
	Message string
}

// Unwrap exposes the underlying parse error to errors.Is / errors.As.
func (e Error) Unwrap() error { return e.Underlying }

// Error returns the explanatory message rather than the underlying error text.
func (e Error) Error() string { return e.Message }

// ParseCertificate parses a single certificate from the given ASN.1 DER data.
//
// It wraps x509.ParseCertificate, adding one special case: a specific cert in
// a public trust bundle with a negative serial number, which produces an error
// by default in Go 1.23. With Go 1.22 or older, or with Go 1.23 or newer and
// the GODEBUG value `x509negativeserial` set to `1`, that cert parses with no
// error. Otherwise a compat.Error is returned so the certificate can be
// skipped using IsSkipError.
//
// The special case is recognised by the SHA-256 fingerprint of the exact DER
// bytes, so no other certificate (for example from a private PKI) is ever
// exempted from the stdlib's negative-serial-number check.
func ParseCertificate(der []byte) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(der)
	if err == nil {
		return cert, nil
	}

	// Parsing failed: only the fingerprint-pinned cert gets special treatment.
	digest := sha256.Sum256(der)
	if hex.EncodeToString(digest[:]) != negativeSerialNumberCAFingerprint {
		// Not the special case; return the stdlib error untouched.
		return cert, err
	}

	return handleNegativeSerialNumberSpecialCase(cert, err)
}

// handleNegativeSerialNumberSpecialCase turns the negative-serial-number parse
// error for the fingerprint-matched CA into a skippable Error. Any other error
// for that cert is returned unchanged, so a future change to the stdlib error
// text cannot silently widen the exemption (the tests also cover this).
func handleNegativeSerialNumberSpecialCase(cert *x509.Certificate, err error) (*x509.Certificate, error) {
	if !strings.HasSuffix(err.Error(), negativeSerialNumberErr) {
		return cert, err
	}

	msg := fmt.Sprintf("cert in bundle with CN=EC-ACC and fingerprint '%s' has negative serial number and will be skipped", negativeSerialNumberCAFingerprint)
	return nil, Error{Underlying: err, Message: msg}
}
--------------------------------------------------------------------------------
/pkg/compat/util_test.go:
--------------------------------------------------------------------------------
/*
Copyright 2024 The cert-manager Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package compat

import (
	"encoding/pem"
	"testing"
)

// This function is in a separate file so it can be shared between our tests
// which set GODEBUG and have different tags

// negativeSerialNumberCADER decodes the PEM test fixture
// negativeSerialNumberCAPEM and returns its DER bytes. It fails the test
// immediately if the fixture is not valid PEM.
func negativeSerialNumberCADER(t *testing.T) []byte {
	block, _ := pem.Decode([]byte(negativeSerialNumberCAPEM))
	if block == nil {
		t.Fatalf("invalid test: negativeSerialNumberCA isn't valid PEM data")
	}
	return block.Bytes
}
--------------------------------------------------------------------------------
/pkg/fspkg/package_test.go:
--------------------------------------------------------------------------------
/*
Copyright 2022 The cert-manager Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
15 | */ 16 | 17 | package fspkg 18 | 19 | import ( 20 | "bytes" 21 | "encoding/json" 22 | "testing" 23 | 24 | "github.com/cert-manager/trust-manager/test/dummy" 25 | ) 26 | 27 | func quickJSONFromPackage(p Package) *bytes.Buffer { 28 | out, err := json.Marshal(p) 29 | if err != nil { 30 | panic("invalid test; failed to marshal JSON in quickJSONFromPackage") 31 | } 32 | 33 | return bytes.NewBuffer(out) 34 | } 35 | 36 | func Test_LoadPackage(t *testing.T) { 37 | // ensure that LoadPackage rejects invalid JSON, invalid certificate bundles, etc 38 | 39 | tests := map[string]struct { 40 | testData *bytes.Buffer 41 | expError bool 42 | }{ 43 | "invalid JSON is rejected": { 44 | testData: bytes.NewBufferString(`{"name: "asd"}`), 45 | expError: true, 46 | }, 47 | "package with empty name is rejected": { 48 | testData: quickJSONFromPackage(Package{ 49 | Name: "", 50 | Version: "123", 51 | Bundle: dummy.TestCertificate5, 52 | }), 53 | expError: true, 54 | }, 55 | "package with empty version is rejected": { 56 | testData: quickJSONFromPackage(Package{ 57 | Name: "asd", 58 | Version: "", 59 | Bundle: dummy.TestCertificate5, 60 | }), 61 | expError: true, 62 | }, 63 | "package with invalid cert is loaded without error": { 64 | testData: quickJSONFromPackage(Package{ 65 | Name: "asd", 66 | Version: "123", 67 | Bundle: "not-a-certificate", 68 | }), 69 | expError: false, 70 | }, 71 | "valid package is loaded without error": { 72 | testData: quickJSONFromPackage(Package{ 73 | Name: "asd", 74 | Version: "123", 75 | Bundle: dummy.TestCertificate5, 76 | }), 77 | expError: false, 78 | }, 79 | } 80 | 81 | for name, testSpec := range tests { 82 | t.Run(name, func(t *testing.T) { 83 | _, err := LoadPackage(testSpec.testData) 84 | if err != nil != testSpec.expError { 85 | t.Fatalf("expErr=%v, got=%v", testSpec.expError, err) 86 | } 87 | 88 | if testSpec.expError { 89 | return 90 | } 91 | }) 92 | } 93 | } 94 | -------------------------------------------------------------------------------- 
/pkg/util/cert_pool_test.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2022 The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package util 18 | 19 | import ( 20 | "testing" 21 | 22 | "github.com/stretchr/testify/assert" 23 | 24 | "github.com/cert-manager/trust-manager/test/dummy" 25 | ) 26 | 27 | func TestNewCertPool(t *testing.T) { 28 | certPool := NewCertPool(WithFilteredExpiredCerts(false)) 29 | 30 | assert.NotNil(t, certPool) 31 | } 32 | 33 | func TestAppendCertFromPEM(t *testing.T) { 34 | tests := map[string]struct { 35 | pemData string 36 | filterExpired bool 37 | expError string 38 | expEmpty bool 39 | }{ 40 | "if single certificate, should return": { 41 | pemData: dummy.TestCertificate5, 42 | }, 43 | "if multiple certificates, should return": { 44 | pemData: dummy.JoinCerts(dummy.TestCertificate1, dummy.TestCertificate2, dummy.TestCertificate3), 45 | }, 46 | "if invalid certificate, should return empty bundle": { 47 | // invalid certificate 48 | pemData: `-----BEGIN CERTIFICATE----- 49 | MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw 50 | TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh 51 | cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 52 | WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu 53 | ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY 54 | 
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc 55 | h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+ 56 | 0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U 57 | A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW`, 58 | expEmpty: true, 59 | }, 60 | "if invalid PEM data, should return empty bundle": { 61 | pemData: "qwerty", 62 | expEmpty: true, 63 | }, 64 | "if expired certificate, should return": { 65 | pemData: dummy.TestExpiredCertificate, 66 | }, 67 | "if expired certificate with filter expired enabled, should return empty bundle": { 68 | pemData: dummy.TestExpiredCertificate, 69 | filterExpired: true, 70 | expEmpty: true, 71 | }, 72 | } 73 | 74 | // populate certificates bundle 75 | for name, test := range tests { 76 | t.Run(name, func(t *testing.T) { 77 | t.Parallel() 78 | 79 | certPool := NewCertPool(WithFilteredExpiredCerts(test.filterExpired)) 80 | 81 | err := certPool.AddCertsFromPEM([]byte(test.pemData)) 82 | if test.expError != "" { 83 | assert.Error(t, err, test.expError) 84 | } else { 85 | assert.NoError(t, err) 86 | } 87 | 88 | certPEM := certPool.PEM() 89 | if len(certPEM) != 0 == (test.expEmpty) { 90 | t.Fatalf("error getting PEM certificates from pool: certificate data is nil") 91 | } 92 | }) 93 | } 94 | } 95 | -------------------------------------------------------------------------------- /pkg/webhook/webhook.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2021 The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 
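You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package webhook

import (
	"fmt"

	"sigs.k8s.io/controller-runtime/pkg/builder"
	"sigs.k8s.io/controller-runtime/pkg/manager"

	trustapi "github.com/cert-manager/trust-manager/pkg/apis/trust/v1alpha1"
)

// Register registers the Bundle validating webhook with the Manager and adds
// the webhook server's started-checker as the "validator" readyz check, so
// readiness is tied to the webhook server having started.
//
// Errors from either step are wrapped with %w so callers can inspect the
// underlying controller-runtime error with errors.Is / errors.As.
func Register(mgr manager.Manager) error {
	v := &validator{}
	err := builder.WebhookManagedBy(mgr).
		For(&trustapi.Bundle{}).
		WithValidator(v).
		Complete()
	if err != nil {
		return fmt.Errorf("error registering webhook: %w", err)
	}

	started := mgr.GetWebhookServer().StartedChecker()
	if err := mgr.AddReadyzCheck("validator", started); err != nil {
		return fmt.Errorf("error adding ready check: %w", err)
	}
	return nil
}
--------------------------------------------------------------------------------
/test/env/ginkgo.go:
--------------------------------------------------------------------------------
/*
Copyright 2021 The cert-manager Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.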
13 | See the License for the specific language governing permissions and
14 | limitations under the License.
15 | */
16 |
17 | package env
18 |
19 | import (
20 | 	"os"
21 | 	"testing"
22 | 	"time"
23 |
24 | 	"github.com/onsi/ginkgo/v2"
25 | 	"github.com/onsi/gomega"
26 | 	"k8s.io/apimachinery/pkg/util/wait"
27 | )
28 |
// init raises apimachinery's package-level wait.ForeverTestTimeout to 60s.
// This is a process-wide side effect: it applies to every test binary that
// imports this package, not only to suites started through RunSuite.
29 | func init() {
30 | 	wait.ForeverTestTimeout = time.Second * 60
31 | }
32 |
// RunSuite wires gomega to ginkgo and runs the ginkgo specs registered in the
// calling package under suiteName.
//
// Behaviour callers should be aware of:
//   - gomega assertion failures are routed to ginkgo.Fail;
//   - when the CI environment variable is present, colour output is disabled
//     and verbose reporting is enabled;
//   - spec order is randomised (RandomizeAllSpecs), so specs must not rely on
//     the order in which they are declared.
//
// artifactDir is accepted but not referenced anywhere in this function body;
// presumably reserved for report output — confirm with callers before relying
// on it.
33 | func RunSuite(t *testing.T, suiteName, artifactDir string) {
34 | 	gomega.RegisterFailHandler(ginkgo.Fail)
35 |
36 | 	suiteConfig, reporterConfig := ginkgo.GinkgoConfiguration()
37 |
38 | 	// NB: CI is set in prow jobs
39 | 	// see: https://docs.prow.k8s.io/docs/jobs/#job-environment-variables
40 | 	if _, ci := os.LookupEnv("CI"); ci {
41 | 		reporterConfig.NoColor = true
42 | 		reporterConfig.Verbose = true
43 | 	}
44 |
45 | 	suiteConfig.RandomizeAllSpecs = true
46 |
47 | 	ginkgo.RunSpecs(t, suiteName, suiteConfig, reporterConfig)
48 | }
49 |
-------------------------------------------------------------------------------- /test/gen/bundle.go: --------------------------------------------------------------------------------
1 | /*
2 | Copyright 2021 The cert-manager Authors.
3 |
4 | Licensed under the Apache License, Version 2.0 (the "License");
5 | you may not use this file except in compliance with the License.
6 | You may obtain a copy of the License at
7 |
8 | http://www.apache.org/licenses/LICENSE-2.0
9 |
10 | Unless required by applicable law or agreed to in writing, software
11 | distributed under the License is distributed on an "AS IS" BASIS,
12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | See the License for the specific language governing permissions and
14 | limitations under the License.
15 | */
16 |
17 | package gen
18 |
19 | import (
20 | 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
21 | 	"k8s.io/utils/ptr"
22 |
23 | 	trustapi "github.com/cert-manager/trust-manager/pkg/apis/trust/v1alpha1"
24 | )
25 |
26 | // BundleModifier is used to modify a Bundle object in-line. Intended for
27 | // testing.
// Modifiers receive the Bundle by pointer and mutate it in place; they are
// applied in the order given to Bundle / BundleFrom.
28 | type BundleModifier func(*trustapi.Bundle)
29 |
30 | // Bundle constructs a Bundle object with BundleModifiers which can be defined
31 | // in-line. Intended for testing.
//
// The object is created with Kind "Bundle", APIVersion
// "trust.cert-manager.io/v1alpha1", the given name, and empty (non-nil)
// Annotations and Labels maps, so modifiers can assign into them without a
// nil-map panic. Spec and Status are left at their zero values.
32 | func Bundle(name string, mods ...BundleModifier) *trustapi.Bundle {
33 | 	bundle := &trustapi.Bundle{
34 | 		TypeMeta: metav1.TypeMeta{Kind: "Bundle", APIVersion: "trust.cert-manager.io/v1alpha1"},
35 | 		ObjectMeta: metav1.ObjectMeta{
36 | 			Name: name,
37 | 			Annotations: make(map[string]string),
38 | 			Labels: make(map[string]string),
39 | 		},
40 | 	}
41 | 	for _, mod := range mods {
42 | 		mod(bundle)
43 | 	}
44 | 	return bundle
45 | }
46 |
47 | // BundleFrom deep copies a Bundle object and applies the given
48 | // BundleModifiers.
//
// The input bundle is never mutated: modifiers run against the DeepCopy, and
// that copy is what is returned.
49 | func BundleFrom(bundle *trustapi.Bundle, mods ...BundleModifier) *trustapi.Bundle {
50 | 	bundle = bundle.DeepCopy()
51 | 	for _, mod := range mods {
52 | 		mod(bundle)
53 | 	}
54 | 	return bundle
55 | }
56 |
57 | // SetBundleStatus sets the Bundle object's status as a BundleModifier.
// The whole Status struct is replaced, not merged.
58 | func SetBundleStatus(status trustapi.BundleStatus) BundleModifier {
59 | 	return func(bundle *trustapi.Bundle) {
60 | 		bundle.Status = status
61 | 	}
62 | }
63 |
// SetBundleTargetAdditionalFormats sets the Bundle object's spec target
// additionalFormats as a BundleModifier. The modifier stores the address of
// its own copy of formats, so later changes to the caller's value are not
// reflected in the bundle.
64 | func SetBundleTargetAdditionalFormats(formats trustapi.AdditionalFormats) BundleModifier {
65 | 	return func(bundle *trustapi.Bundle) {
66 | 		bundle.Spec.Target.AdditionalFormats = &formats
67 | 	}
68 | }
69 |
70 | // SetBundleResourceVersion sets the Bundle object's resource version as a
71 | // BundleModifier.
// SetBundleResourceVersion sets metadata.resourceVersion on the Bundle, as a
// BundleModifier. Useful for tests that exercise optimistic-concurrency
// updates against a specific resource version.
72 | func SetBundleResourceVersion(resourceVersion string) BundleModifier {
73 | 	return func(bundle *trustapi.Bundle) {
74 | 		bundle.ResourceVersion = resourceVersion
75 | 	}
76 | }
77 |
78 | // SetBundleTargetNamespaceSelectorMatchLabels sets the Bundle object's spec
79 | // target namespace selector.
//
// The NamespaceSelector is replaced wholesale with a selector carrying only
// the given matchLabels; any MatchExpressions previously set are discarded.
// The map is stored by reference, not copied.
80 | func SetBundleTargetNamespaceSelectorMatchLabels(matchLabels map[string]string) BundleModifier {
81 | 	return func(bundle *trustapi.Bundle) {
82 | 		bundle.Spec.Target.NamespaceSelector = &metav1.LabelSelector{
83 | 			MatchLabels: matchLabels,
84 | 		}
85 | 	}
86 | }
87 |
88 | // AppendBundleUsesDefaultPackage appends a source to the bundle which requests the default bundle package.
// Existing sources are kept; a new BundleSource with UseDefaultCAs=true is
// appended after them.
89 | func AppendBundleUsesDefaultPackage() BundleModifier {
90 | 	return func(bundle *trustapi.Bundle) {
91 | 		bundle.Spec.Sources = append(bundle.Spec.Sources, trustapi.BundleSource{UseDefaultCAs: ptr.To(true)})
92 | 	}
93 | }
94 |
-------------------------------------------------------------------------------- /test/integration/bundle/integration_test.go: --------------------------------------------------------------------------------
1 | /*
2 | Copyright 2021 The cert-manager Authors.
3 |
4 | Licensed under the Apache License, Version 2.0 (the "License");
5 | you may not use this file except in compliance with the License.
6 | You may obtain a copy of the License at
7 |
8 | http://www.apache.org/licenses/LICENSE-2.0
9 |
10 | Unless required by applicable law or agreed to in writing, software
11 | distributed under the License is distributed on an "AS IS" BASIS,
12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | See the License for the specific language governing permissions and
14 | limitations under the License.
15 | */
16 |
17 | package test
18 |
19 | import (
20 | 	"testing"
21 |
22 | 	testenv "github.com/cert-manager/trust-manager/test/env"
23 | )
24 |
25 | // Test_Integration runs the full suite of tests for the Bundle controller.
// Test_Integration is the `go test` entry point; the ginkgo specs themselves
// live in sibling files of this package and are discovered by testenv.RunSuite.
// The suite name "integration-bundle" and the relative artifact directory are
// passed through to RunSuite.
26 | func Test_Integration(t *testing.T) {
27 | 	testenv.RunSuite(t, "integration-bundle", "../../../_artifacts")
28 | }
29 |
-------------------------------------------------------------------------------- /test/kind-cluster.yaml: --------------------------------------------------------------------------------
1 | # This configuration is used to set up a Kind cluster for smoke tests or demo environments.
2 |
3 | kind: Cluster
4 | apiVersion: kind.x-k8s.io/v1alpha4
5 | # WARNING: Makefile commands which interact with the cluster _require_ that it be called "trust"
6 | # Changing the name here will stop the cluster being able to be controlled via Make!
7 | name: trust
8 | nodes:
9 | - role: control-plane
10 |   # Enable OwnerReferencesPermissionEnforcement to better match OpenShift environments in tests
  # This admission plugin adds an authorization check on metadata.ownerReferences,
  # so tests that set owner references on generated resources must also hold
  # the RBAC that the plugin requires — a single-node cluster without it would
  # let such tests pass while failing on OpenShift.
11 |   kubeadmConfigPatches:
12 |   - |
13 |     kind: ClusterConfiguration
14 |     apiServer:
15 |       extraArgs:
16 |         enable-admission-plugins: OwnerReferencesPermissionEnforcement
17 |
-------------------------------------------------------------------------------- /test/smoke/config/config.go: --------------------------------------------------------------------------------
1 | /*
2 | Copyright 2021 The cert-manager Authors.
3 |
4 | Licensed under the Apache License, Version 2.0 (the "License");
5 | you may not use this file except in compliance with the License.
6 | You may obtain a copy of the License at
7 |
8 | http://www.apache.org/licenses/LICENSE-2.0
9 |
10 | Unless required by applicable law or agreed to in writing, software
11 | distributed under the License is distributed on an "AS IS" BASIS,
12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | See the License for the specific language governing permissions and
14 | limitations under the License.
15 | */
16 |
17 | package config
18 |
19 | import (
20 | 	"flag"
21 | 	"fmt"
22 | 	"os"
23 | 	"path/filepath"
24 |
25 | 	"k8s.io/client-go/rest"
26 | 	"k8s.io/client-go/tools/clientcmd"
27 | )
28 |
// Config holds the command-line configuration for the smoke tests.
//
// Lifecycle: New registers the flags, the test binary parses them, then
// Complete validates them and builds RestConfig.
29 | type Config struct {
	// kubeConfig is the path bound to --kubeconfig-path; it is only read in
	// Complete, after flag parsing.
30 | 	kubeConfig string
31 |
	// TrustNamespace is the namespace trust-manager is deployed to
	// (--trust-namespace, default "cert-manager").
32 | 	TrustNamespace string
	// RestConfig is populated by Complete from the kubeconfig file. The flag
	// help text describes that file as carrying embedded authinfo, so treat
	// this value as credential-bearing and keep it out of logs.
33 | 	RestConfig *rest.Config
34 | }
35 |
// New allocates a Config and registers its flags on fs. Complete must be
// called after fs has been parsed.
36 | func New(fs *flag.FlagSet) *Config {
37 | 	return new(Config).addFlags(fs)
38 | }
39 |
// Complete validates the parsed flags and builds RestConfig from the
// kubeconfig file at c.kubeConfig.
//
// Returns an error if --kubeconfig-path is empty or the file cannot be
// turned into a rest.Config. The error message includes the path (quoted) but
// not the file contents. NOTE(review): the underlying error is formatted with
// %s; %w would preserve it for errors.Is/errors.As.
40 | func (c *Config) Complete() error {
41 | 	if c.kubeConfig == "" {
42 | 		return fmt.Errorf("--kubeconfig-path must not be empty")
43 | 	}
44 |
45 | 	var err error
	// Empty master URL: the server address comes from the kubeconfig only.
46 | 	c.RestConfig, err = clientcmd.BuildConfigFromFlags("", c.kubeConfig)
47 | 	if err != nil {
48 | 		return fmt.Errorf("failed to build kubernetes rest config from %q: %s", c.kubeConfig, err)
49 | 	}
50 |
51 | 	return nil
52 | }
53 |
// addFlags registers --kubeconfig-path and --trust-namespace on fs and
// returns c for chaining.
//
// The default for --kubeconfig-path is the KUBECONFIG environment variable
// (clientcmd.RecommendedConfigPathEnvVar) when set, otherwise the clientcmd
// recommended file under the user's home directory. Resolving the home
// directory happens at registration time (i.e. during package init when
// called from an init function) and panics if it fails, which aborts the test
// binary before any test runs rather than surfacing as a test failure.
54 | func (c *Config) addFlags(fs *flag.FlagSet) *Config {
55 | 	kubeConfigFile := os.Getenv(clientcmd.RecommendedConfigPathEnvVar)
56 | 	if kubeConfigFile == "" {
57 | 		homeDir, err := os.UserHomeDir()
58 | 		if err != nil {
59 | 			panic("Failed to get user home directory: " + err.Error())
60 | 		}
61 | 		kubeConfigFile = filepath.Join(homeDir, clientcmd.RecommendedHomeDir, clientcmd.RecommendedFileName)
62 | 	}
63 |
64 | 	fs.StringVar(&c.kubeConfig, "kubeconfig-path", kubeConfigFile, "Path to config containing embedded authinfo for kubernetes. Default value is from environment variable "+clientcmd.RecommendedConfigPathEnvVar)
65 | 	fs.StringVar(&c.TrustNamespace, "trust-namespace", "cert-manager", "The trust namespace where trust-manager is deployed to")
66 | 	return c
67 | }
68 |
-------------------------------------------------------------------------------- /test/smoke/smoke_test.go: --------------------------------------------------------------------------------
1 | /*
2 | Copyright 2021 The cert-manager Authors.
3 |
4 | Licensed under the Apache License, Version 2.0 (the "License");
5 | you may not use this file except in compliance with the License.
6 | You may obtain a copy of the License at
7 |
8 | http://www.apache.org/licenses/LICENSE-2.0
9 |
10 | Unless required by applicable law or agreed to in writing, software
11 | distributed under the License is distributed on an "AS IS" BASIS,
12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | See the License for the specific language governing permissions and
14 | limitations under the License.
15 | */
16 |
17 | package smoke
18 |
19 | import (
20 | 	"flag"
21 | 	"testing"
22 |
23 | 	"github.com/cert-manager/trust-manager/test/env"
24 | 	"github.com/cert-manager/trust-manager/test/smoke/config"
25 |
26 | 	. "github.com/onsi/ginkgo/v2"
27 | 	. "github.com/onsi/gomega"
28 | )
29 |
30 | var (
	// cnf is the package-wide smoke-test configuration. Its flags are
	// registered in init below and it is completed (kubeconfig loaded) in
	// BeforeSuite, so it is only safe to read from inside specs.
31 | 	cnf *config.Config
32 | )
33 |
// init registers the smoke-test flags on flag.CommandLine. Registration must
// happen before the test binary parses flags; see the comment inside.
34 | func init() {
35 | 	// subtle: Flags need to be registered in an init function when Ginkgo is used.
36 | 	// If not, go test will call flag.Parse before ginkgo runs and our custom args will
37 | 	// not be respected
38 | 	cnf = config.New(flag.CommandLine)
39 | }
40 |
// Completing the config (validating --kubeconfig-path and building the REST
// config) is deferred to BeforeSuite so that a missing or unreadable
// kubeconfig surfaces as a suite failure rather than a panic at init time.
41 | var _ = BeforeSuite(func() {
42 | 	Expect(cnf.Complete()).NotTo(HaveOccurred())
43 | })
44 |
45 | // Test_Smoke runs the full suite of smoke tests against trust.cert-manager.io
// Test_Smoke is the `go test` entry point; the specs live in sibling files of
// this package and are run by env.RunSuite under the suite name "smoke-trust".
46 | func Test_Smoke(t *testing.T) {
47 | 	env.RunSuite(t, "smoke-trust", "../../_artifacts")
48 | }
49 |
-------------------------------------------------------------------------------- /trust-packages/README.md: --------------------------------------------------------------------------------
1 | # trust-packages
2 |
3 | A trust package (or package) is a container which can be run as an init container, before the trust-manager controller,
4 | which writes a JSON package containing a list of PEM encoded certificates.
5 |
6 | trust-manager can then be configured - through a flag on startup - to load a bundle and designate it as the `defaultPackage`,
7 | which in turn can be referred to in `Bundle` resources as a new source.
8 |
9 | The main intended use of this feature is to enable easy use of 'public trust bundles', such as the Mozilla bundle which
10 | is packaged into most Linux distributions. The `defaultPackage` source then becomes shorthand for "trust the usual stuff".
11 |
-------------------------------------------------------------------------------- /trust-packages/debian/LICENSES: --------------------------------------------------------------------------------
1 | github.com/cert-manager/trust-manager/debian-bundle-static,https://github.com/cert-manager/trust-manager/blob/HEAD/debian-bundle-static/LICENSE,Apache-2.0
2 |
-------------------------------------------------------------------------------- /trust-packages/debian/README.md: --------------------------------------------------------------------------------
1 | # `cert-manager-package-debian` Trust Package
2 |
3 | For details on what trust packages are, see the [trust-packages README](../README.md).
4 |
5 | This trust package uses a Debian container to retrieve the certificates it packages. Debian was chosen
6 | to be the first source for trust packages as it's also used as the base for the [distroless base images](https://github.com/GoogleContainerTools/distroless)
7 | which are used in the cert-manager project.
8 |
9 | Therefore, by using Debian again here, we're not adding any new entities we need to trust, since we already trust
10 | Debian extensively elsewhere.
11 |
12 | This package is used for both Debian Bookworm and Debian Bullseye.
13 |
-------------------------------------------------------------------------------- /trust-packages/debian/go.mod: --------------------------------------------------------------------------------
1 | module github.com/cert-manager/trust-manager/debian-bundle-static
2 |
3 | go 1.24.0
4 |
-------------------------------------------------------------------------------- /trust-packages/debian/go.sum: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cert-manager/trust-manager/8f7585c62c79ff07dd3932ac94d02904678d633f/trust-packages/debian/go.sum --------------------------------------------------------------------------------