Merge remote-tracking branch 'origin/master' into controller-configur…

…ation-file

.github/workflows/scorecards.yml

@@ -0,0 +1,54 @@
+name: Scorecards supply-chain security
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+  schedule:
+    - cron: '43 13 * * 6'
+  push:
+    branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge.
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # tag=v2.0.6
+        with:
+          results_file: results.sarif
+          results_format: sarif
+
+          # Publish the results for public repositories to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless
+          # of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26
+        with:
+          sarif_file: results.sarif

.trivyignore

@@ -0,0 +1,7 @@
+# These vulns relate to issues with v1 of the AWS Golang SDK
+# These issues relate to S3 encryption issues which cert-manager is unlikely to hit
+# Fixing them requires upgrading to v2 of the AWS Golang SDK which is a potentially large task
+CVE-2020-8911
+CVE-2020-8912
+GHSA-7f33-f4f5-xwgw
+GHSA-f5pg-7wfw-84q9

Makefile

@@ -71,6 +71,7 @@ include make/licenses.mk
 include make/e2e-setup.mk
 include make/scan.mk
 include make/legacy.mk
+include make/ko.mk
 include make/help.mk
 
 .PHONY: clean

README.md

@@ -14,33 +14,31 @@
 <a href="https://goreportcard.com/report/github.com/cert-manager/cert-manager"><img alt="Go Report Card" src="https://goreportcard.com/badge/github.com/cert-manager/cert-manager" /></a>
 <br />
 <a href="https://artifacthub.io/packages/search?repo=cert-manager"><img alt="Artifact Hub" src="https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/cert-manager" /></a>
+<a href="https://api.securityscorecards.dev/projects/github.com/cert-manager/cert-manager"><img src="https://api.securityscorecards.dev/projects/github.com/cert-manager/cert-manager/badge" alt="Scorecard score"/></a>
 </p>
 
 # cert-manager
 
 cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates.
 
-It can issue certificates from a variety of supported sources, including Let's Encrypt, HashiCorp Vault, and Venafi as well as private PKI, and it ensures certificates remain
-valid and up to date, attempting to renew certificates at an appropriate time before expiry.
+It supports issuing certificates from a variety of sources, including Let's Encrypt (ACME), HashiCorp Vault, and Venafi TPP / TLS Protect Cloud, as well as local in-cluster issuance.
 
-It is loosely based upon the work of [kube-lego](https://github.com/jetstack/kube-lego)
-and has borrowed some wisdom from other similar projects such as
-[kube-cert-manager](https://github.com/PalmStoneGames/kube-cert-manager).
+cert-manager also ensures certificates remain valid and up to date, attempting to renew certificates at an appropriate time before expiry to reduce the risk of outages and remove toil.
 
 ![cert-manager high level overview diagram](https://cert-manager.io/images/high-level-overview.svg)
 
 ## Documentation
 
 Documentation for cert-manager can be found at [cert-manager.io](https://cert-manager.io/docs/).
 
-Issues and PRs for documentation should be filed in the [website repo](https://github.com/cert-manager/website/).
-
 For the common use-case of automatically issuing TLS certificates for
 Ingress resources, see the [cert-manager nginx-ingress quick start guide](https://cert-manager.io/docs/tutorials/acme/nginx-ingress/).
 
+For a more comprensive guide to issuing your first certificate, see our [getting started guide](https://cert-manager.io/docs/getting-started/).
+
 ### Installation
 
-We document [installation](https://cert-manager.io/docs/installation/) on the website.
+[Installation](https://cert-manager.io/docs/installation/) is documented on the website, with a variety of supported methods.
 
 ## Troubleshooting
 
@@ -50,7 +48,7 @@ If you encounter any issues whilst using cert-manager, we have a number of ways
 - Our official [Kubernetes Slack channel](https://cert-manager.io/docs/contributing/#slack) - the quickest way to ask!
 - [Searching for an existing issue](https://github.com/cert-manager/cert-manager/issues).
 
-If you believe you've found a bug, and cannot find an existing issue, feel free to [open a new issue](https://github.com/cert-manager/cert-manager/issues)!
+If you believe you've found a bug and cannot find an existing issue, feel free to [open a new issue](https://github.com/cert-manager/cert-manager/issues)!
 Be sure to include as much information as you can about your environment.
 
 ## Community
@@ -105,4 +103,10 @@ Follow the instructions in [SECURITY.md](./SECURITY.md) to make a report.
 [Every release](https://github.com/cert-manager/cert-manager/releases) on GitHub has a changelog,
 and we also publish release notes on [the website](https://cert-manager.io/docs/release-notes/).
 
+## History
+
+cert-manager is loosely based upon the work of [kube-lego](https://github.com/jetstack/kube-lego)
+and has borrowed some wisdom from other similar projects such as [kube-cert-manager](https://github.com/PalmStoneGames/kube-cert-manager).
+
+
 <sub><sup>Logo design by [Zoe Paterson](https://zoepatersonmedia.com)</sup></sub>

ROADMAP.md

@@ -4,25 +4,25 @@ Roadmap
 The roadmap items are categorised into themes based on the larger goals we want to achieve with cert-manager.
 
 
-While this is a summary of the direction we want to go, we welcome all PRs, even if they don't fall under any of the roadmap items.
+While this is a summary of the direction we want to go we welcome all PRs, even if they don't fall under any of the roadmap items
+listed here. We unfortunately can't merge every change, and if you're looking to contribute a new feature you might want to
+check the [contributing guide](https://cert-manager.io/docs/contributing/) on the cert-manager website.
 
 
 ### Integration with other projects in the cloud-native landscape
 
 cert-manager should be able to deliver and manage X.509 certificates to popular
 projects in the cloud-native ecosystem.
 
-- Service Mesh Integration: While we have
-good Istio and Open Service Mesh integration, expand to other projects such as
-Linkerd, cilium
+- Service Mesh Integration: While we have good Istio and Open Service Mesh integration, expand to other projects such as Linkerd, cilium
 
 ### Adoption of upstream APIs
 
 Continue to support latest APIs for upstream K8s and related SIGs.
 
 - Kubernetes APIs: keep up to date with Kubernetes API changes and release cadence
 - CSR API: support the sig-auth CSR API for certificate requests in kubernetes
-- Trust Anchor Sets
+- [Trust Anchor Sets](https://github.com/kubernetes/enhancements/pull/3258)
 - Gateway API
 
 ### Extensibility
@@ -37,18 +37,18 @@ Widen the scope of integrations with cert-manager.
 
 Enable best-practice PKI management with cert-manager.
 
-- Handle CA cert being renewed: deal with the cases where the CA cert is renewed and allow for all signed certs to be renewed
+- Handle CA certs being renewed: deal with the cases where the CA cert is renewed and allow for all signed certs to be renewed
 - Make cert-manager a viable way to create and manage private PKI deployments at scale
-- Trust root distribution: handle distributing all trust roots within a cluster, allowing for certs to be verified within a cluster
+- Trust root distribution: handle distributing all trust roots within a cluster, solving trust for private and public certificates
 
-See also [cert-manager/trust](https://cert-manager.io/docs/projects/trust/)
+See also [trust-manager](https://cert-manager.io/docs/projects/trust/) for more on trust distribution.
 
 ### End-user experience
 
 - Graduate alpha / beta features in good time:
   - SIG-Auth CSR API support
   - SIG-Network Gateway API support
-- Easier diagnosis of problems: improve the cert-manager output to make the status clearer, and provide tools to aid debugging
+- Easier diagnosis of problems: improve cert-manager output to make status clearer, and provide tools to aid debugging
 - Improve the new contributor experience
 
 ### Developer experience

SECURITY.md

@@ -25,6 +25,24 @@ All that said, **if you're unsure** please reach out using this process before
 raising your issue through another channel. We'd rather err on the side of
 caution!
 
+### Explicitly Not Covered: Vulnerability Scanner Reports
+
+We do not accept reports which amount to copy and pasted output from a vulnerability
+scanning tool **unless** work has specifically been done to confirm that a vulnerability
+reported by the tool _actually exists_ in cert-manager or a cert-manager subproject.
+
+We make use of these tools ourselves and try to act on the output they produce; they
+can be useful! We tend to find, however, that when these reports are sent to our security
+mailing list they almost always represent false positives, since these tools tend to check
+for the presence of a library without considering how the library is used in context.
+
+If we receive a report which seems to simply be a vulnerability list from a scanner we
+reserve the right to ignore it.
+
+This applies especially when tools produce vulnerability identifiers which are not publicly
+visible or which are proprietary in some way. We can look up CVEs or other publicly-available
+identifiers for further details, but cannot do the same for proprietary identifiers.
+
 ## Security Contacts
 
 The people who should have access to read your security report are listed in

SECURITY_CONTACTS.md

@@ -14,3 +14,4 @@ SECURITY.md and report your vulnerability via e-mail.
 - [maelvls](https://github.com/maelvls)
 - [wallrj](https://github.com/wallrj)
 - [munnerz](https://github.com/munnerz)
+- [inteon](https://github.com/inteon)

cmd/acmesolver/app/app.go

@@ -22,7 +22,7 @@ import (
 
 	"github.com/spf13/cobra"
 
-	"github.com/cert-manager/cert-manager/cmd/util"
+	"github.com/cert-manager/cert-manager/internal/cmd/util"
 	"github.com/cert-manager/cert-manager/pkg/issuer/acme/http/solver"
 	logf "github.com/cert-manager/cert-manager/pkg/logs"
 )

cmd/acmesolver/main.go

@@ -21,7 +21,7 @@ import (
 	"os"
 
 	"github.com/cert-manager/cert-manager/cmd/acmesolver/app"
-	"github.com/cert-manager/cert-manager/cmd/util"
+	"github.com/cert-manager/cert-manager/internal/cmd/util"
 )
 
 // acmesolver solves ACME http-01 challenges. This is intended to run as a pod

cmd/cainjector/app/start.go

@@ -28,11 +28,16 @@ import (
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	"golang.org/x/sync/errgroup"
+	apiext "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"k8s.io/client-go/tools/leaderelection/resourcelock"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	cmdutil "github.com/cert-manager/cert-manager/cmd/util"
+	cmdutil "github.com/cert-manager/cert-manager/internal/cmd/util"
 	"github.com/cert-manager/cert-manager/pkg/api"
 	"github.com/cert-manager/cert-manager/pkg/controller/cainjector"
 	logf "github.com/cert-manager/cert-manager/pkg/logs"
@@ -59,6 +64,10 @@ type InjectorControllerOptions struct {
 	// The profiler should never be exposed on a public address.
 	PprofAddr string
 
+	// WatchCerts detemines whether cainjector's control loops will watch
+	// cert-manager Certificate resources as potential sources of CA data.
+	WatchCerts bool
+
 	// logger to be used by this controller
 	log logr.Logger
 }
@@ -89,6 +98,7 @@ func (o *InjectorControllerOptions) AddFlags(fs *pflag.FlagSet) {
 		"of a leadership. This is only applicable if leader election is enabled.")
 
 	fs.BoolVar(&o.EnablePprof, "enable-profiling", cmdutil.DefaultEnableProfiling, "Enable profiling for cainjector")
+	fs.BoolVar(&o.WatchCerts, "watch-certificates", true, "Watch cert-manager.io Certificate resources as potential sources for CA data. Requires cert-manager.io Certificate CRD to be installed. It is not required to watch Certificates if you only use cainjector as cert-manager's internal components and in that case setting this flag to false might slightly reduce memory consumption.")
 	fs.StringVar(&o.PprofAddr, "profiler-address", cmdutil.DefaultProfilerAddr, "Address of the Go profiler (pprof) if enabled. This should never be exposed on a public interface.")
 
 	utilfeature.DefaultMutableFeatureGate.AddFlag(fs)
@@ -187,58 +197,45 @@ func (o InjectorControllerOptions) RunInjectorController(ctx context.Context) er
 		})
 	}
 
-	g.Go(func() (err error) {
-		defer func() {
-			o.log.Error(err, "manager goroutine exited")
-		}()
-
-		if err = mgr.Start(gctx); err != nil {
-			return fmt.Errorf("error running manager: %v", err)
+	// If cainjector has been configured to watch Certificate CRDs
+	// (--watch-certificates=true), poll kubeapiserver for 5 minutes or till
+	// certificate CRD is found.
+	if o.WatchCerts {
+		directClient, err := client.New(mgr.GetConfig(), client.Options{
+			Scheme: mgr.GetScheme(),
+			Mapper: mgr.GetRESTMapper(),
+		})
+		if err != nil {
+			return fmt.Errorf("failed to create client: %w", err)
 		}
-		return nil
-	})
-
-	select {
-	case <-gctx.Done(): // Exit early if we are shutting down or if the manager has exited with an error
-		// Wait for error group to complete and return
-		return g.Wait()
-	case <-mgr.Elected(): // Don't launch the controllers unless we have been elected leader
-		// Continue with setting up controller
-	}
-
-	// Retry the start up of the certificate based controller in case the
-	// cert-manager CRDs have not been installed yet or in case the CRD API is
-	// not working. E.g. The conversion webhook has not yet had its CA bundle
-	// injected by the secret based controller, which is launched in its own
-	// goroutine.
-	// When shutting down, return the last error if there is one.
-	// Never retry if the controller exits cleanly.
-	g.Go(func() (err error) {
-		for {
-			err = cainjector.RegisterCertificateBased(gctx, mgr)
-			if err == nil {
-				return
+		err = wait.PollImmediate(time.Second, time.Minute*5, func() (bool, error) {
+			certsCRDName := types.NamespacedName{Name: "certificates.cert-manager.io"}
+			certsCRD := apiext.CustomResourceDefinition{}
+			err := directClient.Get(ctx, certsCRDName, &certsCRD)
+			if apierrors.IsNotFound(err) {
+				o.log.Info("cainjector has been configured to watch certificates, but certificates.cert-manager.io CRD not found, retrying with a backoff...")
+				return false, nil
+			} else if err != nil {
+				o.log.Error(err, "error checking if certificates.cert-manager.io CRD is installed")
+				return false, err
 			}
-			o.log.Error(err, "Error registering certificate based controllers. Retrying after 5 seconds.")
-			select {
-			case <-time.After(time.Second * 5):
-			case <-gctx.Done():
-				return
-			}
-		}
-	})
-
-	// Secrets based controller is started in its own goroutine so that it can
-	// perform injection of the CA bundle into any webhooks required by the
-	// cert-manager CRD API.
-	// We do not retry this controller because it only interacts with core APIs
-	// which should always be in a working state.
-	g.Go(func() (err error) {
-		if err = cainjector.RegisterSecretBased(gctx, mgr); err != nil {
-			return fmt.Errorf("error registering secret controller: %v", err)
+			o.log.V(logf.DebugLevel).Info("certificates.cert-manager.io CRD found")
+			return true, nil
+		})
+		if err != nil {
+			o.log.Error(err, "error retrieving certificate.cert-manager.io CRDs")
+			return err
 		}
-		return
-	})
+	}
 
-	return g.Wait()
+	// TODO: make the controllers to be started optional
+	err = cainjector.RegisterAllInjectors(gctx, mgr, o.Namespace, o.WatchCerts)
+	if err != nil {
+		o.log.Error(err, "failed to register controllers", err)
+		return err
+	}
+	if err = mgr.Start(gctx); err != nil {
+		return fmt.Errorf("error running manager: %v", err)
+	}
+	return nil
 }

cmd/cainjector/main.go

@@ -25,7 +25,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	"github.com/cert-manager/cert-manager/cmd/cainjector/app"
-	"github.com/cert-manager/cert-manager/cmd/util"
+	"github.com/cert-manager/cert-manager/internal/cmd/util"
 	logf "github.com/cert-manager/cert-manager/pkg/logs"
 )
 

cmd/controller/app/controller.go

@@ -262,6 +262,7 @@ func buildControllerContextFactory(ctx context.Context, opts *config.ControllerC
 		return nil, fmt.Errorf("error parsing ACMEHTTP01SolverResourceLimitsMemory: %w", err)
 	}
 
+	ACMEHTTP01SolverRunAsNonRoot := opts.ACMEHTTP01SolverRunAsNonRoot
 	acmeAccountRegistry := accounts.NewDefaultRegistry()
 
 	ctxFactory, err := controller.NewContextFactory(ctx, controller.ContextOptions{
@@ -280,6 +281,7 @@ func buildControllerContextFactory(ctx context.Context, opts *config.ControllerC
 			HTTP01SolverResourceRequestMemory: http01SolverResourceRequestMemory,
 			HTTP01SolverResourceLimitsCPU:     http01SolverResourceLimitsCPU,
 			HTTP01SolverResourceLimitsMemory:  http01SolverResourceLimitsMemory,
+			ACMEHTTP01SolverRunAsNonRoot:      ACMEHTTP01SolverRunAsNonRoot,
 			HTTP01SolverImage:                 opts.ACMEHTTP01SolverImage,
 			// Allows specifying a list of custom nameservers to perform HTTP01 checks on.
 			HTTP01SolverNameservers: opts.ACMEHTTP01SolverNameservers,