Load clusterissuer secret from cert-manager namespace (#35)

Signed-off-by: Tamal Saha <[email protected]>

.config/api-rules/violation_exceptions.list

@@ -6,6 +6,7 @@ API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,CertificateS
 API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,CertificateSpec,EmailAddresses
 API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,CertificateSpec,IPAddresses
 API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,CertificateSpec,URIs
+API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,ClusterInfo,ClusterManagers
 API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,ImageInfo,Lineages
 API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,Lineage,Chain
 API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,Lineage,Containers

pkg/controllers/cacerts/caproviderclass_controller.go

@@ -22,7 +22,7 @@ import (
 	api "kubeops.dev/csi-driver-cacerts/apis/cacerts/v1alpha1"
 
 	cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
-	core "k8s.io/api/core/v1"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -65,7 +65,7 @@ func (r *CAProviderClassReconciler) SetupWithManager(mgr ctrl.Manager) error {
 			}
 			var req []reconcile.Request
 
-			var ns string
+			var refNamespace string
 			for _, p := range providers.Items {
 				for _, ref := range p.Spec.Refs {
 					var group string
@@ -78,12 +78,12 @@ func (r *CAProviderClassReconciler) SetupWithManager(mgr ctrl.Manager) error {
 						continue
 					}
 
-					ns = ref.Namespace
-					if ns == "" {
-						ns = p.Namespace
+					refNamespace = ref.Namespace
+					if refNamespace == "" && gk.Kind != "ClusterIssuer" {
+						refNamespace = p.Namespace
 					}
 
-					if a.GetNamespace() != "" && a.GetNamespace() != ns {
+					if a.GetNamespace() != "" && a.GetNamespace() != refNamespace {
 						continue
 					}
 
@@ -97,7 +97,7 @@ func (r *CAProviderClassReconciler) SetupWithManager(mgr ctrl.Manager) error {
 
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&api.CAProviderClass{}).
-		Watches(&core.Secret{}, handler.EnqueueRequestsFromMapFunc(mf(schema.GroupKind{Group: "", Kind: "Secret"}))).
+		Watches(&corev1.Secret{}, handler.EnqueueRequestsFromMapFunc(mf(schema.GroupKind{Group: "", Kind: "Secret"}))).
 		Watches(&cmapi.Issuer{}, handler.EnqueueRequestsFromMapFunc(mf(schema.GroupKind{Group: cmapi.SchemeGroupVersion.Group, Kind: "Issuer"}))).
 		Watches(&cmapi.ClusterIssuer{}, handler.EnqueueRequestsFromMapFunc(mf(schema.GroupKind{Group: cmapi.SchemeGroupVersion.Group, Kind: "ClusterIssuer"}))).
 		Complete(r)

pkg/providers/ca.go

@@ -27,6 +27,8 @@ import (
 	cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	"gomodules.xyz/cert"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/client-go/tools/cache"
+	"kmodules.xyz/client-go/meta"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -37,20 +39,35 @@ type IssuerProvider struct {
 var _ lib.CAProvider = &IssuerProvider{}
 
 func (c *IssuerProvider) GetCAs(obj client.Object, _ string) ([]*x509.Certificate, error) {
+	kind := obj.GetObjectKind().GroupVersionKind().Kind
+	issuerKey, err := cache.MetaNamespaceKeyFunc(obj)
+	if err != nil {
+		return nil, err
+	}
+
 	issuer, ok := obj.(cmapi.GenericIssuer)
 	if !ok {
-		return nil, fmt.Errorf("%v %s/%s is not a GenericIssuer", obj.GetObjectKind().GroupVersionKind(), obj.GetNamespace(), obj.GetName())
+		return nil, fmt.Errorf("%s %s is not a GenericIssuer", kind, issuerKey)
 	}
+
 	if issuer.GetSpec().CA == nil {
-		return nil, fmt.Errorf("%v %s/%s does not have a CA", issuer.GetObjectKind().GroupVersionKind(), issuer.GetNamespace(), issuer.GetName())
+		return nil, fmt.Errorf("%s %s does not have a CA", kind, issuerKey)
 	}
 
 	var secret corev1.Secret
 	secretRef := client.ObjectKey{
-		Namespace: issuer.GetNamespace(),
-		Name:      issuer.GetSpec().CA.SecretName,
+		Namespace: func() string {
+			if kind == "ClusterIssuer" {
+				// cert-manager requires the ClusterIssuer ca secret to be in the same namespace where it is deployed.
+				// So, csi-driver must be in the same namespace where cert-manager is installed.
+				// ns will be defaulted to cert-manager namespace in standard deployments.
+				return meta.PodNamespace()
+			}
+			return issuer.GetNamespace()
+		}(),
+		Name: issuer.GetSpec().CA.SecretName,
 	}
-	err := c.Reader.Get(context.TODO(), secretRef, &secret)
+	err = c.Reader.Get(context.TODO(), secretRef, &secret)
 	if err != nil {
 		return nil, err
 	}
@@ -64,16 +81,16 @@ func (c *IssuerProvider) GetCAs(obj client.Object, _ string) ([]*x509.Certificat
 		return nil, err
 	}
 	if len(caCerts) == 0 {
-		return nil, fmt.Errorf("%v %s/%s signing certificate is not a CA", issuer.GetObjectKind().GroupVersionKind(), issuer.GetNamespace(), issuer.GetName())
+		return nil, fmt.Errorf("%s %s signing certificate is not a CA", kind, issuerKey)
 	}
 
 	now := time.Now()
 	for _, caCert := range caCerts {
 		if now.Before(caCert.NotBefore) {
-			return nil, fmt.Errorf("%v %s/%s points a CA cert not valid before %v, now: %s", issuer.GetObjectKind().GroupVersionKind(), issuer.GetNamespace(), issuer.GetName(), caCert.NotBefore, now)
+			return nil, fmt.Errorf("%s %s points a CA cert not valid before %v, now: %s", kind, issuerKey, caCert.NotBefore, now)
 		}
 		if now.After(caCert.NotAfter) {
-			return nil, fmt.Errorf("%v %s/%s points a CA cert expired at %v, now: %s", issuer.GetObjectKind().GroupVersionKind(), issuer.GetNamespace(), issuer.GetName(), caCert.NotAfter, now)
+			return nil, fmt.Errorf("%s %s points a CA cert expired at %v, now: %s", kind, issuerKey, caCert.NotAfter, now)
 		}
 	}