

Load clusterissuer secret from cert-manager namespace
Signed-off-by: Tamal Saha <[email protected]>
tamalsaha committed Oct 24, 2024
1 parent 8d22138 commit df1cfdf
Showing 4 changed files with 94 additions and 17 deletions.
1 change: 1 addition & 0 deletions .config/api-rules/violation_exceptions.list
Expand Up @@ -6,6 +6,7 @@ API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,CertificateS
API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,CertificateSpec,EmailAddresses
API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,CertificateSpec,IPAddresses
API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,CertificateSpec,URIs
API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,ClusterInfo,ClusterManagers
API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,ImageInfo,Lineages
API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,Lineage,Chain
API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,Lineage,Containers
80 changes: 73 additions & 7 deletions apis/cacerts/v1alpha1/openapi_generated.go


10 changes: 5 additions & 5 deletions pkg/controllers/cacerts/caproviderclass_controller.go
Expand Up @@ -65,7 +65,7 @@ func (r *CAProviderClassReconciler) SetupWithManager(mgr ctrl.Manager) error {
}
var req []reconcile.Request

var ns string
var refNamespace string
for _, p := range providers.Items {
for _, ref := range p.Spec.Refs {
var group string
Expand All @@ -78,12 +78,12 @@ func (r *CAProviderClassReconciler) SetupWithManager(mgr ctrl.Manager) error {
continue
}

ns = ref.Namespace
if ns == "" {
ns = p.Namespace
refNamespace = ref.Namespace
if refNamespace == "" && gk.Kind != "ClusterIssuer" {
refNamespace = p.Namespace
}

if a.GetNamespace() != "" && a.GetNamespace() != ns {
if a.GetNamespace() != "" && a.GetNamespace() != refNamespace {
continue
}

20 changes: 15 additions & 5 deletions pkg/providers/ca.go
Expand Up @@ -27,6 +27,7 @@ import (
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
"gomodules.xyz/cert"
corev1 "k8s.io/api/core/v1"
"kmodules.xyz/client-go/meta"
"sigs.k8s.io/controller-runtime/pkg/client"
)

Expand All @@ -41,13 +42,22 @@ func (c *IssuerProvider) GetCAs(obj client.Object, _ string) ([]*x509.Certificat
if !ok {
return nil, fmt.Errorf("%v %s/%s is not a GenericIssuer", obj.GetObjectKind().GroupVersionKind(), obj.GetNamespace(), obj.GetName())
}

ns := issuer.GetNamespace()
if issuer.GetObjectKind().GroupVersionKind().Kind == "ClusterIssuer" {
// cert-manager requires the ClusterIssuer ca secret to be in the same namespace where it is deployed.
// So, csi-driver must be in the same namespace where cert-manager is installed.
// ns will be defaulted to cert-manager namespace in standard deployments.
ns = meta.PodNamespace()
}

if issuer.GetSpec().CA == nil {
return nil, fmt.Errorf("%v %s/%s does not have a CA", issuer.GetObjectKind().GroupVersionKind(), issuer.GetNamespace(), issuer.GetName())
return nil, fmt.Errorf("%v %s/%s does not have a CA", issuer.GetObjectKind().GroupVersionKind(), ns, issuer.GetName())
}

var secret corev1.Secret
secretRef := client.ObjectKey{
Namespace: issuer.GetNamespace(),
Namespace: ns,
Name: issuer.GetSpec().CA.SecretName,
}
err := c.Reader.Get(context.TODO(), secretRef, &secret)
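Review bot: The ClusterIssuer branch fixes the secret lookup namespace to `meta.PodNamespace()`, so correctness now depends on the driver being deployed into cert-manager's namespace, and when it is not, the `c.Reader.Get` on the last line of the hunk fails with a bare NotFound that names neither the namespace searched nor why that namespace was chosen. cert-manager itself reads ClusterIssuer secrets from its cluster resource namespace, which defaults to its own namespace but is configurable (`--cluster-resource-namespace`), so a driver setting that defaults to `meta.PodNamespace()` would track that behaviour instead of assuming it. At minimum the `return nil, err` after the hunk should carry the location, e.g. `return nil, fmt.Errorf("reading CA secret %s/%s for %v %s: %w", secretRef.Namespace, secretRef.Name, issuer.GetObjectKind().GroupVersionKind(), issuer.GetName(), err)`, and the kind check can use `cmapi.ClusterIssuerKind` (cmapi is imported in this file) rather than the literal `"ClusterIssuer"`. Reading a Secret from another namespace also means the driver's ServiceAccount now needs get on Secrets there, which widens its RBAC footprint beyond the issuer's own namespace — worth stating in the comment so operators scope that grant to the single namespace. GetCAs continues past this hunk.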
Expand All @@ -64,16 +74,16 @@ func (c *IssuerProvider) GetCAs(obj client.Object, _ string) ([]*x509.Certificat
return nil, err
}
if len(caCerts) == 0 {
return nil, fmt.Errorf("%v %s/%s signing certificate is not a CA", issuer.GetObjectKind().GroupVersionKind(), issuer.GetNamespace(), issuer.GetName())
return nil, fmt.Errorf("%v %s/%s signing certificate is not a CA", issuer.GetObjectKind().GroupVersionKind(), ns, issuer.GetName())
}

now := time.Now()
for _, caCert := range caCerts {
if now.Before(caCert.NotBefore) {
return nil, fmt.Errorf("%v %s/%s points a CA cert not valid before %v, now: %s", issuer.GetObjectKind().GroupVersionKind(), issuer.GetNamespace(), issuer.GetName(), caCert.NotBefore, now)
return nil, fmt.Errorf("%v %s/%s points a CA cert not valid before %v, now: %s", issuer.GetObjectKind().GroupVersionKind(), ns, issuer.GetName(), caCert.NotBefore, now)
}
if now.After(caCert.NotAfter) {
return nil, fmt.Errorf("%v %s/%s points a CA cert expired at %v, now: %s", issuer.GetObjectKind().GroupVersionKind(), issuer.GetNamespace(), issuer.GetName(), caCert.NotAfter, now)
return nil, fmt.Errorf("%v %s/%s points a CA cert expired at %v, now: %s", issuer.GetObjectKind().GroupVersionKind(), ns, issuer.GetName(), caCert.NotAfter, now)
}
}

