Skip to content

Commit

Permalink
Add support for the recent cert-manager
Browse files Browse the repository at this point in the history
  • Loading branch information
kayrus committed Jan 26, 2024
1 parent 1899b6d commit 7a77014
Show file tree
Hide file tree
Showing 3 changed files with 34 additions and 32 deletions.
1 change: 1 addition & 0 deletions config/rbac/role.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ rules:
- list
- update
- watch
- patch
- apiGroups:
- cert-manager.io
resources:
Expand Down
63 changes: 32 additions & 31 deletions controllers/certmanager/certificaterequest_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -80,14 +80,15 @@ func (r *CertificateRequestReconciler) Reconcile(ctx context.Context, req ctrl.R

// Fetch the CertificateRequest resource being reconciled.
// Just ignore the request if the certificate request has been deleted.
cr := new(cmapi.CertificateRequest)
if err := r.Client.Get(ctx, req.NamespacedName, cr); err != nil {
curCR := new(cmapi.CertificateRequest)
if err := r.Client.Get(ctx, req.NamespacedName, curCR); err != nil {
if apierrors.IsNotFound(err) {
return ctrl.Result{}, nil
}
log.Error(err, "failed to retrieve CertificateRequest resource")
return ctrl.Result{}, err
}
cr := curCR.DeepCopy()

// Check the CertificateRequest's issuerRef and if it does not match the api
// group name, log a message at a debug level and stop processing.
Expand All @@ -114,7 +115,7 @@ func (r *CertificateRequestReconciler) Reconcile(ctx context.Context, req ctrl.R
err = r.Client.Get(ctx, issNamespaceName, iss)
if err != nil {
log.Error(err, "No DigicertIssuer resource found", "namespace", r.DefaultProviderNamespace, "name", cr.Spec.IssuerRef.Name)
_ = r.setStatus(ctx, cr, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve DigicertIssuer resource %s: %v", issNamespaceName, err)
_ = r.setStatus(ctx, cr, curCR, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve DigicertIssuer resource %s: %v", issNamespaceName, err)
metricIssuerNotReady.WithLabelValues(issNamespaceName.String(), "issuer not found").Inc()
return ctrl.Result{}, err
}
Expand All @@ -123,7 +124,7 @@ func (r *CertificateRequestReconciler) Reconcile(ctx context.Context, req ctrl.R
if !isDigicertIssuerReady(iss) {
log.Info("issuer is not ready", "name", issNamespaceName.String())
metricIssuerNotReady.WithLabelValues(issNamespaceName.String(), "issuer not ready").Inc()
if err := r.setStatus(ctx, cr, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "DigicertIssuer resource %s is not Ready", issNamespaceName); err != nil {
if err := r.setStatus(ctx, cr, curCR, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "DigicertIssuer resource %s is not Ready", issNamespaceName); err != nil {
return ctrl.Result{}, err
}
return ctrl.Result{RequeueAfter: r.BackoffDurationProvisionerNotReady}, nil
Expand All @@ -134,7 +135,7 @@ func (r *CertificateRequestReconciler) Reconcile(ctx context.Context, req ctrl.R
if !ok {
log.Info("provisioner not found", "name", issNamespaceName)
metricIssuerNotReady.WithLabelValues(issNamespaceName.String(), "provisioner not found").Inc()
if err := r.setStatus(ctx, cr, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to load provisioner for DigicertIssuer resource %s", issNamespaceName); err != nil {
if err := r.setStatus(ctx, cr, curCR, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to load provisioner for DigicertIssuer resource %s", issNamespaceName); err != nil {
return ctrl.Result{}, err
}
return ctrl.Result{RequeueAfter: r.BackoffDurationProvisionerNotReady}, nil
Expand All @@ -147,20 +148,21 @@ func (r *CertificateRequestReconciler) Reconcile(ctx context.Context, req ctrl.R

if err != nil || len(certPEM) < 1 {
log.V(4).Info("Download of pending certificate failed, reqeueing.", "name", cr.ObjectMeta.Name)
_ = r.setStatus(ctx, cr, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Certificate request pending")
_ = r.setStatus(ctx, cr, curCR, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Certificate request pending")
metricRequestsPending.WithLabelValues(cr.ObjectMeta.Name,
cr.ObjectMeta.GetAnnotations()["cert-manager.io/certificate-name"],
cr.ObjectMeta.GetAnnotations()["cert-manager.io/private-key-secret-name"],
cr.ObjectMeta.GetAnnotations()["cert-manager.io/digicert-order-id"],
cr.ObjectMeta.GetAnnotations()["certmanager.cloud.sap/digicert-order-id"],
).Inc()

return ctrl.Result{Requeue: true, RequeueAfter: r.BackoffDurationRequestPending}, err
}

if len(caPEM) > 0 && !r.DisableRootCA {
cr.Status.CA = caPEM
}
cr.Status.Certificate = certPEM
err = r.setStatus(ctx, cr, cmmeta.ConditionTrue, cmapi.CertificateRequestReasonIssued, "Certificate issued")
err = r.setStatus(ctx, cr, curCR, cmmeta.ConditionTrue, cmapi.CertificateRequestReasonIssued, "Certificate issued")

return ctrl.Result{}, err
}
Expand All @@ -175,30 +177,33 @@ func (r *CertificateRequestReconciler) Reconcile(ctx context.Context, req ctrl.R
cr.ObjectMeta.GetAnnotations()["cert-manager.io/private-key-secret-name"],
"Failed to sign certificate request",
).Inc()
return ctrl.Result{}, r.setStatus(ctx, cr, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, "Failed to sign certificate request: %v", err)
return ctrl.Result{}, r.setStatus(ctx, cr, curCR, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, "Failed to sign certificate request: %v", err)
}

// Patch annotations.
annotations := cr.ObjectMeta.GetAnnotations()
annotations["certmanager.cloud.sap/digicert-issuer"] = "true"
if order.ID > 0 {
annotations := cr.ObjectMeta.GetAnnotations()
annotations["cert-manager.io/digicert-order-id"] = fmt.Sprintf("%d", order.ID)
cr.ObjectMeta.SetAnnotations(annotations)
annotations["certmanager.cloud.sap/digicert-order-id"] = fmt.Sprintf("%d", order.ID)
}

if order.CertificateID > 0 {
annotations := cr.ObjectMeta.GetAnnotations()
annotations["cert-manager.io/digicert-cert-id"] = fmt.Sprintf("%d", order.CertificateID)
cr.ObjectMeta.SetAnnotations(annotations)
annotations["certmanager.cloud.sap/digicert-cert-id"] = fmt.Sprintf("%d", order.CertificateID)
}
cr.ObjectMeta.SetAnnotations(annotations)
if err := r.Client.Patch(ctx, cr, client.MergeFrom(curCR)); err != nil {
log.Error(err, "failed to update certificate request annotations")
return ctrl.Result{}, err
}

// Update CertificateRequest status
if len(certPEM) > 0 {
if len(caPEM) > 0 && !r.DisableRootCA {
cr.Status.CA = caPEM
}
cr.Status.Certificate = certPEM
err = r.setStatus(ctx, cr, cmmeta.ConditionTrue, cmapi.CertificateRequestReasonIssued, "Certificate issued")
err = r.setStatus(ctx, cr, curCR, cmmeta.ConditionTrue, cmapi.CertificateRequestReasonIssued, "Certificate issued")
} else if order.CertificateID > 0 {
err = r.setStatus(ctx, cr, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Certificate request pending")
r.Client.Update(ctx, cr) // Update annontations
err = r.setStatus(ctx, cr, curCR, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Certificate request pending")
return ctrl.Result{Requeue: true, RequeueAfter: r.BackoffDurationProvisionerNotReady}, err
} else {
metricRequestErrors.WithLabelValues(
Expand All @@ -207,17 +212,11 @@ func (r *CertificateRequestReconciler) Reconcile(ctx context.Context, req ctrl.R
cr.ObjectMeta.GetAnnotations()["cert-manager.io/private-key-secret-name"],
"Certificate request failed",
).Inc()
if err = r.setStatus(ctx, cr, cmmeta.ConditionUnknown, cmapi.CertificateRequestReasonFailed, "Certificate request failed"); err != nil {
return ctrl.Result{}, err
}
}

// Update annotations.
if err := r.Client.Update(ctx, cr); err != nil {
return ctrl.Result{}, err
err = r.setStatus(ctx, cr, curCR, cmmeta.ConditionUnknown, cmapi.CertificateRequestReasonFailed, "Certificate request failed")
}

return ctrl.Result{}, nil
// return err from the "r.setStatus" call
return ctrl.Result{}, err
}

func isDigicertIssuerReady(issuer *certmanagerv1beta1.DigicertIssuer) bool {
Expand All @@ -237,9 +236,11 @@ func isDigicertIssuerReady(issuer *certmanagerv1beta1.DigicertIssuer) bool {

func isCertificateRequestPending(cr *cmapi.CertificateRequest) bool {
status := cr.Status
// this is a hack that allows digicert-issuer to distinguish fake ACME pending requests
digicertAcquired := cr.ObjectMeta.GetAnnotations()["certmanager.cloud.sap/digicert-issuer"] == "true"

for _, condition := range status.Conditions {
if condition.Reason == "Pending" {
if condition.Reason == "Pending" && digicertAcquired {
return true
}
}
Expand Down Expand Up @@ -269,7 +270,7 @@ func isCertificateRequestStatusTrue(cr *cmapi.CertificateRequest) bool {
return false
}

func (r *CertificateRequestReconciler) setStatus(ctx context.Context, cr *cmapi.CertificateRequest, status cmmeta.ConditionStatus, reason, message string, args ...interface{}) error {
func (r *CertificateRequestReconciler) setStatus(ctx context.Context, cr, curCR *cmapi.CertificateRequest, status cmmeta.ConditionStatus, reason, message string, args ...interface{}) error {
completeMessage := fmt.Sprintf(message, args...)
apiutil.SetCertificateRequestCondition(cr, cmapi.CertificateRequestConditionReady, status, reason, completeMessage)

Expand All @@ -280,5 +281,5 @@ func (r *CertificateRequestReconciler) setStatus(ctx context.Context, cr *cmapi.
}
r.recorder.Event(cr, eventType, reason, completeMessage)

return r.Client.Status().Update(ctx, cr)
return r.Client.Status().Patch(ctx, cr, client.MergeFrom(curCR))
}
2 changes: 1 addition & 1 deletion pkg/provisioners/certcentral.go
Original file line number Diff line number Diff line change
Expand Up @@ -175,7 +175,7 @@ func (c *CertCentral) Sign(ctx context.Context, cr *certmanagerv1.CertificateReq
}

func (c *CertCentral) Download(ctx context.Context, cr *certmanagerv1.CertificateRequest) ([]byte, []byte, error) {
certID := cr.GetAnnotations()["cert-manager.io/digicert-cert-id"]
certID := cr.GetAnnotations()["certmanager.cloud.sap/digicert-cert-id"]
if certID == "" {
// TODO: get cert_id by order_id if missing
return nil, nil, fmt.Errorf("no cert id given for %s", cr.ObjectMeta.Name)
Expand Down

0 comments on commit 7a77014

Please sign in to comment.