feat: Adding wrapped issuers (#332)

* adding wrapped issuer

Signed-off-by: hjoshi123 <[email protected]>

* run 'make go-tidy'

Signed-off-by: Tim Ramlot <[email protected]>

* removing ignore issuers

Signed-off-by: hjoshi123 <[email protected]>

* fix: rename upstream example package to avoid workspace conflicts

Signed-off-by: Adam Talbot <[email protected]>

* feat: refactor example to use intree package

Signed-off-by: Adam Talbot <[email protected]>

* fix: go-tidy

Signed-off-by: Adam Talbot <[email protected]>

---------

Signed-off-by: hjoshi123 <[email protected]>
Signed-off-by: Tim Ramlot <[email protected]>
Signed-off-by: Adam Talbot <[email protected]>
Co-authored-by: Tim Ramlot <[email protected]>
Co-authored-by: Adam Talbot <[email protected]>

Author: 3 people

api/v1alpha1/issuer_interface.go

@@ -22,6 +22,7 @@ package v1alpha1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 type Issuer interface {
@@ -40,3 +41,9 @@ type Issuer interface {
 	// with an issuerName set to eg. "simpleclusterissuers.issuer.cert-manager.io/issuer1".
 	GetIssuerTypeIdentifier() string
 }
+
+// WrappedIssuer is an issuer type to support objects which are not directly of the type Issuer. This could include cert-manager issuers for example.
+type WrappedIssuer interface {
+	Issuer
+	Unwrap() client.Object
+}

controllers/combined_controller.go

@@ -118,7 +118,7 @@ func (r *CombinedController) SetupWithManager(ctx context.Context, mgr ctrl.Mana
 			PreSetupWithManager:  r.PreSetupWithManager,
 			PostSetupWithManager: r.PostSetupWithManager,
 		}).SetupWithManager(ctx, mgr); err != nil {
-			return fmt.Errorf("%T: %w", issuerType, err)
+			return fmt.Errorf("%T: %w", kubeutil.ObjectForIssuer(issuerType), err)
 		}
 	}
 

controllers/issuer_controller.go

@@ -94,7 +94,7 @@ func (r *IssuerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 
 	logger.V(2).Info("Got StatusPatch result", "result", result, "patch", issuerStatusPatch, "error", reconcileError)
 	if issuerStatusPatch != nil {
-		cr, patch, err := ssaclient.GenerateIssuerStatusPatch(r.ForObject, req.Name, req.Namespace, issuerStatusPatch)
+		cr, patch, err := ssaclient.GenerateIssuerStatusPatch(kubeutil.ObjectForIssuer(r.ForObject), req.Name, req.Namespace, issuerStatusPatch)
 		if err != nil {
 			return ctrl.Result{}, utilerrors.NewAggregate([]error{err, reconcileError})
 		}
@@ -135,7 +135,7 @@ func (r *IssuerReconciler) reconcileStatusPatch(
 	// calling IsInvalidated early to make sure the map is always cleared
 	reportedError := r.EventSource.HasReportedError(forObjectGvk, req.NamespacedName)
 
-	if err := r.Client.Get(ctx, req.NamespacedName, issuer); err != nil && apierrors.IsNotFound(err) {
+	if err := r.Client.Get(ctx, req.NamespacedName, kubeutil.ObjectForIssuer(issuer)); err != nil && apierrors.IsNotFound(err) {
 		logger.V(1).Info("Issuer not found. Ignoring.")
 		return result, nil, nil // done
 	} else if err != nil {
@@ -154,17 +154,6 @@ func (r *IssuerReconciler) reconcileStatusPatch(
 		return result, nil, nil // done
 	}
 
-	if r.IgnoreIssuer != nil {
-		ignore, err := r.IgnoreIssuer(ctx, issuer)
-		if err != nil {
-			return result, nil, fmt.Errorf("failed to check if issuer should be ignored: %v", err) // requeue with backoff
-		}
-		if ignore {
-			logger.V(1).Info("IgnoreIssuer() returned true. Ignoring.")
-			return result, nil, nil // done
-		}
-	}
-
 	// We now have a Issuer that belongs to us so we are responsible
 	// for updating its Status.
 	issuerStatusPatch = &v1alpha1.IssuerStatus{}
@@ -245,14 +234,14 @@ func (r *IssuerReconciler) reconcileStatusPatch(
 
 // SetupWithManager sets up the controller with the Manager.
 func (r *IssuerReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager) error {
-	if err := kubeutil.SetGroupVersionKind(mgr.GetScheme(), r.ForObject); err != nil {
+	if err := kubeutil.SetGroupVersionKind(mgr.GetScheme(), kubeutil.ObjectForIssuer(r.ForObject)); err != nil {
 		return err
 	}
 	forObjectGvk := r.ForObject.GetObjectKind().GroupVersionKind()
 
 	build := ctrl.NewControllerManagedBy(mgr).
 		For(
-			r.ForObject,
+			kubeutil.ObjectForIssuer(r.ForObject),
 			// we are only interested in changes to the .Spec part of the issuer
 			// this also prevents us to get in fast reconcile loop when setting the
 			// status to Pending causing the resource to update, while we only want

controllers/request_controller.go

@@ -91,8 +91,10 @@ type RequestController struct {
 	requestObjectHelperCreator RequestObjectHelperCreator
 }
 
-type MatchIssuerType func(client.Object) (v1alpha1.Issuer, client.ObjectKey, error)
-type RequestObjectHelperCreator func(client.Object) RequestObjectHelper
+type (
+	MatchIssuerType            func(client.Object) (v1alpha1.Issuer, client.ObjectKey, error)
+	RequestObjectHelperCreator func(client.Object) RequestObjectHelper
+)
 
 type IssuerType struct {
 	Type         v1alpha1.Issuer
@@ -232,7 +234,7 @@ func (r *RequestController) reconcileStatusPatch(
 		return result, statusPatch, nil // apply patch, done
 	}
 
-	if err := r.Client.Get(ctx, issuerName, issuerObject); err != nil && apierrors.IsNotFound(err) {
+	if err := r.Client.Get(ctx, issuerName, kubeutil.ObjectForIssuer(issuerObject)); err != nil && apierrors.IsNotFound(err) {
 		logger.V(1).Info("Issuer not found. Waiting for it to be created")
 		statusPatch.SetWaitingForIssuerExist(err)
 
@@ -360,7 +362,6 @@ func (r *RequestController) setAllIssuerTypesWithGroupVersionKind(scheme *runtim
 			Type:         issuer,
 			IsNamespaced: true,
 		})
-
 	}
 	for _, issuer := range r.ClusterIssuerTypes {
 		issuers = append(issuers, IssuerType{
@@ -370,7 +371,7 @@ func (r *RequestController) setAllIssuerTypesWithGroupVersionKind(scheme *runtim
 	}
 
 	for _, issuer := range issuers {
-		if err := kubeutil.SetGroupVersionKind(scheme, issuer.Type); err != nil {
+		if err := kubeutil.SetGroupVersionKind(scheme, kubeutil.ObjectForIssuer(issuer.Type)); err != nil {
 			return err
 		}
 	}
@@ -474,7 +475,7 @@ func (r *RequestController) SetupWithManager(
 		}
 
 		build = build.Watches(
-			issuerType.Type,
+			kubeutil.ObjectForIssuer(issuerType.Type),
 			resourceHandler,
 			builder.WithPredicates(
 				predicate.ResourceVersionChangedPredicate{},

docs/api.md

@@ -15,6 +15,7 @@ Package v1alpha1 contains API Schema definitions for the v1alpha1 API group \+ku
 - [type IssuerStatus](<#IssuerStatus>)
   - [func \(in \*IssuerStatus\) DeepCopy\(\) \*IssuerStatus](<#IssuerStatus.DeepCopy>)
   - [func \(in \*IssuerStatus\) DeepCopyInto\(out \*IssuerStatus\)](<#IssuerStatus.DeepCopyInto>)
+- [type WrappedIssuer](<#WrappedIssuer>)
 
 
 ## Constants
@@ -60,7 +61,7 @@ const (
 ```
 
 <a name="Issuer"></a>
-## type [Issuer](<https://github.com/cert-manager/issuer-lib/blob/main/api/v1alpha1/issuer_interface.go#L27-L42>)
+## type [Issuer](<https://github.com/cert-manager/issuer-lib/blob/main/api/v1alpha1/issuer_interface.go#L28-L43>)
 
 
 
@@ -117,4 +118,16 @@ func (in *IssuerStatus) DeepCopyInto(out *IssuerStatus)
 
 DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non\-nil.
 
+<a name="WrappedIssuer"></a>
+## type [WrappedIssuer](<https://github.com/cert-manager/issuer-lib/blob/main/api/v1alpha1/issuer_interface.go#L46-L49>)
+
+WrappedIssuer is an issuer type to support objects which are not directly of the type Issuer. This could include cert\-manager issuers for example.
+
+```go
+type WrappedIssuer interface {
+    Issuer
+    Unwrap() client.Object
+}
+```
+
 Generated by [gomarkdoc](<https://github.com/princjef/gomarkdoc>)

examples/upstream/controller/signer.go

@@ -0,0 +1,129 @@
+/*
+Copyright 2023 The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+	"time"
+
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/cert-manager/issuer-lib/api/v1alpha1"
+	"github.com/cert-manager/issuer-lib/controllers"
+	"github.com/cert-manager/issuer-lib/controllers/signer"
+	"github.com/cert-manager/issuer-lib/intree"
+)
+
+// +kubebuilder:rbac:groups=cert-manager.io,resources=certificaterequests,verbs=get;list;watch
+// +kubebuilder:rbac:groups=cert-manager.io,resources=certificaterequests/status,verbs=patch
+
+// +kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests,verbs=get;list;watch
+// +kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests/status,verbs=patch
+// +kubebuilder:rbac:groups=certificates.k8s.io,resources=signers,verbs=sign,resourceNames=issuers.cert-manager.io/*;clusterissuers.cert-manager.io/*
+
+// +kubebuilder:rbac:groups=cert-manager.io,resources=issuers;clusterissuers,verbs=get;list;watch
+// +kubebuilder:rbac:groups=cert-manager.io,resources=issuers/status;clusterissuers/status,verbs=patch
+
+// +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch
+
+type Signer struct {
+	client client.Client
+}
+
+func (s *Signer) SetupWithManager(ctx context.Context, mgr ctrl.Manager) error {
+	s.client = mgr.GetClient()
+
+	return (&controllers.CombinedController{
+		IssuerTypes:        intree.Issuers,
+		ClusterIssuerTypes: intree.ClusterIssuers,
+
+		FieldOwner:       "selfsigned.cert-manager.io",
+		MaxRetryDuration: 1 * time.Minute,
+
+		// Ignore non self-signing certificate requests
+		IgnoreIssuer: s.IgnoreIssuer,
+
+		Sign:          s.Sign,
+		Check:         s.Check,
+		EventRecorder: mgr.GetEventRecorderFor("selfsigned.cert-manager.io"),
+	}).SetupWithManager(ctx, mgr)
+}
+
+func (Signer) IgnoreIssuer(ctx context.Context, issuerObject v1alpha1.Issuer) (bool, error) {
+	iss, ok := issuerObject.(intree.CMGenericIssuer)
+	if !ok {
+		return false, fmt.Errorf("issuer does not implement CMGenericIssuer")
+	}
+
+	return iss.IssuerSpec().SelfSigned == nil, nil
+}
+
+func (Signer) Check(ctx context.Context, issuerObject v1alpha1.Issuer) error {
+	return nil
+}
+
+func (Signer) Sign(ctx context.Context, cr signer.CertificateRequestObject, issuerObject v1alpha1.Issuer) (signer.PEMBundle, error) {
+	// generate random ca private key
+	caPrivateKey, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
+	if err != nil {
+		return signer.PEMBundle{}, err
+	}
+
+	caCRT := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			Organization: []string{"Acme Co"},
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(time.Hour * 24 * 180),
+
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+
+	// load client certificate request
+	certDetails, err := cr.GetCertificateDetails()
+	if err != nil {
+		return signer.PEMBundle{}, err
+	}
+
+	clientCRTTemplate, err := certDetails.CertificateTemplate()
+	if err != nil {
+		return signer.PEMBundle{}, err
+	}
+
+	// create client certificate from template and CA public key
+	clientCRTRaw, err := x509.CreateCertificate(rand.Reader, clientCRTTemplate, caCRT, clientCRTTemplate.PublicKey, caPrivateKey)
+	if err != nil {
+		panic(err)
+	}
+
+	clientCrt := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: clientCRTRaw})
+	return signer.PEMBundle{
+		ChainPEM: clientCrt,
+	}, nil
+}

examples/upstream/deploy/rbac/role.yaml

@@ -0,0 +1,66 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: issuer-controller-role
+rules:
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificaterequests
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificaterequests/status
+  verbs:
+  - patch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests/status
+  verbs:
+  - patch
+- apiGroups:
+  - certificates.k8s.io
+  resourceNames:
+  - clusterissuers.cert-manager.io/*
+  - issuers.cert-manager.io/*
+  resources:
+  - signers
+  verbs:
+  - sign
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - clusterissuers
+  - issuers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - clusterissuers/status
+  - issuers/status
+  verbs:
+  - patch

examples/upstream/deploy/static/01_namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: system

examples/upstream/deploy/static/02_rbac.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: controller-manager
+  namespace: system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: controller-manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: issuer-controller-role
+subjects:
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: system