From 1cbfa7ada74d60122f306094033cf8594767cbf7 Mon Sep 17 00:00:00 2001
From: James Munnelly
Date: Wed, 28 Nov 2018 17:01:15 +0000
Subject: [PATCH] Resync certificates on changes to their referenced issuers

Signed-off-by: James Munnelly
---
 pkg/controller/certificates/checks.go | 50 +++++++++++++++++++++++
 pkg/controller/certificates/controller.go | 2 +
 2 files changed, 52 insertions(+)

diff --git a/pkg/controller/certificates/checks.go b/pkg/controller/certificates/checks.go
index 07bbeaaf8..2711edc20 100644
--- a/pkg/controller/certificates/checks.go
+++ b/pkg/controller/certificates/checks.go
@@ -29,6 +29,28 @@ import (
 	cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
 )
 
+func (c *Controller) handleGenericIssuer(obj interface{}) {
+	iss, ok := obj.(cmapi.GenericIssuer)
+	if !ok {
+		runtime.HandleError(fmt.Errorf("Object does not implement GenericIssuer %#v", obj))
+		return
+	}
+
+	certs, err := c.certificatesForGenericIssuer(iss)
+	if err != nil {
+		runtime.HandleError(fmt.Errorf("Error looking up Certificates observing Issuer/ClusterIssuer: %s/%s", iss.GetObjectMeta().Namespace, iss.GetObjectMeta().Name))
+		return
+	}
+	for _, crt := range certs {
+		key, err := keyFunc(crt)
+		if err != nil {
+			runtime.HandleError(err)
+			continue
+		}
+		c.queue.Add(key)
+	}
+}
+
 func (c *Controller) handleSecretResource(obj interface{}) {
 	var secret *corev1.Secret
 	var ok bool
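Review bot: The error returned by certificatesForGenericIssuer is dropped in the second HandleError call of handleGenericIssuer: the message carries only the issuer's namespace and name and never includes `err`, so a lister failure is reported without its cause. Suggest `runtime.HandleError(fmt.Errorf("error looking up Certificates observing Issuer/ClusterIssuer %s/%s: %s", iss.GetObjectMeta().Namespace, iss.GetObjectMeta().Name, err))`. This handler is also registered for delete events, and a deleted object can arrive wrapped in a `cache.DeletedFinalStateUnknown` tombstone that does not implement GenericIssuer; the neighbouring handleSecretResource appears to unwrap that case (its body continues outside the hunk), whereas handleGenericIssuer would log "Object does not implement GenericIssuer" for every such delete. It is also worth stating in a doc comment whether Certificates of a deleted issuer are meant to be requeued (so their status reflects the missing issuer) or deliberately left alone, since the current code does whichever the tombstone path happens to produce.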
@@ -72,6 +94,34 @@ func (c *Controller) certificatesForSecret(secret *corev1.Secret) ([]*cmapi.Cert
 	return affected, nil
 }
 
+func (c *Controller) certificatesForGenericIssuer(iss cmapi.GenericIssuer) ([]*cmapi.Certificate, error) {
+	crts, err := c.certificateLister.List(labels.NewSelector())
+
+	if err != nil {
+		return nil, fmt.Errorf("error listing certificiates: %s", err.Error())
+	}
+
+	_, isClusterIssuer := iss.(*cmapi.ClusterIssuer)
+
+	var affected []*cmapi.Certificate
+	for _, crt := range crts {
+		if isClusterIssuer && crt.Spec.IssuerRef.Kind != cmapi.ClusterIssuerKind {
+			continue
+		}
+		if !isClusterIssuer {
+			if crt.Namespace != iss.GetObjectMeta().Namespace {
+				continue
+			}
+		}
+		if crt.Spec.IssuerRef.Name != iss.GetObjectMeta().Name {
+			continue
+		}
+		affected = append(affected, crt)
+	}
+
+	return affected, nil
+}
+
 func (c *Controller) handleOwnedResource(obj interface{}) {
 	metaobj, ok := obj.(metav1.Object)
 	if !ok {
diff --git a/pkg/controller/certificates/controller.go b/pkg/controller/certificates/controller.go
index f76252442..0a947e6a5 100644
--- a/pkg/controller/certificates/controller.go
+++ b/pkg/controller/certificates/controller.go
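Review bot: For a namespaced Issuer the filter in certificatesForGenericIssuer compares only namespace and name and never looks at `crt.Spec.IssuerRef.Kind`, so a Certificate in the same namespace that references a ClusterIssuer of the same name is also requeued on every change to the unrelated Issuer; the Kind check is applied only on the isClusterIssuer side. Replace the namespaced branch with `if !isClusterIssuer && (crt.Spec.IssuerRef.Kind == cmapi.ClusterIssuerKind || crt.Namespace != iss.GetObjectMeta().Namespace) { continue }`, which treats an empty Kind as Issuer exactly as the ClusterIssuer comparison above already does — confirm that matches the API defaulting. Separately, `c.certificateLister.List(labels.NewSelector())` walks every Certificate in the cluster on each Issuer/ClusterIssuer event, including informer resyncs and status-only updates, so the cost is O(certificates) per event; if the lister exposes a namespace-scoped `Certificates(ns).List(...)`, the namespaced case should use it. The error string also has a typo, `certificiates`.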
@@ -73,10 +73,12 @@ func New(ctx *controllerpkg.Context) *Controller {
 	ctrl.syncedFuncs = append(ctrl.syncedFuncs, certificateInformer.Informer().HasSynced)
 
 	issuerInformer := ctrl.SharedInformerFactory.Certmanager().V1alpha1().Issuers()
+	issuerInformer.Informer().AddEventHandler(&controllerpkg.BlockingEventHandler{WorkFunc: ctrl.handleGenericIssuer})
 	ctrl.issuerLister = issuerInformer.Lister()
 	ctrl.syncedFuncs = append(ctrl.syncedFuncs, issuerInformer.Informer().HasSynced)
 
 	clusterIssuerInformer := ctrl.SharedInformerFactory.Certmanager().V1alpha1().ClusterIssuers()
+	clusterIssuerInformer.Informer().AddEventHandler(&controllerpkg.BlockingEventHandler{WorkFunc: ctrl.handleGenericIssuer})
 	ctrl.clusterIssuerLister = clusterIssuerInformer.Lister()
 	ctrl.syncedFuncs = append(ctrl.syncedFuncs, clusterIssuerInformer.Informer().HasSynced)