Merge pull request #819 from ccojocar/cert_secret_ref

Set the certificate as an owner of the secret
2018-11-26 15:06:33 +00:00 · 2018-11-26 15:06:33 +00:00 · 2c74eabb1c
commit 2c74eabb1c
parent bbd459f1bf 3766edcd12
5 changed files with 33 additions and 0 deletions
--- a/cmd/controller/app/controller.go
+++ b/cmd/controller/app/controller.go
@ -190,6 +190,9 @@ func buildControllerContext(opts *options.ControllerOptions) (*controller.Contex
 			DefaultACMEIssuerChallengeType:     opts.DefaultACMEIssuerChallengeType,
 			DefaultACMEIssuerDNS01ProviderName: opts.DefaultACMEIssuerDNS01ProviderName,
 		},
+		CertificateOptions: controller.CertificateOptions{
+			EnableOwnerRef: opts.EnableCertificateOwnerRef,
+		},
 	}, kubeCfg, nil
 }

--- a/cmd/controller/app/options/options.go
+++ b/cmd/controller/app/options/options.go
@ -65,6 +65,8 @@ type ControllerOptions struct {

 	// DNS01Nameservers allows specifying a list of custom nameservers to perform DNS checks
 	DNS01Nameservers []string
+
+	EnableCertificateOwnerRef bool
 }

 const (
@ -85,6 +87,7 @@ const (
 	defaultTLSACMEIssuerKind           = "Issuer"
 	defaultACMEIssuerChallengeType     = "http01"
 	defaultACMEIssuerDNS01ProviderName = ""
+	defaultEnableCertificateOwnerRef   = false
 )

 var (
@ -126,6 +129,7 @@ func NewControllerOptions() *ControllerOptions {
 		DefaultACMEIssuerChallengeType:     defaultACMEIssuerChallengeType,
 		DefaultACMEIssuerDNS01ProviderName: defaultACMEIssuerDNS01ProviderName,
 		DNS01Nameservers:                   []string{},
+		EnableCertificateOwnerRef:          defaultEnableCertificateOwnerRef,
 	}
 }

@ -201,6 +205,9 @@ func (s *ControllerOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.StringSliceVar(&s.DNS01Nameservers, "dns01-self-check-nameservers", []string{}, ""+
 		"A list of comma seperated DNS server endpoints used for DNS01 check requests. "+
 		"This should be a list containing IP address and port, for example: 8.8.8.8:53,8.8.4.4:53")
+	fs.BoolVar(&s.EnableCertificateOwnerRef, "enable-certificate-owner-ref", defaultEnableCertificateOwnerRef, ""+
+		"Whether to set the certificate resource as an owner of secret where the tls certificate is stored. "+
+		"When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted.")
 }

 func (o *ControllerOptions) Validate() error {
--- a/pkg/apis/certmanager/v1alpha1/types.go
+++ b/pkg/apis/certmanager/v1alpha1/types.go
@ -59,6 +59,7 @@ type ObjectReference struct {
 const (
 	ClusterIssuerKind = "ClusterIssuer"
 	IssuerKind        = "Issuer"
+	CertificateKind   = "Certificate"
 )

 type SecretKeySelector struct {
--- a/pkg/controller/certificates/sync.go
+++ b/pkg/controller/certificates/sync.go
@ -253,6 +253,17 @@ func issuerKind(crt *v1alpha1.Certificate) string {
 	}
 }

+func ownerRef(crt *v1alpha1.Certificate) metav1.OwnerReference {
+	controller := true
+	return metav1.OwnerReference{
+		APIVersion: v1alpha1.SchemeGroupVersion.String(),
+		Kind:       v1alpha1.CertificateKind,
+		Name:       crt.Name,
+		UID:        crt.UID,
+		Controller: &controller,
+	}
+}
+
 func (c *Controller) updateSecret(crt *v1alpha1.Certificate, namespace string, cert, key, ca []byte) (*api.Secret, error) {
 	secret, err := c.Client.CoreV1().Secrets(namespace).Get(crt.Spec.SecretName, metav1.GetOptions{})
 	if err != nil && !k8sErrors.IsNotFound(err) {
@ -299,6 +310,10 @@ func (c *Controller) updateSecret(crt *v1alpha1.Certificate, namespace string, c

 	// if it is a new resource
 	if secret.SelfLink == "" {
+		enableOwner := c.CertificateOptions.EnableOwnerRef
+		if enableOwner {
+			secret.SetOwnerReferences(append(secret.GetOwnerReferences(), ownerRef(crt)))
+		}
 		secret, err = c.Client.CoreV1().Secrets(namespace).Create(secret)
 	} else {
 		secret, err = c.Client.CoreV1().Secrets(namespace).Update(secret)
--- a/pkg/controller/context.go
+++ b/pkg/controller/context.go
@ -50,6 +50,7 @@ type Context struct {
 	IssuerOptions
 	ACMEOptions
 	IngressShimOptions
+	CertificateOptions
 }

 func (c *Context) IssuerFactory() IssuerFactory {
@ -106,3 +107,9 @@ type IngressShimOptions struct {
 	DefaultACMEIssuerDNS01ProviderName string
 	DefaultAutoCertificateAnnotations  []string
 }
+
+type CertificateOptions struct {
+	// EnableOwnerRef controls wheter wheter the certificate is configured as an owner of
+	// secret where the effective TLS certificate is stored.
+	EnableOwnerRef bool
+}