From 32cf3242cc31163368cfc7f78b34e242ebd6da15 Mon Sep 17 00:00:00 2001 From: Cosmin Cojocar Date: Fri, 10 Aug 2018 15:13:16 +0200 Subject: [PATCH 1/5] Set the certificate as an owner of the secret In this way, the secret will be garbage collected when a certificate is deleted. Signed-off-by: Cosmin Cojocar --- pkg/apis/certmanager/v1alpha1/types.go | 1 + pkg/controller/certificates/sync.go | 12 ++++++++++++ 2 files changed, 13 insertions(+) diff --git a/pkg/apis/certmanager/v1alpha1/types.go b/pkg/apis/certmanager/v1alpha1/types.go index 584ff50d7..8d80ced45 100644 --- a/pkg/apis/certmanager/v1alpha1/types.go +++ b/pkg/apis/certmanager/v1alpha1/types.go @@ -59,6 +59,7 @@ type ObjectReference struct { const ( ClusterIssuerKind = "ClusterIssuer" IssuerKind = "Issuer" + CertificateKind = "Certificate" ) type SecretKeySelector struct { diff --git a/pkg/controller/certificates/sync.go b/pkg/controller/certificates/sync.go index aa110a143..bfb943be9 100644 --- a/pkg/controller/certificates/sync.go +++ b/pkg/controller/certificates/sync.go @@ -243,6 +243,17 @@ func issuerKind(crt *v1alpha1.Certificate) string { } } +func ownerRef(crt *v1alpha1.Certificate) metav1.OwnerReference { + controller := true + return metav1.OwnerReference{ + APIVersion: v1alpha1.SchemeGroupVersion.String(), + Kind: v1alpha1.CertificateKind, + Name: crt.Name, + UID: crt.UID, + Controller: &controller, + } +} + func (c *Controller) updateSecret(crt *v1alpha1.Certificate, namespace string, cert, key, ca []byte) (*api.Secret, error) { secret, err := c.Client.CoreV1().Secrets(namespace).Get(crt.Spec.SecretName, metav1.GetOptions{}) if err != nil && !k8sErrors.IsNotFound(err) { 
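Review bot: ownerRef builds the reference from crt.Name and crt.UID but nothing checks that the Secret lives in the Certificate's namespace: updateSecret receives `namespace` as a parameter separate from `crt`, and a Kubernetes owner reference is only valid within one namespace — the garbage collector treats a namespaced owner in another namespace as absent and may delete the dependent, here the Secret holding the private key. If callers can ever pass a namespace other than crt.Namespace, the reference should be attached only when `namespace == crt.Namespace` (that guard belongs in updateSecret, whose body continues past the end of this hunk); if they cannot, a comment on ownerRef stating that invariant would keep it from being broken later. The reference sets Controller but leaves BlockOwnerDeletion unset, so foreground deletion of a Certificate will not wait for the Secret; that is a reasonable choice and also means no `update` permission on the Certificate finalizers subresource is needed where the OwnerReferencesPermissionEnforcement admission plugin is on, but it deserves a line such as `// BlockOwnerDeletion is deliberately unset: no finalizer permission on Certificates is required and foreground deletion need not wait for the Secret.`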
@@ -290,6 +301,7 @@ func (c *Controller) updateSecret(crt *v1alpha1.Certificate, namespace string, c // if it is a new resource if secret.SelfLink == "" { secret, err = c.Client.CoreV1().Secrets(namespace).Create(secret) + secret.SetOwnerReferences(append(secret.GetOwnerReferences(), ownerRef(crt))) } else { secret, err = c.Client.CoreV1().Secrets(namespace).Update(secret) } From 5d36fba075123278a3371d340d5a6135996573f9 Mon Sep 17 00:00:00 2001 From: Cosmin Cojocar Date: Sun, 28 Oct 2018 19:54:26 +0100 Subject: [PATCH 2/5] Add a flag which controls whether the certificate is configured as an owner of the secret where the effective TLS certificate is stored Signed-off-by: Cosmin Cojocar --- cmd/controller/app/controller.go | 3 +++ cmd/controller/app/options/options.go | 7 +++++++ pkg/controller/certificates/sync.go | 5 ++++- pkg/controller/context.go | 7 +++++++ 4 files changed, 21 insertions(+), 1 deletion(-) diff --git a/cmd/controller/app/controller.go b/cmd/controller/app/controller.go index 932c1fed6..a8282c394 100644 --- a/cmd/controller/app/controller.go +++ b/cmd/controller/app/controller.go @@ -184,6 +184,9 @@ func buildControllerContext(opts *options.ControllerOptions) (*controller.Contex DefaultACMEIssuerChallengeType: opts.DefaultACMEIssuerChallengeType, DefaultACMEIssuerDNS01ProviderName: opts.DefaultACMEIssuerDNS01ProviderName, }, + CertifcateOptions: controller.CertificateOptions{ + EnableOwnerRef: opts.EnableCertificateOwnerRef, + }, }, kubeCfg, nil } diff --git a/cmd/controller/app/options/options.go b/cmd/controller/app/options/options.go index 3246d3f36..d2810d877 100644 --- a/cmd/controller/app/options/options.go +++ b/cmd/controller/app/options/options.go @@ -63,6 +63,8 @@ type ControllerOptions struct { // DNS01Nameservers allows specifying a list of custom nameservers to perform DNS checks DNS01Nameservers []string + + EnableCertificateOwnerRef bool } const ( 
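Review bot: The new `EnableCertificateOwnerRef` field in ControllerOptions has no doc comment, while its sibling `DNS01Nameservers` in the same hunk documents itself; an operator reading the struct cannot tell what the flag implies for data lifetime. Add above the field: `// EnableCertificateOwnerRef sets each Certificate as the owner of the Secret holding its issued key pair, so the Secret is garbage collected when the Certificate is deleted.` The ControllerOptions struct begins before this hunk.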
@@ -83,6 +85,7 @@ const ( defaultTLSACMEIssuerKind = "Issuer" defaultACMEIssuerChallengeType = "http01" defaultACMEIssuerDNS01ProviderName = "" + defaultEnableCertificateOwnerRef = true ) var ( @@ -120,6 +123,7 @@ func NewControllerOptions() *ControllerOptions { DefaultACMEIssuerChallengeType: defaultACMEIssuerChallengeType, DefaultACMEIssuerDNS01ProviderName: defaultACMEIssuerDNS01ProviderName, DNS01Nameservers: []string{}, + EnableCertificateOwnerRef: defaultEnableCertificateOwnerRef, } } @@ -193,6 +197,9 @@ func (s *ControllerOptions) AddFlags(fs *pflag.FlagSet) { fs.StringSliceVar(&s.DNS01Nameservers, "dns01-self-check-nameservers", []string{}, ""+ "A list of comma seperated DNS server endpoints used for DNS01 check requests. "+ "This should be a list containing IP address and port, for example: 8.8.8.8:53,8.8.4.4:53") + fs.BoolVar(&s.EnableCertificateOwnerRef, "enable-certificate-owner-ref", defaultEnableCertificateOwnerRef, ""+ + "Whether to set the certificate resource as an owner of secret where the tls certificate is stored. "+ + "When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted.") } func (o *ControllerOptions) Validate() error { diff --git a/pkg/controller/certificates/sync.go b/pkg/controller/certificates/sync.go index bfb943be9..49db2c9d1 100644 --- a/pkg/controller/certificates/sync.go +++ b/pkg/controller/certificates/sync.go @@ -301,7 +301,10 @@ func (c *Controller) updateSecret(crt *v1alpha1.Certificate, namespace string, c // if it is a new resource if secret.SelfLink == "" { secret, err = c.Client.CoreV1().Secrets(namespace).Create(secret) - secret.SetOwnerReferences(append(secret.GetOwnerReferences(), ownerRef(crt))) + enableOwner := c.CertificateOptions.EnableOwnerRef + if enableOwner { + secret.SetOwnerReferences(append(secret.GetOwnerReferences(), ownerRef(crt))) + } } else { secret, err = c.Client.CoreV1().Secrets(namespace).Update(secret) } 
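Review bot: The help text for `--enable-certificate-owner-ref` states that "the secret will be automatically removed when the certificate resource is deleted", but in this series' sync.go hunks the owner reference is only attached on the Create path, so a Secret that already existed under crt.Spec.SecretName (created by hand, by an earlier version, or before the flag was turned on) stays unowned and is not removed. The text should say so, e.g. `"When enabled, Secrets created by cert-manager are removed together with their Certificate; Secrets that already existed are left unowned."` It is also worth noting in the help that the removed Secret contains the private key and may still be mounted by running workloads, since that is the trade-off an operator enabling the flag has to weigh. AddFlags begins before this hunk.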
diff --git a/pkg/controller/context.go b/pkg/controller/context.go index ee486ce1e..6048cf306 100644 --- a/pkg/controller/context.go +++ b/pkg/controller/context.go @@ -50,6 +50,7 @@ type Context struct { IssuerOptions ACMEOptions IngressShimOptions + CertificateOptions } func (c *Context) IssuerFactory() IssuerFactory { @@ -105,3 +106,9 @@ type IngressShimOptions struct { DefaultACMEIssuerChallengeType string DefaultACMEIssuerDNS01ProviderName string } + +type CertificateOptions struct { + // EnableOwnerRef controls wheter wheter the certificate is configured as an owner of + // secret where the effective TLS certificate is stored. + EnableOwnerRef bool +} From 5be660ec9e905da63179797f87fc23d1bfad5b56 Mon Sep 17 00:00:00 2001 From: Cosmin Cojocar Date: Sun, 28 Oct 2018 20:08:36 +0100 Subject: [PATCH 3/5] Fix typo in filed name Signed-off-by: Cosmin Cojocar --- cmd/controller/app/controller.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/controller/app/controller.go b/cmd/controller/app/controller.go index a8282c394..9d11287ba 100644 --- a/cmd/controller/app/controller.go +++ b/cmd/controller/app/controller.go @@ -184,7 +184,7 @@ func buildControllerContext(opts *options.ControllerOptions) (*controller.Contex DefaultACMEIssuerChallengeType: opts.DefaultACMEIssuerChallengeType, DefaultACMEIssuerDNS01ProviderName: opts.DefaultACMEIssuerDNS01ProviderName, }, - CertifcateOptions: controller.CertificateOptions{ + CertificateOptions: controller.CertificateOptions{ EnableOwnerRef: opts.EnableCertificateOwnerRef, }, }, kubeCfg, nil From 3dc4410913e76e3a9f87738b73bd2899020cbf9e Mon Sep 17 00:00:00 2001 From: Cosmin Cojocar Date: Wed, 7 Nov 2018 18:12:11 +0100 Subject: [PATCH 4/5] Configure the reference owner before creating the secret Signed-off-by: Cosmin Cojocar --- pkg/controller/certificates/sync.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
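Review bot: The doc comment on `EnableOwnerRef` reads "controls wheter wheter the certificate" — a doubled misspelling — and the exported type `CertificateOptions` carries no comment at all. Suggest `// CertificateOptions holds settings for the certificates controller.` above the type and `// EnableOwnerRef controls whether the Certificate is set as an owner of the Secret holding the issued TLS certificate and key, so that the Secret is garbage collected when the Certificate is deleted.` on the field.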
diff --git a/pkg/controller/certificates/sync.go b/pkg/controller/certificates/sync.go index 49db2c9d1..6e84cd07c 100644 --- a/pkg/controller/certificates/sync.go +++ b/pkg/controller/certificates/sync.go @@ -300,11 +300,11 @@ func (c *Controller) updateSecret(crt *v1alpha1.Certificate, namespace string, c // if it is a new resource if secret.SelfLink == "" { - secret, err = c.Client.CoreV1().Secrets(namespace).Create(secret) enableOwner := c.CertificateOptions.EnableOwnerRef if enableOwner { secret.SetOwnerReferences(append(secret.GetOwnerReferences(), ownerRef(crt))) } + secret, err = c.Client.CoreV1().Secrets(namespace).Create(secret) } else { secret, err = c.Client.CoreV1().Secrets(namespace).Update(secret) } From 3766edcd1221f625a84102925a0c7acdbf9cce86 Mon Sep 17 00:00:00 2001 From: Cosmin Cojocar Date: Mon, 26 Nov 2018 09:47:54 +0100 Subject: [PATCH 5/5] Set the default value of enable-certificate-owner-ref to false Signed-off-by: Cosmin Cojocar --- cmd/controller/app/options/options.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/controller/app/options/options.go b/cmd/controller/app/options/options.go index d2810d877..15c4a4f88 100644 --- a/cmd/controller/app/options/options.go +++ b/cmd/controller/app/options/options.go @@ -85,7 +85,7 @@ const ( defaultTLSACMEIssuerKind = "Issuer" defaultACMEIssuerChallengeType = "http01" defaultACMEIssuerDNS01ProviderName = "" - defaultEnableCertificateOwnerRef = true + defaultEnableCertificateOwnerRef = false ) var (
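Review bot: Attaching the owner reference before Create fixes the lost reference, but the Update branch still never sets it, so behaviour is now split: a Secret this controller creates is garbage collected with its Certificate, while one that already existed under the same name (user-created, or created by an earlier run without the flag) is silently left unowned. That is the safer outcome — adopting an arbitrary pre-existing Secret would let a Certificate deletion destroy key material cert-manager did not create — but it is a decision rather than an accident and should be recorded at the branch: `// Only Secrets created here get the owner reference; an existing Secret is never adopted, so deleting the Certificate cannot remove data cert-manager did not create.` If adoption is wanted later, it should be limited to Secrets the controller can identify as its own, not anything under that name. updateSecret starts and ends outside this hunk.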
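Review bot: The default flips from true to false with no rationale on the constant or in the commit message, and nothing tells a reader why a feature added as the default three commits earlier is now opt-in. Presumably the reason is that enabling garbage collection of the Secret makes Certificate deletion also delete the private key, which can break workloads still mounting it, so existing installs must choose it deliberately; keep that with the code: `// Opt-in: with the owner reference, deleting a Certificate also deletes the Secret holding its private key, which may still be mounted by running workloads.` The help text in AddFlags takes its default from this constant, so it stays consistent with the change.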