From 2da01a0a01ac3495cc7237fc9c0432d4c55d41f6 Mon Sep 17 00:00:00 2001
From: James Munnelly
Date: Wed, 28 Nov 2018 19:16:00 +0000
Subject: [PATCH] Resync order resources when their issuers change

Signed-off-by: James Munnelly
---
 pkg/controller/acmeorders/checks.go | 58 ++++++++++++++++++++++++-
 pkg/controller/acmeorders/controller.go | 10 ++---
 2 files changed, 60 insertions(+), 8 deletions(-)
diff --git a/pkg/controller/acmeorders/checks.go b/pkg/controller/acmeorders/checks.go
index 46f7de17b..275b69b02 100644
--- a/pkg/controller/acmeorders/checks.go
+++ b/pkg/controller/acmeorders/checks.go
@@ -16,4 +16,60 @@ limitations under the License.
 package acmeorders
-// no checks for the acme orders controller yet
+import (
+ "fmt"
+
+ cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
+ "k8s.io/apimachinery/pkg/labels"
+ "k8s.io/apimachinery/pkg/util/runtime"
+)
+
+func (c *Controller) handleGenericIssuer(obj interface{}) {
+ iss, ok := obj.(cmapi.GenericIssuer)
+ if !ok {
+ runtime.HandleError(fmt.Errorf("Object does not implement GenericIssuer %#v", obj))
+ return
+ }
+
+ certs, err := c.ordersForGenericIssuer(iss)
+ if err != nil {
+ runtime.HandleError(fmt.Errorf("Error looking up Orders observing Issuer/ClusterIssuer: %s/%s", iss.GetObjectMeta().Namespace, iss.GetObjectMeta().Name))
+ return
+ }
+ for _, crt := range certs {
+ key, err := keyFunc(crt)
+ if err != nil {
+ runtime.HandleError(err)
+ continue
+ }
+ c.queue.Add(key)
+ }
+}
+
+func (c *Controller) ordersForGenericIssuer(iss cmapi.GenericIssuer) ([]*cmapi.Order, error) {
+ orders, err := c.orderLister.List(labels.NewSelector())
+
+ if err != nil {
+ return nil, fmt.Errorf("error listing certificiates: %s", err.Error())
+ }
+
+ _, isClusterIssuer := iss.(*cmapi.ClusterIssuer)
+
+ var affected []*cmapi.Order
+ for _, o := range orders {
+ if isClusterIssuer && o.Spec.IssuerRef.Kind != cmapi.ClusterIssuerKind {
+ continue
+ }
+ if !isClusterIssuer {
+ if o.Namespace != iss.GetObjectMeta().Namespace {
+ continue
+ }
+ }
+ if o.Spec.IssuerRef.Name != iss.GetObjectMeta().Name {
+ continue
+ }
+ affected = append(affected, o)
+ }
+
+ return affected, nil
+}
diff --git a/pkg/controller/acmeorders/controller.go b/pkg/controller/acmeorders/controller.go
index ae980852c..ef2c59536 100644
--- a/pkg/controller/acmeorders/controller.go
+++ b/pkg/controller/acmeorders/controller.go
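Review bot: In `ordersForGenericIssuer` the namespaced-Issuer branch matches on namespace and name only, so an Order whose `IssuerRef.Kind` is `cmapi.ClusterIssuerKind` is also requeued when a same-named Issuer in its namespace changes; the ClusterIssuer branch filters on Kind but this one does not, which lets a namespace-scoped edit drive syncs of Orders bound to a cluster-scoped issuer. Consider `if !isClusterIssuer && (o.Spec.IssuerRef.Kind == cmapi.ClusterIssuerKind || o.Namespace != iss.GetObjectMeta().Namespace) { continue }`. Separately, `handleGenericIssuer` builds its lookup-failure message without `err`, so the cause never reaches the log; end the format string with `: %v` and pass `err`. The list error says "certificiates" although Orders are listed, and the locals `certs`/`crt` hold Orders, which makes both the logs and the code harder to follow during triage.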
@@ -72,26 +72,22 @@ func New(ctx *controllerpkg.Context) *Controller {
 ctrl.watchedInformers = append(ctrl.watchedInformers, orderInformer.Informer().HasSynced)
 ctrl.orderLister = orderInformer.Lister()
- // issuerInformer.Informer().AddEventHandler(&controllerpkg.QueuingEventHandler{Queue: ctrl.queue})
 issuerInformer := ctrl.SharedInformerFactory.Certmanager().V1alpha1().Issuers()
+ issuerInformer.Informer().AddEventHandler(&controllerpkg.BlockingEventHandler{WorkFunc: ctrl.handleGenericIssuer})
 ctrl.watchedInformers = append(ctrl.watchedInformers, issuerInformer.Informer().HasSynced)
 ctrl.issuerLister = issuerInformer.Lister()
- // clusterIssuerInformer.Informer().AddEventHandler(&controllerpkg.QueuingEventHandler{Queue: ctrl.queue})
 clusterIssuerInformer := ctrl.SharedInformerFactory.Certmanager().V1alpha1().ClusterIssuers()
+ clusterIssuerInformer.Informer().AddEventHandler(&controllerpkg.BlockingEventHandler{WorkFunc: ctrl.handleGenericIssuer})
 ctrl.watchedInformers = append(ctrl.watchedInformers, clusterIssuerInformer.Informer().HasSynced)
 ctrl.clusterIssuerLister = clusterIssuerInformer.Lister()
- // TODO: the same problem here as with Certificates creating Orders occurs.
- // The informer notices the new challenge resources which causes a resync
- // of the owning Order resource before the order.status.url field is set.
- // we need to detect this and not sync the order again automatically to
- // prevent another order being created with the acme server.
 challengeInformer := ctrl.SharedInformerFactory.Certmanager().V1alpha1().Challenges()
 challengeInformer.Informer().AddEventHandler(&controllerpkg.BlockingEventHandler{WorkFunc: ctrl.handleOwnedResource})
 ctrl.watchedInformers = append(ctrl.watchedInformers, challengeInformer.Informer().HasSynced)
 ctrl.challengeLister = challengeInformer.Lister()
+ // TODO: detect changes to secrets referenced by order's issuers.
 secretInformer := ctrl.KubeSharedInformerFactory.Core().V1().Secrets()
 ctrl.watchedInformers = append(ctrl.watchedInformers, secretInformer.Informer().HasSynced)
 ctrl.secretLister = secretInformer.Lister()
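Review bot: The five-line TODO deleted above `challengeInformer` described a resync arriving before `order.status.url` is set and creating a second order with the ACME server, and nothing visible in this hunk shows that guard being added. At the same time the two new `BlockingEventHandler{WorkFunc: ctrl.handleGenericIssuer}` registrations add further paths that enqueue Orders, presumably on every Issuer or ClusterIssuer event, including status-only writes. If the sync function (outside this hunk, as is the rest of `New`) does not already tolerate being re-run at that point, these events could amplify duplicate order creation and consume ACME rate limit. I would keep a short comment recording the invariant where the handlers are registered, for example `// Order sync must be idempotent: issuer and challenge events can requeue an Order before status.url is set.`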