Merge pull request #3141 from hzhou97/reuse_acme_account

Ability to disable generating new ACME account key for ACME issuers
jetstack-bot 2020-08-21 09:40:43 +01:00 committed by GitHub
commit 3177185a89
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 107 additions and 1 deletions


@ -69,6 +69,9 @@ spec:
- privateKeySecretRef
- server
properties:
disableAccountKeyGeneration:
description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
type: boolean
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
@ -1074,6 +1077,9 @@ spec:
- privateKeySecretRef
- server
properties:
disableAccountKeyGeneration:
description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
type: boolean
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
@ -2081,6 +2087,9 @@ spec:
- privateKeySecretRef
- server
properties:
disableAccountKeyGeneration:
description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
type: boolean
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
@ -3088,6 +3097,9 @@ spec:
- privateKeySecretRef
- server
properties:
disableAccountKeyGeneration:
description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
type: boolean
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string


@ -69,6 +69,9 @@ spec:
- privateKeySecretRef
- server
properties:
disableAccountKeyGeneration:
description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
type: boolean
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
@ -1088,6 +1091,9 @@ spec:
- privateKeySecretRef
- server
properties:
disableAccountKeyGeneration:
description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
type: boolean
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
@ -2109,6 +2115,9 @@ spec:
- privateKeySecretRef
- server
properties:
disableAccountKeyGeneration:
description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
type: boolean
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
@ -3130,6 +3139,9 @@ spec:
- privateKeySecretRef
- server
properties:
disableAccountKeyGeneration:
description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
type: boolean
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string


@ -69,6 +69,9 @@ spec:
- privateKeySecretRef
- server
properties:
disableAccountKeyGeneration:
description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
type: boolean
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
@ -1074,6 +1077,9 @@ spec:
- privateKeySecretRef
- server
properties:
disableAccountKeyGeneration:
description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
type: boolean
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
@ -2081,6 +2087,9 @@ spec:
- privateKeySecretRef
- server
properties:
disableAccountKeyGeneration:
description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
type: boolean
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
@ -3088,6 +3097,9 @@ spec:
- privateKeySecretRef
- server
properties:
disableAccountKeyGeneration:
description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
type: boolean
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string


@ -69,6 +69,9 @@ spec:
- privateKeySecretRef
- server
properties:
disableAccountKeyGeneration:
description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
type: boolean
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
@ -1088,6 +1091,9 @@ spec:
- privateKeySecretRef
- server
properties:
disableAccountKeyGeneration:
description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
type: boolean
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
@ -2109,6 +2115,9 @@ spec:
- privateKeySecretRef
- server
properties:
disableAccountKeyGeneration:
description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
type: boolean
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
@ -3130,6 +3139,9 @@ spec:
- privateKeySecretRef
- server
properties:
disableAccountKeyGeneration:
description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
type: boolean
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string


@ -73,6 +73,15 @@ type ACMEIssuer struct {
// For more information, see: https://cert-manager.io/docs/configuration/acme/
// +optional
Solvers []ACMEChallengeSolver `json:"solvers,omitempty"`
// Enables or disables generating a new ACME account key.
// If true, the Issuer resource will *not* request a new account but will expect
// the account key to be supplied via an existing secret.
// If false, the cert-manager system will generate a new ACME account key
// for the Issuer.
// Defaults to false.
// +optional
DisableAccountKeyGeneration bool `json:"disableAccountKeyGeneration,omitempty"`
}
// ACMEExternalAccountBinding is a reference to a CA external account of the ACME
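Review bot: The doc comment on `DisableAccountKeyGeneration` says the Issuer "will *not* request a new account", but what the flag gates in this change is private-key generation; from the Setup hunk later in this commit, the issuer still proceeds with the existing key, so account verification against the ACME server appears to still happen (the rest of Setup is outside the visible hunk, so confirm). The comment also omits the failure mode an operator enabling this most needs to know: when the referenced secret is missing, Setup returns an error and the Issuer's Ready condition is set to False rather than a key being generated. Suggest rewording to `// If true, cert-manager will not generate an account private key; the key referenced by privateKeySecretRef must already exist, and issuer setup fails (Ready=False) if it does not.` followed by the existing "If false" and "Defaults to false" lines. The identical comment is repeated in the v1alpha2, v1alpha3, v1beta1 and internal ACMEIssuer types and is generated into the CRD descriptions, so the same rewording applies there.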


@ -73,6 +73,15 @@ type ACMEIssuer struct {
// For more information, see: https://cert-manager.io/docs/configuration/acme/
// +optional
Solvers []ACMEChallengeSolver `json:"solvers,omitempty"`
// Enables or disables generating a new ACME account key.
// If true, the Issuer resource will *not* request a new account but will expect
// the account key to be supplied via an existing secret.
// If false, the cert-manager system will generate a new ACME account key
// for the Issuer.
// Defaults to false.
// +optional
DisableAccountKeyGeneration bool `json:"disableAccountKeyGeneration,omitempty"`
}
// ACMEExternalAccountBinding is a reference to a CA external account of the ACME


@ -73,6 +73,15 @@ type ACMEIssuer struct {
// For more information, see: https://cert-manager.io/docs/configuration/acme/
// +optional
Solvers []ACMEChallengeSolver `json:"solvers,omitempty"`
// Enables or disables generating a new ACME account key.
// If true, the Issuer resource will *not* request a new account but will expect
// the account key to be supplied via an existing secret.
// If false, the cert-manager system will generate a new ACME account key
// for the Issuer.
// Defaults to false.
// +optional
DisableAccountKeyGeneration bool `json:"disableAccountKeyGeneration,omitempty"`
}
// ACMEExternalAccountBinding is a reference to a CA external account of the ACME


@ -73,6 +73,15 @@ type ACMEIssuer struct {
// For more information, see: https://cert-manager.io/docs/configuration/acme/
// +optional
Solvers []ACMEChallengeSolver `json:"solvers,omitempty"`
// Enables or disables generating a new ACME account key.
// If true, the Issuer resource will *not* request a new account but will expect
// the account key to be supplied via an existing secret.
// If false, the cert-manager system will generate a new ACME account key
// for the Issuer.
// Defaults to false.
// +optional
DisableAccountKeyGeneration bool `json:"disableAccountKeyGeneration,omitempty"`
}
// ACMEExternalAccountBinding is a reference to a CA external account of the ACME


@ -69,6 +69,15 @@ type ACMEIssuer struct {
// from an ACME server.
// For more information, see: https://cert-manager.io/docs/configuration/acme/
Solvers []ACMEChallengeSolver
// Enables or disables generating a new ACME account key.
// If true, the Issuer resource will *not* request a new account but will expect
// the account key to be supplied via an existing secret.
// If false, the cert-manager system will generate a new ACME account key
// for the Issuer.
// Defaults to false.
// +optional
DisableAccountKeyGeneration bool `json:"disableAccountKeyGeneration,omitempty"`
}
// ACMEExternalAccountBinding is a reference to a CA external account of the ACME
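Review bot: In this internal ACMEIssuer type the new field carries a `json:"disableAccountKeyGeneration,omitempty"` tag and a `// +optional` marker, while the neighbouring `Solvers []ACMEChallengeSolver` in the same hunk has neither, which is the convention for the hub (internal) type — the json tag and the marker belong on the versioned types only. Suggest declaring it as `DisableAccountKeyGeneration bool` to match the surrounding fields; the generated conversion functions elsewhere in this commit do not depend on the tag. The struct's opening line is outside the hunk.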


@ -692,6 +692,7 @@ func autoConvert_v1_ACMEIssuer_To_acme_ACMEIssuer(in *v1.ACMEIssuer, out *acme.A
return err
}
out.Solvers = *(*[]acme.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers))
out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration
return nil
}
@ -710,6 +711,7 @@ func autoConvert_acme_ACMEIssuer_To_v1_ACMEIssuer(in *acme.ACMEIssuer, out *v1.A
return err
}
out.Solvers = *(*[]v1.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers))
out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration
return nil
}


@ -692,6 +692,7 @@ func autoConvert_v1alpha2_ACMEIssuer_To_acme_ACMEIssuer(in *v1alpha2.ACMEIssuer,
return err
}
out.Solvers = *(*[]acme.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers))
out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration
return nil
}
@ -710,6 +711,7 @@ func autoConvert_acme_ACMEIssuer_To_v1alpha2_ACMEIssuer(in *acme.ACMEIssuer, out
return err
}
out.Solvers = *(*[]v1alpha2.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers))
out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration
return nil
}


@ -692,6 +692,7 @@ func autoConvert_v1alpha3_ACMEIssuer_To_acme_ACMEIssuer(in *v1alpha3.ACMEIssuer,
return err
}
out.Solvers = *(*[]acme.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers))
out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration
return nil
}
@ -710,6 +711,7 @@ func autoConvert_acme_ACMEIssuer_To_v1alpha3_ACMEIssuer(in *acme.ACMEIssuer, out
return err
}
out.Solvers = *(*[]v1alpha3.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers))
out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration
return nil
}


@ -692,6 +692,7 @@ func autoConvert_v1beta1_ACMEIssuer_To_acme_ACMEIssuer(in *v1beta1.ACMEIssuer, o
return err
}
out.Solvers = *(*[]acme.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers))
out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration
return nil
}
@ -710,6 +711,7 @@ func autoConvert_acme_ACMEIssuer_To_v1beta1_ACMEIssuer(in *acme.ACMEIssuer, out
return err
}
out.Solvers = *(*[]v1beta1.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers))
out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration
return nil
}


@ -86,7 +86,7 @@ func (a *Acme) Setup(ctx context.Context) error {
privateKeySelector := acme.PrivateKeySelector(a.issuer.GetSpec().ACME.PrivateKey)
pk, err := kube.SecretTLSKeyRef(ctx, a.secretsLister, ns, privateKeySelector.Name, privateKeySelector.Key)
switch {
case apierrors.IsNotFound(err):
case !a.issuer.GetSpec().ACME.DisableAccountKeyGeneration && apierrors.IsNotFound(err):
log.V(logf.InfoLevel).Info("generating acme account private key")
pk, err = a.createAccountPrivateKey(privateKeySelector, ns)
if err != nil {
@ -97,6 +97,11 @@ func (a *Acme) Setup(ctx context.Context) error {
// We clear the ACME account URI as we have generated a new private key
a.issuer.GetStatus().ACMEStatus().URI = ""
case a.issuer.GetSpec().ACME.DisableAccountKeyGeneration && apierrors.IsNotFound(err):
wrapErr := fmt.Errorf(messageAccountVerificationFailed+"the ACME issuer config has 'disableAccountKeyGeneration' set to true, but the secret was not found: %w", err)
apiutil.SetIssuerCondition(a.issuer, v1.IssuerConditionReady, cmmeta.ConditionFalse, errorAccountVerificationFailed, wrapErr.Error())
return wrapErr
case errors.IsInvalidData(err):
apiutil.SetIssuerCondition(a.issuer, v1.IssuerConditionReady, cmmeta.ConditionFalse, errorAccountVerificationFailed, fmt.Sprintf("Account private key is invalid: %v", err))
return nil