Update CA issuer

Signed-off-by: James Munnelly <james@munnelly.eu>
This commit is contained in:
James Munnelly 2019-02-28 21:12:06 +00:00
parent 451b12f006
commit 591f8b690f
3 changed files with 27 additions and 11 deletions


@ -14,13 +14,13 @@ go_library(
"//pkg/apis/certmanager/v1alpha1:go_default_library",
"//pkg/controller:go_default_library",
"//pkg/issuer:go_default_library",
"//pkg/logs:go_default_library",
"//pkg/util/errors:go_default_library",
"//pkg/util/kube:go_default_library",
"//pkg/util/pki:go_default_library",
"//vendor/k8s.io/api/core/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
"//vendor/k8s.io/client-go/listers/core/v1:go_default_library",
"//vendor/k8s.io/klog:go_default_library",
],
)


@ -21,10 +21,10 @@ import (
corev1 "k8s.io/api/core/v1"
k8sErrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/klog"
"github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
"github.com/jetstack/cert-manager/pkg/issuer"
logf "github.com/jetstack/cert-manager/pkg/logs"
"github.com/jetstack/cert-manager/pkg/util/errors"
"github.com/jetstack/cert-manager/pkg/util/kube"
"github.com/jetstack/cert-manager/pkg/util/pki"
@ -44,12 +44,17 @@ const (
// supporting resources, and to ensure we re-attempt issuance when these resources
// are fixed, it always returns an error on any failure.
func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) (*issuer.IssueResponse, error) {
log := logf.FromContext(ctx, "issue")
log = logf.WithRelatedResourceName(log, crt.Spec.SecretName, crt.Namespace, "Secret")
// get a copy of the existing/currently issued Certificate's private key
signeeKey, err := kube.SecretTLSKey(c.secretsLister, crt.Namespace, crt.Spec.SecretName)
if k8sErrors.IsNotFound(err) || errors.IsInvalidData(err) {
log.Info("generating new private key")
// if one does not already exist, generate a new one
signeeKey, err = pki.GeneratePrivateKeyForCertificate(crt)
if err != nil {
log.Error(err, "error generating private key")
c.Recorder.Eventf(crt, corev1.EventTypeWarning, "PrivateKeyError", "Error generating certificate private key: %v", err)
// don't trigger a retry. An error from this function implies some
// invalid input parameters, and retrying without updating the
@ -58,28 +63,30 @@ func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) (*issuer.Issu
}
}
if err != nil {
klog.Errorf("Error getting private key %q for certificate: %v", crt.Spec.SecretName, err)
log.Error(err, "error getting private key for certificate")
return nil, err
}
// extract the public component of the key
signeePublicKey, err := pki.PublicKeyForPrivateKey(signeeKey)
if err != nil {
klog.Errorf("Error getting public key from private key: %v", err)
log.Error(err, "error getting public key from private key")
return nil, err
}
// get a copy of the CA certificate named on the Issuer
caCerts, caKey, err := kube.SecretTLSKeyPair(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretName)
if err != nil {
klog.Errorf("Error getting signing CA for Issuer: %v", err)
log := logf.WithRelatedResourceName(log, c.issuer.GetSpec().CA.SecretName, c.resourceNamespace, "Secret")
log.Info("error getting signing CA for Issuer")
return nil, err
}
// generate a x509 certificate template for this Certificate
template, err := pki.GenerateTemplate(crt)
if err != nil {
c.Recorder.Eventf(crt, corev1.EventTypeWarning, "ErrorSigning", "Error signing certificate: %v", err)
log.Error(err, "error generating certificate template")
c.Recorder.Eventf(crt, corev1.EventTypeWarning, "ErrorSigning", "Error generating certificate template: %v", err)
return nil, err
}
@ -88,6 +95,7 @@ func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) (*issuer.Issu
// sign and encode the certificate
certPem, _, err := pki.SignCertificate(template, caCert, signeePublicKey, caKey)
if err != nil {
log.Error(err, "error signing certificate")
c.Recorder.Eventf(crt, corev1.EventTypeWarning, "ErrorSigning", "Error signing certificate: %v", err)
return nil, err
}
@ -96,6 +104,7 @@ func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) (*issuer.Issu
// TODO: replace caCerts with caCerts[1:]?
chainPem, err := pki.EncodeX509Chain(caCerts)
if err != nil {
log.Error(err, "error encoding x509 certificate chain")
return nil, err
}
@ -104,6 +113,7 @@ func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) (*issuer.Issu
// Encode output private key and CA cert ready for return
keyPem, err := pki.EncodePrivateKey(signeeKey)
if err != nil {
log.Error(err, "error encoding private key")
c.Recorder.Eventf(crt, corev1.EventTypeWarning, "ErrorPrivateKey", "Error encoding private key: %v", err)
return nil, err
}
@ -111,10 +121,13 @@ func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) (*issuer.Issu
// encode the CA certificate to be bundled in the output
caPem, err := pki.EncodeX509(caCerts[0])
if err != nil {
log.Error(err, "error encoding certificate")
c.Recorder.Eventf(crt, corev1.EventTypeWarning, "ErrorSigning", "Error encoding certificate: %v", err)
return nil, err
}
log.Info("certificate issued")
return &issuer.IssueResponse{
PrivateKey: keyPem,
Certificate: certPem,
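Review bot: The signing-CA lookup failure is now reported with `log.Info("error getting signing CA for Issuer")`, which drops the error value and logs at Info level, while every other failure branch in this hunk uses `log.Error(err, ...)` and the removed `klog.Errorf` did include `err`. Change it to `log.Error(err, "error getting signing CA for Issuer")` so a missing or malformed CA Secret is visible at error level with its cause. The inner `log :=` shadow is fine since it stays scoped to the if block, but note that, unlike the other branches, this failure still emits no Recorder event on the Certificate, so the CA-side cause is only discoverable in controller logs. The same Secret-lookup pattern appears in the setup.go section of this commit.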


@ -20,10 +20,10 @@ import (
"context"
"k8s.io/api/core/v1"
"k8s.io/klog"
apiutil "github.com/jetstack/cert-manager/pkg/api/util"
"github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
logf "github.com/jetstack/cert-manager/pkg/logs"
"github.com/jetstack/cert-manager/pkg/util/kube"
)
@ -40,10 +40,12 @@ const (
)
func (c *CA) Setup(ctx context.Context) error {
log := logf.FromContext(ctx, "setup")
cert, err := kube.SecretTLSCert(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretName)
if err != nil {
log.Error(err, "error getting signing CA TLS certificate")
s := messageErrorGetKeyPair + err.Error()
klog.Info(s)
c.Recorder.Event(c.issuer, v1.EventTypeWarning, errorGetKeyPair, s)
apiutil.SetIssuerCondition(c.issuer, v1alpha1.IssuerConditionReady, v1alpha1.ConditionFalse, errorGetKeyPair, s)
return err
@ -51,23 +53,24 @@ func (c *CA) Setup(ctx context.Context) error {
_, err = kube.SecretTLSKey(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretName)
if err != nil {
log.Error(err, "error getting signing CA private key")
s := messageErrorGetKeyPair + err.Error()
klog.Info(s)
c.Recorder.Event(c.issuer, v1.EventTypeWarning, errorGetKeyPair, s)
apiutil.SetIssuerCondition(c.issuer, v1alpha1.IssuerConditionReady, v1alpha1.ConditionFalse, errorGetKeyPair, s)
return err
}
log = logf.WithRelatedResourceName(log, c.issuer.GetSpec().CA.SecretName, c.resourceNamespace, "Secret")
if !cert.IsCA {
s := messageErrorGetKeyPair + "certificate is not a CA"
klog.Info(s)
log.Error(nil, "signing certificate is not a CA")
c.Recorder.Event(c.issuer, v1.EventTypeWarning, errorInvalidKeyPair, s)
apiutil.SetIssuerCondition(c.issuer, v1alpha1.IssuerConditionReady, v1alpha1.ConditionFalse, errorInvalidKeyPair, s)
// Don't return an error here as there is nothing more we can do
return nil
}
klog.Info(messageKeyPairVerified)
log.Info("signing CA verified")
c.Recorder.Event(c.issuer, v1.EventTypeNormal, successKeyPairVerified, messageKeyPairVerified)
apiutil.SetIssuerCondition(c.issuer, v1alpha1.IssuerConditionReady, v1alpha1.ConditionTrue, successKeyPairVerified, messageKeyPairVerified)
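Review bot: The related-resource context `log = logf.WithRelatedResourceName(log, c.issuer.GetSpec().CA.SecretName, c.resourceNamespace, "Secret")` is attached only after both Secret lookups succeed, so the two new `log.Error(err, "error getting signing CA ...")` messages, which are about that very Secret, are emitted without its name and namespace. Move that line to directly after `log := logf.FromContext(ctx, "setup")` in the first hunk of this section so every message in Setup identifies the Secret it refers to. The non-CA branch's `log.Error(nil, "signing certificate is not a CA")` passes a nil error; `log.Info` with the same message would read more naturally since there is no error value to attach. Setup's closing lines appear to fall outside this section.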