Add a flag which controls whether the certificate is configured as an owner of the secret where the effective TLS certificate is stored

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2018-10-28 19:54:26 +01:00 · 2018-10-28 19:54:26 +01:00 · 5d36fba075
commit 5d36fba075
parent 32cf3242cc
4 changed files with 21 additions and 1 deletions
--- a/cmd/controller/app/controller.go
+++ b/cmd/controller/app/controller.go
@ -184,6 +184,9 @@ func buildControllerContext(opts *options.ControllerOptions) (*controller.Contex
 			DefaultACMEIssuerChallengeType:     opts.DefaultACMEIssuerChallengeType,
 			DefaultACMEIssuerDNS01ProviderName: opts.DefaultACMEIssuerDNS01ProviderName,
 		},
+		CertifcateOptions: controller.CertificateOptions{
+			EnableOwnerRef: opts.EnableCertificateOwnerRef,
+		},
 	}, kubeCfg, nil
 }

--- a/cmd/controller/app/options/options.go
+++ b/cmd/controller/app/options/options.go
@ -63,6 +63,8 @@ type ControllerOptions struct {

 	// DNS01Nameservers allows specifying a list of custom nameservers to perform DNS checks
 	DNS01Nameservers []string
+
+	EnableCertificateOwnerRef bool
 }

 const (
@ -83,6 +85,7 @@ const (
 	defaultTLSACMEIssuerKind           = "Issuer"
 	defaultACMEIssuerChallengeType     = "http01"
 	defaultACMEIssuerDNS01ProviderName = ""
+	defaultEnableCertificateOwnerRef   = true
 )

 var (
@ -120,6 +123,7 @@ func NewControllerOptions() *ControllerOptions {
 		DefaultACMEIssuerChallengeType:     defaultACMEIssuerChallengeType,
 		DefaultACMEIssuerDNS01ProviderName: defaultACMEIssuerDNS01ProviderName,
 		DNS01Nameservers:                   []string{},
+		EnableCertificateOwnerRef:          defaultEnableCertificateOwnerRef,
 	}
 }

@ -193,6 +197,9 @@ func (s *ControllerOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.StringSliceVar(&s.DNS01Nameservers, "dns01-self-check-nameservers", []string{}, ""+
 		"A list of comma seperated DNS server endpoints used for DNS01 check requests. "+
 		"This should be a list containing IP address and port, for example: 8.8.8.8:53,8.8.4.4:53")
+	fs.BoolVar(&s.EnableCertificateOwnerRef, "enable-certificate-owner-ref", defaultEnableCertificateOwnerRef, ""+
+		"Whether to set the certificate resource as an owner of secret where the tls certificate is stored. "+
+		"When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted.")
 }

 func (o *ControllerOptions) Validate() error {
--- a/pkg/controller/certificates/sync.go
+++ b/pkg/controller/certificates/sync.go
@ -301,7 +301,10 @@ func (c *Controller) updateSecret(crt *v1alpha1.Certificate, namespace string, c
 	// if it is a new resource
 	if secret.SelfLink == "" {
 		secret, err = c.Client.CoreV1().Secrets(namespace).Create(secret)
-		secret.SetOwnerReferences(append(secret.GetOwnerReferences(), ownerRef(crt)))
+		enableOwner := c.CertificateOptions.EnableOwnerRef
+		if enableOwner {
+			secret.SetOwnerReferences(append(secret.GetOwnerReferences(), ownerRef(crt)))
+		}
 	} else {
 		secret, err = c.Client.CoreV1().Secrets(namespace).Update(secret)
 	}
--- a/pkg/controller/context.go
+++ b/pkg/controller/context.go
@ -50,6 +50,7 @@ type Context struct {
 	IssuerOptions
 	ACMEOptions
 	IngressShimOptions
+	CertificateOptions
 }

 func (c *Context) IssuerFactory() IssuerFactory {
@ -105,3 +106,9 @@ type IngressShimOptions struct {
 	DefaultACMEIssuerChallengeType     string
 	DefaultACMEIssuerDNS01ProviderName string
 }
+
+type CertificateOptions struct {
+	// EnableOwnerRef controls wheter wheter the certificate is configured as an owner of
+	// secret where the effective TLS certificate is stored.
+	EnableOwnerRef bool
+}