diff --git a/cmd/controller/app/controller.go b/cmd/controller/app/controller.go
index 932c1fed6..a8282c394 100644
--- a/cmd/controller/app/controller.go
+++ b/cmd/controller/app/controller.go
@@ -184,6 +184,9 @@ func buildControllerContext(opts *options.ControllerOptions) (*controller.Contex
 DefaultACMEIssuerChallengeType: opts.DefaultACMEIssuerChallengeType,
 DefaultACMEIssuerDNS01ProviderName: opts.DefaultACMEIssuerDNS01ProviderName,
 },
+ CertifcateOptions: controller.CertificateOptions{
+ EnableOwnerRef: opts.EnableCertificateOwnerRef,
+ },
 }, kubeCfg, nil
 }
diff --git a/cmd/controller/app/options/options.go b/cmd/controller/app/options/options.go
index 3246d3f36..d2810d877 100644
--- a/cmd/controller/app/options/options.go
+++ b/cmd/controller/app/options/options.go
@@ -63,6 +63,8 @@ type ControllerOptions struct {
 // DNS01Nameservers allows specifying a list of custom nameservers to perform DNS checks
 DNS01Nameservers []string
+
+ EnableCertificateOwnerRef bool
 }
 const (
@@ -83,6 +85,7 @@ const (
 defaultTLSACMEIssuerKind = "Issuer"
 defaultACMEIssuerChallengeType = "http01"
 defaultACMEIssuerDNS01ProviderName = ""
+ defaultEnableCertificateOwnerRef = true
 )
 var (
@@ -120,6 +123,7 @@ func NewControllerOptions() *ControllerOptions {
 DefaultACMEIssuerChallengeType: defaultACMEIssuerChallengeType,
 DefaultACMEIssuerDNS01ProviderName: defaultACMEIssuerDNS01ProviderName,
 DNS01Nameservers: []string{},
+ EnableCertificateOwnerRef: defaultEnableCertificateOwnerRef,
 }
 }
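Review bot: The struct-literal key `CertifcateOptions` in the controller.go hunk is misspelled; the embedded field added to `Context` in this same patch is `CertificateOptions`, so this key resolves to no field and the package will not compile unless `Context` also carries a field with that exact spelling, which nothing in the diff shows. The line should read `CertificateOptions: controller.CertificateOptions{`. buildControllerContext begins before the hunk, so its other return paths are not visible here.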
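Review bot: The new `EnableCertificateOwnerRef bool` field in the ControllerOptions hunk has no doc comment, although the neighbouring `DNS01Nameservers` field documents itself and this option changes what gets deleted. Add `// EnableCertificateOwnerRef sets the Certificate as an owner of the Secret it is issued into, so the Secret (and the private key in it) is removed when the Certificate is deleted.` above the field so the consequence is visible to anyone wiring the option. The struct definition starts before the hunk.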
@@ -193,6 +197,9 @@ func (s *ControllerOptions) AddFlags(fs *pflag.FlagSet) {
 fs.StringSliceVar(&s.DNS01Nameservers, "dns01-self-check-nameservers", []string{}, ""+
 "A list of comma seperated DNS server endpoints used for DNS01 check requests. "+
 "This should be a list containing IP address and port, for example: 8.8.8.8:53,8.8.4.4:53")
+ fs.BoolVar(&s.EnableCertificateOwnerRef, "enable-certificate-owner-ref", defaultEnableCertificateOwnerRef, ""+
+ "Whether to set the certificate resource as an owner of secret where the tls certificate is stored. "+
+ "When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted.")
 }
 func (o *ControllerOptions) Validate() error {
diff --git a/pkg/controller/certificates/sync.go b/pkg/controller/certificates/sync.go
index bfb943be9..49db2c9d1 100644
--- a/pkg/controller/certificates/sync.go
+++ b/pkg/controller/certificates/sync.go
@@ -301,7 +301,10 @@ func (c *Controller) updateSecret(crt *v1alpha1.Certificate, namespace string, c
 // if it is a new resource
 if secret.SelfLink == "" {
 secret, err = c.Client.CoreV1().Secrets(namespace).Create(secret)
- secret.SetOwnerReferences(append(secret.GetOwnerReferences(), ownerRef(crt)))
+ enableOwner := c.CertificateOptions.EnableOwnerRef
+ if enableOwner {
+ secret.SetOwnerReferences(append(secret.GetOwnerReferences(), ownerRef(crt)))
+ }
 } else {
 secret, err = c.Client.CoreV1().Secrets(namespace).Update(secret)
 }
diff --git a/pkg/controller/context.go b/pkg/controller/context.go
index ee486ce1e..6048cf306 100644
--- a/pkg/controller/context.go
+++ b/pkg/controller/context.go
@@ -50,6 +50,7 @@ type Context struct {
 IssuerOptions
 ACMEOptions
 IngressShimOptions
+ CertificateOptions
 }
 func (c *Context) IssuerFactory() IssuerFactory {
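Review bot: The help text for `--enable-certificate-owner-ref` promises that the Secret "will be automatically removed when the certificate resource is deleted", but the sync.go hunk in this same patch only attaches the owner reference in the new-resource branch (`secret.SelfLink == ""`), so a Secret that already existed when the Certificate was first reconciled is not adopted and will not be removed. The help should say so, and "owner of secret" reads better as "owner of the Secret": `"Whether to set the Certificate resource as an owner of the Secret where the TLS certificate is stored. "+` / `"When enabled, a Secret created by the controller is removed when the Certificate is deleted; a Secret that already existed is not adopted."`. Validate() begins at the end of the hunk and is not reviewable here.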
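Review bot: In the sync.go hunk the owner reference is set on the object returned by `Create`, i.e. after the Secret has already been persisted, so unless updateSecret writes the object again further down (the function continues past the hunk) the reference is never stored and the deletion behaviour the new flag advertises does not happen; the guard also runs before `err` is examined, so a failed `Create` leaves `secret` nil and `secret.GetOwnerReferences()` panics. Both problems predate the patch — the removed line had the same ordering — but the flag turns this path into the documented feature, so it should be fixed here: move `if c.CertificateOptions.EnableOwnerRef { secret.SetOwnerReferences(append(secret.GetOwnerReferences(), ownerRef(crt))) }` to immediately before `secret, err = c.Client.CoreV1().Secrets(namespace).Create(secret)`, and do not touch the returned object until `err` has been checked. Note for the threat model that with the default of `true` deleting a Certificate now also deletes the Secret holding its private key, which is the intended contract, and that `ownerRef(crt)` is only meaningful if `namespace` is the Certificate's own namespace — the hunk does not show whether the two are guaranteed equal.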
@@ -105,3 +106,9 @@ type IngressShimOptions struct {
 DefaultACMEIssuerChallengeType string
 DefaultACMEIssuerDNS01ProviderName string
 }
+
+type CertificateOptions struct {
+ // EnableOwnerRef controls wheter wheter the certificate is configured as an owner of
+ // secret where the effective TLS certificate is stored.
+ EnableOwnerRef bool
+}
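Review bot: The doc comment on `EnableOwnerRef` contains a doubled typo ("wheter wheter") and omits the one fact a reader needs, namely that the owner reference causes the Secret to be deleted together with the Certificate. Replace the two comment lines with `// EnableOwnerRef controls whether the Certificate is set as an owner of the Secret` / `// holding the issued TLS certificate, so that the Secret is removed when the Certificate is deleted.`. The exported `CertificateOptions` type itself should also carry a one-line comment starting with its name, matching the other option structs in this file.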