Fix issuer CA for ClusterIssuer resources

pkg/issuer/ca/ca.go

@@ -19,25 +19,28 @@ import (
 // A secret resource is used to store a CA public and private key that is then
 // used to sign certificates.
 type CA struct {
-	issuer        v1alpha1.GenericIssuer
-	cl            kubernetes.Interface
-	cmclient      clientset.Interface
-	recorder      record.EventRecorder
-	secretsLister corelisters.SecretLister
+	issuer            v1alpha1.GenericIssuer
+	cl                kubernetes.Interface
+	cmclient          clientset.Interface
+	recorder          record.EventRecorder
+	resourceNamespace string
+	secretsLister     corelisters.SecretLister
 }
 
 func NewCA(issuer v1alpha1.GenericIssuer,
 	cl kubernetes.Interface,
 	cmclient clientset.Interface,
 	recorder record.EventRecorder,
+	resourceNamespace string,
 	secretInformer cache.SharedIndexInformer) (issuer.Interface, error) {
 	secretsLister := corelisters.NewSecretLister(secretInformer.GetIndexer())
 	return &CA{
-		issuer:        issuer,
-		cl:            cl,
-		cmclient:      cmclient,
-		recorder:      recorder,
-		secretsLister: secretsLister,
+		issuer:            issuer,
+		cl:                cl,
+		cmclient:          cmclient,
+		recorder:          recorder,
+		resourceNamespace: resourceNamespace,
+		secretsLister:     secretsLister,
 	}, nil
 }
 
@@ -60,6 +63,7 @@ func init() {
 			ctx.Client,
 			ctx.CMClient,
 			ctx.Recorder,
+			resourceNamespace,
 			ctx.SharedInformerFactory.InformerFor(
 				informerNS,
 				metav1.GroupVersionKind{Version: "v1", Kind: "Secret"},

pkg/issuer/ca/issue.go

@@ -38,7 +38,7 @@ const (
 func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) (v1alpha1.CertificateStatus, []byte, []byte, error) {
 	update := crt.DeepCopy()
 
-	signeeKey, err := kube.SecretTLSKey(c.secretsLister, c.issuer.GetObjectMeta().Namespace, crt.Spec.SecretName)
+	signeeKey, err := kube.SecretTLSKey(c.secretsLister, crt.Namespace, crt.Spec.SecretName)
 
 	if k8sErrors.IsNotFound(err) {
 		signeeKey, err = pki.GenerateRSAPrivateKey(2048)
@@ -64,13 +64,13 @@ func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) (v1alpha1.Cer
 }
 
 func (c *CA) obtainCertificate(crt *v1alpha1.Certificate, signeeKey interface{}) ([]byte, error) {
-	signerCert, err := kube.SecretTLSCert(c.secretsLister, c.issuer.GetObjectMeta().Namespace, c.issuer.GetSpec().CA.SecretRef.Name)
+	signerCert, err := kube.SecretTLSCert(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretRef.Name)
 
 	if err != nil {
 		return nil, fmt.Errorf("error getting issuer certificate: %s", err.Error())
 	}
 
-	signerKey, err := kube.SecretTLSKey(c.secretsLister, c.issuer.GetObjectMeta().Namespace, c.issuer.GetSpec().CA.SecretRef.Name)
+	signerKey, err := kube.SecretTLSKey(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretRef.Name)
 
 	if err != nil {
 		return nil, fmt.Errorf("error getting issuer private key: %s", err.Error())

pkg/issuer/ca/renew.go

@@ -21,7 +21,7 @@ const (
 func (c *CA) Renew(ctx context.Context, crt *v1alpha1.Certificate) (v1alpha1.CertificateStatus, []byte, []byte, error) {
 	update := crt.DeepCopy()
 
-	signeeKey, err := kube.SecretTLSKey(c.secretsLister, c.issuer.GetObjectMeta().Namespace, crt.Spec.SecretName)
+	signeeKey, err := kube.SecretTLSKey(c.secretsLister, crt.Namespace, crt.Spec.SecretName)
 
 	if err != nil {
 		s := messageErrorGetCertKeyPair + err.Error()

pkg/issuer/ca/setup.go

@@ -27,7 +27,7 @@ const (
 func (c *CA) Setup(ctx context.Context) (v1alpha1.IssuerStatus, error) {
 	update := c.issuer.Copy()
 
-	cert, err := kube.SecretTLSCert(c.secretsLister, update.GetObjectMeta().Namespace, update.GetSpec().CA.SecretRef.Name)
+	cert, err := kube.SecretTLSCert(c.secretsLister, c.resourceNamespace, update.GetSpec().CA.SecretRef.Name)
 
 	if k8sErrors.IsNotFound(err) {
 		s := messageErrorGetKeyPair + err.Error()