From 7fffd67c8653a47a5d309a0cd9f8f4ffe2d03b8f Mon Sep 17 00:00:00 2001
From: James Munnelly
Date: Fri, 22 Sep 2017 02:40:03 +0100
Subject: [PATCH] Fix issuer CA for ClusterIssuer resources

---
 pkg/issuer/ca/ca.go    | 24 ++++++++++++++----------
 pkg/issuer/ca/issue.go |  6 +++---
 pkg/issuer/ca/renew.go |  2 +-
 pkg/issuer/ca/setup.go |  2 +-
 4 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/pkg/issuer/ca/ca.go b/pkg/issuer/ca/ca.go
index a9e9f1c16..ad331ef69 100644
--- a/pkg/issuer/ca/ca.go
+++ b/pkg/issuer/ca/ca.go
@@ -19,25 +19,28 @@ import (
 // A secret resource is used to store a CA public and private key that is then
 // used to sign certificates.
 type CA struct {
-	issuer        v1alpha1.GenericIssuer
-	cl            kubernetes.Interface
-	cmclient      clientset.Interface
-	recorder      record.EventRecorder
-	secretsLister corelisters.SecretLister
+	issuer            v1alpha1.GenericIssuer
+	cl                kubernetes.Interface
+	cmclient          clientset.Interface
+	recorder          record.EventRecorder
+	resourceNamespace string
+	secretsLister     corelisters.SecretLister
 }
 
 func NewCA(issuer v1alpha1.GenericIssuer,
 	cl kubernetes.Interface,
 	cmclient clientset.Interface,
 	recorder record.EventRecorder,
+	resourceNamespace string,
 	secretInformer cache.SharedIndexInformer) (issuer.Interface, error) {
 	secretsLister := corelisters.NewSecretLister(secretInformer.GetIndexer())
 	return &CA{
-		issuer:        issuer,
-		cl:            cl,
-		cmclient:      cmclient,
-		recorder:      recorder,
-		secretsLister: secretsLister,
+		issuer:            issuer,
+		cl:                cl,
+		cmclient:          cmclient,
+		recorder:          recorder,
+		resourceNamespace: resourceNamespace,
+		secretsLister:     secretsLister,
 	}, nil
 }
 
@@ -60,6 +63,7 @@ func init() {
 		ctx.Client,
 		ctx.CMClient,
 		ctx.Recorder,
+		resourceNamespace,
 		ctx.SharedInformerFactory.InformerFor(
 			informerNS,
 			metav1.GroupVersionKind{Version: "v1", Kind: "Secret"},
diff --git a/pkg/issuer/ca/issue.go b/pkg/issuer/ca/issue.go
index 2355b51a9..bed2cfdb4 100644
--- a/pkg/issuer/ca/issue.go
+++ b/pkg/issuer/ca/issue.go
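Review bot: `resourceNamespace` is added to the struct and to the exported `NewCA` signature with no doc comment and no non-empty check, although after this patch it alone decides which namespace the issuer's CA keypair is read from (see the `kube.SecretTLSCert`/`kube.SecretTLSKey` calls in issue.go and setup.go). Since `NewCA` has no doc comment at all, I would state the contract there: `// NewCA returns a CA issuer. resourceNamespace is the namespace the issuer's CA secret (spec.ca.secretRef) is read from; it is never derived from a Certificate's namespace.` — whether it is the Issuer's own namespace or a cluster-wide resource namespace for a ClusterIssuer is decided in init(), outside this hunk. An empty value would, as far as I can tell, only surface later as a not-found on the CA secret with no hint about the cause, so rejecting it up front, `if resourceNamespace == "" { return nil, fmt.Errorf("resource namespace must not be empty") }`, moves the misconfiguration to construction time (ca.go's import block is outside the hunk, so `fmt` may need adding).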
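Review bot: In the init() hunk the lister handed to `NewCA` is built from an informer scoped to `informerNS`, while lookups through that lister now target `resourceNamespace` (the CA secret) and, in issue.go, `crt.Namespace` (the signee key); both `informerNS` and `resourceNamespace` are computed outside the hunk, so nothing visible ties them together. If `informerNS` is ever narrower than either of those namespaces the lister simply reports not-found for a secret that does exist, which is a confusing failure to debug. A one-line comment at the new `resourceNamespace,` argument would record the invariant: `// resourceNamespace (and any Certificate namespace served) must lie within informerNS, or the lister never sees the secret.`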
@@ -38,7 +38,7 @@ const (
 func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) (v1alpha1.CertificateStatus, []byte, []byte, error) {
 	update := crt.DeepCopy()
 
-	signeeKey, err := kube.SecretTLSKey(c.secretsLister, c.issuer.GetObjectMeta().Namespace, crt.Spec.SecretName)
+	signeeKey, err := kube.SecretTLSKey(c.secretsLister, crt.Namespace, crt.Spec.SecretName)
 
 	if k8sErrors.IsNotFound(err) {
 		signeeKey, err = pki.GenerateRSAPrivateKey(2048)
@@ -64,13 +64,13 @@ func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) (v1alpha1.Cer
 }
 
 func (c *CA) obtainCertificate(crt *v1alpha1.Certificate, signeeKey interface{}) ([]byte, error) {
-	signerCert, err := kube.SecretTLSCert(c.secretsLister, c.issuer.GetObjectMeta().Namespace, c.issuer.GetSpec().CA.SecretRef.Name)
+	signerCert, err := kube.SecretTLSCert(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretRef.Name)
 
 	if err != nil {
 		return nil, fmt.Errorf("error getting issuer certificate: %s", err.Error())
 	}
 
-	signerKey, err := kube.SecretTLSKey(c.secretsLister, c.issuer.GetObjectMeta().Namespace, c.issuer.GetSpec().CA.SecretRef.Name)
+	signerKey, err := kube.SecretTLSKey(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretRef.Name)
 
 	if err != nil {
 		return nil, fmt.Errorf("error getting issuer private key: %s", err.Error())
diff --git a/pkg/issuer/ca/renew.go b/pkg/issuer/ca/renew.go
index 8a1b6315d..333ccabe5 100644
--- a/pkg/issuer/ca/renew.go
+++ b/pkg/issuer/ca/renew.go
@@ -21,7 +21,7 @@ const (
 func (c *CA) Renew(ctx context.Context, crt *v1alpha1.Certificate) (v1alpha1.CertificateStatus, []byte, []byte, error) {
 	update := crt.DeepCopy()
 
-	signeeKey, err := kube.SecretTLSKey(c.secretsLister, c.issuer.GetObjectMeta().Namespace, crt.Spec.SecretName)
+	signeeKey, err := kube.SecretTLSKey(c.secretsLister, crt.Namespace, crt.Spec.SecretName)
 
 	if err != nil {
 		s := messageErrorGetCertKeyPair + err.Error()
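Review bot: The signee key in `Issue` is now looked up in `crt.Namespace` while the CA keypair a few lines further down (the second hunk) is looked up in `c.resourceNamespace`; the two namespaces are deliberately different, and nothing at the changed line says so, which invites a later "cleanup" that folds them back into one. Folding them would mean the namespace that owns a Certificate also supplies the signing key, so I would pin the split with a comment above the lookup: `// The signee key lives next to the Certificate; the signing CA is read from c.resourceNamespace, never from crt.Namespace.` The identical change in renew.go's `Renew` deserves the same comment. Both function bodies continue past their hunks.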
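Review bot: In `obtainCertificate` the CA certificate and the CA private key are fetched by two separate lister reads of the same secret (`kube.SecretTLSCert` then `kube.SecretTLSKey` with identical namespace and name); if the secret is rotated between the two reads the function can pair a certificate from one version with a key from another and sign with a mismatched key. Reading the secret once and parsing both fields from that single object removes the window; failing that, comparing the loaded key's public half with `signerCert.PublicKey` before signing (assuming `SecretTLSCert` yields an `*x509.Certificate` and the key implements `crypto.Signer`) would at least turn the mismatch into a clear error instead of a certificate that fails to verify. The tail of the function is outside the hunk.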
diff --git a/pkg/issuer/ca/setup.go b/pkg/issuer/ca/setup.go
index 94bb1ac23..b60ec015b 100644
--- a/pkg/issuer/ca/setup.go
+++ b/pkg/issuer/ca/setup.go
@@ -27,7 +27,7 @@ const (
 func (c *CA) Setup(ctx context.Context) (v1alpha1.IssuerStatus, error) {
 	update := c.issuer.Copy()
 
-	cert, err := kube.SecretTLSCert(c.secretsLister, update.GetObjectMeta().Namespace, update.GetSpec().CA.SecretRef.Name)
+	cert, err := kube.SecretTLSCert(c.secretsLister, c.resourceNamespace, update.GetSpec().CA.SecretRef.Name)
 
 	if k8sErrors.IsNotFound(err) {
 		s := messageErrorGetKeyPair + err.Error()
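Review bot: `Setup` validates the issuer by loading only the CA certificate via `kube.SecretTLSCert`; the private key that `Issue` will later need is not read here, and nothing in the hunk checks that the loaded certificate is actually a CA (assuming `SecretTLSCert` yields an `*x509.Certificate`, that would be `cert.IsCA` and `cert.KeyUsage&x509.KeyUsageCertSign != 0`). If the rest of `Setup`, which lies outside the hunk, does not cover these, an issuer whose secret holds a leaf certificate or lacks a usable key is reported ready and only fails at the first issuance, where the error is attributed to a Certificate rather than to the issuer. Loading the key with `kube.SecretTLSKey` alongside the certificate and rejecting a non-CA certificate with `if !cert.IsCA { return update.Status, fmt.Errorf("issuer certificate is not a CA") }` (adjust the return to match the function's existing error paths) keeps the failure at setup time. The function body continues past the hunk.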