From 818df603f53a60fe1ab9f7cbcfbe8fed53818dd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?=
Date: Tue, 27 Feb 2024 12:24:57 +0100
Subject: [PATCH] Allow `cert-manager.io/allow-direct-injection` in annotations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jan-Otto Kröpke
---
 internal/apis/certmanager/validation/certificate.go | 2 +-
 internal/apis/certmanager/validation/certificate_test.go | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/internal/apis/certmanager/validation/certificate.go b/internal/apis/certmanager/validation/certificate.go
index 2090885b4..c79eeca7c 100644
--- a/internal/apis/certmanager/validation/certificate.go
+++ b/internal/apis/certmanager/validation/certificate.go
@@ -282,7 +282,7 @@ func validateSecretTemplateAnnotations(crt *internalcmapi.CertificateSpec, fldPa
 secretTemplateAnnotationsPath := fldPath.Child("secretTemplate", "annotations")
 for a := range crt.SecretTemplate.Annotations {
- if strings.HasPrefix(a, "cert-manager.io/") {
+ if strings.HasPrefix(a, "cert-manager.io/") && a != "cert-manager.io/allow-direct-injection" {
 el = append(el, field.Invalid(secretTemplateAnnotationsPath, a, "cert-manager.io/* annotations are not allowed"))
 }
 }
diff --git a/internal/apis/certmanager/validation/certificate_test.go b/internal/apis/certmanager/validation/certificate_test.go
index cb2927032..4f40648da 100644
--- a/internal/apis/certmanager/validation/certificate_test.go
+++ b/internal/apis/certmanager/validation/certificate_test.go
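Review bot: The exemption added to the `strings.HasPrefix` check in `validateSecretTemplateAnnotations` is an inline string literal with no comment explaining why this one reserved key may be set by Certificate authors, and the rejection message still reads `cert-manager.io/* annotations are not allowed`, which is no longer accurate. As I understand it this annotation is the opt-in that cainjector checks before injecting CA data from a Secret, so after this change anyone who can create or update a Certificate can set that opt-in on the issued Secret; that delegation deserves a comment, e.g. `// allow-direct-injection is a user-facing opt-in; all other cert-manager.io/* keys stay controller-owned`. I would also move the key into a named constant or a small allow-list so later exceptions are reviewed in one place, keeping the comparison an exact match as it is here. The function starts above the hunk, so I have not checked its earlier lines.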
@@ -635,9 +635,10 @@ func TestValidateCertificate(t *testing.T) {
 SecretName: "abc",
 SecretTemplate: &internalcmapi.CertificateSecretTemplate{
 Annotations: map[string]string{
- "app.com/valid": "valid",
- "cert-manager.io/alt-names": "example.com",
- "cert-manager.io/certificate-name": "selfsigned-cert",
+ "app.com/valid": "valid",
+ "cert-manager.io/alt-names": "example.com",
+ "cert-manager.io/certificate-name": "selfsigned-cert",
+ "cert-manager.io/allow-direct-injection": "true",
 },
 },
 IssuerRef: cmmeta.ObjectReference{
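Review bot: Acceptance of `cert-manager.io/allow-direct-injection` is only asserted indirectly here, because the key is added to an existing case that also carries two rejected `cert-manager.io/` keys; the expected-error list is outside the hunk, so I am inferring that it is unchanged. A dedicated case whose only reserved-prefix annotation is the allowed key, expecting no errors, would pin the exemption directly. A second case with a near-miss key such as `cert-manager.io/allow-direct-injection-extra` (constructed example), expecting rejection, would guard the exact-match comparison against a later switch to prefix matching.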