Merge pull request #1945 from JoshVanL/cr-reporter

CertificateRequest event reporter + passing issuer to Sign
2019-08-01 16:02:27 +01:00 · 2019-08-01 16:02:27 +01:00 · 8fa48c2148
commit 8fa48c2148
parent 146c4c0178 8be302dc10
13 changed files with 305 additions and 97 deletions
--- a/BUILD.bazel
+++ b/BUILD.bazel
@ -60,6 +60,7 @@ filegroup(
        "//test/acme/dns:all-srcs",
        "//test/e2e:all-srcs",
        "//test/unit/gen:all-srcs",
+        "//test/unit/listers:all-srcs",
        "//test/util:all-srcs",
        "//third_party:all-srcs",
        "//vendor:all-srcs",
--- a/pkg/controller/certificaterequests/BUILD.bazel
+++ b/pkg/controller/certificaterequests/BUILD.bazel
@ -46,6 +46,7 @@ filegroup(
        ":package-srcs",
        "//pkg/controller/certificaterequests/ca:all-srcs",
        "//pkg/controller/certificaterequests/fake:all-srcs",
+        "//pkg/controller/certificaterequests/util:all-srcs",
    ],
    tags = ["automanaged"],
    visibility = ["//visibility:public"],
--- a/pkg/controller/certificaterequests/ca/BUILD.bazel
+++ b/pkg/controller/certificaterequests/ca/BUILD.bazel
@ -10,11 +10,12 @@ go_library(
        "//pkg/apis/certmanager/v1alpha1:go_default_library",
        "//pkg/controller:go_default_library",
        "//pkg/controller/certificaterequests:go_default_library",
+        "//pkg/controller/certificaterequests/util:go_default_library",
        "//pkg/issuer:go_default_library",
        "//pkg/logs:go_default_library",
+        "//pkg/util/errors:go_default_library",
        "//pkg/util/kube:go_default_library",
        "//pkg/util/pki:go_default_library",
-        "//vendor/k8s.io/api/core/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
        "//vendor/k8s.io/client-go/listers/core/v1:go_default_library",
        "//vendor/k8s.io/client-go/tools/record:go_default_library",
@ -46,8 +47,10 @@ go_test(
        "//pkg/issuer:go_default_library",
        "//pkg/util/pki:go_default_library",
        "//test/unit/gen:go_default_library",
+        "//test/unit/listers:go_default_library",
        "//vendor/k8s.io/api/core/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/client-go/listers/core/v1:go_default_library",
    ],
 )
--- a/pkg/controller/certificaterequests/ca/ca.go
+++ b/pkg/controller/certificaterequests/ca/ca.go
@ -20,7 +20,6 @@ import (
 	"context"
 	"fmt"

-	corev1 "k8s.io/api/core/v1"
 	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
 	corelisters "k8s.io/client-go/listers/core/v1"
 	"k8s.io/client-go/tools/record"
@ -29,8 +28,10 @@ import (
 	"github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
 	controllerpkg "github.com/jetstack/cert-manager/pkg/controller"
 	"github.com/jetstack/cert-manager/pkg/controller/certificaterequests"
+	crutil "github.com/jetstack/cert-manager/pkg/controller/certificaterequests/util"
 	issuerpkg "github.com/jetstack/cert-manager/pkg/issuer"
 	logf "github.com/jetstack/cert-manager/pkg/logs"
+	cmerrors "github.com/jetstack/cert-manager/pkg/util/errors"
 	"github.com/jetstack/cert-manager/pkg/util/kube"
 	"github.com/jetstack/cert-manager/pkg/util/pki"
 )
@ -76,60 +77,55 @@ func NewCA(ctx *controllerpkg.Context) *CA {
 	}
 }

-func (c *CA) Sign(ctx context.Context, cr *v1alpha1.CertificateRequest) (*issuerpkg.IssueResponse, error) {
+func (c *CA) Sign(ctx context.Context, cr *v1alpha1.CertificateRequest, issuerObj v1alpha1.GenericIssuer) (*issuerpkg.IssueResponse, error) {
 	log := logf.FromContext(ctx, "sign")
+	reporter := crutil.NewReporter(cr, c.recorder)

-	issuer, err := c.helper.GetGenericIssuer(cr.Spec.IssuerRef, cr.Namespace)
-	if k8sErrors.IsNotFound(err) {
-		apiutil.SetCertificateRequestCondition(cr, v1alpha1.CertificateRequestConditionReady,
-			v1alpha1.ConditionFalse, v1alpha1.CertificateRequestReasonPending,
-			fmt.Sprintf("Referenced %s not found", apiutil.IssuerKind(cr.Spec.IssuerRef)))
-
-		c.recorder.Event(cr, corev1.EventTypeWarning, v1alpha1.CertificateRequestReasonPending, err.Error())
-
-		log.WithValues(
-			logf.RelatedResourceNameKey, cr.Spec.IssuerRef.Name,
-			logf.RelatedResourceKindKey, cr.Spec.IssuerRef.Kind,
-		).Error(err, "failed to find referenced issuer")
-
-		return nil, nil
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	resourceNamespace := c.issuerOptions.ResourceNamespace(issuer)
+	secretName := issuerObj.GetSpec().CA.SecretName
+	resourceNamespace := c.issuerOptions.ResourceNamespace(issuerObj)

 	// get a copy of the CA certificate named on the Issuer
-	caCerts, caKey, err := kube.SecretTLSKeyPair(ctx, c.secretsLister, resourceNamespace, issuer.GetSpec().CA.SecretName)
-	if k8sErrors.IsNotFound(err) {
-		log := logf.WithRelatedResourceName(log, issuer.GetSpec().CA.SecretName, resourceNamespace, "Secret")
-		log.Info("error getting signing CA for Issuer")
-
-		c.recorder.Event(cr, corev1.EventTypeWarning, v1alpha1.CertificateRequestReasonPending, err.Error())
-
-		return nil, nil
-	}
+	caCerts, caKey, err := kube.SecretTLSKeyPair(ctx, c.secretsLister, resourceNamespace, issuerObj.GetSpec().CA.SecretName)
 	if err != nil {
+		log := logf.WithRelatedResourceName(log, issuerObj.GetSpec().CA.SecretName, resourceNamespace, "Secret")
+
+		if k8sErrors.IsNotFound(err) {
+			message := fmt.Sprintf("Referenced secret %s/%s not found", resourceNamespace, secretName)
+
+			reporter.Pending(err, "MissingSecret", message)
+			log.Error(err, message)
+
+			return nil, nil
+		}
+
+		if cmerrors.IsInvalidData(err) {
+			message := fmt.Sprintf("Failed to parse signing CA keypair from secret %s/%s", resourceNamespace, secretName)
+
+			reporter.Pending(err, "ErrorParsingSecret", message)
+			log.Error(err, message)
+			return nil, nil
+		}
+
+		// We are probably in a network error here so we should backoff and retry
+		message := fmt.Sprintf("Failed to get certificate key pair from secret %s/%s", resourceNamespace, secretName)
+		reporter.Pending(err, "ErrorGettingSecret", message)
+		log.Error(err, message)
 		return nil, err
 	}

 	template, err := pki.GenerateTemplateFromCertificateRequest(cr)
 	if err != nil {
-		apiutil.SetCertificateRequestCondition(cr, v1alpha1.CertificateRequestConditionReady,
-			v1alpha1.ConditionFalse, v1alpha1.CertificateRequestReasonFailed,
-			fmt.Sprintf("Failed to generate certificate template: %s", err))
-
-		// TODO: add mechanism here to handle invalid input errors which should result in a permanent failure
-		log.Error(err, "error generating certificate template")
-		c.recorder.Eventf(cr, corev1.EventTypeWarning, "ErrorSigning", "Error generating certificate template: %v", err)
+		message := "Error generating certificate template"
+		reporter.Failed(err, "ErrorSigning", message)
+		log.Error(err, message)
 		return nil, nil
 	}

 	certPEM, caPEM, err := pki.SignCSRTemplate(caCerts, caKey, template)
 	if err != nil {
-		log.Error(err, "error signing certificate")
-		c.recorder.Eventf(cr, corev1.EventTypeWarning, "ErrorSigning", "Error signing certificate: %v", err)
+		message := "Error signing certificate"
+		reporter.Failed(err, "ErrorSigning", message)
+		log.Error(err, message)
 		return nil, err
 	}

--- a/pkg/controller/certificaterequests/ca/ca_test.go
+++ b/pkg/controller/certificaterequests/ca/ca_test.go
@ -26,6 +26,7 @@ import (
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"encoding/pem"
+	"errors"
 	"reflect"
 	"testing"
 	"time"
@ -33,6 +34,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	clientcorev1 "k8s.io/client-go/listers/core/v1"

 	"github.com/jetstack/cert-manager/pkg/apis/certmanager"
 	"github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
@ -40,6 +42,7 @@ import (
 	"github.com/jetstack/cert-manager/pkg/issuer"
 	"github.com/jetstack/cert-manager/pkg/util/pki"
 	"github.com/jetstack/cert-manager/test/unit/gen"
+	testlisters "github.com/jetstack/cert-manager/test/unit/listers"
 )

 func generateRSAPrivateKey(t *testing.T) *rsa.PrivateKey {
@ -166,8 +169,13 @@ func TestSign(t *testing.T) {
 	rootRSANoKeySecret := rootRSACASecret.DeepCopy()
 	rootRSANoKeySecret.Data[corev1.TLSPrivateKeyKey] = make([]byte, 0)

+	basicIssuer := gen.Issuer("ca-issuer",
+		gen.SetIssuerCA(v1alpha1.CAIssuer{SecretName: "root-ca-secret"}),
+	)
+
 	tests := map[string]testT{
 		"sign a CertificateRequest": {
+			issuer: basicIssuer,
 			certificateRequest: gen.CertificateRequest("test-cr",
 				gen.SetCertificateRequestIsCA(true),
 				gen.SetCertificateRequestCSR(caCSR),
@ -178,17 +186,14 @@ func TestSign(t *testing.T) {
 				}),
 			),
 			builder: &testpkg.Builder{
-				KubeObjects: []runtime.Object{rootRSACASecret},
-				CertManagerObjects: []runtime.Object{
-					gen.Issuer("ca-issuer",
-						gen.SetIssuerCA(v1alpha1.CAIssuer{SecretName: "root-ca-secret"}),
-					),
-				},
+				KubeObjects:        []runtime.Object{rootRSACASecret},
+				CertManagerObjects: []runtime.Object{},
 				// we are not expecting key on response
 				CheckFn: noPrivateKeyFieldsSetCheck(rsaPEMCert),
 			},
 		},
 		"fail to find CA tls key pair": {
+			issuer: basicIssuer,
 			certificateRequest: gen.CertificateRequest("test-cr",
 				gen.SetCertificateRequestIsCA(true),
 				gen.SetCertificateRequestCSR(caCSR),
@ -199,17 +204,16 @@ func TestSign(t *testing.T) {
 				}),
 			),
 			builder: &testpkg.Builder{
-				KubeObjects: []runtime.Object{},
-				CertManagerObjects: []runtime.Object{gen.Issuer("ca-issuer",
-					gen.SetIssuerCA(v1alpha1.CAIssuer{SecretName: "root-ca-secret"}),
-				)},
+				KubeObjects:        []runtime.Object{},
+				CertManagerObjects: []runtime.Object{},
 				ExpectedEvents: []string{
-					`Warning Pending secret "root-ca-secret" not found`,
+					`Normal MissingSecret Referenced secret default-unit-test-ns/root-ca-secret not found: secret "root-ca-secret" not found`,
 				},
 				CheckFn: mustNoResponse,
 			},
 		},
 		"given bad CSR should fail Certificate generation": {
+			issuer: basicIssuer,
 			certificateRequest: gen.CertificateRequest("test-cr",
 				gen.SetCertificateRequestIsCA(true),
 				gen.SetCertificateRequestCSR([]byte("bad-csr")),
@ -220,10 +224,8 @@ func TestSign(t *testing.T) {
 				}),
 			),
 			builder: &testpkg.Builder{
-				KubeObjects: []runtime.Object{rootRSACASecret},
-				CertManagerObjects: []runtime.Object{gen.Issuer("ca-issuer",
-					gen.SetIssuerCA(v1alpha1.CAIssuer{SecretName: "root-ca-secret"}),
-				)},
+				KubeObjects:        []runtime.Object{rootRSACASecret},
+				CertManagerObjects: []runtime.Object{},
 				ExpectedEvents: []string{
 					`Warning ErrorSigning Error generating certificate template: failed to decode csr from certificate request resource default-unit-test-ns/test-cr`,
 				},
@ -231,6 +233,7 @@ func TestSign(t *testing.T) {
 			},
 		},
 		"no CA certificate should fail a signing": {
+			issuer: basicIssuer,
 			certificateRequest: gen.CertificateRequest("test-cr",
 				gen.SetCertificateRequestIsCA(true),
 				gen.SetCertificateRequestCSR(caCSR),
@ -241,22 +244,17 @@ func TestSign(t *testing.T) {
 				}),
 			),
 			builder: &testpkg.Builder{
-				KubeObjects: []runtime.Object{rootRSANoCASecret},
-				CertManagerObjects: []runtime.Object{gen.Issuer("ca-issuer",
-					gen.SetIssuerCA(v1alpha1.CAIssuer{SecretName: "root-ca-secret"}),
-				)},
-				CheckFn: func(builder *testpkg.Builder, args ...interface{}) {
-					err := args[1].(error)
-					badCAError := `error decoding cert PEM block`
-					if err == nil || err.Error() != badCAError {
-						t.Errorf("unexpected error, exp='%s' got='%+v'", badCAError, err)
-					}
-					mustNoResponse(builder, args...)
+				KubeObjects:        []runtime.Object{rootRSANoCASecret},
+				CertManagerObjects: []runtime.Object{},
+				ExpectedEvents: []string{
+					`Normal ErrorParsingSecret Failed to parse signing CA keypair from secret default-unit-test-ns/root-ca-secret: error decoding cert PEM block`,
 				},
+				CheckFn: mustNoResponse,
 			},
-			expectedErr: true,
+			expectedErr: false,
 		},
 		"no CA key should fail a signing": {
+			issuer: basicIssuer,
 			certificateRequest: gen.CertificateRequest("test-cr",
 				gen.SetCertificateRequestIsCA(true),
 				gen.SetCertificateRequestCSR(caCSR),
@ -267,18 +265,41 @@ func TestSign(t *testing.T) {
 				}),
 			),
 			builder: &testpkg.Builder{
-				KubeObjects: []runtime.Object{rootRSANoKeySecret},
-				CertManagerObjects: []runtime.Object{gen.Issuer("ca-issuer",
-					gen.SetIssuerCA(v1alpha1.CAIssuer{SecretName: "root-ca-secret"}),
-				)},
-				CheckFn: func(builder *testpkg.Builder, args ...interface{}) {
-					err := args[1].(error)
-					noKeyError := "error decoding private key PEM block"
-					if err == nil || err.Error() != noKeyError {
-						builder.T.Errorf("unexpected error, exp='%s' got='%+v'", noKeyError, err)
+				KubeObjects:        []runtime.Object{rootRSANoKeySecret},
+				CertManagerObjects: []runtime.Object{},
+				ExpectedEvents: []string{
+					`Normal ErrorParsingSecret Failed to parse signing CA keypair from secret default-unit-test-ns/root-ca-secret: error decoding private key PEM block`,
+				},
+				CheckFn: mustNoResponse,
+			},
+			expectedErr: false,
+		},
+		"a CertificateRequest that transiently fails a secret lookup should backoff error to retry": {
+			issuer: basicIssuer,
+			certificateRequest: gen.CertificateRequest("test-cr",
+				gen.SetCertificateRequestIsCA(true),
+				gen.SetCertificateRequestCSR(caCSR),
+				gen.SetCertificateRequestIssuer(v1alpha1.ObjectReference{
+					Name:  "ca-issuer",
+					Group: certmanager.GroupName,
+					Kind:  "Issuer",
+				}),
+			),
+			builder: &testpkg.Builder{
+				KubeObjects:        []runtime.Object{rootRSACASecret},
+				CertManagerObjects: []runtime.Object{},
+				CheckFn:            mustNoResponse,
+				ExpectedEvents: []string{
+					`Normal ErrorGettingSecret Failed to get certificate key pair from secret default-unit-test-ns/root-ca-secret: this is a network error`,
+				},
+			},
+			fakeLister: &testlisters.FakeSecretLister{
+				SecretsFn: func(namespace string) clientcorev1.SecretNamespaceLister {
+					return &testlisters.FakeSecretNamespaceLister{
+						GetFn: func(name string) (ret *corev1.Secret, err error) {
+							return nil, errors.New("this is a network error")
+						},
 					}
-
-					mustNoResponse(builder, args...)
 				},
 			},
 			expectedErr: true,
@ -295,9 +316,11 @@ func TestSign(t *testing.T) {
 type testT struct {
 	builder            *testpkg.Builder
 	certificateRequest *v1alpha1.CertificateRequest
+	issuer             v1alpha1.GenericIssuer

-	checkFn     func(*testpkg.Builder, ...interface{})
 	expectedErr bool
+
+	fakeLister *testlisters.FakeSecretLister
 }

 func runTest(t *testing.T, test testT) {
@ -306,9 +329,14 @@ func runTest(t *testing.T, test testT) {
 	defer test.builder.Stop()

 	c := NewCA(test.builder.Context)
+
+	if test.fakeLister != nil {
+		c.secretsLister = test.fakeLister
+	}
+
 	test.builder.Sync()

-	resp, err := c.Sign(context.Background(), test.certificateRequest)
+	resp, err := c.Sign(context.Background(), test.certificateRequest, test.issuer)
 	if err != nil && !test.expectedErr {
 		t.Errorf("expected to not get an error, but got: %v", err)
 	}
--- a/pkg/controller/certificaterequests/controller.go
+++ b/pkg/controller/certificaterequests/controller.go
@ -41,7 +41,7 @@ const (
 var keyFunc = controllerpkg.KeyFunc

 type Issuer interface {
-	Sign(ctx context.Context, cr *v1alpha1.CertificateRequest) (*issuer.IssueResponse, error)
+	Sign(context.Context, *v1alpha1.CertificateRequest, v1alpha1.GenericIssuer) (*issuer.IssueResponse, error)
 }

 type Controller struct {
--- a/pkg/controller/certificaterequests/fake/fake.go
+++ b/pkg/controller/certificaterequests/fake/fake.go
@ -24,11 +24,11 @@ import (
 )

 type Issuer struct {
-	FakeSign func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error)
+	FakeSign func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error)
 }

 // Sign attempts to issue a certificate as described by the CertificateRequest
 // resource given
-func (i *Issuer) Sign(ctx context.Context, cr *cmapi.CertificateRequest) (*issuer.IssueResponse, error) {
-	return i.FakeSign(ctx, cr)
+func (i *Issuer) Sign(ctx context.Context, cr *cmapi.CertificateRequest, issuerObj cmapi.GenericIssuer) (*issuer.IssueResponse, error) {
+	return i.FakeSign(ctx, cr, issuerObj)
 }
--- a/pkg/controller/certificaterequests/sync.go
+++ b/pkg/controller/certificaterequests/sync.go
@ -130,7 +130,7 @@ func (c *Controller) Sync(ctx context.Context, cr *v1alpha1.CertificateRequest)
 	dbg.Info("invoking sign function as existing certificate does not exist")

 	// Attempt to call the Sign function on our issuer
-	resp, err := c.issuer.Sign(ctx, crCopy)
+	resp, err := c.issuer.Sign(ctx, crCopy, issuerObj)
 	if err != nil {
 		log.Error(err, "error issuing certificate request")
 		return err
--- a/pkg/controller/certificaterequests/sync_test.go
+++ b/pkg/controller/certificaterequests/sync_test.go
@ -242,7 +242,7 @@ func TestSync(t *testing.T) {
 				}),
 			),
 			issuerImpl: &fake.Issuer{
-				FakeSign: func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) {
+				FakeSign: func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) {
 					// By not returning a response, we trigger a 'no-op' action which
 					// causes the certificate request controller to update the status of
 					// the CertificateRequest with !Ready - CertPending.
@ -267,7 +267,7 @@ func TestSync(t *testing.T) {
 		"should update the status with a freshly signed certificate only when one doesn't exist and group ref=''": {
 			certificateRequest: exampleCR,
 			issuerImpl: &fake.Issuer{
-				FakeSign: func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) {
+				FakeSign: func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) {
 					return &issuer.IssueResponse{
 						Certificate: certPEM,
 					}, nil
@ -295,7 +295,7 @@ func TestSync(t *testing.T) {
 		"should update the status with a freshly signed certificate only when one doesn't exist and issuer group ref='certmanager.k8s.io'": {
 			certificateRequest: exampleCRCorrectIssuerRefGroup,
 			issuerImpl: &fake.Issuer{
-				FakeSign: func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) {
+				FakeSign: func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) {
 					return &issuer.IssueResponse{
 						Certificate: certPEM,
 					}, nil
@ -324,7 +324,7 @@ func TestSync(t *testing.T) {
 		"should exit sync nil if issuerRef group does not match certmanager.k8s.io": {
 			certificateRequest: exampleCRWrongIssuerRefGroup,
 			issuerImpl: &fake.Issuer{
-				FakeSign: func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) {
+				FakeSign: func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) {
 					return nil, errors.New("unexpected sign call")
 				},
 			},
@ -344,7 +344,7 @@ func TestSync(t *testing.T) {
 		"should not update certificate request if certificate exists, even if out of date": {
 			certificateRequest: exampleSignedExpiredCR,
 			issuerImpl: &fake.Issuer{
-				FakeSign: func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) {
+				FakeSign: func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) {
 					return nil, errors.New("unexpected sign call")
 				},
 			},
@ -364,7 +364,7 @@ func TestSync(t *testing.T) {
 		"fail if bytes contains no certificate but len > 0": {
 			certificateRequest: exampleGarbageCertCR,
 			issuerImpl: &fake.Issuer{
-				FakeSign: func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) {
+				FakeSign: func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) {
 					return nil, errors.New("unexpected sign call")
 				},
 			},
@ -390,7 +390,7 @@ func TestSync(t *testing.T) {
 		"return nil if generic issuer doesn't exist, will sync when on ready": {
 			certificateRequest: exampleCR,
 			issuerImpl: &fake.Issuer{
-				FakeSign: func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) {
+				FakeSign: func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) {
 					return nil, errors.New("unexpected sign call")
 				},
 			},
@ -409,7 +409,7 @@ func TestSync(t *testing.T) {
 		"exit nil if we cannot determine the issuer type (probably not meant for us)": {
 			certificateRequest: exampleCR,
 			issuerImpl: &fake.Issuer{
-				FakeSign: func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) {
+				FakeSign: func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) {
 					return nil, errors.New("unexpected sign call")
 				},
 			},
@ -436,7 +436,7 @@ func TestSync(t *testing.T) {
 		"exit nil if the issuer type is not meant for us": {
 			certificateRequest: exampleCRWrongIssuerRefType,
 			issuerImpl: &fake.Issuer{
-				FakeSign: func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) {
+				FakeSign: func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) {
 					return nil, errors.New("unexpected sign call")
 				},
 			},
@ -456,7 +456,7 @@ func TestSync(t *testing.T) {
 		"exit if we fail validation during a sync": {
 			certificateRequest: exampleEmptyCSRCR,
 			issuerImpl: &fake.Issuer{
-				FakeSign: func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) {
+				FakeSign: func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) {
 					return nil, errors.New("unexpected sign call")
 				},
 			},
@ -483,7 +483,7 @@ func TestSync(t *testing.T) {
 		"should exit sync nil if condition is failed": {
 			certificateRequest: exampleFailedCR,
 			issuerImpl: &fake.Issuer{
-				FakeSign: func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) {
+				FakeSign: func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) {
 					return nil, errors.New("unexpected sign call")
 				},
 			},
--- a/pkg/controller/certificaterequests/util/BUILD.bazel
+++ b/pkg/controller/certificaterequests/util/BUILD.bazel
@ -0,0 +1,28 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["reporter.go"],
+    importpath = "github.com/jetstack/cert-manager/pkg/controller/certificaterequests/util",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//pkg/api/util:go_default_library",
+        "//pkg/apis/certmanager/v1alpha1:go_default_library",
+        "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//vendor/k8s.io/client-go/tools/record:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)
--- a/pkg/controller/certificaterequests/util/reporter.go
+++ b/pkg/controller/certificaterequests/util/reporter.go
@ -0,0 +1,49 @@
+/*
+Copyright 2019 The Jetstack cert-manager contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/client-go/tools/record"
+
+	apiutil "github.com/jetstack/cert-manager/pkg/api/util"
+	"github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
+)
+
+type Reporter struct {
+	cr       *v1alpha1.CertificateRequest
+	recorder record.EventRecorder
+}
+
+func NewReporter(cr *v1alpha1.CertificateRequest, recorder record.EventRecorder) *Reporter {
+	return &Reporter{
+		cr:       cr,
+		recorder: recorder,
+	}
+}
+
+func (r *Reporter) Failed(err error, reason, message string) {
+	r.recorder.Event(r.cr, corev1.EventTypeWarning, reason, fmt.Sprintf("%s: %v", message, err))
+	apiutil.SetCertificateRequestCondition(r.cr, v1alpha1.CertificateRequestReasonFailed, v1alpha1.ConditionFalse, reason, message)
+}
+
+func (r *Reporter) Pending(err error, reason, message string) {
+	r.recorder.Event(r.cr, corev1.EventTypeNormal, reason, fmt.Sprintf("%s: %v", message, err))
+	apiutil.SetCertificateRequestCondition(r.cr, v1alpha1.CertificateRequestReasonPending, v1alpha1.ConditionFalse, reason, message)
+}
--- a/test/unit/listers/BUILD.bazel
+++ b/test/unit/listers/BUILD.bazel
@ -0,0 +1,27 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["secret.go"],
+    importpath = "github.com/jetstack/cert-manager/test/unit/listers",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
+        "//vendor/k8s.io/client-go/listers/core/v1:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)
--- a/test/unit/listers/secret.go
+++ b/test/unit/listers/secret.go
@ -0,0 +1,75 @@
+/*
+Copyright 2019 The Jetstack cert-manager contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package lister
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	clientcorev1 "k8s.io/client-go/listers/core/v1"
+)
+
+var _ clientcorev1.SecretLister = &FakeSecretLister{}
+var _ clientcorev1.SecretNamespaceLister = &FakeSecretNamespaceLister{}
+
+type FakeSecretLister struct {
+	ListFn    func(selector labels.Selector) (ret []*corev1.Secret, err error)
+	SecretsFn func(namespace string) clientcorev1.SecretNamespaceLister
+}
+
+type FakeSecretNamespaceLister struct {
+	ListFn func(selector labels.Selector) (ret []*corev1.Secret, err error)
+	GetFn  func(name string) (ret *corev1.Secret, err error)
+}
+
+func NewFakeSecretLister() *FakeSecretLister {
+	return &FakeSecretLister{
+		ListFn: func(selector labels.Selector) (ret []*corev1.Secret, err error) {
+			return nil, nil
+		},
+
+		SecretsFn: func(namespace string) clientcorev1.SecretNamespaceLister {
+			return nil
+		},
+	}
+}
+
+func NewFakeSecretNamespaceLister() *FakeSecretNamespaceLister {
+	return &FakeSecretNamespaceLister{
+		ListFn: func(selector labels.Selector) (ret []*corev1.Secret, err error) {
+			return nil, nil
+		},
+		GetFn: func(name string) (ret *corev1.Secret, err error) {
+			return nil, nil
+		},
+	}
+}
+
+func (f *FakeSecretLister) List(selector labels.Selector) (ret []*corev1.Secret, err error) {
+	return f.ListFn(selector)
+}
+
+func (f *FakeSecretLister) Secrets(namespace string) clientcorev1.SecretNamespaceLister {
+	return f.SecretsFn(namespace)
+}
+
+func (f *FakeSecretNamespaceLister) List(selector labels.Selector) (ret []*corev1.Secret, err error) {
+	return f.ListFn(selector)
+}
+
+func (f *FakeSecretNamespaceLister) Get(name string) (*corev1.Secret, error) {
+	return f.GetFn(name)
+}