diff --git a/deploy/charts/cert-manager/crds/clusterissuers.yaml b/deploy/charts/cert-manager/crds/clusterissuers.yaml index de897a606..0c4343d55 100644 --- a/deploy/charts/cert-manager/crds/clusterissuers.yaml +++ b/deploy/charts/cert-manager/crds/clusterissuers.yaml @@ -1525,6 +1525,14 @@ spec: required: - secretName properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + type: array + items: + type: string secretName: description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. @@ -1533,6 +1541,10 @@ spec: type: object properties: crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. type: array items: type: string diff --git a/deploy/charts/cert-manager/crds/issuers.yaml b/deploy/charts/cert-manager/crds/issuers.yaml index 50d62d2ba..b48502b69 100644 --- a/deploy/charts/cert-manager/crds/issuers.yaml +++ b/deploy/charts/cert-manager/crds/issuers.yaml @@ -1525,6 +1525,14 @@ spec: required: - secretName properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + type: array + items: + type: string secretName: description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. 
@@ -1533,6 +1541,10 @@ spec: type: object properties: crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. type: array items: type: string diff --git a/deploy/manifests/00-crds.yaml b/deploy/manifests/00-crds.yaml index 3dba08045..9f4432384 100644 --- a/deploy/manifests/00-crds.yaml +++ b/deploy/manifests/00-crds.yaml @@ -3675,6 +3675,14 @@ spec: required: - secretName properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + type: array + items: + type: string secretName: description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. @@ -3683,6 +3691,10 @@ spec: type: object properties: crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. type: array items: type: string @@ -5434,6 +5446,14 @@ spec: required: - secretName properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + type: array + items: + type: string secretName: description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. 
@@ -5442,6 +5462,10 @@ spec: type: object properties: crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. type: array items: type: string diff --git a/pkg/apis/certmanager/v1alpha2/types_issuer.go b/pkg/apis/certmanager/v1alpha2/types_issuer.go index 8fd58c7e6..4b78fd2b6 100644 --- a/pkg/apis/certmanager/v1alpha2/types_issuer.go +++ b/pkg/apis/certmanager/v1alpha2/types_issuer.go @@ -148,6 +148,10 @@ type VenafiCloud struct { } type SelfSignedIssuer struct { + // The CRL distribution points is an X.509 v3 certificate extension which identifies + // the location of the CRL from which the revocation of this certificate can be checked. + // If not set certificate will be issued without CDP. Values are strings. + // +optional CRLDistributionPoints []string `json:"crlDistributionPoints,omitempty"` } @@ -220,6 +224,12 @@ type CAIssuer struct { // SecretName is the name of the secret used to sign Certificates issued // by this Issuer. SecretName string `json:"secretName"` + + // The CRL distribution points is an X.509 v3 certificate extension which identifies + // the location of the CRL from which the revocation of this certificate can be checked. + // If not set certificate will be issued without CDP. Values are strings. + // +optional + CRLDistributionPoints []string `json:"crlDistributionPoints,omitempty"` } // IssuerStatus contains status information about an Issuer diff --git a/pkg/apis/certmanager/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/certmanager/v1alpha2/zz_generated.deepcopy.go index 80ad41dcb..3e0d15e6d 100644 --- a/pkg/apis/certmanager/v1alpha2/zz_generated.deepcopy.go +++ b/pkg/apis/certmanager/v1alpha2/zz_generated.deepcopy.go 
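Review bot: The doc comment added to `CRLDistributionPoints` on `CAIssuer` (and to the existing field on `SelfSignedIssuer`) does not start with the field name and describes the extension in the abstract rather than the field's contract, and the same text is repeated in the v1alpha3 and internal `types_issuer.go` hunks as well as in the generated CRD descriptions. It also leaves out the point an operator needs most: nothing in this change publishes a CRL at the listed locations, so the URIs are only embedded in issued certificates and a CRL must be served there by the operator, otherwise relying parties that enforce revocation checking will fail. The sentence `If not set certificate will be issued without CDP. Values are strings.` also needs a comma and an article, and "Values are strings" adds nothing the type does not already say. Suggest replacing the block in all three files with `// CRLDistributionPoints is a list of URIs placed in the X.509 v3 CRL Distribution Points extension of every certificate issued by this Issuer. cert-manager does not publish a CRL at these URIs; the operator must serve one there. If empty, certificates are issued without the extension.`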
@@ -30,6 +30,11 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CAIssuer) DeepCopyInto(out *CAIssuer) {
 	*out = *in
+	if in.CRLDistributionPoints != nil {
+		in, out := &in.CRLDistributionPoints, &out.CRLDistributionPoints
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 
@@ -482,7 +487,7 @@ func (in *IssuerConfig) DeepCopyInto(out *IssuerConfig) {
 	if in.CA != nil {
 		in, out := &in.CA, &out.CA
 		*out = new(CAIssuer)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	if in.Vault != nil {
 		in, out := &in.Vault, &out.Vault
diff --git a/pkg/apis/certmanager/v1alpha3/types_issuer.go b/pkg/apis/certmanager/v1alpha3/types_issuer.go
index 2bb8cf3a2..d730c7b48 100644
--- a/pkg/apis/certmanager/v1alpha3/types_issuer.go
+++ b/pkg/apis/certmanager/v1alpha3/types_issuer.go
@@ -148,6 +148,10 @@ type VenafiCloud struct {
 }
 
 type SelfSignedIssuer struct {
+	// The CRL distribution points is an X.509 v3 certificate extension which identifies
+	// the location of the CRL from which the revocation of this certificate can be checked.
+	// If not set certificate will be issued without CDP. Values are strings.
+	// +optional
 	CRLDistributionPoints []string `json:"crlDistributionPoints,omitempty"`
 }
 
@@ -220,6 +224,12 @@ type CAIssuer struct {
 	// SecretName is the name of the secret used to sign Certificates issued
 	// by this Issuer.
 	SecretName string `json:"secretName"`
+
+	// The CRL distribution points is an X.509 v3 certificate extension which identifies
+	// the location of the CRL from which the revocation of this certificate can be checked.
+	// If not set certificate will be issued without CDP. Values are strings.
+	// +optional
+	CRLDistributionPoints []string `json:"crlDistributionPoints,omitempty"`
 }
 
 // IssuerStatus contains status information about an Issuer
diff --git a/pkg/apis/certmanager/v1alpha3/zz_generated.deepcopy.go b/pkg/apis/certmanager/v1alpha3/zz_generated.deepcopy.go
index 89667a7fd..d4764cf22 100644
--- a/pkg/apis/certmanager/v1alpha3/zz_generated.deepcopy.go
+++ b/pkg/apis/certmanager/v1alpha3/zz_generated.deepcopy.go
@@ -30,6 +30,11 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CAIssuer) DeepCopyInto(out *CAIssuer) {
 	*out = *in
+	if in.CRLDistributionPoints != nil {
+		in, out := &in.CRLDistributionPoints, &out.CRLDistributionPoints
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 
@@ -477,7 +482,7 @@ func (in *IssuerConfig) DeepCopyInto(out *IssuerConfig) {
 	if in.CA != nil {
 		in, out := &in.CA, &out.CA
 		*out = new(CAIssuer)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	if in.Vault != nil {
 		in, out := &in.Vault, &out.Vault
diff --git a/pkg/controller/certificaterequests/ca/ca.go b/pkg/controller/certificaterequests/ca/ca.go
index 6be376bcf..a349d4210 100644
--- a/pkg/controller/certificaterequests/ca/ca.go
+++ b/pkg/controller/certificaterequests/ca/ca.go
@@ -111,6 +111,8 @@ func (c *CA) Sign(ctx context.Context, cr *cmapi.CertificateRequest, issuerObj c
 		return nil, nil
 	}
 
+	template.CRLDistributionPoints = issuerObj.GetSpec().CA.CRLDistributionPoints
+
 	certPEM, caPEM, err := pki.SignCSRTemplate(caCerts, caKey, template)
 	if err != nil {
 		message := "Error signing certificate"
diff --git a/pkg/internal/apis/certmanager/types_issuer.go b/pkg/internal/apis/certmanager/types_issuer.go
index 2c93662cd..c9f488182 100644
--- a/pkg/internal/apis/certmanager/types_issuer.go
+++ b/pkg/internal/apis/certmanager/types_issuer.go
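Review bot: The new line in `Sign`, `template.CRLDistributionPoints = issuerObj.GetSpec().CA.CRLDistributionPoints`, copies the Issuer's list straight into the certificate template, and nothing in this commit validates the entries; `x509.CreateCertificate` encodes each string as a URI GeneralName without checking it, so an empty or malformed entry in the Issuer spec produces certificates whose CDP extension points nowhere, which strict relying parties treat as a revocation-check failure, and a mistyped host hands revocation lookups to a host the operator does not control. The check belongs in the API validation for `CAIssuer` (and `SelfSignedIssuer`) rather than in the signer: reject the Issuer unless every entry is non-empty and parses as an absolute URI via `url.Parse`, so misconfiguration surfaces at admission time instead of in every certificate the Issuer signs. A one-line why-comment on the assignment would also help the next reader, e.g. `// Embed the Issuer's CRL distribution points in every certificate it signs; the operator is responsible for publishing a CRL at those URIs.` The body of `Sign` begins and ends outside this hunk.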
@@ -127,7 +127,11 @@ type VenafiCloud struct {
 }
 
 type SelfSignedIssuer struct {
-	CRLDistributionPoints []string `json:"crlDistributionPoints,omitempty"`
+	// The CRL distribution points is an X.509 v3 certificate extension which identifies
+	// the location of the CRL from which the revocation of this certificate can be checked.
+	// If not set certificate will be issued without CDP. Values are strings.
+	// +optional
+	CRLDistributionPoints []string
 }
 
 type VaultIssuer struct {
@@ -197,6 +201,12 @@ type CAIssuer struct {
 	// SecretName is the name of the secret used to sign Certificates issued
 	// by this Issuer.
 	SecretName string
+
+	// The CRL distribution points is an X.509 v3 certificate extension which identifies
+	// the location of the CRL from which the revocation of this certificate can be checked.
+	// If not set certificate will be issued without CDP. Values are strings.
+	// +optional
+	CRLDistributionPoints []string
 }
 
 // IssuerStatus contains status information about an Issuer
diff --git a/pkg/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go b/pkg/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go
index 61220ee80..21f2e14ae 100644
--- a/pkg/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go
+++ b/pkg/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go
@@ -326,6 +326,7 @@ func RegisterConversions(s *runtime.Scheme) error {
 
 func autoConvert_v1alpha2_CAIssuer_To_certmanager_CAIssuer(in *v1alpha2.CAIssuer, out *certmanager.CAIssuer, s conversion.Scope) error {
 	out.SecretName = in.SecretName
+	out.CRLDistributionPoints = *(*[]string)(unsafe.Pointer(&in.CRLDistributionPoints))
 	return nil
 }
 
@@ -336,6 +337,7 @@ func Convert_v1alpha2_CAIssuer_To_certmanager_CAIssuer(in *v1alpha2.CAIssuer, ou
 
 func autoConvert_certmanager_CAIssuer_To_v1alpha2_CAIssuer(in *certmanager.CAIssuer, out *v1alpha2.CAIssuer, s conversion.Scope) error {
 	out.SecretName = in.SecretName
+	out.CRLDistributionPoints = *(*[]string)(unsafe.Pointer(&in.CRLDistributionPoints))
 	return nil
 }
 
diff --git a/pkg/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go b/pkg/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go
index 303ea5fc3..88bc9276a 100644
--- a/pkg/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go
+++ b/pkg/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go
@@ -326,6 +326,7 @@ func RegisterConversions(s *runtime.Scheme) error {
 
 func autoConvert_v1alpha3_CAIssuer_To_certmanager_CAIssuer(in *v1alpha3.CAIssuer, out *certmanager.CAIssuer, s conversion.Scope) error {
 	out.SecretName = in.SecretName
+	out.CRLDistributionPoints = *(*[]string)(unsafe.Pointer(&in.CRLDistributionPoints))
 	return nil
 }
 
@@ -336,6 +337,7 @@ func Convert_v1alpha3_CAIssuer_To_certmanager_CAIssuer(in *v1alpha3.CAIssuer, ou
 
 func autoConvert_certmanager_CAIssuer_To_v1alpha3_CAIssuer(in *certmanager.CAIssuer, out *v1alpha3.CAIssuer, s conversion.Scope) error {
 	out.SecretName = in.SecretName
+	out.CRLDistributionPoints = *(*[]string)(unsafe.Pointer(&in.CRLDistributionPoints))
 	return nil
 }
 
diff --git a/pkg/internal/apis/certmanager/zz_generated.deepcopy.go b/pkg/internal/apis/certmanager/zz_generated.deepcopy.go
index d7e264c2e..0dbd3d0fc 100644
--- a/pkg/internal/apis/certmanager/zz_generated.deepcopy.go
+++ b/pkg/internal/apis/certmanager/zz_generated.deepcopy.go
@@ -30,6 +30,11 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CAIssuer) DeepCopyInto(out *CAIssuer) {
 	*out = *in
+	if in.CRLDistributionPoints != nil {
+		in, out := &in.CRLDistributionPoints, &out.CRLDistributionPoints
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 
@@ -477,7 +482,7 @@ func (in *IssuerConfig) DeepCopyInto(out *IssuerConfig) {
 	if in.CA != nil {
 		in, out := &in.CA, &out.CA
 		*out = new(CAIssuer)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	if in.Vault != nil {
 		in, out := &in.Vault, &out.Vault