diff --git a/internal/apis/certmanager/validation/certificate.go b/internal/apis/certmanager/validation/certificate.go
index 3bba759ce..ac308952b 100644
--- a/internal/apis/certmanager/validation/certificate.go
+++ b/internal/apis/certmanager/validation/certificate.go
@@ -233,7 +233,20 @@ func validateIssuerRef(issuerRef cmmeta.ObjectReference, fldPath *field.Path) fi
 // do nothing
 default:
- el = append(el, field.Invalid(issuerRefPath.Child("kind"), issuerRef.Kind, "must be one of Issuer or ClusterIssuer"))
+ kindPath := issuerRefPath.Child("kind")
+ errMsg := "must be one of Issuer or ClusterIssuer"
+
+ if issuerRef.Group == "" {
+ // Sometimes the user sets a kind for an external issuer (e.g. "AWSPCAClusterIssuer" or "VenafiIssuer") but forgets
+ // to set the group (an easy mistake to make - see https://github.com/cert-manager/csi-driver/issues/197).
+ // If the users forgets the group but otherwise has a correct Kind set for an external issuer, we can give a hint
+ // as to what they need to do to fix.
+
+ // If the user explicitly set the group to the cert-manager group though, we don't give the hint
+ errMsg += fmt.Sprintf(" (did you forget to set %s?)", kindPath.Child("group").String())
+ }
+
+ el = append(el, field.Invalid(kindPath, issuerRef.Kind, errMsg))
 }
 }
diff --git a/internal/apis/certmanager/validation/certificate_test.go b/internal/apis/certmanager/validation/certificate_test.go
index 1e6f67fa9..b41635cfe 100644
--- a/internal/apis/certmanager/validation/certificate_test.go
+++ b/internal/apis/certmanager/validation/certificate_test.go
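Review bot: The hint in the new `default:` branch names a field that does not exist: `kindPath.Child("group")` renders as `spec.issuerRef.kind.group`, but `Group` is a sibling of `Kind` on the issuer reference (the same hunk reads `issuerRef.Group`), so a user trying to fix an external issuer reference is pointed at the wrong place. Build the path from the parent instead: `errMsg += fmt.Sprintf(" (did you forget to set %s?)", issuerRefPath.Child("group").String())`. The expectation in the certificate_test.go hunk hard-codes the same `spec.issuerRef.kind.group` text and would need to become `spec.issuerRef.group` along with it. The body of validateIssuerRef starts and ends outside the hunk.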
@@ -135,7 +135,7 @@ func TestValidateCertificate(t *testing.T) {
 },
 a: someAdmissionRequest,
 errs: []*field.Error{
- field.Invalid(fldPath.Child("issuerRef", "kind"), "AWSPCAClusterIssuer", "must be one of Issuer or ClusterIssuer"),
+ field.Invalid(fldPath.Child("issuerRef", "kind"), "AWSPCAClusterIssuer", "must be one of Issuer or ClusterIssuer (did you forget to set spec.issuerRef.kind.group?)"),
 },
 },
 "valid with external issuerRef kind and external group": {
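Review bot: Only the empty-group case is pinned by the expectation updated in this hunk; nothing visible here asserts that the hint is left out when the group is explicitly set to the cert-manager group and the kind is still unknown, which is the other branch the new code comment describes. A table entry for that case expecting the plain `must be one of Issuer or ClusterIssuer` message would guard against the hint leaking into it. The TestValidateCertificate table continues outside the hunk, so such an entry may already exist.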