Fix signernames to allow clusterissuers with dots in name

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>

pkg/apis/experimental/doc.go

@@ -17,7 +17,7 @@ limitations under the License.
 // +groupName=experimental.cert-manager.io
 // +groupGoName=Experimental
 
-// Package experimental is the internal version of the API.
+// Package experimental contains the group containing experimental APIs.
 package experimental
 
 const GroupName = "experimental.cert-manager.io"

pkg/controller/certificatesigningrequests/controller_test.go

@@ -390,42 +390,6 @@ func TestController(t *testing.T) {
 				},
 			},
 		},
-		"if CertificateSigningRequest references a clusterissuers signer but the signer name contains a namespace, should update with failed": {
-			signerType: apiutil.IssuerCA,
-			existingCSR: gen.CertificateSigningRequest("csr-1",
-				gen.SetCertificateSigningRequestSignerName("clusterissuers.cert-manager.io/hello.world"),
-				gen.SetCertificateSigningRequestStatusCondition(certificatesv1.CertificateSigningRequestCondition{
-					Type:    certificatesv1.CertificateApproved,
-					Status:  corev1.ConditionTrue,
-					Reason:  "ApprovedReason",
-					Message: "Approved message",
-				}),
-			),
-			signerImpl:  signerExpectNoCall,
-			sarReaction: sarReactionExpectNoCall,
-			existingIssuer: gen.ClusterIssuer("world",
-				gen.SetIssuerCA(cmapi.CAIssuer{
-					SecretName: "tls",
-				}),
-			),
-			wantEvent: "Warning BadSignerName Signer clusterissuers may not be referenced with namespace (hello)",
-			wantConditions: []certificatesv1.CertificateSigningRequestCondition{
-				{
-					Type:    certificatesv1.CertificateApproved,
-					Status:  corev1.ConditionTrue,
-					Reason:  "ApprovedReason",
-					Message: "Approved message",
-				},
-				{
-					Type:               certificatesv1.CertificateFailed,
-					Status:             corev1.ConditionTrue,
-					Reason:             "BadSignerName",
-					Message:            "Signer clusterissuers may not be referenced with namespace (hello)",
-					LastTransitionTime: metaFixedClockStart,
-					LastUpdateTime:     metaFixedClockStart,
-				},
-			},
-		},
 		"if CertificateSigningRequest references a issuers signer but the Issuer is not ready, fire event not Ready": {
 			signerType: apiutil.IssuerCA,
 			existingCSR: gen.CertificateSigningRequest("csr-1",

pkg/controller/certificatesigningrequests/sync.go

@@ -106,12 +106,12 @@ func (c *Controller) Sync(ctx context.Context, csr *certificatesv1.CertificateSi
 		return nil
 	}
 
-	switch kind {
-	case cmapi.IssuerKind:
+	if kind == cmapi.IssuerKind {
 		ok, err := c.userCanReferenceSigner(ctx, csr, ref.Namespace, ref.Name)
 		if err != nil {
 			return err
 		}
+
 		if !ok {
 			message := fmt.Sprintf("Requester may not reference Namespaced Issuer %s/%s", ref.Namespace, ref.Name)
 			c.recorder.Event(csr, corev1.EventTypeWarning, "DeniedReference", message)
@@ -120,17 +120,6 @@ func (c *Controller) Sync(ctx context.Context, csr *certificatesv1.CertificateSi
 				return err
 			}
 
-			return nil
-		}
-	case cmapi.ClusterIssuerKind:
-		// Namespace not valid for a clusterissuer
-		if len(ref.Namespace) > 0 {
-			message := fmt.Sprintf("Signer clusterissuers may not be referenced with namespace (%s)", ref.Namespace)
-			c.recorder.Event(csr, corev1.EventTypeWarning, "BadSignerName", message)
-			util.CertificateSigningRequestSetFailed(csr, "BadSignerName", message)
-			if _, err := c.certClient.UpdateStatus(ctx, csr, metav1.UpdateOptions{}); err != nil {
-				return err
-			}
 			return nil
 		}
 	}

pkg/controller/certificatesigningrequests/util/signername.go

@@ -50,6 +50,17 @@ func SignerIssuerRefFromSignerName(name string) (SignerIssuerRef, bool) {
 		}, true
 
 	default:
+		// ClusterIssuers do not have Namespaces
+		if signerTypeSplit[0] == "clusterissuers" {
+			return SignerIssuerRef{
+				Namespace: "",
+				Name:      strings.Join(signerNameSplit[0:], "."),
+				Type:      signerTypeSplit[0],
+				Group:     signerTypeSplit[1],
+			}, true
+		}
+
+		// Non Cluster Scoped issuers always have Namespaces
 		return SignerIssuerRef{
 			Namespace: signerNameSplit[0],
 			Name:      strings.Join(signerNameSplit[1:], "."),

pkg/controller/certificatesigningrequests/util/signername_test.go

@@ -102,6 +102,16 @@ func TestIssuerRefFromSignerName(t *testing.T) {
 			},
 			expOK: true,
 		},
+		"a clusterissuers reference with 4 domains and multiple names should return no Namespace and multiple domain name": {
+			inpName: "clusterissuers.bar.abc.dbc/hello.world.123.456",
+			expSignerIssuerRef: SignerIssuerRef{
+				Namespace: "",
+				Name:      "hello.world.123.456",
+				Type:      "clusterissuers",
+				Group:     "bar.abc.dbc",
+			},
+			expOK: true,
+		},
 	}
 
 	for name, test := range tests {

pkg/util/pki/kube_test.go

@@ -55,10 +55,10 @@ func TestGenerateTemplateFromCertificateSigningRequest(t *testing.T) {
 		},
 		"a CSR that contains invalid usages should return an error": {
 			csr: gen.CertificateSigningRequest("",
-				gen.SetCertificateSigningRequestDuration("bad-duration"),
+				gen.SetCertificateSigningRequestDuration("10m"),
 				gen.SetCertificateSigningRequestUsages([]certificatesv1.KeyUsage{
 					certificatesv1.UsageKeyEncipherment,
-					certificatesv1.UsageDigitalSignature,
+					certificatesv1.KeyUsage("bad-usage"),
 				}),
 				gen.SetCertificateSigningRequestRequest(csr),
 			),