Update Issuer CloudDNS config service account to use a SecretKeySelector

docs/acme-issuer.yaml

@@ -12,7 +12,9 @@ spec:
       providers:
       - name: clouddns
         clouddns:
-          serviceAccount: clouddns-service-account
+          serviceAccount:
+            name: clouddns-service-account
+            key: service-account.json
           project: jetstack-sandbox
 ---
 apiVersion: certmanager.k8s.io/v1alpha1
@@ -29,5 +31,7 @@ spec:
       providers:
       - name: clouddns
         clouddns:
-          serviceAccount: clouddns-service-account
+          serviceAccount:
+            name: clouddns-service-account
+            key: service-account.json
           project: jetstack-sandbox

pkg/apis/certmanager/types.go

@@ -83,7 +83,7 @@ type ACMEIssuerDNS01Provider struct {
 // ACMEIssuerDNS01ProviderCloudDNS is a structure containing the DNS
 // configuration for Google Cloud DNS
 type ACMEIssuerDNS01ProviderCloudDNS struct {
-	ServiceAccount string
+	ServiceAccount SecretKeySelector
 	Project        string
 }
 
@@ -157,3 +157,17 @@ type ACMEDomainAuthorization struct {
 	Domain string
 	URI    string
 }
+
+type LocalObjectReference struct {
+	// Name of the referent.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+	// TODO: Add other useful fields. apiVersion, kind, uid?
+	Name string
+}
+
+type SecretKeySelector struct {
+	// The name of the secret in the pod's namespace to select from.
+	LocalObjectReference
+	// The key of the secret to select from.  Must be a valid secret key.
+	Key string
+}

pkg/apis/certmanager/v1alpha1/types.go

@@ -102,14 +102,14 @@ func (a *ACMEIssuerDNS01Config) Provider(name string) (*ACMEIssuerDNS01Provider,
 type ACMEIssuerDNS01Provider struct {
 	Name string `json:"name"`
 
-	CloudDNS *ACMEIssuerDNS01ProviderCloudDNS `json:"clouddns"`
+	CloudDNS *ACMEIssuerDNS01ProviderCloudDNS `json:"clouddns,omitempty"`
 }
 
 // ACMEIssuerDNS01ProviderCloudDNS is a structure containing the DNS
 // configuration for Google Cloud DNS
 type ACMEIssuerDNS01ProviderCloudDNS struct {
-	ServiceAccount string `json:"serviceAccount"`
-	Project        string `json:"project"`
+	ServiceAccount SecretKeySelector `json:"serviceAccount"`
+	Project        string            `json:"project"`
 }
 
 // +genclient=true
@@ -213,3 +213,17 @@ type ACMEDomainAuthorization struct {
 	Domain string `json:"domain"`
 	URI    string `json:"uri"`
 }
+
+type LocalObjectReference struct {
+	// Name of the referent.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+	// TODO: Add other useful fields. apiVersion, kind, uid?
+	Name string `json:"name,omitempty"`
+}
+
+type SecretKeySelector struct {
+	// The name of the secret in the pod's namespace to select from.
+	LocalObjectReference `json:",inline" protobuf:"bytes,1,opt,name=localObjectReference"`
+	// The key of the secret to select from.  Must be a valid secret key.
+	Key string `json:"key" protobuf:"bytes,2,opt,name=key"`
+}

pkg/apis/certmanager/v1alpha1/zz_generated.conversion.go

@@ -73,6 +73,10 @@ func RegisterConversions(scheme *runtime.Scheme) error {
 		Convert_certmanager_IssuerSpec_To_v1alpha1_IssuerSpec,
 		Convert_v1alpha1_IssuerStatus_To_certmanager_IssuerStatus,
 		Convert_certmanager_IssuerStatus_To_v1alpha1_IssuerStatus,
+		Convert_v1alpha1_LocalObjectReference_To_certmanager_LocalObjectReference,
+		Convert_certmanager_LocalObjectReference_To_v1alpha1_LocalObjectReference,
+		Convert_v1alpha1_SecretKeySelector_To_certmanager_SecretKeySelector,
+		Convert_certmanager_SecretKeySelector_To_v1alpha1_SecretKeySelector,
 	)
 }
 
@@ -265,7 +269,9 @@ func Convert_certmanager_ACMEIssuerDNS01Provider_To_v1alpha1_ACMEIssuerDNS01Prov
 }
 
 func autoConvert_v1alpha1_ACMEIssuerDNS01ProviderCloudDNS_To_certmanager_ACMEIssuerDNS01ProviderCloudDNS(in *ACMEIssuerDNS01ProviderCloudDNS, out *certmanager.ACMEIssuerDNS01ProviderCloudDNS, s conversion.Scope) error {
-	out.ServiceAccount = in.ServiceAccount
+	if err := Convert_v1alpha1_SecretKeySelector_To_certmanager_SecretKeySelector(&in.ServiceAccount, &out.ServiceAccount, s); err != nil {
+		return err
+	}
 	out.Project = in.Project
 	return nil
 }
@@ -276,7 +282,9 @@ func Convert_v1alpha1_ACMEIssuerDNS01ProviderCloudDNS_To_certmanager_ACMEIssuerD
 }
 
 func autoConvert_certmanager_ACMEIssuerDNS01ProviderCloudDNS_To_v1alpha1_ACMEIssuerDNS01ProviderCloudDNS(in *certmanager.ACMEIssuerDNS01ProviderCloudDNS, out *ACMEIssuerDNS01ProviderCloudDNS, s conversion.Scope) error {
-	out.ServiceAccount = in.ServiceAccount
+	if err := Convert_certmanager_SecretKeySelector_To_v1alpha1_SecretKeySelector(&in.ServiceAccount, &out.ServiceAccount, s); err != nil {
+		return err
+	}
 	out.Project = in.Project
 	return nil
 }
@@ -537,3 +545,49 @@ func autoConvert_certmanager_IssuerStatus_To_v1alpha1_IssuerStatus(in *certmanag
 func Convert_certmanager_IssuerStatus_To_v1alpha1_IssuerStatus(in *certmanager.IssuerStatus, out *IssuerStatus, s conversion.Scope) error {
 	return autoConvert_certmanager_IssuerStatus_To_v1alpha1_IssuerStatus(in, out, s)
 }
+
+func autoConvert_v1alpha1_LocalObjectReference_To_certmanager_LocalObjectReference(in *LocalObjectReference, out *certmanager.LocalObjectReference, s conversion.Scope) error {
+	out.Name = in.Name
+	return nil
+}
+
+// Convert_v1alpha1_LocalObjectReference_To_certmanager_LocalObjectReference is an autogenerated conversion function.
+func Convert_v1alpha1_LocalObjectReference_To_certmanager_LocalObjectReference(in *LocalObjectReference, out *certmanager.LocalObjectReference, s conversion.Scope) error {
+	return autoConvert_v1alpha1_LocalObjectReference_To_certmanager_LocalObjectReference(in, out, s)
+}
+
+func autoConvert_certmanager_LocalObjectReference_To_v1alpha1_LocalObjectReference(in *certmanager.LocalObjectReference, out *LocalObjectReference, s conversion.Scope) error {
+	out.Name = in.Name
+	return nil
+}
+
+// Convert_certmanager_LocalObjectReference_To_v1alpha1_LocalObjectReference is an autogenerated conversion function.
+func Convert_certmanager_LocalObjectReference_To_v1alpha1_LocalObjectReference(in *certmanager.LocalObjectReference, out *LocalObjectReference, s conversion.Scope) error {
+	return autoConvert_certmanager_LocalObjectReference_To_v1alpha1_LocalObjectReference(in, out, s)
+}
+
+func autoConvert_v1alpha1_SecretKeySelector_To_certmanager_SecretKeySelector(in *SecretKeySelector, out *certmanager.SecretKeySelector, s conversion.Scope) error {
+	if err := Convert_v1alpha1_LocalObjectReference_To_certmanager_LocalObjectReference(&in.LocalObjectReference, &out.LocalObjectReference, s); err != nil {
+		return err
+	}
+	out.Key = in.Key
+	return nil
+}
+
+// Convert_v1alpha1_SecretKeySelector_To_certmanager_SecretKeySelector is an autogenerated conversion function.
+func Convert_v1alpha1_SecretKeySelector_To_certmanager_SecretKeySelector(in *SecretKeySelector, out *certmanager.SecretKeySelector, s conversion.Scope) error {
+	return autoConvert_v1alpha1_SecretKeySelector_To_certmanager_SecretKeySelector(in, out, s)
+}
+
+func autoConvert_certmanager_SecretKeySelector_To_v1alpha1_SecretKeySelector(in *certmanager.SecretKeySelector, out *SecretKeySelector, s conversion.Scope) error {
+	if err := Convert_certmanager_LocalObjectReference_To_v1alpha1_LocalObjectReference(&in.LocalObjectReference, &out.LocalObjectReference, s); err != nil {
+		return err
+	}
+	out.Key = in.Key
+	return nil
+}
+
+// Convert_certmanager_SecretKeySelector_To_v1alpha1_SecretKeySelector is an autogenerated conversion function.
+func Convert_certmanager_SecretKeySelector_To_v1alpha1_SecretKeySelector(in *certmanager.SecretKeySelector, out *SecretKeySelector, s conversion.Scope) error {
+	return autoConvert_certmanager_SecretKeySelector_To_v1alpha1_SecretKeySelector(in, out, s)
+}

pkg/apis/certmanager/v1alpha1/zz_generated.deepcopy.go

@@ -111,6 +111,14 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error {
 			in.(*IssuerStatus).DeepCopyInto(out.(*IssuerStatus))
 			return nil
 		}, InType: reflect.TypeOf(&IssuerStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*LocalObjectReference).DeepCopyInto(out.(*LocalObjectReference))
+			return nil
+		}, InType: reflect.TypeOf(&LocalObjectReference{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SecretKeySelector).DeepCopyInto(out.(*SecretKeySelector))
+			return nil
+		}, InType: reflect.TypeOf(&SecretKeySelector{})},
 	)
 }
 
@@ -309,6 +317,7 @@ func (x *ACMEIssuerDNS01Provider) DeepCopy() *ACMEIssuerDNS01Provider {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ACMEIssuerDNS01ProviderCloudDNS) DeepCopyInto(out *ACMEIssuerDNS01ProviderCloudDNS) {
 	*out = *in
+	out.ServiceAccount = in.ServiceAccount
 	return
 }
 
@@ -589,3 +598,36 @@ func (x *IssuerStatus) DeepCopy() *IssuerStatus {
 	x.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LocalObjectReference) DeepCopyInto(out *LocalObjectReference) {
+	*out = *in
+	return
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, creating a new LocalObjectReference.
+func (x *LocalObjectReference) DeepCopy() *LocalObjectReference {
+	if x == nil {
+		return nil
+	}
+	out := new(LocalObjectReference)
+	x.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretKeySelector) DeepCopyInto(out *SecretKeySelector) {
+	*out = *in
+	out.LocalObjectReference = in.LocalObjectReference
+	return
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, creating a new SecretKeySelector.
+func (x *SecretKeySelector) DeepCopy() *SecretKeySelector {
+	if x == nil {
+		return nil
+	}
+	out := new(SecretKeySelector)
+	x.DeepCopyInto(out)
+	return out
+}

pkg/apis/certmanager/zz_generated.deepcopy.go

@@ -111,6 +111,14 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error {
 			in.(*IssuerStatus).DeepCopyInto(out.(*IssuerStatus))
 			return nil
 		}, InType: reflect.TypeOf(&IssuerStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*LocalObjectReference).DeepCopyInto(out.(*LocalObjectReference))
+			return nil
+		}, InType: reflect.TypeOf(&LocalObjectReference{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SecretKeySelector).DeepCopyInto(out.(*SecretKeySelector))
+			return nil
+		}, InType: reflect.TypeOf(&SecretKeySelector{})},
 	)
 }
 
@@ -309,6 +317,7 @@ func (x *ACMEIssuerDNS01Provider) DeepCopy() *ACMEIssuerDNS01Provider {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ACMEIssuerDNS01ProviderCloudDNS) DeepCopyInto(out *ACMEIssuerDNS01ProviderCloudDNS) {
 	*out = *in
+	out.ServiceAccount = in.ServiceAccount
 	return
 }
 
@@ -589,3 +598,36 @@ func (x *IssuerStatus) DeepCopy() *IssuerStatus {
 	x.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LocalObjectReference) DeepCopyInto(out *LocalObjectReference) {
+	*out = *in
+	return
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, creating a new LocalObjectReference.
+func (x *LocalObjectReference) DeepCopy() *LocalObjectReference {
+	if x == nil {
+		return nil
+	}
+	out := new(LocalObjectReference)
+	x.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretKeySelector) DeepCopyInto(out *SecretKeySelector) {
+	*out = *in
+	out.LocalObjectReference = in.LocalObjectReference
+	return
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, creating a new SecretKeySelector.
+func (x *SecretKeySelector) DeepCopy() *SecretKeySelector {
+	if x == nil {
+		return nil
+	}
+	out := new(SecretKeySelector)
+	x.DeepCopyInto(out)
+	return out
+}

pkg/issuer/acme/dns/dns.go

@@ -108,11 +108,11 @@ func (s *Solver) solverFor(crt *v1alpha1.Certificate, domain string) (solver, er
 	var impl solver
 	switch {
 	case providerConfig.CloudDNS != nil:
-		saSecret, err := s.secretLister.Secrets(s.issuer.Namespace).Get(providerConfig.CloudDNS.ServiceAccount)
+		saSecret, err := s.secretLister.Secrets(s.issuer.Namespace).Get(providerConfig.CloudDNS.ServiceAccount.Name)
 		if err != nil {
 			return nil, fmt.Errorf("error getting clouddns service account: %s", err.Error())
 		}
-		saBytes := saSecret.Data[cloudDNSServiceAccountKey]
+		saBytes := saSecret.Data[providerConfig.CloudDNS.ServiceAccount.Key]
 
 		impl, err = clouddns.NewDNSProviderServiceAccountBytes(providerConfig.CloudDNS.Project, saBytes)
 		if err != nil {