Make vault issuer to point to resource namespace over certificaterequest

Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>

pkg/controller/certificaterequests/vault/vault.go

@@ -37,6 +37,7 @@ const (
 )
 
 type Vault struct {
+	issuerOptions controllerpkg.IssuerOptions
 	secretsLister corelisters.SecretLister
 	reporter      *crutil.Reporter
 
@@ -54,6 +55,7 @@ func init() {
 
 func NewVault(ctx *controllerpkg.Context) *Vault {
 	return &Vault{
+		issuerOptions:      ctx.IssuerOptions,
 		secretsLister:      ctx.KubeSharedInformerFactory.Core().V1().Secrets().Lister(),
 		reporter:           crutil.NewReporter(ctx.Clock, ctx.Recorder),
 		vaultClientBuilder: vaultinternal.New,
@@ -64,7 +66,9 @@ func (v *Vault) Sign(ctx context.Context, cr *v1alpha2.CertificateRequest, issue
 	log := logf.FromContext(ctx, "sign")
 	log = logf.WithRelatedResource(log, issuerObj)
 
-	client, err := v.vaultClientBuilder(cr.Namespace, v.secretsLister, issuerObj)
+	resourceNamespace := v.issuerOptions.ResourceNamespace(issuerObj)
+
+	client, err := v.vaultClientBuilder(resourceNamespace, v.secretsLister, issuerObj)
 	if k8sErrors.IsNotFound(err) {
 		message := "Required secret resource not found"
 

test/e2e/suite/issuers/vault/certificate/approle.go

@@ -23,7 +23,7 @@ import (
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 
-	"github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2"
+	cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2"
 	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
 	"github.com/jetstack/cert-manager/test/e2e/framework"
 	"github.com/jetstack/cert-manager/test/e2e/framework/addon/tiller"
@@ -32,7 +32,15 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() {
+var _ = framework.CertManagerDescribe("Vault Issuer Certificate (AppRole)", func() {
+	runVaultAppRoleTests(cmapi.IssuerKind)
+})
+
+var _ = framework.CertManagerDescribe("Vault ClusterIssuer Certificate (AppRole)", func() {
+	runVaultAppRoleTests(cmapi.ClusterIssuerKind)
+})
+
+func runVaultAppRoleTests(issuerKind string) {
 	f := framework.NewDefaultFramework("create-vault-certificate")
 	h := f.Helper()
 
@@ -68,6 +76,14 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() {
 	var secretId string
 	var vaultInit *vaultaddon.VaultInitializer
 
+	var vaultSecretNamespace string
+
+	if issuerKind == cmapi.IssuerKind {
+		vaultSecretNamespace = f.Namespace.Name
+	} else {
+		vaultSecretNamespace = "kube-system"
+	}
+
 	BeforeEach(func() {
 		By("Configuring the Vault server")
 		vaultInit = &vaultaddon.VaultInitializer{
@@ -83,15 +99,21 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() {
 		Expect(err).NotTo(HaveOccurred())
 		roleId, secretId, err = vaultInit.CreateAppRole()
 		Expect(err).NotTo(HaveOccurred())
-		_, err = f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(vaultaddon.NewVaultAppRoleSecret(vaultSecretAppRoleName, secretId))
+		_, err = f.KubeClientSet.CoreV1().Secrets(vaultSecretNamespace).Create(vaultaddon.NewVaultAppRoleSecret(vaultSecretAppRoleName, secretId))
 		Expect(err).NotTo(HaveOccurred())
 	})
 
 	JustAfterEach(func() {
 		By("Cleaning up")
 		Expect(vaultInit.Clean()).NotTo(HaveOccurred())
-		f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Delete(issuerName, nil)
-		f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Delete(vaultSecretAppRoleName, nil)
+
+		if issuerKind == cmapi.IssuerKind {
+			f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Delete(issuerName, nil)
+		} else {
+			f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Delete(issuerName, nil)
+		}
+
+		f.KubeClientSet.CoreV1().Secrets(vaultSecretNamespace).Delete(vaultSecretAppRoleName, nil)
 	})
 
 	It("should generate a new valid certificate", func() {
@@ -100,21 +122,37 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() {
 
 		certClient := f.CertManagerClientSet.CertmanagerV1alpha2().Certificates(f.Namespace.Name)
 
-		_, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
+		var err error
+		if issuerKind == cmapi.IssuerKind {
+			_, err = f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
+		} else {
+			_, err = f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(util.NewCertManagerVaultClusterIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
+		}
 
 		Expect(err).NotTo(HaveOccurred())
 
 		By("Waiting for Issuer to become Ready")
-		err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name),
-			issuerName,
-			v1alpha2.IssuerCondition{
-				Type:   v1alpha2.IssuerConditionReady,
-				Status: cmmeta.ConditionTrue,
-			})
+
+		if issuerKind == cmapi.IssuerKind {
+			err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name),
+				issuerName,
+				cmapi.IssuerCondition{
+					Type:   cmapi.IssuerConditionReady,
+					Status: cmmeta.ConditionTrue,
+				})
+		} else {
+			err = util.WaitForClusterIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers(),
+				issuerName,
+				cmapi.IssuerCondition{
+					Type:   cmapi.IssuerConditionReady,
+					Status: cmmeta.ConditionTrue,
+				})
+		}
+
 		Expect(err).NotTo(HaveOccurred())
 
 		By("Creating a Certificate")
-		_, err = certClient.Create(util.NewCertManagerVaultCertificate(certificateName, certificateSecretName, issuerName, v1alpha2.IssuerKind, nil, nil))
+		_, err = certClient.Create(util.NewCertManagerVaultCertificate(certificateName, certificateSecretName, issuerName, issuerKind, nil, nil))
 		Expect(err).NotTo(HaveOccurred())
 
 		err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5)
@@ -159,20 +197,37 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() {
 		v := v
 		It("should generate a new certificate "+v.label, func() {
 			By("Creating an Issuer")
-			_, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vault.Details().Host, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
+
+			var err error
+			if issuerKind == cmapi.IssuerKind {
+				_, err = f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vault.Details().Host, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
+			} else {
+				_, err = f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(util.NewCertManagerVaultClusterIssuerAppRole(issuerName, vault.Details().Host, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
+			}
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Waiting for Issuer to become Ready")
-			err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name),
-				issuerName,
-				v1alpha2.IssuerCondition{
-					Type:   v1alpha2.IssuerConditionReady,
-					Status: cmmeta.ConditionTrue,
-				})
+
+			if issuerKind == cmapi.IssuerKind {
+				err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name),
+					issuerName,
+					cmapi.IssuerCondition{
+						Type:   cmapi.IssuerConditionReady,
+						Status: cmmeta.ConditionTrue,
+					})
+			} else {
+				err = util.WaitForClusterIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers(),
+					issuerName,
+					cmapi.IssuerCondition{
+						Type:   cmapi.IssuerConditionReady,
+						Status: cmmeta.ConditionTrue,
+					})
+			}
+
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Creating a Certificate")
-			cert, err := f.CertManagerClientSet.CertmanagerV1alpha2().Certificates(f.Namespace.Name).Create(util.NewCertManagerVaultCertificate(certificateName, certificateSecretName, issuerName, v1alpha2.IssuerKind, v.inputDuration, v.inputRenewBefore))
+			cert, err := f.CertManagerClientSet.CertmanagerV1alpha2().Certificates(f.Namespace.Name).Create(util.NewCertManagerVaultCertificate(certificateName, certificateSecretName, issuerName, issuerKind, v.inputDuration, v.inputRenewBefore))
 			Expect(err).NotTo(HaveOccurred())
 
 			err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5)
@@ -182,4 +237,4 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() {
 			f.CertificateDurationValid(cert, v.expectedDuration, time.Second*30)
 		})
 	}
-})
+}

test/e2e/suite/issuers/vault/certificate/approle_custom_mount.go

@@ -23,7 +23,7 @@ import (
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 
-	"github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2"
+	cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2"
 	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
 	"github.com/jetstack/cert-manager/test/e2e/framework"
 	"github.com/jetstack/cert-manager/test/e2e/framework/addon/tiller"
@@ -31,7 +31,15 @@ import (
 	"github.com/jetstack/cert-manager/test/e2e/util"
 )
 
-var _ = framework.CertManagerDescribe("Vault Certificate (AppRole with a custom mount path)", func() {
+var _ = framework.CertManagerDescribe("Vault Issuer Certificate (AppRole with a custom mount path)", func() {
+	runVaultCustomAppRoleTests(cmapi.IssuerKind)
+})
+
+var _ = framework.CertManagerDescribe("Vault ClusterIssuer Certificate (AppRole with a custom mount path)", func() {
+	runVaultCustomAppRoleTests(cmapi.ClusterIssuerKind)
+})
+
+func runVaultCustomAppRoleTests(issuerKind string) {
 	f := framework.NewDefaultFramework("create-vault-certificate")
 	h := f.Helper()
 
@@ -68,6 +76,13 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole with a custom
 
 	var vaultInit *vaultaddon.VaultInitializer
 
+	var vaultSecretNamespace string
+	if issuerKind == cmapi.IssuerKind {
+		vaultSecretNamespace = f.Namespace.Name
+	} else {
+		vaultSecretNamespace = "kube-system"
+	}
+
 	BeforeEach(func() {
 		By("Configuring the Vault server")
 		vaultInit = &vaultaddon.VaultInitializer{
@@ -83,15 +98,21 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole with a custom
 		Expect(err).NotTo(HaveOccurred())
 		roleId, secretId, err = vaultInit.CreateAppRole()
 		Expect(err).NotTo(HaveOccurred())
-		_, err = f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(vaultaddon.NewVaultAppRoleSecret(vaultSecretAppRoleName, secretId))
+		_, err = f.KubeClientSet.CoreV1().Secrets(vaultSecretNamespace).Create(vaultaddon.NewVaultAppRoleSecret(vaultSecretAppRoleName, secretId))
 		Expect(err).NotTo(HaveOccurred())
 	})
 
 	JustAfterEach(func() {
 		By("Cleaning up")
 		Expect(vaultInit.Clean()).NotTo(HaveOccurred())
-		f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Delete(issuerName, nil)
-		f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Delete(vaultSecretAppRoleName, nil)
+
+		if issuerKind == cmapi.IssuerKind {
+			f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Delete(issuerName, nil)
+		} else {
+			f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Delete(issuerName, nil)
+		}
+
+		f.KubeClientSet.CoreV1().Secrets(vaultSecretNamespace).Delete(vaultSecretAppRoleName, nil)
 	})
 
 	It("should generate a new valid certificate", func() {
@@ -100,23 +121,39 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole with a custom
 
 		certClient := f.CertManagerClientSet.CertmanagerV1alpha2().Certificates(f.Namespace.Name)
 
-		_, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
+		var err error
+		if issuerKind == cmapi.IssuerKind {
+			_, err = f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
+		} else {
+			_, err = f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(util.NewCertManagerVaultClusterIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
+		}
+
 		Expect(err).NotTo(HaveOccurred())
 
 		By("Waiting for Issuer to become Ready")
-		err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name),
-			issuerName,
-			v1alpha2.IssuerCondition{
-				Type:   v1alpha2.IssuerConditionReady,
-				Status: cmmeta.ConditionTrue,
-			})
+		if issuerKind == cmapi.IssuerKind {
+			err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name),
+				issuerName,
+				cmapi.IssuerCondition{
+					Type:   cmapi.IssuerConditionReady,
+					Status: cmmeta.ConditionTrue,
+				})
+		} else {
+			err = util.WaitForClusterIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers(),
+				issuerName,
+				cmapi.IssuerCondition{
+					Type:   cmapi.IssuerConditionReady,
+					Status: cmmeta.ConditionTrue,
+				})
+		}
+
 		Expect(err).NotTo(HaveOccurred())
 
 		By("Creating a Certificate")
-		_, err = certClient.Create(util.NewCertManagerVaultCertificate(certificateName, certificateSecretName, issuerName, v1alpha2.IssuerKind, nil, nil))
+		_, err = certClient.Create(util.NewCertManagerVaultCertificate(certificateName, certificateSecretName, issuerName, issuerKind, nil, nil))
 		Expect(err).NotTo(HaveOccurred())
 
 		err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5)
 		Expect(err).NotTo(HaveOccurred())
 	})
-})
+}

test/e2e/suite/issuers/vault/certificaterequest/approle.go

@@ -26,7 +26,7 @@ import (
 	. "github.com/onsi/gomega"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2"
+	cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2"
 	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
 	"github.com/jetstack/cert-manager/test/e2e/framework"
 	"github.com/jetstack/cert-manager/test/e2e/framework/addon/tiller"
@@ -34,7 +34,15 @@ import (
 	"github.com/jetstack/cert-manager/test/e2e/util"
 )
 
-var _ = framework.CertManagerDescribe("Vault CertificateRequest (AppRole)", func() {
+var _ = framework.CertManagerDescribe("Vault Issuer CertificateRequest (AppRole)", func() {
+	runVaultAppRoleTests(cmapi.IssuerKind)
+})
+
+var _ = framework.CertManagerDescribe("Vault ClusterIssuer CertificateRequest (AppRole)", func() {
+	runVaultAppRoleTests(cmapi.ClusterIssuerKind)
+})
+
+func runVaultAppRoleTests(issuerKind string) {
 	f := framework.NewDefaultFramework("create-vault-certificaterequest")
 	h := f.Helper()
 
@@ -75,6 +83,13 @@ var _ = framework.CertManagerDescribe("Vault CertificateRequest (AppRole)", func
 	var secretId string
 	var vaultInit *vaultaddon.VaultInitializer
 
+	var vaultSecretNamespace string
+	if issuerKind == cmapi.IssuerKind {
+		vaultSecretNamespace = f.Namespace.Name
+	} else {
+		vaultSecretNamespace = "kube-system"
+	}
+
 	BeforeEach(func() {
 		By("Configuring the Vault server")
 		vaultInit = &vaultaddon.VaultInitializer{
@@ -90,15 +105,21 @@ var _ = framework.CertManagerDescribe("Vault CertificateRequest (AppRole)", func
 		Expect(err).NotTo(HaveOccurred())
 		roleId, secretId, err = vaultInit.CreateAppRole()
 		Expect(err).NotTo(HaveOccurred())
-		_, err = f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(vaultaddon.NewVaultAppRoleSecret(vaultSecretAppRoleName, secretId))
+		_, err = f.KubeClientSet.CoreV1().Secrets(vaultSecretNamespace).Create(vaultaddon.NewVaultAppRoleSecret(vaultSecretAppRoleName, secretId))
 		Expect(err).NotTo(HaveOccurred())
 	})
 
 	JustAfterEach(func() {
 		By("Cleaning up")
 		Expect(vaultInit.Clean()).NotTo(HaveOccurred())
-		f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Delete(issuerName, nil)
-		f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Delete(vaultSecretAppRoleName, nil)
+
+		if issuerKind == cmapi.IssuerKind {
+			f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Delete(issuerName, nil)
+		} else {
+			f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Delete(issuerName, nil)
+		}
+
+		f.KubeClientSet.CoreV1().Secrets(vaultSecretNamespace).Delete(vaultSecretAppRoleName, nil)
 	})
 
 	It("should generate a new valid certificate", func() {
@@ -107,21 +128,35 @@ var _ = framework.CertManagerDescribe("Vault CertificateRequest (AppRole)", func
 
 		crClient := f.CertManagerClientSet.CertmanagerV1alpha2().CertificateRequests(f.Namespace.Name)
 
-		_, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
-
+		var err error
+		if issuerKind == cmapi.IssuerKind {
+			_, err = f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
+		} else {
+			_, err = f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(util.NewCertManagerVaultClusterIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
+		}
 		Expect(err).NotTo(HaveOccurred())
 
 		By("Waiting for Issuer to become Ready")
-		err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name),
-			issuerName,
-			v1alpha2.IssuerCondition{
-				Type:   v1alpha2.IssuerConditionReady,
-				Status: cmmeta.ConditionTrue,
-			})
+		if issuerKind == cmapi.IssuerKind {
+			err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name),
+				issuerName,
+				cmapi.IssuerCondition{
+					Type:   cmapi.IssuerConditionReady,
+					Status: cmmeta.ConditionTrue,
+				})
+		} else {
+			err = util.WaitForClusterIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers(),
+				issuerName,
+				cmapi.IssuerCondition{
+					Type:   cmapi.IssuerConditionReady,
+					Status: cmmeta.ConditionTrue,
+				})
+		}
+
 		Expect(err).NotTo(HaveOccurred())
 
 		By("Creating a CertificateRequest")
-		cr, key, err := util.NewCertManagerBasicCertificateRequest(certificateRequestName, issuerName, v1alpha2.IssuerKind,
+		cr, key, err := util.NewCertManagerBasicCertificateRequest(certificateRequestName, issuerName, issuerKind,
 			&metav1.Duration{
 				Duration: time.Hour * 24 * 90,
 			},
@@ -167,23 +202,32 @@ var _ = framework.CertManagerDescribe("Vault CertificateRequest (AppRole)", func
 		v := v
 		It("should generate a new certificate "+v.label, func() {
 			By("Creating an Issuer")
-			_, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vault.Details().Host, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
+
+			var err error
+			if issuerKind == cmapi.IssuerKind {
+				_, err = f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vault.Details().Host, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
+			} else {
+				_, err = f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(util.NewCertManagerVaultClusterIssuerAppRole(issuerName, vault.Details().Host, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
+			}
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Waiting for Issuer to become Ready")
-			err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name),
-				issuerName,
-				v1alpha2.IssuerCondition{
-					Type:   v1alpha2.IssuerConditionReady,
-					Status: cmmeta.ConditionTrue,
-				})
+			if issuerKind == cmapi.IssuerKind {
+				err = util.WaitForClusterIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers(),
+					issuerName,
+					cmapi.IssuerCondition{
+						Type:   cmapi.IssuerConditionReady,
+						Status: cmmeta.ConditionTrue,
+					})
+			} else {
+			}
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Creating a CertificateRequest")
 			crClient := f.CertManagerClientSet.CertmanagerV1alpha2().CertificateRequests(f.Namespace.Name)
 
 			cr, key, err := util.NewCertManagerBasicCertificateRequest(certificateRequestName, issuerName,
-				v1alpha2.IssuerKind, v.inputDuration, crDNSNames, crIPAddresses, nil, x509.RSA)
+				issuerKind, v.inputDuration, crDNSNames, crIPAddresses, nil, x509.RSA)
 			Expect(err).NotTo(HaveOccurred())
 			_, err = crClient.Create(cr)
 			Expect(err).NotTo(HaveOccurred())
@@ -197,4 +241,4 @@ var _ = framework.CertManagerDescribe("Vault CertificateRequest (AppRole)", func
 			f.CertificateRequestDurationValid(cr, v.expectedDuration+(30*time.Second))
 		})
 	}
-})
+}

test/e2e/suite/issuers/vault/certificaterequest/approle_custom_mount.go

@@ -26,7 +26,7 @@ import (
 	. "github.com/onsi/gomega"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2"
+	cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2"
 	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
 	"github.com/jetstack/cert-manager/test/e2e/framework"
 	"github.com/jetstack/cert-manager/test/e2e/framework/addon/tiller"
@@ -34,7 +34,15 @@ import (
 	"github.com/jetstack/cert-manager/test/e2e/util"
 )
 
-var _ = framework.CertManagerDescribe("Vault CertificateRequest (AppRole with a custom mount path)", func() {
+var _ = framework.CertManagerDescribe("Vault Issuer CertificateRequest (AppRole with a custom mount path)", func() {
+	runVaultCustomAppRoleTests(cmapi.IssuerKind)
+})
+
+var _ = framework.CertManagerDescribe("Vault ClusterIssuer CertificateRequest (AppRole with a custom mount path)", func() {
+	runVaultCustomAppRoleTests(cmapi.ClusterIssuerKind)
+})
+
+func runVaultCustomAppRoleTests(issuerKind string) {
 	f := framework.NewDefaultFramework("create-vault-certificaterequest")
 	h := f.Helper()
 
@@ -76,6 +84,13 @@ var _ = framework.CertManagerDescribe("Vault CertificateRequest (AppRole with a
 
 	var vaultInit *vaultaddon.VaultInitializer
 
+	var vaultSecretNamespace string
+	if issuerKind == cmapi.IssuerKind {
+		vaultSecretNamespace = f.Namespace.Name
+	} else {
+		vaultSecretNamespace = "kube-system"
+	}
+
 	BeforeEach(func() {
 		By("Configuring the Vault server")
 		vaultInit = &vaultaddon.VaultInitializer{
@@ -91,15 +106,21 @@ var _ = framework.CertManagerDescribe("Vault CertificateRequest (AppRole with a
 		Expect(err).NotTo(HaveOccurred())
 		roleId, secretId, err = vaultInit.CreateAppRole()
 		Expect(err).NotTo(HaveOccurred())
-		_, err = f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(vaultaddon.NewVaultAppRoleSecret(vaultSecretAppRoleName, secretId))
+		_, err = f.KubeClientSet.CoreV1().Secrets(vaultSecretNamespace).Create(vaultaddon.NewVaultAppRoleSecret(vaultSecretAppRoleName, secretId))
 		Expect(err).NotTo(HaveOccurred())
 	})
 
 	JustAfterEach(func() {
 		By("Cleaning up")
 		Expect(vaultInit.Clean()).NotTo(HaveOccurred())
-		f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Delete(issuerName, nil)
-		f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Delete(vaultSecretAppRoleName, nil)
+
+		if issuerKind == cmapi.IssuerKind {
+			f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Delete(issuerName, nil)
+		} else {
+			f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Delete(issuerName, nil)
+		}
+
+		f.KubeClientSet.CoreV1().Secrets(vaultSecretNamespace).Delete(vaultSecretAppRoleName, nil)
 	})
 
 	It("should generate a new valid certificate", func() {
@@ -108,21 +129,37 @@ var _ = framework.CertManagerDescribe("Vault CertificateRequest (AppRole with a
 
 		crClient := f.CertManagerClientSet.CertmanagerV1alpha2().CertificateRequests(f.Namespace.Name)
 
-		_, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
+		var err error
+		if issuerKind == cmapi.IssuerKind {
+			_, err = f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
+		} else {
+			_, err = f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(util.NewCertManagerVaultClusterIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
+		}
+
 		Expect(err).NotTo(HaveOccurred())
 
 		By("Waiting for Issuer to become Ready")
-		err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name),
-			issuerName,
-			v1alpha2.IssuerCondition{
-				Type:   v1alpha2.IssuerConditionReady,
-				Status: cmmeta.ConditionTrue,
-			})
+		if issuerKind == cmapi.IssuerKind {
+			err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name),
+				issuerName,
+				cmapi.IssuerCondition{
+					Type:   cmapi.IssuerConditionReady,
+					Status: cmmeta.ConditionTrue,
+				})
+		} else {
+			err = util.WaitForClusterIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers(),
+				issuerName,
+				cmapi.IssuerCondition{
+					Type:   cmapi.IssuerConditionReady,
+					Status: cmmeta.ConditionTrue,
+				})
+		}
+
 		Expect(err).NotTo(HaveOccurred())
 
 		By("Creating a CertificateRequest")
 		cr, key, err := util.NewCertManagerBasicCertificateRequest(certificateRequestName, issuerName,
-			v1alpha2.IssuerKind, &metav1.Duration{
+			issuerKind, &metav1.Duration{
 				Duration: time.Hour * 24 * 90,
 			},
 			crDNSNames, crIPAddresses, nil, x509.RSA)
@@ -133,4 +170,4 @@ var _ = framework.CertManagerDescribe("Vault CertificateRequest (AppRole with a
 		err = h.WaitCertificateRequestIssuedValid(f.Namespace.Name, certificateRequestName, time.Minute*5, key)
 		Expect(err).NotTo(HaveOccurred())
 	})
-})
+}

test/e2e/util/util.go

@@ -490,21 +490,34 @@ func NewCertManagerVaultIssuerAppRole(name, vaultURL, vaultPath, roleId, vaultSe
 		ObjectMeta: metav1.ObjectMeta{
 			Name: name,
 		},
-		Spec: v1alpha2.IssuerSpec{
-			IssuerConfig: v1alpha2.IssuerConfig{
-				Vault: &v1alpha2.VaultIssuer{
-					Server:   vaultURL,
-					Path:     vaultPath,
-					CABundle: caBundle,
-					Auth: v1alpha2.VaultAuth{
-						AppRole: &v1alpha2.VaultAppRole{
-							Path:   authPath,
-							RoleId: roleId,
-							SecretRef: cmmeta.SecretKeySelector{
-								Key: "secretkey",
-								LocalObjectReference: cmmeta.LocalObjectReference{
-									Name: vaultSecretAppRole,
-								},
+		Spec: newCertManagerVaultIssuerSpecAppRole(vaultURL, vaultPath, roleId, vaultSecretAppRole, authPath, caBundle),
+	}
+}
+
+func NewCertManagerVaultClusterIssuerAppRole(name, vaultURL, vaultPath, roleId, vaultSecretAppRole string, authPath string, caBundle []byte) *v1alpha2.ClusterIssuer {
+	return &v1alpha2.ClusterIssuer{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		Spec: newCertManagerVaultIssuerSpecAppRole(vaultURL, vaultPath, roleId, vaultSecretAppRole, authPath, caBundle),
+	}
+}
+
+func newCertManagerVaultIssuerSpecAppRole(vaultURL, vaultPath, roleId, vaultSecretAppRole string, authPath string, caBundle []byte) v1alpha2.IssuerSpec {
+	return v1alpha2.IssuerSpec{
+		IssuerConfig: v1alpha2.IssuerConfig{
+			Vault: &v1alpha2.VaultIssuer{
+				Server:   vaultURL,
+				Path:     vaultPath,
+				CABundle: caBundle,
+				Auth: v1alpha2.VaultAuth{
+					AppRole: &v1alpha2.VaultAppRole{
+						Path:   authPath,
+						RoleId: roleId,
+						SecretRef: cmmeta.SecretKeySelector{
+							Key: "secretkey",
+							LocalObjectReference: cmmeta.LocalObjectReference{
+								Name: vaultSecretAppRole,
 							},
 						},
 					},