weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

Implement feedback

Browse Source 
Signed-off-by: Maartje Eyskens <maartje@eyskens.me>
This commit is contained in:
Maartje Eyskens 2020-11-17 17:53:08 +01:00
parent 66f787ef33
commit d705838e83
16 changed files with 151 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
deploy/crds/crd-clusterissuers.v1beta1.yaml
View File

@ -75,6 +75,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@ -121,9 +124,6 @@ spec:
name:
description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
requestDuration:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
server:
description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
type: string
@ -1090,6 +1090,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@ -1136,9 +1139,6 @@ spec:
name:
description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
requestDuration:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
server:
description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
type: string
@ -2107,6 +2107,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@ -2153,9 +2156,6 @@ spec:
name:
description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
requestDuration:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
server:
description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
type: string
@ -3124,6 +3124,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@ -3170,9 +3173,6 @@ spec:
name:
description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
requestDuration:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
server:
description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
type: string

24
deploy/crds/crd-clusterissuers.yaml
View File

@ -75,6 +75,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@ -121,9 +124,6 @@ spec:
name:
description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
requestDuration:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
server:
description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
type: string
@ -1104,6 +1104,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@ -1150,9 +1153,6 @@ spec:
name:
description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
requestDuration:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
server:
description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
type: string
@ -2135,6 +2135,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@ -2181,9 +2184,6 @@ spec:
name:
description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
requestDuration:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
server:
description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
type: string
@ -3166,6 +3166,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@ -3212,9 +3215,6 @@ spec:
name:
description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
requestDuration:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
server:
description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
type: string

24
deploy/crds/crd-issuers.v1beta1.yaml
View File

@ -75,6 +75,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@ -121,9 +124,6 @@ spec:
name:
description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
requestDuration:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
server:
description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
type: string
@ -1090,6 +1090,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@ -1136,9 +1139,6 @@ spec:
name:
description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
requestDuration:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
server:
description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
type: string
@ -2107,6 +2107,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@ -2153,9 +2156,6 @@ spec:
name:
description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
requestDuration:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
server:
description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
type: string
@ -3124,6 +3124,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@ -3170,9 +3173,6 @@ spec:
name:
description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
requestDuration:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
server:
description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
type: string

24
deploy/crds/crd-issuers.yaml
View File

@ -75,6 +75,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@ -121,9 +124,6 @@ spec:
name:
description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
requestDuration:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
server:
description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
type: string
@ -1104,6 +1104,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@ -1150,9 +1153,6 @@ spec:
name:
description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
requestDuration:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
server:
description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
type: string
@ -2135,6 +2135,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@ -2181,9 +2184,6 @@ spec:
name:
description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
requestDuration:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
server:
description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
type: string
@ -3166,6 +3166,9 @@ spec:
email:
description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
type: string
enableDurationFeature:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
externalAccountBinding:
description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
type: object
@ -3212,9 +3215,6 @@ spec:
name:
description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
requestDuration:
description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
type: boolean
server:
description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
type: string

2
pkg/apis/acme/v1/types_issuer.go
View File

@ -100,7 +100,7 @@ type ACMEIssuer struct {
// it it will create an error on the Order.
// Defaults to false.
// +optional
RequestDuration bool `json:"requestDuration,omitempty"`
EnableDurationFeature bool `json:"enableDurationFeature,omitempty"`
}
// ACMEExternalAccountBinding is a reference to a CA external account of the ACME

2
pkg/apis/acme/v1alpha2/types_issuer.go
View File

@ -100,7 +100,7 @@ type ACMEIssuer struct {
// it it will create an error on the Order.
// Defaults to false.
// +optional
RequestDuration bool `json:"requestDuration,omitempty"`
EnableDurationFeature bool `json:"enableDurationFeature,omitempty"`
}
// ACMEExternalAccountBinding is a reference to a CA external account of the ACME

2
pkg/apis/acme/v1alpha3/types_issuer.go
View File

@ -100,7 +100,7 @@ type ACMEIssuer struct {
// it it will create an error on the Order.
// Defaults to false.
// +optional
RequestDuration bool `json:"requestDuration,omitempty"`
EnableDurationFeature bool `json:"enableDurationFeature,omitempty"`
}
// ACMEExternalAccountBinding is a reference to a CA external account of the ACME

2
pkg/apis/acme/v1beta1/types_issuer.go
View File

@ -100,7 +100,7 @@ type ACMEIssuer struct {
// it it will create an error on the Order.
// Defaults to false.
// +optional
RequestDuration bool `json:"requestDuration,omitempty"`
EnableDurationFeature bool `json:"enableDurationFeature,omitempty"`
}
// ACMEExternalAccountBinding is a reference to a CA external account of the ACME

6
pkg/controller/certificaterequests/acme/acme.go
View File

@ -105,7 +105,7 @@ func (a *ACME) Sign(ctx context.Context, cr *v1.CertificateRequest, issuer v1.Ge
}
// If we fail to build the order we have to hard fail.
expectedOrder, err := buildOrder(cr, csr, issuer)
expectedOrder, err := buildOrder(cr, csr, issuer.GetSpec().ACME.EnableDurationFeature)
if err != nil {
message := "Failed to build order"
@ -199,7 +199,7 @@ func (a *ACME) Sign(ctx context.Context, cr *v1.CertificateRequest, issuer v1.Ge
}
// Build order. If we error here it is a terminating failure.
func buildOrder(cr *v1.CertificateRequest, csr *x509.CertificateRequest, issuer v1.GenericIssuer) (*cmacme.Order, error) {
func buildOrder(cr *v1.CertificateRequest, csr *x509.CertificateRequest, enableDurationFeature bool) (*cmacme.Order, error) {
var ipAddresses []string
for _, ip := range csr.IPAddresses {
ipAddresses = append(ipAddresses, ip.String())
@ -218,7 +218,7 @@ func buildOrder(cr *v1.CertificateRequest, csr *x509.CertificateRequest, issuer
IPAddresses: ipAddresses,
}
if issuer.GetSpec().ACME.RequestDuration {
if enableDurationFeature {
spec.Duration = cr.Spec.Duration
}

80
pkg/controller/certificaterequests/acme/acme_test.go
View File

@ -25,6 +25,7 @@ import (
"encoding/pem"
"errors"
"net"
"reflect"
"testing"
"time"
@ -37,6 +38,7 @@ import (
cmacme "github.com/jetstack/cert-manager/pkg/apis/acme/v1"
"github.com/jetstack/cert-manager/pkg/apis/certmanager"
cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
v1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
cmacmelisters "github.com/jetstack/cert-manager/pkg/client/listers/acme/v1"
"github.com/jetstack/cert-manager/pkg/controller/certificaterequests"
@ -148,12 +150,12 @@ func TestSign(t *testing.T) {
t.Fatal(err)
}
ipBaseCR := gen.CertificateRequestFrom(baseCR, gen.SetCertificateRequestCSR(ipCSRPEM))
ipBaseOrder, err := buildOrder(ipBaseCR, ipCSR, baseIssuer)
ipBaseOrder, err := buildOrder(ipBaseCR, ipCSR, baseIssuer.GetSpec().ACME.EnableDurationFeature)
if err != nil {
t.Fatalf("failed to build order during testing: %s", err)
}
baseOrder, err := buildOrder(baseCR, csr, baseIssuer)
baseOrder, err := buildOrder(baseCR, csr, baseIssuer.GetSpec().ACME.EnableDurationFeature)
if err != nil {
t.Fatalf("failed to build order during testing: %s", err)
}
@ -518,3 +520,77 @@ func runTest(t *testing.T, test testT) {
test.builder.CheckAndFinish(err)
}
func Test_buildOrder(t *testing.T) {
sk, err := pki.GenerateRSAPrivateKey(2048)
if err != nil {
t.Fatal(err)
}
csrPEM := generateCSR(t, sk, "example.com", "example.com")
csr, err := pki.DecodeX509CertificateRequestBytes(csrPEM)
if err != nil {
t.Fatal(err)
}
cr := gen.CertificateRequest("test", gen.SetCertificateRequestDuration(&metav1.Duration{Duration: time.Hour}), gen.SetCertificateRequestCSR(csrPEM))
type args struct {
cr *v1.CertificateRequest
csr *x509.CertificateRequest
enableDurationFeature bool
}
tests := []struct {
name string
args args
want *cmacme.Order
wantErr bool
}{
{
name: "Normal building of order",
args: args{
cr: cr,
csr: csr,
enableDurationFeature: false,
},
want: &cmacme.Order{
Spec: cmacme.OrderSpec{
Request: csrPEM,
CommonName: "example.com",
DNSNames: []string{"example.com"},
},
},
wantErr: false,
},
{
name: "Building with enableDurationFeature",
args: args{
cr: cr,
csr: csr,
enableDurationFeature: true,
},
want: &cmacme.Order{
Spec: cmacme.OrderSpec{
Request: csrPEM,
CommonName: "example.com",
DNSNames: []string{"example.com"},
Duration: &metav1.Duration{Duration: time.Hour},
},
},
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := buildOrder(tt.args.cr, tt.args.csr, tt.args.enableDurationFeature)
if (err != nil) != tt.wantErr {
t.Errorf("buildOrder() error = %v, wantErr %v", err, tt.wantErr)
return
}
// for the current purpose we only test the spec
if !reflect.DeepEqual(got.Spec, tt.want.Spec) {
t.Errorf("buildOrder() got = %v, want %v", got.Spec, tt.want.Spec)
}
})
}
}

2
pkg/internal/apis/acme/types_issuer.go
View File

@ -91,7 +91,7 @@ type ACMEIssuer struct {
// like Let's Encrypt. If set to true when the ACME server does not support
// it it will create an error on the Order.
// Defaults to false.
RequestDuration bool `json:"requestDuration,omitempty"`
EnableDurationFeature bool `json:"enableDurationFeature,omitempty"`
}
// ACMEExternalAccountBinding is a reference to a CA external account of the ACME

4
pkg/internal/apis/acme/v1/zz_generated.conversion.go
View File

@ -694,7 +694,7 @@ func autoConvert_v1_ACMEIssuer_To_acme_ACMEIssuer(in *v1.ACMEIssuer, out *acme.A
}
out.Solvers = *(*[]acme.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers))
out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration
out.RequestDuration = in.RequestDuration
out.EnableDurationFeature = in.EnableDurationFeature
return nil
}
@ -715,7 +715,7 @@ func autoConvert_acme_ACMEIssuer_To_v1_ACMEIssuer(in *acme.ACMEIssuer, out *v1.A
}
out.Solvers = *(*[]v1.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers))
out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration
out.RequestDuration = in.RequestDuration
out.EnableDurationFeature = in.EnableDurationFeature
return nil
}

4
pkg/internal/apis/acme/v1alpha2/zz_generated.conversion.go
View File

@ -694,7 +694,7 @@ func autoConvert_v1alpha2_ACMEIssuer_To_acme_ACMEIssuer(in *v1alpha2.ACMEIssuer,
}
out.Solvers = *(*[]acme.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers))
out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration
out.RequestDuration = in.RequestDuration
out.EnableDurationFeature = in.EnableDurationFeature
return nil
}
@ -715,7 +715,7 @@ func autoConvert_acme_ACMEIssuer_To_v1alpha2_ACMEIssuer(in *acme.ACMEIssuer, out
}
out.Solvers = *(*[]v1alpha2.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers))
out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration
out.RequestDuration = in.RequestDuration
out.EnableDurationFeature = in.EnableDurationFeature
return nil
}

4
pkg/internal/apis/acme/v1alpha3/zz_generated.conversion.go
View File

@ -694,7 +694,7 @@ func autoConvert_v1alpha3_ACMEIssuer_To_acme_ACMEIssuer(in *v1alpha3.ACMEIssuer,
}
out.Solvers = *(*[]acme.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers))
out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration
out.RequestDuration = in.RequestDuration
out.EnableDurationFeature = in.EnableDurationFeature
return nil
}
@ -715,7 +715,7 @@ func autoConvert_acme_ACMEIssuer_To_v1alpha3_ACMEIssuer(in *acme.ACMEIssuer, out
}
out.Solvers = *(*[]v1alpha3.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers))
out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration
out.RequestDuration = in.RequestDuration
out.EnableDurationFeature = in.EnableDurationFeature
return nil
}

4
pkg/internal/apis/acme/v1beta1/zz_generated.conversion.go
View File

@ -694,7 +694,7 @@ func autoConvert_v1beta1_ACMEIssuer_To_acme_ACMEIssuer(in *v1beta1.ACMEIssuer, o
}
out.Solvers = *(*[]acme.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers))
out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration
out.RequestDuration = in.RequestDuration
out.EnableDurationFeature = in.EnableDurationFeature
return nil
}
@ -715,7 +715,7 @@ func autoConvert_acme_ACMEIssuer_To_v1beta1_ACMEIssuer(in *acme.ACMEIssuer, out
}
out.Solvers = *(*[]v1beta1.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers))
out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration
out.RequestDuration = in.RequestDuration
out.EnableDurationFeature = in.EnableDurationFeature
return nil
}

16
test/e2e/suite/issuers/acme/certificate/notafter.go
View File

@ -21,19 +21,20 @@ import (
"fmt"
"time"
"github.com/jetstack/cert-manager/pkg/util/pki"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
cmacme "github.com/jetstack/cert-manager/pkg/apis/acme/v1"
v1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
"github.com/jetstack/cert-manager/pkg/util/pki"
"github.com/jetstack/cert-manager/test/e2e/framework"
frameworkutil "github.com/jetstack/cert-manager/test/e2e/framework/util"
"github.com/jetstack/cert-manager/test/e2e/util"
"github.com/jetstack/cert-manager/test/unit/gen"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
var _ = framework.CertManagerDescribe("ACME Certificate (HTTP01 + Not After)", func() {
@ -50,8 +51,8 @@ var _ = framework.CertManagerDescribe("ACME Certificate (HTTP01 + Not After)", f
BeforeEach(func() {
acmeIssuer := util.NewCertManagerACMEIssuer(issuerName, f.Config.Addons.ACMEServer.URL, testingACMEEmail, testingACMEPrivateKey)
// Enable NotAfter feature
acmeIssuer.Spec.ACME.RequestDuration = true
// Enable Duration feature to set NotAfter
acmeIssuer.Spec.ACME.EnableDurationFeature = true
acmeIssuer.Spec.ACME.Solvers = []cmacme.ACMEChallengeSolver{
{
HTTP01: &cmacme.ACMEChallengeSolverHTTP01{
@ -143,7 +144,8 @@ var _ = framework.CertManagerDescribe("ACME Certificate (HTTP01 + Not After)", f
crt, err := pki.DecodeX509CertificateBytes(crtPEM)
Expect(err).NotTo(HaveOccurred(), "failed to get decode signed certificate data")
// checking losely to tot hit too many timing issues as the date is defined in the controller
// checking loosely to not hit too many timing issues as the date is defined in the controller
// pebble issues a 5 year cert by default
if crt.NotAfter.After(time.Now().Add(time.Hour)) {
Fail(fmt.Sprintf("Certificate has a NotAfter time after more than 1 hour (requested duration), got %s, current time %s", crt.NotAfter.String(), time.Now().String()))
}