diff --git a/deploy/crds/crd-clusterissuers.v1beta1.yaml b/deploy/crds/crd-clusterissuers.v1beta1.yaml index a4e0475c8..cfc47992f 100644 --- a/deploy/crds/crd-clusterissuers.v1beta1.yaml +++ b/deploy/crds/crd-clusterissuers.v1beta1.yaml @@ -75,6 +75,9 @@ spec: email: description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean externalAccountBinding: description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. type: object 
@@ -121,9 +124,6 @@ spec: name: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string - requestDuration: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean server: description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' type: string @@ -1090,6 +1090,9 @@ spec: email: description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean externalAccountBinding: description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. type: object 
@@ -1136,9 +1139,6 @@ spec: name: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string - requestDuration: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean server: description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' type: string @@ -2107,6 +2107,9 @@ spec: email: description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean externalAccountBinding: description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. type: object 
@@ -2153,9 +2156,6 @@ spec: name: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string - requestDuration: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean server: description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' type: string @@ -3124,6 +3124,9 @@ spec: email: description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean externalAccountBinding: description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. type: object 
@@ -3170,9 +3173,6 @@ spec: name: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string - requestDuration: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean server: description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' type: string diff --git a/deploy/crds/crd-clusterissuers.yaml b/deploy/crds/crd-clusterissuers.yaml index 6376c91a0..464aced0d 100644 --- a/deploy/crds/crd-clusterissuers.yaml +++ b/deploy/crds/crd-clusterissuers.yaml @@ -75,6 +75,9 @@ spec: email: description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean externalAccountBinding: description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. type: object 
@@ -121,9 +124,6 @@ spec: name: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string - requestDuration: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean server: description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' type: string @@ -1104,6 +1104,9 @@ spec: email: description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean externalAccountBinding: description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. type: object 
@@ -1150,9 +1153,6 @@ spec: name: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string - requestDuration: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean server: description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' type: string @@ -2135,6 +2135,9 @@ spec: email: description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean externalAccountBinding: description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. type: object 
@@ -2181,9 +2184,6 @@ spec: name: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string - requestDuration: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean server: description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' type: string @@ -3166,6 +3166,9 @@ spec: email: description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean externalAccountBinding: description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. type: object 
@@ -3212,9 +3215,6 @@ spec: name: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string - requestDuration: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean server: description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' type: string diff --git a/deploy/crds/crd-issuers.v1beta1.yaml b/deploy/crds/crd-issuers.v1beta1.yaml index 24542abcb..b4f05e0d6 100644 --- a/deploy/crds/crd-issuers.v1beta1.yaml +++ b/deploy/crds/crd-issuers.v1beta1.yaml @@ -75,6 +75,9 @@ spec: email: description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean externalAccountBinding: description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. type: object 
@@ -121,9 +124,6 @@ spec: name: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string - requestDuration: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean server: description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' type: string @@ -1090,6 +1090,9 @@ spec: email: description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean externalAccountBinding: description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. type: object 
@@ -1136,9 +1139,6 @@ spec: name: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string - requestDuration: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean server: description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' type: string @@ -2107,6 +2107,9 @@ spec: email: description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean externalAccountBinding: description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. type: object 
@@ -2153,9 +2156,6 @@ spec: name: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string - requestDuration: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean server: description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' type: string @@ -3124,6 +3124,9 @@ spec: email: description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean externalAccountBinding: description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. type: object 
@@ -3170,9 +3173,6 @@ spec: name: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string - requestDuration: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean server: description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' type: string diff --git a/deploy/crds/crd-issuers.yaml b/deploy/crds/crd-issuers.yaml index 0b89aa8ef..0b91dbe04 100644 --- a/deploy/crds/crd-issuers.yaml +++ b/deploy/crds/crd-issuers.yaml @@ -75,6 +75,9 @@ spec: email: description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean externalAccountBinding: description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. type: object 
@@ -121,9 +124,6 @@ spec: name: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string - requestDuration: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean server: description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' type: string @@ -1104,6 +1104,9 @@ spec: email: description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean externalAccountBinding: description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. type: object 
@@ -1150,9 +1153,6 @@ spec: name: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string - requestDuration: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean server: description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' type: string @@ -2135,6 +2135,9 @@ spec: email: description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean externalAccountBinding: description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. type: object 
@@ -2181,9 +2184,6 @@ spec: name: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string - requestDuration: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean server: description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' type: string @@ -3166,6 +3166,9 @@ spec: email: description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean externalAccountBinding: description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. type: object 
@@ -3212,9 +3215,6 @@ spec: name: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string - requestDuration: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean server: description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' type: string diff --git a/pkg/apis/acme/v1/types_issuer.go b/pkg/apis/acme/v1/types_issuer.go index 612f581cf..d2b0e7bd4 100644 --- a/pkg/apis/acme/v1/types_issuer.go +++ b/pkg/apis/acme/v1/types_issuer.go @@ -100,7 +100,7 @@ type ACMEIssuer struct { // it it will create an error on the Order. // Defaults to false. // +optional - RequestDuration bool `json:"requestDuration,omitempty"` + EnableDurationFeature bool `json:"enableDurationFeature,omitempty"` } // ACMEExternalAccountBinding is a reference to a CA external account of the ACME diff --git a/pkg/apis/acme/v1alpha2/types_issuer.go b/pkg/apis/acme/v1alpha2/types_issuer.go index 4842afe14..af685a8e6 100644 --- a/pkg/apis/acme/v1alpha2/types_issuer.go +++ b/pkg/apis/acme/v1alpha2/types_issuer.go @@ -100,7 +100,7 @@ type ACMEIssuer struct { // it it will create an error on the Order. // Defaults to false. // +optional - RequestDuration bool `json:"requestDuration,omitempty"` + EnableDurationFeature bool `json:"enableDurationFeature,omitempty"` } // ACMEExternalAccountBinding is a reference to a CA external account of the ACME 
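Review bot: The doc comment on the renamed `EnableDurationFeature` field (the `// it it will create an error on the Order.` line and the sentence it belongs to, which controller-gen copies verbatim into every CRD description in this diff) reads awkwardly: "not supported by all ACME servers like Let's Encrypt" and the doubled "it it". Suggest replacing the comment body with `// EnableDurationFeature asks the ACME server for a certificate whose NotAfter matches the requested duration.` / `// Not all ACME servers support this (Let's Encrypt does not); if enabled against such a server the Order fails.` / `// Defaults to false.` Separately, this is the served v1 type and the JSON tag changes from `requestDuration` to `enableDurationFeature` with no conversion or deprecation alias, so any Issuer already stored with `requestDuration: true` has that field pruned by the structural schema and silently loses the feature; if `requestDuration` has shipped in a release this needs a release note, otherwise it is fine as a pre-release rename. The ACMEIssuer struct starts outside the hunk.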
diff --git a/pkg/apis/acme/v1alpha3/types_issuer.go b/pkg/apis/acme/v1alpha3/types_issuer.go index 2cf100cd1..1850cd8e2 100644 --- a/pkg/apis/acme/v1alpha3/types_issuer.go +++ b/pkg/apis/acme/v1alpha3/types_issuer.go @@ -100,7 +100,7 @@ type ACMEIssuer struct { // it it will create an error on the Order. // Defaults to false. // +optional - RequestDuration bool `json:"requestDuration,omitempty"` + EnableDurationFeature bool `json:"enableDurationFeature,omitempty"` } // ACMEExternalAccountBinding is a reference to a CA external account of the ACME diff --git a/pkg/apis/acme/v1beta1/types_issuer.go b/pkg/apis/acme/v1beta1/types_issuer.go index d0b661cc4..766a0dca4 100644 --- a/pkg/apis/acme/v1beta1/types_issuer.go +++ b/pkg/apis/acme/v1beta1/types_issuer.go @@ -100,7 +100,7 @@ type ACMEIssuer struct { // it it will create an error on the Order. // Defaults to false. // +optional - RequestDuration bool `json:"requestDuration,omitempty"` + EnableDurationFeature bool `json:"enableDurationFeature,omitempty"` } // ACMEExternalAccountBinding is a reference to a CA external account of the ACME diff --git a/pkg/controller/certificaterequests/acme/acme.go b/pkg/controller/certificaterequests/acme/acme.go index e8926d68f..fe437c9ed 100644 --- a/pkg/controller/certificaterequests/acme/acme.go +++ b/pkg/controller/certificaterequests/acme/acme.go @@ -105,7 +105,7 @@ func (a *ACME) Sign(ctx context.Context, cr *v1.CertificateRequest, issuer v1.Ge } // If we fail to build the order we have to hard fail. - expectedOrder, err := buildOrder(cr, csr, issuer) + expectedOrder, err := buildOrder(cr, csr, issuer.GetSpec().ACME.EnableDurationFeature) if err != nil { message := "Failed to build order" 
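Review bot: The new `buildOrder(cr, csr, issuer.GetSpec().ACME.EnableDurationFeature)` call dereferences the issuer's ACME block in Sign without checking it is non-nil; the removed line did the same inside buildOrder, so this is not a regression, and the signer presumably relies on the controller only dispatching ACME issuers here. Since the comment above it says a bad order must "hard fail", an explicit guard just before this line in whatever form the surrounding hard-fail path already uses, e.g. `if issuer.GetSpec().ACME == nil { /* report "issuer has no ACME configuration" as a terminal failure */ }`, would turn a mis-wired issuer into a reported failure instead of a nil-pointer panic in the controller. Sign starts and ends outside the hunk.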
@@ -199,7 +199,7 @@ func (a *ACME) Sign(ctx context.Context, cr *v1.CertificateRequest, issuer v1.Ge } // Build order. If we error here it is a terminating failure. -func buildOrder(cr *v1.CertificateRequest, csr *x509.CertificateRequest, issuer v1.GenericIssuer) (*cmacme.Order, error) { +func buildOrder(cr *v1.CertificateRequest, csr *x509.CertificateRequest, enableDurationFeature bool) (*cmacme.Order, error) { var ipAddresses []string for _, ip := range csr.IPAddresses { ipAddresses = append(ipAddresses, ip.String()) @@ -218,7 +218,7 @@ func buildOrder(cr *v1.CertificateRequest, csr *x509.CertificateRequest, issuer IPAddresses: ipAddresses, } - if issuer.GetSpec().ACME.RequestDuration { + if enableDurationFeature { spec.Duration = cr.Spec.Duration } diff --git a/pkg/controller/certificaterequests/acme/acme_test.go b/pkg/controller/certificaterequests/acme/acme_test.go index 706d60dc4..5886de25a 100644 --- a/pkg/controller/certificaterequests/acme/acme_test.go +++ b/pkg/controller/certificaterequests/acme/acme_test.go @@ -25,6 +25,7 @@ import ( "encoding/pem" "errors" "net" + "reflect" "testing" "time" @@ -37,6 +38,7 @@ import ( cmacme "github.com/jetstack/cert-manager/pkg/apis/acme/v1" "github.com/jetstack/cert-manager/pkg/apis/certmanager" cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" + v1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1" cmacmelisters "github.com/jetstack/cert-manager/pkg/client/listers/acme/v1" "github.com/jetstack/cert-manager/pkg/controller/certificaterequests" 
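Review bot: The new `enableDurationFeature bool` parameter is undocumented; the comment above the signature still reads only `// Build order. If we error here it is a terminating failure.` Suggest extending it to something like `// buildOrder builds the Order for cr's CSR. When enableDurationFeature is set, the CertificateRequest's requested duration is copied into the Order so the ACME server is asked for a matching notAfter. Failure here is terminating.` The function body continues outside the hunk.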
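Review bot: `spec.Duration = cr.Spec.Duration` propagates the pointer as-is, so with the flag on and a CertificateRequest that sets no duration the Order is created exactly as if the flag were off, and nothing signals that no notAfter will be requested. If that fallback is intended, a why-comment on the `if enableDurationFeature` line such as `// Only ask the ACME server for a matching notAfter when the issuer opts in; CRs without a duration fall back to the server default.` would save the next reader a trip to the CRD description. buildOrder starts and ends outside this hunk.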
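Review bot: The added import `v1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"` brings in the same package that is already imported two lines above as `cmapi`, so the test file now refers to one package under two aliases. The new Test_buildOrder can use `cmapi.CertificateRequest` instead and the extra import line can be dropped, which also keeps goimports and staticcheck quiet. The import block continues outside the hunk.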
@@ -148,12 +150,12 @@ func TestSign(t *testing.T) { t.Fatal(err) } ipBaseCR := gen.CertificateRequestFrom(baseCR, gen.SetCertificateRequestCSR(ipCSRPEM)) - ipBaseOrder, err := buildOrder(ipBaseCR, ipCSR, baseIssuer) + ipBaseOrder, err := buildOrder(ipBaseCR, ipCSR, baseIssuer.GetSpec().ACME.EnableDurationFeature) if err != nil { t.Fatalf("failed to build order during testing: %s", err) } - baseOrder, err := buildOrder(baseCR, csr, baseIssuer) + baseOrder, err := buildOrder(baseCR, csr, baseIssuer.GetSpec().ACME.EnableDurationFeature) if err != nil { t.Fatalf("failed to build order during testing: %s", err) } 
@@ -518,3 +520,77 @@ func runTest(t *testing.T, test testT) { test.builder.CheckAndFinish(err) } + +func Test_buildOrder(t *testing.T) { + sk, err := pki.GenerateRSAPrivateKey(2048) + if err != nil { + t.Fatal(err) + } + + csrPEM := generateCSR(t, sk, "example.com", "example.com") + csr, err := pki.DecodeX509CertificateRequestBytes(csrPEM) + if err != nil { + t.Fatal(err) + } + + cr := gen.CertificateRequest("test", gen.SetCertificateRequestDuration(&metav1.Duration{Duration: time.Hour}), gen.SetCertificateRequestCSR(csrPEM)) + type args struct { + cr *v1.CertificateRequest + csr *x509.CertificateRequest + enableDurationFeature bool + } + tests := []struct { + name string + args args + want *cmacme.Order + wantErr bool + }{ + { + name: "Normal building of order", + args: args{ + cr: cr, + csr: csr, + enableDurationFeature: false, + }, + want: &cmacme.Order{ + Spec: cmacme.OrderSpec{ + Request: csrPEM, + CommonName: "example.com", + DNSNames: []string{"example.com"}, + }, + }, + wantErr: false, + }, + { + name: "Building with enableDurationFeature", + args: args{ + cr: cr, + csr: csr, + enableDurationFeature: true, + }, + want: &cmacme.Order{ + Spec: cmacme.OrderSpec{ + Request: csrPEM, + CommonName: "example.com", + DNSNames: []string{"example.com"}, + Duration: &metav1.Duration{Duration: time.Hour}, + }, + }, + wantErr: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := buildOrder(tt.args.cr, tt.args.csr, tt.args.enableDurationFeature) + if (err != nil) != tt.wantErr { + t.Errorf("buildOrder() error = %v, wantErr %v", err, tt.wantErr) + return + } + + // for the current purpose we only test the spec + if !reflect.DeepEqual(got.Spec, tt.want.Spec) { + t.Errorf("buildOrder() got = %v, want %v", got.Spec, tt.want.Spec) + } + }) + } +} diff --git a/pkg/internal/apis/acme/types_issuer.go b/pkg/internal/apis/acme/types_issuer.go index a91c105ff..8bc16e437 100644 --- a/pkg/internal/apis/acme/types_issuer.go 
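Review bot: In Test_buildOrder the check `if (err != nil) != tt.wantErr { ...; return }` falls through to `reflect.DeepEqual(got.Spec, tt.want.Spec)` when a case expects an error, and `got` is nil on that path, so the first `wantErr: true` case anyone adds will panic instead of failing cleanly. Add `if tt.wantErr { return }` immediately after the error check, or guard the comparison with `got != nil`. The table also only exercises a CR that carries a duration; a case with `enableDurationFeature: true` and a nil `cr.Spec.Duration` would pin the behaviour of the flag when there is nothing to copy. The hunk also shows the tail of runTest, which starts outside it.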
+++ b/pkg/internal/apis/acme/types_issuer.go @@ -91,7 +91,7 @@ type ACMEIssuer struct { // like Let's Encrypt. If set to true when the ACME server does not support // it it will create an error on the Order. // Defaults to false. - RequestDuration bool `json:"requestDuration,omitempty"` + EnableDurationFeature bool `json:"enableDurationFeature,omitempty"` } // ACMEExternalAccountBinding is a reference to a CA external account of the ACME diff --git a/pkg/internal/apis/acme/v1/zz_generated.conversion.go b/pkg/internal/apis/acme/v1/zz_generated.conversion.go index f0140f353..7bec881bf 100644 --- a/pkg/internal/apis/acme/v1/zz_generated.conversion.go +++ b/pkg/internal/apis/acme/v1/zz_generated.conversion.go @@ -694,7 +694,7 @@ func autoConvert_v1_ACMEIssuer_To_acme_ACMEIssuer(in *v1.ACMEIssuer, out *acme.A } out.Solvers = *(*[]acme.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers)) out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration - out.RequestDuration = in.RequestDuration + out.EnableDurationFeature = in.EnableDurationFeature return nil } @@ -715,7 +715,7 @@ func autoConvert_acme_ACMEIssuer_To_v1_ACMEIssuer(in *acme.ACMEIssuer, out *v1.A } out.Solvers = *(*[]v1.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers)) out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration - out.RequestDuration = in.RequestDuration + out.EnableDurationFeature = in.EnableDurationFeature return nil } diff --git a/pkg/internal/apis/acme/v1alpha2/zz_generated.conversion.go b/pkg/internal/apis/acme/v1alpha2/zz_generated.conversion.go index f8df40945..de9913ecc 100644 --- a/pkg/internal/apis/acme/v1alpha2/zz_generated.conversion.go +++ b/pkg/internal/apis/acme/v1alpha2/zz_generated.conversion.go 
@@ -694,7 +694,7 @@ func autoConvert_v1alpha2_ACMEIssuer_To_acme_ACMEIssuer(in *v1alpha2.ACMEIssuer, } out.Solvers = *(*[]acme.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers)) out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration - out.RequestDuration = in.RequestDuration + out.EnableDurationFeature = in.EnableDurationFeature return nil } @@ -715,7 +715,7 @@ func autoConvert_acme_ACMEIssuer_To_v1alpha2_ACMEIssuer(in *acme.ACMEIssuer, out } out.Solvers = *(*[]v1alpha2.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers)) out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration - out.RequestDuration = in.RequestDuration + out.EnableDurationFeature = in.EnableDurationFeature return nil } diff --git a/pkg/internal/apis/acme/v1alpha3/zz_generated.conversion.go b/pkg/internal/apis/acme/v1alpha3/zz_generated.conversion.go index fe12ea712..e475ed92d 100644 --- a/pkg/internal/apis/acme/v1alpha3/zz_generated.conversion.go +++ b/pkg/internal/apis/acme/v1alpha3/zz_generated.conversion.go @@ -694,7 +694,7 @@ func autoConvert_v1alpha3_ACMEIssuer_To_acme_ACMEIssuer(in *v1alpha3.ACMEIssuer, } out.Solvers = *(*[]acme.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers)) out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration - out.RequestDuration = in.RequestDuration + out.EnableDurationFeature = in.EnableDurationFeature return nil } @@ -715,7 +715,7 @@ func autoConvert_acme_ACMEIssuer_To_v1alpha3_ACMEIssuer(in *acme.ACMEIssuer, out } out.Solvers = *(*[]v1alpha3.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers)) out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration - out.RequestDuration = in.RequestDuration + out.EnableDurationFeature = in.EnableDurationFeature return nil } diff --git a/pkg/internal/apis/acme/v1beta1/zz_generated.conversion.go b/pkg/internal/apis/acme/v1beta1/zz_generated.conversion.go index 6e3961c94..df80e914b 100644 --- a/pkg/internal/apis/acme/v1beta1/zz_generated.conversion.go 
+++ b/pkg/internal/apis/acme/v1beta1/zz_generated.conversion.go @@ -694,7 +694,7 @@ func autoConvert_v1beta1_ACMEIssuer_To_acme_ACMEIssuer(in *v1beta1.ACMEIssuer, o } out.Solvers = *(*[]acme.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers)) out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration - out.RequestDuration = in.RequestDuration + out.EnableDurationFeature = in.EnableDurationFeature return nil } @@ -715,7 +715,7 @@ func autoConvert_acme_ACMEIssuer_To_v1beta1_ACMEIssuer(in *acme.ACMEIssuer, out } out.Solvers = *(*[]v1beta1.ACMEChallengeSolver)(unsafe.Pointer(&in.Solvers)) out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration - out.RequestDuration = in.RequestDuration + out.EnableDurationFeature = in.EnableDurationFeature return nil } diff --git a/test/e2e/suite/issuers/acme/certificate/notafter.go b/test/e2e/suite/issuers/acme/certificate/notafter.go index fffe656b5..941c466e7 100644 --- a/test/e2e/suite/issuers/acme/certificate/notafter.go +++ b/test/e2e/suite/issuers/acme/certificate/notafter.go @@ -21,19 +21,20 @@ import ( "fmt" "time" - "github.com/jetstack/cert-manager/pkg/util/pki" + . "github.com/onsi/ginkgo" + . "github.com/onsi/gomega" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" cmacme "github.com/jetstack/cert-manager/pkg/apis/acme/v1" v1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1" + "github.com/jetstack/cert-manager/pkg/util/pki" "github.com/jetstack/cert-manager/test/e2e/framework" frameworkutil "github.com/jetstack/cert-manager/test/e2e/framework/util" "github.com/jetstack/cert-manager/test/e2e/util" "github.com/jetstack/cert-manager/test/unit/gen" - . "github.com/onsi/ginkgo" - . "github.com/onsi/gomega" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) var _ = framework.CertManagerDescribe("ACME Certificate (HTTP01 + Not After)", func() { 
@@ -50,8 +51,8 @@ var _ = framework.CertManagerDescribe("ACME Certificate (HTTP01 + Not After)", f BeforeEach(func() { acmeIssuer := util.NewCertManagerACMEIssuer(issuerName, f.Config.Addons.ACMEServer.URL, testingACMEEmail, testingACMEPrivateKey) - // Enable NotAfter feature - acmeIssuer.Spec.ACME.RequestDuration = true + // Enable Duration feature to set NotAfter + acmeIssuer.Spec.ACME.EnableDurationFeature = true acmeIssuer.Spec.ACME.Solvers = []cmacme.ACMEChallengeSolver{ { HTTP01: &cmacme.ACMEChallengeSolverHTTP01{ @@ -143,7 +144,8 @@ var _ = framework.CertManagerDescribe("ACME Certificate (HTTP01 + Not After)", f crt, err := pki.DecodeX509CertificateBytes(crtPEM) Expect(err).NotTo(HaveOccurred(), "failed to get decode signed certificate data") - // checking losely to tot hit too many timing issues as the date is defined in the controller + // checking loosely to not hit too many timing issues as the date is defined in the controller + // pebble issues a 5 year cert by default if crt.NotAfter.After(time.Now().Add(time.Hour)) { Fail(fmt.Sprintf("Certificate has a NotAfter time after more than 1 hour (requested duration), got %s, current time %s", crt.NotAfter.String(), time.Now().String())) }
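Review bot: The assertion only bounds NotAfter from above (`crt.NotAfter.After(time.Now().Add(time.Hour))`), so an already-expired certificate or one with a zero NotAfter would still pass the "requested duration honoured" check. A lower bound such as `if !crt.NotAfter.After(time.Now()) { Fail(fmt.Sprintf("Certificate NotAfter %s is not in the future", crt.NotAfter)) }` costs nothing and keeps the test meaningful against the 5-year default the new comment mentions. Whether pebble backdates NotBefore I cannot tell from here, so I would not assert on `NotAfter.Sub(NotBefore)` without checking first. The enclosing Ginkgo It block starts outside the hunk.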