Support Certificates referencing ClusterIssuers

2017-09-22 01:37:41 +01:00 · 2017-09-22 01:37:41 +01:00 · dc608f709d
commit dc608f709d
parent 852e250a69
4 changed files with 42 additions and 6 deletions
--- a/pkg/apis/certmanager/v1alpha1/helpers.go
+++ b/pkg/apis/certmanager/v1alpha1/helpers.go
@ -96,6 +96,18 @@ func (iss *Issuer) UpdateStatusCondition(conditionType IssuerConditionType, stat
 	}
 }

+func (iss *ClusterIssuer) HasCondition(condition IssuerCondition) bool {
+	if len(iss.Status.Conditions) == 0 {
+		return false
+	}
+	for _, cond := range iss.Status.Conditions {
+		if condition.Type == cond.Type && condition.Status == cond.Status {
+			return true
+		}
+	}
+	return false
+}
+
 func (iss *ClusterIssuer) UpdateStatusCondition(conditionType IssuerConditionType, status ConditionStatus, reason, message string) {
 	newCondition := IssuerCondition{
 		Type:    conditionType,
@ -176,6 +188,7 @@ type GenericIssuer interface {
 	GetSpec() *IssuerSpec
 	GetStatus() *IssuerStatus
 	UpdateStatusCondition(conditionType IssuerConditionType, status ConditionStatus, reason, message string)
+	HasCondition(condition IssuerCondition) bool
 	Copy() GenericIssuer
 }

--- a/pkg/controller/certificates/sync.go
+++ b/pkg/controller/certificates/sync.go
@ -63,7 +63,7 @@ const (

 func (c *Controller) Sync(ctx context.Context, crt *v1alpha1.Certificate) (err error) {
 	// step zero: check if the referenced issuer exists and is ready
-	issuerObj, err := c.issuerLister.Issuers(crt.Namespace).Get(crt.Spec.IssuerRef.Name)
+	issuerObj, err := c.getGenericIssuer(crt)

 	if err != nil {
 		s := fmt.Sprintf(messageIssuerNotFound, err.Error())
@ -78,7 +78,7 @@ func (c *Controller) Sync(ctx context.Context, crt *v1alpha1.Certificate) (err e
 	})

 	if !issuerReady {
-		s := fmt.Sprintf(messageIssuerNotReady, issuerObj.Name)
+		s := fmt.Sprintf(messageIssuerNotReady, issuerObj.GetObjectMeta().Name)
 		glog.Info(s)
 		c.recorder.Event(crt, api.EventTypeWarning, errorIssuerNotReady, s)
 		return fmt.Errorf(s)
@ -139,6 +139,17 @@ func (c *Controller) Sync(ctx context.Context, crt *v1alpha1.Certificate) (err e
 	return nil
 }

+func (c *Controller) getGenericIssuer(crt *v1alpha1.Certificate) (v1alpha1.GenericIssuer, error) {
+	switch {
+	case crt.Spec.IssuerRef.Namespace == nil:
+		return c.issuerLister.Issuers(crt.Namespace).Get(crt.Spec.IssuerRef.Name)
+	case *crt.Spec.IssuerRef.Namespace == api.NamespaceAll:
+		return c.clusterIssuerLister.Get(crt.Spec.IssuerRef.Name)
+	default:
+		return nil, fmt.Errorf(`invalid value '%s' for certificate issuer namespace. Must be nil or ""`, *crt.Spec.IssuerRef.Namespace)
+	}
+}
+
 func needsRenew(cert *x509.Certificate) bool {
 	durationUntilExpiry := cert.NotAfter.Sub(time.Now())
 	renewIn := durationUntilExpiry - renewBefore
--- a/pkg/issuer/acme/acme.go
+++ b/pkg/issuer/acme/acme.go
@ -88,9 +88,13 @@ func (a *Acme) solverFor(challengeType string) (solver, error) {
 // Register this Issuer with the issuer factory
 func init() {
 	issuer.Register(issuer.IssuerACME, func(i v1alpha1.GenericIssuer, ctx *issuer.Context) (issuer.Interface, error) {
+		// We do this little dance because of the way our SharedInformerFactory is
+		// written. It'd be great if this weren't necessary.
 		resourceNamespace := i.GetObjectMeta().Namespace
+		informerNS := ctx.Namespace
 		if resourceNamespace == "" {
 			resourceNamespace = ctx.ClusterResourceNamespace
+			informerNS = ctx.ClusterResourceNamespace
 		}
 		return New(
 			i,
@ -99,9 +103,9 @@ func init() {
 			ctx.Recorder,
 			resourceNamespace,
 			ctx.SharedInformerFactory.InformerFor(
-				ctx.Namespace,
+				informerNS,
 				metav1.GroupVersionKind{Version: "v1", Kind: "Secret"},
-				coreinformers.NewSecretInformer(ctx.Client, ctx.Namespace, time.Second*30, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc})),
+				coreinformers.NewSecretInformer(ctx.Client, resourceNamespace, time.Second*30, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc})),
 		)
 	})
 }
--- a/pkg/issuer/ca/ca.go
+++ b/pkg/issuer/ca/ca.go
@ -47,15 +47,23 @@ const (

 func init() {
 	issuer.Register(ControllerName, func(issuer v1alpha1.GenericIssuer, ctx *issuer.Context) (issuer.Interface, error) {
+		// We do this little dance because of the way our SharedInformerFactory is
+		// written. It'd be great if this weren't necessary.
+		resourceNamespace := issuer.GetObjectMeta().Namespace
+		informerNS := ctx.Namespace
+		if resourceNamespace == "" {
+			resourceNamespace = ctx.ClusterResourceNamespace
+			informerNS = ctx.ClusterResourceNamespace
+		}
 		return NewCA(
 			issuer,
 			ctx.Client,
 			ctx.CMClient,
 			ctx.Recorder,
 			ctx.SharedInformerFactory.InformerFor(
-				ctx.Namespace,
+				informerNS,
 				metav1.GroupVersionKind{Version: "v1", Kind: "Secret"},
-				coreinformers.NewSecretInformer(ctx.Client, ctx.Namespace, time.Second*30, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc})),
+				coreinformers.NewSecretInformer(ctx.Client, resourceNamespace, time.Second*30, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc})),
 		)
 	})
 }