Merge pull request #1006 from kinolaev/http01-ingress-class-annotation

Add certmanager.k8s.io/acme-http01-ingress-class annotation
2018-10-26 00:20:40 +01:00 · 2018-10-26 00:20:40 +01:00 · f0f8ca8646
commit f0f8ca8646
parent 7b35295f60 f2add649e7
3 changed files with 70 additions and 1 deletions
--- a/docs/reference/ingress-shim.rst
+++ b/docs/reference/ingress-shim.rst
@ -86,6 +86,14 @@ Certificate resources to be automatically created:
  cert-manager which DNS provider (as configured on the specified Issuer resource)
  should be used. This field is required if the challenge type is set to DNS01.

+* ``certmanager.k8s.io/acme-http01-ingress-class`` - if the ACME challenge type has
+  been set to http01, this annotation allows you to configure ingress class
+  that will be used to solve challenges for this ingress. Customising this is useful
+  when you are trying to secure internal services, and need to solve challenges
+  using different ingress class to that of the ingress. If not specified and
+  the 'acme-http01-edit-in-place' annotation is not set, this defaults to the ingress
+  class of the ingress resource.
+
 * ``kubernetes.io/tls-acme: "true"`` - this annotation requires additional
  configuration of the ingress-shim (see above). Namely, a default issuer must be
  specified as arguments to the ingress-shim container.
--- a/pkg/controller/ingress-shim/sync.go
+++ b/pkg/controller/ingress-shim/sync.go
@ -54,6 +54,9 @@ const (
 	// acmeIssuerDNS01ProviderNameAnnotation can be used to override the default dns01 provider
 	// configured on the issuer if the challenge type is set to dns01
 	acmeIssuerDNS01ProviderNameAnnotation = "certmanager.k8s.io/acme-dns01-provider"
+	// acmeIssuerHTTP01IngressClassAnnotation can be used to override the http01 ingressClass
+	// if the challenge type is set to http01
+	acmeIssuerHTTP01IngressClassAnnotation = "certmanager.k8s.io/acme-http01-ingress-class"

 	ingressClassAnnotation = class.IngressKey
 )
@ -229,9 +232,14 @@ func (c *Controller) setIssuerSpecificConfig(crt *v1alpha1.Certificate, issuer v
 			if ok && editInPlace == "true" {
 				domainCfg.HTTP01.Ingress = ing.Name
 			} else {
-				ingressClass, ok := ingAnnotations[ingressClassAnnotation]
+				ingressClass, ok := ingAnnotations[acmeIssuerHTTP01IngressClassAnnotation]
 				if ok {
 					domainCfg.HTTP01.IngressClass = &ingressClass
+				} else {
+					ingressClass, ok := ingAnnotations[ingressClassAnnotation]
+					if ok {
+						domainCfg.HTTP01.IngressClass = &ingressClass
+					}
 				}
 			}
 		case "dns01":
--- a/pkg/controller/ingress-shim/sync_test.go
+++ b/pkg/controller/ingress-shim/sync_test.go
@ -245,6 +245,59 @@ func TestBuildCertificates(t *testing.T) {
 				},
 			},
 		},
+		{
+			Name: "return a single HTTP01 Certificate for an ingress with a single valid TLS entry and HTTP01 annotations with a certificate ingress class",
+			Ingress: &extv1beta1.Ingress{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "ingress-name",
+					Namespace: "ingress-namespace",
+					Annotations: map[string]string{
+						clusterIssuerNameAnnotation:            "issuer-name",
+						acmeIssuerChallengeTypeAnnotation:      "http01",
+						acmeIssuerHTTP01IngressClassAnnotation: "cert-ing",
+						ingressClassAnnotation:                 "nginx-ing",
+					},
+				},
+				Spec: extv1beta1.IngressSpec{
+					TLS: []extv1beta1.IngressTLS{
+						{
+							Hosts:      []string{"example.com", "www.example.com"},
+							SecretName: "example-com-tls",
+						},
+					},
+				},
+			},
+			ClusterIssuerLister: []*v1alpha1.ClusterIssuer{buildACMEClusterIssuer("issuer-name")},
+			ExpectedCreate: []*v1alpha1.Certificate{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:            "example-com-tls",
+						Namespace:       "ingress-namespace",
+						OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(buildIngress("ingress-name", "ingress-namespace", nil), ingressGVK)},
+					},
+					Spec: v1alpha1.CertificateSpec{
+						DNSNames:   []string{"example.com", "www.example.com"},
+						SecretName: "example-com-tls",
+						IssuerRef: v1alpha1.ObjectReference{
+							Name: "issuer-name",
+							Kind: "ClusterIssuer",
+						},
+						ACME: &v1alpha1.ACMECertificateConfig{
+							Config: []v1alpha1.DomainSolverConfig{
+								{
+									Domains: []string{"example.com", "www.example.com"},
+									SolverConfig: v1alpha1.SolverConfig{
+										HTTP01: &v1alpha1.HTTP01SolverConfig{
+											IngressClass: strPtr("cert-ing"),
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
 		{
 			Name: "edit-in-place set to false should not trigger editing the ingress in-place",
 			Ingress: &extv1beta1.Ingress{