From f2add649e7d455f9f67081786bf7f26e3d3a958a Mon Sep 17 00:00:00 2001
From: Sergej Nikolaev
Date: Thu, 25 Oct 2018 18:45:24 +0300
Subject: [PATCH] add certmanager.k8s.io/acme-http01-ingress-class annotation
Signed-off-by: Sergej Nikolaev
---
 docs/reference/ingress-shim.rst | 8 ++++
 pkg/controller/ingress-shim/sync.go | 10 ++++-
 pkg/controller/ingress-shim/sync_test.go | 53 ++++++++++++++++++++++++
 3 files changed, 70 insertions(+), 1 deletion(-)
diff --git a/docs/reference/ingress-shim.rst b/docs/reference/ingress-shim.rst
index eef29a188..11551d284 100644
--- a/docs/reference/ingress-shim.rst
+++ b/docs/reference/ingress-shim.rst
@@ -86,6 +86,14 @@ Certificate resources to be automatically created:
 cert-manager which DNS provider (as configured on the specified Issuer resource) should be used. This field is required if the challenge type is set to DNS01.
+* ``certmanager.k8s.io/acme-http01-ingress-class`` - if the ACME challenge type has
+ been set to http01, this annotation allows you to configure ingress class
+ that will be used to solve challenges for this ingress. Customising this is useful
+ when you are trying to secure internal services, and need to solve challenges
+ using different ingress class to that of the ingress. If not specified and
+ the 'acme-http01-edit-in-place' annotation is not set, this defaults to the ingress
+ class of the ingress resource.
+
 * ``kubernetes.io/tls-acme: "true"`` - this annotation requires additional configuration of the ingress-shim (see above). Namely, a default issuer must be specified as arguments to the ingress-shim container.
diff --git a/pkg/controller/ingress-shim/sync.go b/pkg/controller/ingress-shim/sync.go
index ea4df67c6..6996e8930 100644
--- a/pkg/controller/ingress-shim/sync.go
+++ b/pkg/controller/ingress-shim/sync.go
@@ -54,6 +54,9 @@ const (
 // acmeIssuerDNS01ProviderNameAnnotation can be used to override the default dns01 provider
 // configured on the issuer if the challenge type is set to dns01
 acmeIssuerDNS01ProviderNameAnnotation = "certmanager.k8s.io/acme-dns01-provider"
+ // acmeIssuerHTTP01IngressClassAnnotation can be used to override the http01 ingressClass
+ // if the challenge type is set to http01
+ acmeIssuerHTTP01IngressClassAnnotation = "certmanager.k8s.io/acme-http01-ingress-class"
 ingressClassAnnotation = class.IngressKey
 )
@@ -229,9 +232,14 @@ func (c *Controller) setIssuerSpecificConfig(crt *v1alpha1.Certificate, issuer v
 if ok && editInPlace == "true" {
 domainCfg.HTTP01.Ingress = ing.Name
 } else {
- ingressClass, ok := ingAnnotations[ingressClassAnnotation]
+ ingressClass, ok := ingAnnotations[acmeIssuerHTTP01IngressClassAnnotation]
 if ok {
 domainCfg.HTTP01.IngressClass = &ingressClass
+ } else {
+ ingressClass, ok := ingAnnotations[ingressClassAnnotation]
+ if ok {
+ domainCfg.HTTP01.IngressClass = &ingressClass
+ }
 }
 }
 case "dns01":
diff --git a/pkg/controller/ingress-shim/sync_test.go b/pkg/controller/ingress-shim/sync_test.go
index f9d8130c6..37543d8f5 100644
--- a/pkg/controller/ingress-shim/sync_test.go
+++ b/pkg/controller/ingress-shim/sync_test.go
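Review bot: An empty value for the new annotation (`certmanager.k8s.io/acme-http01-ingress-class: ""`) makes `ok` true on the first lookup, so `IngressClass` becomes a pointer to `""` and the fallback to `kubernetes.io/ingress.class` that the docs hunk promises is never reached; treating an empty value as unset keeps the documented precedence. The nested `ingressClass, ok :=` in the inner `else` also redeclares both names in a fresh scope — legal, but the shadowing shape linters flag, and a flat lookup chain is easier to audit given this value is read straight from a namespace author's Ingress annotations and decides which ingress controller will serve the HTTP01 solver ingress (nothing in this hunk validates it against any allowed set, which is presumably acceptable since that is the documented purpose, but worth a comment). Note the rewrite below also ignores an empty `kubernetes.io/ingress.class`, which the pre-existing code accepted; drop that half of the second condition if that change is unwanted. `setIssuerSpecificConfig` starts and ends outside the hunk.
```go
		} else {
			// Solver ingress class: the explicit override annotation wins,
			// otherwise the ingress's own class. The value is taken verbatim
			// from the Ingress object (namespace-author controlled) and is
			// not validated here; an empty value counts as unset.
			ingressClass, ok := ingAnnotations[acmeIssuerHTTP01IngressClassAnnotation]
			if !ok || ingressClass == "" {
				ingressClass, ok = ingAnnotations[ingressClassAnnotation]
			}
			if ok && ingressClass != "" {
				domainCfg.HTTP01.IngressClass = &ingressClass
			}
		}
```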
@@ -245,6 +245,59 @@ func TestBuildCertificates(t *testing.T) {
 },
 },
 },
+ {
+ Name: "return a single HTTP01 Certificate for an ingress with a single valid TLS entry and HTTP01 annotations with a certificate ingress class",
+ Ingress: &extv1beta1.Ingress{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "ingress-name",
+ Namespace: "ingress-namespace",
+ Annotations: map[string]string{
+ clusterIssuerNameAnnotation: "issuer-name",
+ acmeIssuerChallengeTypeAnnotation: "http01",
+ acmeIssuerHTTP01IngressClassAnnotation: "cert-ing",
+ ingressClassAnnotation: "nginx-ing",
+ },
+ },
+ Spec: extv1beta1.IngressSpec{
+ TLS: []extv1beta1.IngressTLS{
+ {
+ Hosts: []string{"example.com", "www.example.com"},
+ SecretName: "example-com-tls",
+ },
+ },
+ },
+ },
+ ClusterIssuerLister: []*v1alpha1.ClusterIssuer{buildACMEClusterIssuer("issuer-name")},
+ ExpectedCreate: []*v1alpha1.Certificate{
+ {
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "example-com-tls",
+ Namespace: "ingress-namespace",
+ OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(buildIngress("ingress-name", "ingress-namespace", nil), ingressGVK)},
+ },
+ Spec: v1alpha1.CertificateSpec{
+ DNSNames: []string{"example.com", "www.example.com"},
+ SecretName: "example-com-tls",
+ IssuerRef: v1alpha1.ObjectReference{
+ Name: "issuer-name",
+ Kind: "ClusterIssuer",
+ },
+ ACME: &v1alpha1.ACMECertificateConfig{
+ Config: []v1alpha1.DomainSolverConfig{
+ {
+ Domains: []string{"example.com", "www.example.com"},
+ SolverConfig: v1alpha1.SolverConfig{
+ HTTP01: &v1alpha1.HTTP01SolverConfig{
+ IngressClass: strPtr("cert-ing"),
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
 {
 Name: "edit-in-place set to false should not trigger editing the ingress in-place",
 Ingress: &extv1beta1.Ingress{
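Review bot: The added case only exercises the precedence path where both `acmeIssuerHTTP01IngressClassAnnotation` and `ingressClassAnnotation` are present, so nothing here pins the two paths the new `else` branch in sync.go introduces: the override annotation set with `kubernetes.io/ingress.class` absent, and the override set to an empty string (which, as written, yields `IngressClass: strPtr("")` rather than the fallback). A second case with only `acmeIssuerHTTP01IngressClassAnnotation: "cert-ing"` in `Annotations` and the same `ExpectedCreate` would cover the first; an empty-string case would document whichever behaviour is intended. `TestBuildCertificates` starts and ends outside the hunk.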