diff --git a/README.md b/README.md
index 1d03ded..42d6d97 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,11 @@ A [cert-manager](https://cert-manager.io) external issuer to be used with [FreeI
 - kubernetes
 - cert-manager **1.0+**
 - [kustomize](https://github.com/kubernetes-sigs/kustomize)
+<<<<<<< HEAD
 - optional: Kubernetes worker nodes adopted into FreeIPA domain (for use with self signed certificate)
+=======
+- Kubernetes worker nodes adopted into FreeIPA domain (for use with self signed certificate)
+>>>>>>> a179b56acb7b66fcf662597e8313bbc5c6d38128
 
 ## Install
 
diff --git a/controllers/certificaterequest.go b/controllers/certificaterequest.go
index 219b1d8..5de99f1 100644
--- a/controllers/certificaterequest.go
+++ b/controllers/certificaterequest.go
@@ -121,7 +121,6 @@ func (r *CertificateRequestReconciler) Reconcile(ctx context.Context, req reconc
 	log.Info("validation ok")
 
 	var issNamespaceName types.NamespacedName
-
 	if cr.Spec.IssuerRef.Kind == "Issuer" {
 		iss := api.Issuer{}
 		issNamespaceName = types.NamespacedName{
@@ -145,12 +144,11 @@ func (r *CertificateRequestReconciler) Reconcile(ctx context.Context, req reconc
 		}
 	} else if cr.Spec.IssuerRef.Kind == "ClusterIssuer" {
 		issNamespaceName = types.NamespacedName{
-			Namespace: "",
 			Name: cr.Spec.IssuerRef.Name,
 		}
 	}
-
 	log.WithValues("issuer", issNamespaceName).Info("process")
+	log.WithValues("issuer", issNamespaceName).WithValues("issuerRef", cr.Spec.IssuerRef).Info("process")
 
 	// Load the provisioner that will sign the CertificateRequest
 	p, ok := provisioners.Load(issNamespaceName)
diff --git a/controllers/clusterissuer_controller.go b/controllers/clusterissuer_controller.go
index be7cae4..36dc1c6 100644
--- a/controllers/clusterissuer_controller.go
+++ b/controllers/clusterissuer_controller.go
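Review bot: The README hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> a179b56…`), so the rendered page now shows both variants of the bullet plus the three marker lines. Keep one version of the requirement — the two bullets differ only in whether FreeIPA-joined worker nodes are optional — and delete the marker lines. The other hunks in this diff do not show the same pattern, but the rest of the merge is worth a scan for it before this lands.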
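Review bot: The new `log.WithValues("issuer", issNamespaceName).WithValues("issuerRef", cr.Spec.IssuerRef).Info("process")` line is added after the existing `log.WithValues("issuer", issNamespaceName).Info("process")` rather than replacing it — the hunk counts (`-145,12 +144,11`) only balance if the `-` before it removes a blank line and the old call stays as context — so, if I read the collapsed hunk correctly, every reconcile now logs "process" twice. Drop the old line, or fold the extra field into it as `log.WithValues("issuer", issNamespaceName, "issuerRef", cr.Spec.IssuerRef).Info("process")`, since `WithValues` takes variadic key/value pairs. The removal of `Namespace: ""` is a no-op (zero value) and fine. Reconcile starts and ends outside the hunk.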
@@ -72,6 +72,8 @@ func (r *ClusterIssuerReconciler) Reconcile(ctx context.Context, req reconcile.R
 	}
 
 	provisioners.Store(req.NamespacedName, p)
+	msg := fmt.Sprintf("Successfully stored cluster issuer as provisioner with name %s" , req.NamespacedName)
+	log.Info(msg)
 
 	return reconcile.Result{}, r.setStatus(ctx, iss, api.ConditionTrue, "Verified", "ClusterIssuer verified and ready to sign certificates")
 }
diff --git a/go.mod b/go.mod
index 99c6a54..05230a6 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/jetstack/cert-manager v1.3.1
 	github.com/onsi/ginkgo v1.14.1
 	github.com/onsi/gomega v1.10.2
-	github.com/tehwalris/go-freeipa v0.0.0-20200322083409-e462fc554b76
+	github.com/stefanabl/go-freeipa v0.0.0-20210412144615-15b9e9ae4429
 	k8s.io/api v0.19.2
 	k8s.io/apimachinery v0.19.2
 	k8s.io/client-go v0.19.2
diff --git a/go.sum b/go.sum
index 47dc8dd..e464b0c 100644
--- a/go.sum
+++ b/go.sum
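Review bot: `msg := fmt.Sprintf("Successfully stored cluster issuer as provisioner with name %s" , req.NamespacedName)` followed by `log.Info(msg)` bakes the name into the message string instead of passing it as a field, although the `log.WithValues(...)` calls in controllers/certificaterequest.go show the controllers use a key/value logger; prefer `log.Info("stored cluster issuer as provisioner", "name", req.NamespacedName)` so the name stays a queryable field and the temporary is gone. The space before the comma is not gofmt-clean. The new call also needs `fmt` imported in this file, and the import block is outside the hunk, so I cannot confirm it is. Reconcile's body starts outside the hunk.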
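Review bot: Replacing `github.com/tehwalris/go-freeipa` with the fork `github.com/stefanabl/go-freeipa` by rewriting the module path changes which repository and maintainer the build trusts for the FreeIPA client, and the commit description does not say what the fork provides (presumably the `SkipHostCheck` argument used in provisionners/freeipa.go). If the fork keeps the upstream module path, a `replace github.com/tehwalris/go-freeipa => github.com/stefanabl/go-freeipa v0.0.0-20210412144615-15b9e9ae4429` directive keeps the import paths stable and makes the substitution visible in one place; either way the reason belongs in the commit message. The go.sum hunk also adds entries for `stefanabl/go-freeipa v0.0.0-20200322083409-e462fc554b76`, a version go.mod does not require, which `go mod tidy` would drop.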
@@ -478,6 +478,10 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
 github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
 github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
+github.com/stefanabl/go-freeipa v0.0.0-20200322083409-e462fc554b76 h1:tKOofL0RSBS6nwWXTChvL3BFXRgJ8bkgEkVb/o6YDTc=
+github.com/stefanabl/go-freeipa v0.0.0-20200322083409-e462fc554b76/go.mod h1:lW/f994IOdHNZi8qOhMEFI/rHUf5lQknpDMegsOz588=
+github.com/stefanabl/go-freeipa v0.0.0-20210412144615-15b9e9ae4429 h1:UE5CFDuAVZpkYogjkr+4aHIXRhda+ayMUOjnWSus1SA=
+github.com/stefanabl/go-freeipa v0.0.0-20210412144615-15b9e9ae4429/go.mod h1:lW/f994IOdHNZi8qOhMEFI/rHUf5lQknpDMegsOz588=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
diff --git a/provisionners/freeipa.go b/provisionners/freeipa.go
index 8e69b0b..49e3d64 100644
--- a/provisionners/freeipa.go
+++ b/provisionners/freeipa.go
@@ -11,7 +11,7 @@ import (
 	api "github.com/guilhem/freeipa-issuer/api/v1beta1"
 	certmanager "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
 	"github.com/jetstack/cert-manager/pkg/util/pki"
-	"github.com/tehwalris/go-freeipa/freeipa"
+	"github.com/stefanabl/go-freeipa/freeipa"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
@@ -51,6 +51,7 @@ func New(namespacedName types.NamespacedName, spec *api.IssuerSpec, user, passwo
 
 // Load returns a provisioner by NamespacedName.
 func Load(namespacedName types.NamespacedName) (*FreeIPAPKI, bool) {
+	fmt.Printf("Attempting to load privisioner with name %s", namespacedName)
 	v, ok := collection.Load(namespacedName)
 	if !ok {
 		return nil, ok
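Review bot: `fmt.Printf("Attempting to load privisioner with name %s", namespacedName)` writes unstructured text straight to stdout, with no trailing newline, from a library package that already imports `sigs.k8s.io/controller-runtime/pkg/log` (visible in the import hunk above); use that logger, e.g. `log.Log.Info("loading provisioner", "name", namespacedName)`, or remove the line if it was only a debugging aid. "privisioner" is also misspelled. The `fmt.Printf("Stored provisioner with name %s", namespacedName)` added to Store in the next hunk has the same issue. Load's body continues outside the hunk.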
@@ -61,6 +62,7 @@ func Load(namespacedName types.NamespacedName) (*FreeIPAPKI, bool) {
 
 // Store adds a new provisioner to the collection by NamespacedName.
 func Store(namespacedName types.NamespacedName, provisioner *FreeIPAPKI) {
+	fmt.Printf("Stored provisioner with name %s", namespacedName)
 	collection.Store(namespacedName, provisioner)
 }
 
@@ -114,10 +116,19 @@ func (s *FreeIPAPKI) Sign(ctx context.Context, cr *certmanager.CertificateReques
 	if err != nil {
 		if !s.spec.IgnoreError {
-			return nil, nil, fmt.Errorf("fail listing services: %v", err)
+			//return nil, nil, fmt.Errorf("fail listing services: %v", err)
 		}
 	} else if svcList.Count == 0 {
-		if _, err := s.client.ServiceAdd(&freeipa.ServiceAddArgs{Krbcanonicalname: name}, &freeipa.ServiceAddOptionalArgs{Force: freeipa.Bool(true)}); err != nil && !s.spec.IgnoreError {
+		optionalArgs := &freeipa.ServiceAddOptionalArgs{Force: freeipa.Bool(true)}
+		//if a host with the same FQDN does not exist the service cannot be created without the skipHostCheck flag set
+		if !s.spec.AddHost {
+			optionalArgs = &freeipa.ServiceAddOptionalArgs{
+				Force:         freeipa.Bool(true),
+				SkipHostCheck: freeipa.Bool(true),
+			}
+		}
+
+		if _, err := s.client.ServiceAdd(&freeipa.ServiceAddArgs{Krbcanonicalname: name}, optionalArgs); err != nil && !s.spec.IgnoreError {
 			return nil, nil, fmt.Errorf("fail adding service: %v", err)
 		}
 	}
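Review bot: Commenting out `return nil, nil, fmt.Errorf("fail listing services: %v", err)` leaves `if !s.spec.IgnoreError { }` empty, so a failure of the service lookup just above the hunk is now swallowed even when IgnoreError is false, and Sign presumably proceeds to the signing request further down without having verified or created the service; that makes the IgnoreError switch meaningless for this step and turns an IPA lookup error into a silent path toward a signed certificate. Either restore the return, or if tolerating the lookup failure is intended, log the error and say so in a comment instead of leaving dead code. The new `SkipHostCheck` branch also deserves a note on the `AddHost` field of IssuerSpec (outside this diff): with AddHost unset the service is created for a host FreeIPA does not know, which is precisely the check the flag bypasses, so the field doc should state that the CSR's hostname is then accepted without a host record. Sign's body continues outside the hunk, and the hunk counts (`-114,10 +116,19`) suggest one trailing context line is not shown here.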