-
Notifications
You must be signed in to change notification settings - Fork 2k
/
checks.go
122 lines (106 loc) · 4.07 KB
/
checks.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
/*
Copyright 2022 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package selfsigned
import (
"fmt"
"github.com/go-logr/logr"
corev1 "k8s.io/api/core/v1"
k8sErrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/client-go/util/workqueue"
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
cmdoc "github.com/cert-manager/cert-manager/pkg/apis/certmanager"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
clientv1 "github.com/cert-manager/cert-manager/pkg/client/listers/certmanager/v1"
controllerpkg "github.com/cert-manager/cert-manager/pkg/controller"
"github.com/cert-manager/cert-manager/pkg/issuer"
logf "github.com/cert-manager/cert-manager/pkg/logs"
)
// handleSecretReferenceWorkFunc is a function that returns am informer event
// handler work function, which is used to sync CertificateRequests that
// reference the synced Secret through the
// "cert-manager.io/private-key-secret-name" annotation.
func handleSecretReferenceWorkFunc(log logr.Logger,
lister clientv1.CertificateRequestLister,
helper issuer.Helper,
queue workqueue.RateLimitingInterface,
) func(obj any) {
return func(obj any) {
log := log.WithName("handleSecretReference")
secret, ok := controllerpkg.ToSecret(obj)
if !ok {
log.Error(nil, "object is not a secret", "object", obj)
return
}
log = logf.WithResource(log, secret)
requests, err := certificateRequestsForSecret(log, lister, helper, secret)
if err != nil {
log.Error(err, "failed to determine affected certificate requests")
return
}
for _, request := range requests {
log := logf.WithRelatedResource(log, request)
key, err := controllerpkg.KeyFunc(request)
if err != nil {
log.Error(err, "error computing key for resource")
continue
}
queue.Add(key)
}
}
}
// certificateRequestsForSecret returns a list of CertificateRequests in the
// same Namespace as the given Secret, reference the given Secret via the
// "cert-manager.io/private-key-secret-name" annotation, and the request
// targets a SelfSigned Issuer or Cluster Issuer.
func certificateRequestsForSecret(log logr.Logger,
lister clientv1.CertificateRequestLister,
helper issuer.Helper,
secret *corev1.Secret,
) ([]*cmapi.CertificateRequest, error) {
dbg := log.V(logf.DebugLevel)
requests, err := lister.CertificateRequests(secret.Namespace).List(labels.Everything())
if err != nil {
return nil, fmt.Errorf("failed to list certificate requests: %w", err)
}
dbg.Info("checking if self signed certificate requests reference secret")
var affected []*cmapi.CertificateRequest
for _, request := range requests {
if request.Spec.IssuerRef.Group != cmdoc.GroupName {
dbg.Info("skipping SelfSigned secret reference checks since issuer has external group", "group", request.Spec.IssuerRef.Group)
continue
}
issuerObj, err := helper.GetGenericIssuer(request.Spec.IssuerRef, request.Namespace)
if k8sErrors.IsNotFound(err) {
dbg.Info("issuer not found, skipping")
continue
}
if err != nil {
log.Error(err, "failed to get issuer")
return nil, err
}
dbg = logf.WithRelatedResource(dbg, issuerObj)
dbg.Info("ensuring issuer type matches this controller")
issuerType, err := apiutil.NameForIssuer(issuerObj)
if err != nil {
dbg.Error(err, "failed to determine issuer type, skipping")
continue
}
if issuerType == apiutil.IssuerSelfSigned &&
request.GetAnnotations()[cmapi.CertificateRequestPrivateKeyAnnotationKey] == secret.Name {
dbg.Info("certificate request references secret, syncing")
affected = append(affected, request)
}
}
return affected, nil
}