Merge pull request #1934 from JoshVanL/cr-vault

Vault CertificateRequest controller

BUILD.bazel

@@ -52,6 +52,7 @@ filegroup(
         "//pkg/client/listers/certmanager/v1alpha1:all-srcs",
         "//pkg/controller:all-srcs",
         "//pkg/feature:all-srcs",
+        "//pkg/internal:all-srcs",
         "//pkg/issuer:all-srcs",
         "//pkg/logs:all-srcs",
         "//pkg/metrics:all-srcs",

WORKSPACE

@@ -78,17 +78,26 @@ container_pull(
 )
 
 # Load and define targets defined in //hack/bin
-load("//hack/bin:deps.bzl", install_hack_bin = "install")
+load(
+    "//hack/bin:deps.bzl",
+    install_hack_bin = "install",
+)
 
 install_hack_bin()
 
 # Load and define targets defined in //hack/bin
-load("//test/e2e:images.bzl", install_e2e_images = "install")
+load(
+    "//test/e2e:images.bzl",
+    install_e2e_images = "install",
+)
 
 install_e2e_images()
 
 # Load and define targets used for reference doc generation
-load("//docs/generated/reference:deps.bzl", install_docs_dependencies = "install")
+load(
+    "//docs/generated/reference:deps.bzl",
+    install_docs_dependencies = "install",
+)
 
 install_docs_dependencies()
 

cmd/controller/app/BUILD.bazel

@@ -13,6 +13,7 @@ go_library(
         "//pkg/controller:go_default_library",
         "//pkg/controller/certificaterequests/ca:go_default_library",
         "//pkg/controller/certificaterequests/selfsigned:go_default_library",
+        "//pkg/controller/certificaterequests/vault:go_default_library",
         "//pkg/controller/certificates:go_default_library",
         "//pkg/controller/clusterissuers:go_default_library",
         "//pkg/feature:go_default_library",

cmd/controller/app/controller.go

@@ -44,6 +44,7 @@ import (
 	"github.com/jetstack/cert-manager/pkg/controller"
 	crcacontroller "github.com/jetstack/cert-manager/pkg/controller/certificaterequests/ca"
 	crselfsignedcontroller "github.com/jetstack/cert-manager/pkg/controller/certificaterequests/selfsigned"
+	crvaultcontroller "github.com/jetstack/cert-manager/pkg/controller/certificaterequests/vault"
 	certificatescontroller "github.com/jetstack/cert-manager/pkg/controller/certificates"
 	"github.com/jetstack/cert-manager/pkg/controller/clusterissuers"
 	"github.com/jetstack/cert-manager/pkg/feature"
@@ -81,6 +82,7 @@ func Run(opts *options.ControllerOptions, stopCh <-chan struct{}) {
 		opts.EnabledControllers = append(opts.EnabledControllers, []string{
 			crcacontroller.CRControllerName,
 			crselfsignedcontroller.CRControllerName,
+			crvaultcontroller.CRControllerName,
 			certificatescontroller.ExperimentalControllerName,
 		}...)
 	}

pkg/apis/certmanager/validation/BUILD.bazel

@@ -15,6 +15,7 @@ go_library(
         "//pkg/api/util:go_default_library",
         "//pkg/apis/certmanager/v1alpha1:go_default_library",
         "//pkg/apis/certmanager/validation/util:go_default_library",
+        "//pkg/util/api:go_default_library",
         "//pkg/util/pki:go_default_library",
         "//vendor/k8s.io/api/core/v1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",

pkg/apis/certmanager/validation/certificate.go

@@ -23,6 +23,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 
 	"github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
+	"github.com/jetstack/cert-manager/pkg/util/api"
 )
 
 // Validation functions for cert-manager v1alpha1 Certificate types
@@ -200,10 +201,7 @@ func ValidateHTTP01SolverConfig(a *v1alpha1.HTTP01SolverConfig, fldPath *field.P
 func ValidateDuration(crt *v1alpha1.CertificateSpec, fldPath *field.Path) field.ErrorList {
 	el := field.ErrorList{}
 
-	duration := v1alpha1.DefaultCertificateDuration
-	if crt.Duration != nil {
-		duration = crt.Duration.Duration
-	}
+	duration := api.DefaultCertDuration(crt.Duration)
 	renewBefore := v1alpha1.DefaultRenewBefore
 	if crt.RenewBefore != nil {
 		renewBefore = crt.RenewBefore.Duration

pkg/controller/certificaterequests/BUILD.bazel

@@ -69,7 +69,9 @@ filegroup(
         "//pkg/controller/certificaterequests/ca:all-srcs",
         "//pkg/controller/certificaterequests/fake:all-srcs",
         "//pkg/controller/certificaterequests/selfsigned:all-srcs",
+        "//pkg/controller/certificaterequests/test:all-srcs",
         "//pkg/controller/certificaterequests/util:all-srcs",
+        "//pkg/controller/certificaterequests/vault:all-srcs",
     ],
     tags = ["automanaged"],
     visibility = ["//visibility:public"],

pkg/controller/certificaterequests/ca/BUILD.bazel

@@ -21,20 +21,6 @@ go_library(
     ],
 )
 
-filegroup(
-    name = "package-srcs",
-    srcs = glob(["**"]),
-    tags = ["automanaged"],
-    visibility = ["//visibility:private"],
-)
-
-filegroup(
-    name = "all-srcs",
-    srcs = [":package-srcs"],
-    tags = ["automanaged"],
-    visibility = ["//visibility:public"],
-)
-
 go_test(
     name = "go_default_test",
     srcs = ["ca_test.go"],
@@ -53,3 +39,17 @@ go_test(
         "//vendor/k8s.io/client-go/listers/core/v1:go_default_library",
     ],
 )
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)

pkg/controller/certificaterequests/ca/ca_test.go

@@ -54,7 +54,7 @@ func generateRSAPrivateKey(t *testing.T) *rsa.PrivateKey {
 	return pk
 }
 
-func generateCSR(t *testing.T, secretKey crypto.Signer) ([]byte, error) {
+func generateCSR(t *testing.T, secretKey crypto.Signer) []byte {
 	asn1Subj, _ := asn1.Marshal(pkix.Name{
 		CommonName: "test",
 	}.ToRDNSequence())
@@ -65,12 +65,13 @@ func generateCSR(t *testing.T, secretKey crypto.Signer) ([]byte, error) {
 
 	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, secretKey)
 	if err != nil {
-		return nil, err
+		t.Error(err)
+		t.FailNow()
 	}
 
 	csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
 
-	return csr, nil
+	return csr
 }
 
 func generateSelfSignedCertFromCR(t *testing.T, cr *v1alpha1.CertificateRequest, key crypto.Signer,
@@ -139,11 +140,7 @@ func TestSign(t *testing.T) {
 	rsaPK := generateRSAPrivateKey(t)
 	rsaPKBytes := pki.EncodePKCS1PrivateKey(rsaPK)
 
-	caCSR, err := generateCSR(t, rsaPK)
-	if err != nil {
-		t.Errorf("failed to generate CA CSR: %s", err)
-		t.FailNow()
-	}
+	caCSR := generateCSR(t, rsaPK)
 
 	rootRSACR := gen.CertificateRequest("test-root-ca",
 		gen.SetCertificateRequestCSR(caCSR),

pkg/controller/certificaterequests/test/BUILD.bazel

@@ -0,0 +1,26 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["util.go"],
+    importpath = "github.com/jetstack/cert-manager/pkg/controller/certificaterequests/test",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//pkg/controller/test:go_default_library",
+        "//pkg/issuer:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)

pkg/controller/certificaterequests/test/util.go

@@ -0,0 +1,70 @@
+/*
+Copyright 2019 The Jetstack cert-manager contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package test
+
+import (
+	"reflect"
+
+	testpkg "github.com/jetstack/cert-manager/pkg/controller/test"
+	"github.com/jetstack/cert-manager/pkg/issuer"
+)
+
+// Ensure issuer response from test is nil.
+func MustNoResponse(builder *testpkg.Builder, args ...interface{}) {
+	resp, ok := args[0].(*issuer.IssueResponse)
+	if !ok {
+		builder.T.Errorf("unexpected argument to be of type IssuerResponse: %+v", args[0])
+	}
+
+	if resp != nil {
+		builder.T.Errorf("unexpected response, exp='nil' got='%+v'", resp)
+	}
+}
+
+// Ensure no private key exists in test response.
+// Ensure no signed certificate or CA	certificate in test response.
+func NoPrivateKeyCertificatesFieldsSetCheck(expectedCA []byte) func(builder *testpkg.Builder, args ...interface{}) {
+	return func(builder *testpkg.Builder, args ...interface{}) {
+		resp := args[0].(*issuer.IssueResponse)
+
+		if resp == nil {
+			builder.T.Errorf("no response given, got=%s", resp)
+			return
+		}
+
+		if len(resp.PrivateKey) > 0 {
+			builder.T.Errorf("expected no new private key to be generated but got: %s",
+				resp.PrivateKey)
+		}
+
+		CertificatesFieldsSetCheck(expectedCA)(builder, args...)
+	}
+}
+
+// Ensure no signed certificate or CA	certificate in test response.
+func CertificatesFieldsSetCheck(expectedCA []byte) func(builder *testpkg.Builder, args ...interface{}) {
+	return func(builder *testpkg.Builder, args ...interface{}) {
+		resp := args[0].(*issuer.IssueResponse)
+
+		if resp.Certificate == nil {
+			builder.T.Errorf("expected new certificate to be issued")
+		}
+		if resp.CA == nil || !reflect.DeepEqual(expectedCA, resp.CA) {
+			builder.T.Errorf("expected CA certificate to be returned")
+		}
+	}
+}

pkg/controller/certificaterequests/vault/BUILD.bazel

@@ -0,0 +1,55 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["vault.go"],
+    importpath = "github.com/jetstack/cert-manager/pkg/controller/certificaterequests/vault",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//pkg/api/util:go_default_library",
+        "//pkg/apis/certmanager/v1alpha1:go_default_library",
+        "//pkg/controller:go_default_library",
+        "//pkg/controller/certificaterequests:go_default_library",
+        "//pkg/controller/certificaterequests/util:go_default_library",
+        "//pkg/internal/vault:go_default_library",
+        "//pkg/issuer:go_default_library",
+        "//pkg/logs:go_default_library",
+        "//pkg/util/api:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+        "//vendor/k8s.io/client-go/listers/core/v1:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["vault_test.go"],
+    embed = [":go_default_library"],
+    deps = [
+        "//pkg/apis/certmanager:go_default_library",
+        "//pkg/apis/certmanager/v1alpha1:go_default_library",
+        "//pkg/controller/certificaterequests/test:go_default_library",
+        "//pkg/controller/test:go_default_library",
+        "//pkg/internal/vault:go_default_library",
+        "//pkg/internal/vault/fake:go_default_library",
+        "//pkg/util/pki:go_default_library",
+        "//test/unit/gen:go_default_library",
+        "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/client-go/listers/core/v1:go_default_library",
+    ],
+)