TPP Allowed Domains can cause valid certificate to error

[hawksight]

Describe the bug:

When setting TPP domain whitelisting inside a policy, sometimes people put .<domain> in the "Allowed Domains" field. This works and is valid in TPP and works with vcert when requesting or renewing certificates. But when cert-manager tries to request against the same policy, you get an error to the effect of:

Failed to request venafi certificate: common name peter.sitaram-iyer-gcp.jetstacker.net is not allowed in this policy: [^([\p{L}\p{N}-*]+\.)*pfiddes\.svc\.cluster\.local$ ^([\p{L}\p{N}-*]+\.)*dev\.peter-fiddes-gcp\.jetstacker\.net$ ^([\p{L}\p{N}-*]+\.)*\.sitaram-iyer-gcp\.jetstacker\.net$]

Picture of policy domain settings in my test setup:

So when set to .sitaram-iyer-gcp.jetstacker.net you get the message in the cert / cr in cluster.
When set to just sitaram-iyer-gcp.jetstacker.net then everything works as expected in cert-manager / in cluster.

Both cases work for TPP and vcert though,

Expected behaviour:

Both cases should work with cert-manager.

Steps to reproduce the bug:

1. Create policy in TPP with whitelisting and add a domain in the format .<domain>.
2. Request a certificate on a subdomain of that eg. test.<domain>
3. See error in certificate description / certificate request resources.

Anything else we need to know?:

You won't see anything in the certificate log in TPP for this even though it appears as a TPP policy rejection.

Environment details::

• Kubernetes version: Server Version: v1.21.10
• Cloud-provider/provisioner: Kind
• cert-manager version: 1.8.0
• Install method: helm

/kind bug

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[hawksight]

/remove-lifecycle stale

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[hawksight]

/remove-lifecycle stale

[antstacks]

/remove-lifecycle stale

[antstacks]

Confirmed this is still an issue in Cert-manager v1.11.0 with Venafi Enhanced Issuer installed as well.

test domain: .vendev

From: venafi-enhanced-issuer.jetstack.io

Failed to sign CertificateRequest, will retry: failed to request venafi certificate: common name certificate5.vendev is not allowed in this policy: [^([\p{L}\p{N}-*]+\.)*\.vendev$]

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[jetstack-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

[jetstack-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

[jetstack-bot]

@jetstack-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.