
Support labelling of cert manager created secrets #566

Closed
Evesy opened this issue May 16, 2018 · 11 comments · Fixed by #719
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@Evesy
Contributor

Evesy commented May 16, 2018

/kind feature

This might play into #328 a little bit.

Currently secrets generated by cert-manager are fairly indistinguishable from other secrets, making it difficult to target those secrets specifically. Our use case is that we want to back up resources based on labels, and we'd like frequent backups of cert-manager secrets (since we'd hit LE rate limiting if we lost them all).

Being able to specify a list of labels somewhere that will be applied to generated secrets would be hugely beneficial.

i.e.
Argument to cert manager

--default-labels={app:provisioner, label:value}

Certificate spec

spec:
  labels:
  - provisioner=cert-manager
  - label=value

Ingress shim

certmanager.k8s.io/labels: provisioner=cert-manager,label=value
jetstack-bot added the kind/feature label May 16, 2018
@kragniz
Contributor

kragniz commented May 16, 2018

We do create annotations (see #388); is this useful for your backup use case?

@Evesy
Contributor Author

Evesy commented May 16, 2018

Unfortunately, I don't think so; using Ark as an example, it only supports selecting via labels.

Backing up everything serves as a workaround; it would just be nice to have cert-specific backups (since those are one of the few things that can't simply be re-provisioned all at once).

@addisonbair

Here's a quick workaround that I have discovered when attempting to use custom annotations with cert-manager tls secrets:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: star-example-com
  namespace: kube-system
spec:
  secretName: star-example-com-tls
  issuerRef:
    name: letsencrypt-cluster-issuer
    kind: ClusterIssuer
  commonName: ""
  dnsNames:
  - "*.example.com"
  acme:
    config:
    - dns01:
        provider: gcloud
      domains:
      - "*.example.com"
---
apiVersion: v1
type: kubernetes.io/tls
kind: Secret
metadata:
  annotations:
    custom-key: custom-value
  name: star-example-com-tls
  namespace: kube-system
data:
  tls.crt: ""
  tls.key: ""

The resulting secret will be updated to have a real tls.crt and tls.key with the certmanager annotations and your own custom annotations. Hope this helps!

@Evesy
Contributor Author

Evesy commented Jun 5, 2018

Cheers @addisonbair, I appreciate the help!

Unfortunately, we don't centrally control creating certificates, so it'd be difficult to create a secret resource in advance for every domain, as we don't know what will be created ahead of time.

@munnerz
Member

munnerz commented Jun 5, 2018

I think we could consider setting labels instead of/as well as annotations on the created resources, although it may have to be a subset of values as there are limitations on label values that do not apply to annotations.

Would it help if we were to set a label indicating the Certificate name that the secret is generated for? Something like certmanager.k8s.io/certificate-name: certificate-resource-name? This should be possible in all cases as the same limitation is set on resource names as label values.

@Evesy
Contributor Author

Evesy commented Jun 6, 2018

I've tested, and Ark supports "Backup resources with label foo regardless of its actual value"; since certmanager.k8s.io/certificate-name isn't used as a label elsewhere, I can back up all the cert-manager secrets based purely on the presence of that label.

So it'd definitely help for our use case 👍
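Two points in the thread above (munnerz's note that label values are more restricted than annotation values, and the backup-by-label-presence selection Evesy tested) are worked through in the following added example, which is not code from the issue or from cert-manager. It encodes the Kubernetes label key/value rules, partitions user-supplied metadata into label-safe pairs and annotation-only pairs, and runs an existence selector over constructed sample secret metadata.

```python
import re

# Kubernetes label rules (API validation): a value is at most 63 characters
# and, when non-empty, starts and ends with [A-Za-z0-9] with '-', '_' and '.'
# allowed in between. A key is an optional DNS-subdomain prefix (<= 253 chars)
# plus '/', then a name shaped like a value but non-empty. Annotation values
# are unconstrained, which is why some values can only live in annotations.
_VALUE_RE = re.compile(r"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$")
_NAME_RE = re.compile(r"^[A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])?$")
_DNS_LABEL_RE = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")


def is_valid_label_value(value: str) -> bool:
    return len(value) <= 63 and _VALUE_RE.match(value) is not None


def is_valid_label_key(key: str) -> bool:
    prefix, sep, name = key.rpartition("/")
    if sep:  # prefixed key: every dot-separated part must be a DNS label
        parts = prefix.split(".")
        if not prefix or len(prefix) > 253 or not all(
                len(p) <= 63 and _DNS_LABEL_RE.match(p) for p in parts):
            return False
    return len(name) <= 63 and _NAME_RE.match(name) is not None


def split_labels_and_annotations(pairs: dict) -> tuple:
    """Partition user-supplied key/value pairs into those that may be set as
    labels and those that must be annotations because the value is illegal
    as a label value (keys invalid for both kinds are dropped)."""
    labels, annotations = {}, {}
    for key, value in pairs.items():
        if not is_valid_label_key(key):
            continue
        (labels if is_valid_label_value(value) else annotations)[key] = value
    return labels, annotations


def select_by_label_presence(secrets: list, key: str) -> list:
    """Names of secrets carrying label `key`, whatever its value (the
    existence selector a label-based backup tool would use)."""
    return [s["name"] for s in secrets if key in s.get("labels", {})]


# Constructed sample secret metadata, not taken from a real cluster.
SAMPLE_SECRETS = [
    {"name": "star-example-com-tls",
     "labels": {"certmanager.k8s.io/certificate-name": "star-example-com"}},
    {"name": "db-password", "labels": {"app": "db"}},
    {"name": "api-tls",
     "labels": {"certmanager.k8s.io/certificate-name": "api"}},
]
```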

@kfox1111

I'm interested in this along with kubed to synchronize the generated certificates to other namespaces/clusters. kubed requires particular annotations on the secret to work.

Can this please be reopened?

@EronWright

One reason to support labels on the generated secret is to work better with the Application CRD (ref), which uses labels to identify the component resources of an application. In other words, the ask is to put user-defined labels onto the secret, not cert-manager-defined labels (certmanager.k8s.io/certificate-name).

One solution would be for the Certificate spec to have a secretTemplate field to act as a template for the secret (containing labels, annotations, other data items, etc.).

A problem with the workaround suggested by @addisonbair is that any pod that uses the secret would start up more eagerly. This aggravates the 'temp cert' issue for programs that don't support hot-refresh.

@bitscuit

Is this a feature that is still under consideration?

@Evesy
Contributor Author

Evesy commented Oct 28, 2021

@bitscuit Feature is available by using a secret template on your certificate resources: https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources

@bitscuit

@Evesy thanks, I missed that

8 participants