New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add self signed Issuer type #637
Conversation
/assign @wallrj |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good @munnerz
I left a couple of comments. Please address or answer those and then feel free to merge.
@@ -9,7 +9,7 @@ Welcome to cert-manager's documentation! | |||
|
|||
cert-manager is a native Kubernetes_ certificate management controller. | |||
It can help with issuing certificates from a variety of sources, such as | |||
`Let's Encrypt`_, `HashiCorp Vault`_ or a simple signing keypair. | |||
`Let's Encrypt`_, `HashiCorp Vault`_, a simple signing keypair, or self signed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
❓ Maybe link to the new self signed
issuer page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As the other services do not link to internal pages (but to the website of the respective service/app), I decided not to here in favour of having links below.
docs/reference/issuers.rst
Outdated
+-----------------------------------------------+----------------------------------------------------------------------+ | ||
| :doc:`Vault <issuers/vault/index>` | Supports issuing certificates using HashiCorp Vault. | | ||
+-----------------------------------------------+----------------------------------------------------------------------+ | ||
| :doc:`Self signed <issuers/selfsigned/index>` | Supports issuing self signed Certificates | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/Certificates/certificates/
The presence of the ``selfSigned: {}`` line is enough to indicate that this Issuer | ||
is of type 'self signed'. | ||
|
||
Once created, you should be able to Issue certificates like normal by |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/Issue/issue/
CA *CAIssuer `json:"ca,omitempty"` | ||
Vault *VaultIssuer `json:"vault,omitempty"` | ||
SelfSigned *SelfSignedIssuer `json:"selfSigned,omitempty"` | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
❓ Should there be validation to ensure that only one of these attributes is used?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes - #478 introduces validation with a validating webhook, however in order to make setting this up seamless, we need a selfsigned issuer type too, causing a bit of a dependency cycle on our PRs 😄
s := messageErrorGetCertKeyPair + err.Error() | ||
crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorGetCertKeyPair, s, false) | ||
return nil, nil, err | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
❓ This error handling doesn't seem quite right.
- If
k8sErrors.IsNotFound(err) == true
, which seems to be an expected condition, we still return the error. - If
errors.IsInvalidData(err) == true
, we generate a new private key, but why would the returned secret have invalid data? Maybe add an explanatory comment above this code, if it is correct.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If k8sErrors.IsNotFound(err) == true, which seems to be an expected condition, we still return the error.
We won't return an error in this case, so long as generating the private key is successful (as GenerateRSAPrivateKey
will return an error, or nil, which will be captured into err
)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If errors.IsInvalidData(err) == true, we generate a new private key, but why would the returned secret have invalid data? Maybe add an explanatory comment above this code, if it is correct.
There may be invalid data if a user has manually modified the Secret/private key (or something has happened causing it to not be parse-able)
crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionTrue, successCertRenewed, messageCertRenewed, true) | ||
|
||
return pki.EncodePKCS1PrivateKey(signeeKey), certPem, nil | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What this PR does / why we need it:
This adds a basic self signed Issuer type, for issuing self signed Certificates.
This will be used for automatic setup of resource validation in #478
Which issue this PR fixes: fixes #84
Release note: