Add handling of updates to ACME email field in Issuers #1763
Conversation
jetstack-bot
added
release-note
jetstack-bot
added
area/acme
jetstack-bot
added
the
area/deploy
pkg/issuer/acme/setup.go
Outdated
| @@ -166,6 +166,11 @@ func (a *Acme) Setup(ctx context.Context) error { | |||
|
|
|||
| // registerAccount will also verify the account exists if it already | |||
| // exists. | |||
| if a.issuer.GetStatus().ACME.LastRegisteredEmail == a.issuer.GetSpec().ACME.Email { | |||
There was a problem hiding this comment.
I'm unsure whether we want to explicitly bail out/stop processing here just if the status == the spec (i.e. what if the users private key was deleted? In this instance we should be generating a new private key and re-registering an account).
Also, the proper way to 'handle' updating the email field is for us to actually update the email address associated with the ACME account. You can see the actual method you can use to do this here: https://github.com/jetstack/cert-manager/blob/9c6d81a92a192eb95be90084956dc04c0cb7552c/third_party/crypto/acme/acme.go#L371-L373
In terms of how the issuer's status.registeredEmail field is set, I think to make things clearer and easier to keep consistent, this field should always be set to the value on the Account object returned from the ACME server, instead of setting it to the value of spec.acme.email (as it could fall out of sync and we could be incorrectly reporting the status).
There was a problem hiding this comment.
I'll have another look, thanks!
…t registered ACME account Signed-off-by: Michael Tsang <michael.tsang@jetstack.io>
Signed-off-by: Michael Tsang <michael.tsang@jetstack.io>
jetstack-bot
added
size/M
cheukwing
changed the title
jetstack-bot
added
the
do-not-merge/work-in-progress
Signed-off-by: Michael Tsang <michael.tsang@jetstack.io>
cheukwing
changed the title
jetstack-bot
added
area/testing
|
I've rewritten it and added an e2e test too. |
pkg/issuer/acme/setup.go
Outdated
| // if we got an account successfully, we must check if the registered | ||
| // email is the same as in the issuer spec | ||
| registeredEmail := "" | ||
| if err == nil { |
There was a problem hiding this comment.
Instead of wrapping this block in if err == nil, can we move it to after the err != nil check and thus assume that it is nil? We can then throw a distinct warning that updating the account failed if err != nil from: account, err = cl.UpdateAccount(ctx, account).
There was a problem hiding this comment.
I wrote it before the err != nil block as it seemed that we would probably want to handle any errors from updating in a similar fashion to any from registering.
Should errors from updating just log a message and return the error, or should it behave as before but with all instances of verify changed to update?
There was a problem hiding this comment.
Yeah I think we should duplicate the logic and update the messages.
We can also log an event to say we are updating the email address here too, which will help users be sure that the email address has been updated.
There was a problem hiding this comment.
We should also keep the existing error code checking logic to handle known ACME error codes and skip retrying, to save DoSing the ACME API.
| @@ -195,6 +218,7 @@ func (a *Acme) Setup(ctx context.Context) error { | |||
| log.Info("verified existing registration with ACME server") | |||
| apiutil.SetIssuerCondition(a.issuer, v1alpha1.IssuerConditionReady, v1alpha1.ConditionTrue, successAccountRegistered, messageAccountRegistered) | |||
| a.issuer.GetStatus().ACMEStatus().URI = account.URL | |||
| a.issuer.GetStatus().ACMEStatus().LastRegisteredEmail = registeredEmail | |||
There was a problem hiding this comment.
👍 great, this means we will only ever set LastRegisteredEmail to the value received from the ACME server.
pkg/issuer/acme/setup.go
Outdated
| } | ||
|
|
||
| // if they are different, we update the account | ||
| if registeredEmail != a.issuer.GetSpec().ACME.Email { |
There was a problem hiding this comment.
Maybe an edge case, but just calling it out to be sure you've considered it... if a user does not specify an email address at all, I guess the len(account.Contact) will be 0, meaning registeredEmail == "", meaning this whole thing should be skipped as expected. Fairly certain that is the case (especially now I've written it out here 😉), but just calling it out. Perhaps copy and paste some of this description into a comment? I know that future-us will appreciate it 😄
There was a problem hiding this comment.
Yep, since "" is the zero-value of spec.acme.email.
I shall add a comment.
Signed-off-by: Michael Tsang <michael.tsang@jetstack.io>
|
/retest |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cheukwing, munnerz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jetstack-bot
added
the
approved
|
/retest |
Signed-off-by: Michael Tsang michael.tsang@jetstack.io
What this PR does / why we need it:
When the
emailin thespec.acmefield of an Issuer changes, compares this with the newly added fieldlastRegisteredEmailinstatus.acme.If they are different then the registering process is begun, otherwise nothing.
On success the field is updated to the spec value, otherwise on failure or no difference it is kept the same.
As the
statushas changed thenupdateIssuerStatuswill be called, and changes should be made to the actual Issuer.Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): fixes #1667Release note: