New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add handling of updates to ACME email field in Issuers #1763
Conversation
pkg/issuer/acme/setup.go
Outdated
@@ -166,6 +166,11 @@ func (a *Acme) Setup(ctx context.Context) error { | |||
|
|||
// registerAccount will also verify the account exists if it already | |||
// exists. | |||
if a.issuer.GetStatus().ACME.LastRegisteredEmail == a.issuer.GetSpec().ACME.Email { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm unsure whether we want to explicitly bail out/stop processing here just if the status == the spec (i.e. what if the users private key was deleted? In this instance we should be generating a new private key and re-registering an account).
Also, the proper way to 'handle' updating the email field is for us to actually update the email address associated with the ACME account. You can see the actual method you can use to do this here: https://github.com/jetstack/cert-manager/blob/9c6d81a92a192eb95be90084956dc04c0cb7552c/third_party/crypto/acme/acme.go#L371-L373
In terms of how the issuer's status.registeredEmail
field is set, I think to make things clearer and easier to keep consistent, this field should always be set to the value on the Account
object returned from the ACME server, instead of setting it to the value of spec.acme.email
(as it could fall out of sync and we could be incorrectly reporting the status).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll have another look, thanks!
…t registered ACME account Signed-off-by: Michael Tsang <michael.tsang@jetstack.io>
Signed-off-by: Michael Tsang <michael.tsang@jetstack.io>
Signed-off-by: Michael Tsang <michael.tsang@jetstack.io>
I've rewritten it and added an e2e test too. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks brilliant 😄 a few comments, mostly small and non-functional!
pkg/issuer/acme/setup.go
Outdated
// if we got an account successfully, we must check if the registered | ||
// email is the same as in the issuer spec | ||
registeredEmail := "" | ||
if err == nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of wrapping this block in if err == nil
, can we move it to after the err != nil
check and thus assume that it is nil? We can then throw a distinct warning that updating the account failed if err != nil
from: account, err = cl.UpdateAccount(ctx, account)
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wrote it before the err != nil
block as it seemed that we would probably want to handle any errors from updating in a similar fashion to any from registering.
Should errors from updating just log a message and return the error, or should it behave as before but with all instances of verify
changed to update
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I think we should duplicate the logic and update the messages.
We can also log an event to say we are updating the email address here too, which will help users be sure that the email address has been updated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should also keep the existing error code checking logic to handle known ACME error codes and skip retrying, to save DoSing the ACME API.
@@ -195,6 +218,7 @@ func (a *Acme) Setup(ctx context.Context) error { | |||
log.Info("verified existing registration with ACME server") | |||
apiutil.SetIssuerCondition(a.issuer, v1alpha1.IssuerConditionReady, v1alpha1.ConditionTrue, successAccountRegistered, messageAccountRegistered) | |||
a.issuer.GetStatus().ACMEStatus().URI = account.URL | |||
a.issuer.GetStatus().ACMEStatus().LastRegisteredEmail = registeredEmail |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 great, this means we will only ever set LastRegisteredEmail
to the value received from the ACME server.
pkg/issuer/acme/setup.go
Outdated
} | ||
|
||
// if they are different, we update the account | ||
if registeredEmail != a.issuer.GetSpec().ACME.Email { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe an edge case, but just calling it out to be sure you've considered it... if a user does not specify an email address at all, I guess the len(account.Contact)
will be 0, meaning registeredEmail == ""
, meaning this whole thing should be skipped as expected. Fairly certain that is the case (especially now I've written it out here 😉), but just calling it out. Perhaps copy and paste some of this description into a comment? I know that future-us will appreciate it 😄
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, since ""
is the zero-value of spec.acme.email
.
I shall add a comment.
Signed-off-by: Michael Tsang <michael.tsang@jetstack.io>
/retest |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cheukwing, munnerz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest |
Signed-off-by: Michael Tsang michael.tsang@jetstack.io
What this PR does / why we need it:
When the
email
in thespec.acme
field of an Issuer changes, compares this with the newly added fieldlastRegisteredEmail
instatus.acme
.If they are different then the registering process is begun, otherwise nothing.
On success the field is updated to the spec value, otherwise on failure or no difference it is kept the same.
As the
status
has changed thenupdateIssuerStatus
will be called, and changes should be made to the actual Issuer.Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close that issue when PR gets merged): fixes #1667Release note: