ctl experimental create certificatesigningrequest #4106
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
usages Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
1e652aa to 331e178
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
Looks good to me and seems like a really useful command
I've read through the code and also tested the new command by:
- Building the plugin with `bazel build //cmd/ctl` and adding to path
- Deploying cert-manager `v1.4` with the experimental csr feature gate enabled
- Creating a csr with the kubectl plugin using the example commands
- Manually approving the csr (Do we intend to have a default approver for CSRs like we do with CRs? There may have been a discussion about this that I've forgotten about)
- Observing the X.509 certificate added to csr's status/written to a file
I had a couple of issues along the way, so added a few minor suggestions.
cmd/ctl/pkg/create/certificatesigningrequest/certificatesigningrequest.go
Not today we don't. It would be a nice chance for us to not have a blanket auto-approver. I've mentioned before that it does make me nervous that we have an internal auto-approver which is simple to forget to disable. Not disabling that auto-approver makes any other approver pointless.
removing error wrapping Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
Looks good to me!
Thanks for the changes, I've tested that namespace is now defaulted if not provided and the panic is no longer thrown.
I realized that we don't apply defaults or validate the certificate template, specifically the duration (i.e. I could issue myself an X.509 cert with a duration of 1s with the CA issuer).
I guess it might be ok for this, since the certs aren't going to be auto-renewed.
Going to lgtm with a hold in case @maelvls too wants to leave a review
/hold
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: irbekrm, JoshVanL The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
I would love to have an option
/unhold
/kind feature
This PR adds the command:
`ctl experimental create certificatesigningrequest`
`ctl x create csr`
This behaves the same as the `ctl create certificaterequest` command, except that it creates Kubernetes CertificateSigningRequest resources, rather than CertificateRequest resources.
Note that the `signerName` is built using the discovery API to determine whether the signer is namespaced or not.
Documentation: cert-manager/website#615
/milestone v1.5
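How a `signerName` can be derived from discovery output, as an added example that is not the PR's own code. It assumes cert-manager's documented signer name formats (`issuers.cert-manager.io/<namespace>.<name>` and `clusterissuers.cert-manager.io/<name>`); `apiResource`, `sampleDiscovery` and `buildSignerName` are hypothetical names, and the discovery result is a constructed sample rather than a live API call.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// apiResource holds the fields of a discovery API resource entry that matter
// here (plural name, kind, scope). Hypothetical type for this example.
type apiResource struct {
	Name       string // plural resource name, e.g. "issuers"
	Kind       string
	Namespaced bool
}

// sampleDiscovery is a constructed stand-in for what discovery would report
// for the cert-manager.io group.
var sampleDiscovery = []apiResource{
	{Name: "issuers", Kind: "Issuer", Namespaced: true},
	{Name: "clusterissuers", Kind: "ClusterIssuer", Namespaced: false},
}

// buildSignerName (hypothetical helper) picks the signer name format from the
// scope reported by discovery, so a namespaced issuer is never addressed as a
// cluster-scoped one or the other way round.
func buildSignerName(resources []apiResource, group, kind, namespace, name string) (string, error) {
	if name == "" {
		return "", errors.New("issuer name is required")
	}
	for _, r := range resources {
		if !strings.EqualFold(r.Kind, kind) {
			continue
		}
		if !r.Namespaced {
			// Cluster-scoped signer: <plural>.<group>/<name>
			return fmt.Sprintf("%s.%s/%s", r.Name, group, name), nil
		}
		if namespace == "" {
			return "", fmt.Errorf("%s is namespaced: a namespace is required", r.Kind)
		}
		// Namespaced signer: <plural>.<group>/<namespace>.<name>
		return fmt.Sprintf("%s.%s/%s.%s", r.Name, group, namespace, name), nil
	}
	return "", fmt.Errorf("kind %q not found in group %q", kind, group)
}

func main() {
	for _, kind := range []string{"Issuer", "ClusterIssuer", "Unknown"} {
		fmt.Println(buildSignerName(sampleDiscovery, "cert-manager.io", kind, "sandbox", "ca-issuer"))
	}
}
```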