Skip to content

Post Issuance Check: Certificate's AdditionalOutputFormats #4813

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jetstack-bot merged 7 commits into from
Feb 9, 2022
Merged

Post Issuance Check: Certificate's AdditionalOutputFormats #4813

jetstack-bot merged 7 commits into from
Feb 9, 2022

Conversation

@JoshVanL
Copy link
Contributor

@JoshVanL JoshVanL commented Feb 1, 2022
edited by maelvls
Loading

This PR adds two Post Issuances checks which are carried out by the secrets manager (issuing controller). Together, they verify that the Certificate's AdditionalOutputFormats are correctly reflected on the target secret; they only exist if they should, they contain the correct values, and they must exist if defined on the Certificate.

As the same with the Certificate's SecretTemplate, any violation to the rule will have the Secret re-applied, and the correct key/values added/removed/modified.

These checks are not gated behind a feature gate. They don't need to be- the API is only available when that feature gate is enabled. If somehow the Certificate does contain AdditionalOutputFormats when the feature gate is disabled, any violation would cause a re-apply of the Secret and the resulting state reflects no output formats (since the gate is disabled). Any further re-reconcile will not cause a loop- since applying with no state changes does not cause a informer event.

cert-manager now properly updates the content of the data keys `tls-combined.pem` and `key.der` on Secret resources that are associated to Certificate resources that use the field `additionalOutputFormats`. The field `additionalOutputFormat` is an alpha feature and can be enabled by passing the flag `--feature-gates=AdditionalCertificateOutputFormats=true` to the cert-manager controller.

/kind feature
/milestone v1.8
/area api

@jetstack-bot jetstack-bot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Feb 1, 2022
@jetstack-bot jetstack-bot added this to the v1.8 milestone Feb 1, 2022
@jetstack-bot jetstack-bot added kind/feature Categorizes issue or PR as related to a new feature. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. area/api Indicates a PR directly modifies the 'pkg/apis' directory size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. area/testing Issues relating to testing approved Indicates a PR has been approved by an approver from all required OWNERS files. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Feb 1, 2022
jahrlin
jahrlin reviewed Feb 7, 2022
View reviewed changes
Copy link
Contributor

@jahrlin jahrlin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but for the two comments describing the policy checks

@JoshVanL
Adds PostIssuanceChecks for Certificate's AdditionalOutputFormats
fdf7743 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
@JoshVanL
Add tests to secret manager for additional output formats
9ca869c 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
@JoshVanL
Adds integration tests for additional output formats
ab45d64 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
@JoshVanL
Adds e2e tests for additional output formats
d5365af 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
@JoshVanL
Add AdditionalCertificateOutputFormats=true to FEATURE_GATES default
079f2b0 
value in /devel/run-e2e.sh

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
@JoshVanL JoshVanL force-pushed the controllers-post-issuance-additional-output-formats branch from 27901ac to f932e80 Compare February 7, 2022 14:45
@jetstack-bot
Copy link
Contributor

jetstack-bot commented Feb 7, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JoshVanL

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 7, 2022
@JoshVanL JoshVanL force-pushed the controllers-post-issuance-additional-output-formats branch from f932e80 to 19b68c9 Compare February 7, 2022 15:01
@JoshVanL
Update SecretTemplate comments on policy checks
19b68c9 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
@JoshVanL
Updates comments to read better
4de248e 
Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
@jahrlin
Copy link
Contributor

jahrlin commented Feb 9, 2022

Thanks @JoshVanL!

/lgtm

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Feb 9, 2022
@jetstack-bot jetstack-bot merged commit 2c25454 into cert-manager:master Feb 9, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@jahrlin jahrlin jahrlin left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@jahrlin jahrlin

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. area/api Indicates a PR directly modifies the 'pkg/apis' directory area/testing Issues relating to testing dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Milestone

v1.8

Development

Successfully merging this pull request may close these issues.

3 participants

@JoshVanL @jetstack-bot @jahrlin