add most remaining annotations and improve integration/e2e tests

Signed-off-by: Ashley Davis <[email protected]>
cert-manager · Oct 1, 2024 · fa0ac3f · fa0ac3f
1 parent fc5e1f7
commit fa0ac3f
Show file tree

Hide file tree

Showing 4 changed files with 1,349 additions and 32 deletions.
diff --git a/internal/controller/sync.go b/internal/controller/sync.go
@@ -239,14 +239,36 @@ func (r *RouteController) getCertificateForRoute(ctx context.Context, route *rou
 
 // buildNextCert generates the manifest of a Certificate that is needed for a given Route (based on the annotations)
 func (r *RouteController) buildNextCert(ctx context.Context, route *routev1.Route) (*cmapi.Certificate, error) {
+	var issuerName string
+	if metav1.HasAnnotation(route.ObjectMeta, cmapi.IngressIssuerNameAnnotationKey) {
+		issuerName = route.Annotations[cmapi.IngressIssuerNameAnnotationKey]
+	} else {
+		issuerName = route.Annotations[cmapi.IssuerNameAnnotationKey]
+	}
+
+	if issuerName == "" {
+		return nil, fmt.Errorf("missing issuer-name annotation on %s/%s", route.Namespace, route.Name)
+	}
+
 	// Extract various pieces of information from the Route annotations
 	duration, err := certDurationFromRoute(route)
 	if err != nil {
 		r.log.V(1).Error(err, "the duration annotation is invalid",
 			"object", route.Namespace+"/"+route.Name, cmapi.DurationAnnotationKey,
 			route.Annotations[cmapi.DurationAnnotationKey])
 		r.eventRecorder.Event(route, corev1.EventTypeWarning, ReasonInvalidKey, "annotation "+cmapi.DurationAnnotationKey+": "+route.Annotations[cmapi.DurationAnnotationKey]+" is not a valid duration")
-		return nil, fmt.Errorf("Invalid duration annotation on Route %s/%s", route.Namespace, route.Name)
+		return nil, fmt.Errorf("invalid duration annotation on Route %s/%s", route.Namespace, route.Name)
+	}
+
+	var renewBefore time.Duration
+	if metav1.HasAnnotation(route.ObjectMeta, cmapi.RenewBeforeAnnotationKey) {
+		renewBeforeAnnotation := route.Annotations[cmapi.RenewBeforeAnnotationKey]
+
+		var err error
+		renewBefore, err = time.ParseDuration(renewBeforeAnnotation)
+		if err != nil {
+			return nil, fmt.Errorf("invalid renew-before annotation %q on Route %s/%s", renewBeforeAnnotation, route.Namespace, route.Name)
+		}
 	}
 
 	var privateKeyAlgorithm cmapi.PrivateKeyAlgorithm
@@ -263,7 +285,7 @@ func (r *RouteController) buildNextCert(ctx context.Context, route *routev1.Rout
 	case "ed25519":
 		privateKeyAlgorithm = cmapi.Ed25519KeyAlgorithm
 	default:
-		r.log.Info("unknown private key algorithm, defaulting to RSA", "algorithm", privateKeyAlgorithmStrRaw)
+		r.log.V(1).Info("unknown private key algorithm, defaulting to RSA", "algorithm", privateKeyAlgorithmStrRaw)
 		privateKeyAlgorithm = cmapi.RSAKeyAlgorithm
 	}
 
@@ -273,10 +295,20 @@ func (r *RouteController) buildNextCert(ctx context.Context, route *routev1.Rout
 		privateKeySize, err = strconv.Atoi(privateKeySizeStr)
 		if err != nil {
 			r.eventRecorder.Event(route, corev1.EventTypeWarning, ReasonInvalidPrivateKeySize, "invalid private key size:"+privateKeySizeStr)
-			return nil, fmt.Errorf("invalid private key size, %s: %v", privateKeySizeStr, err)
+			return nil, fmt.Errorf("invalid private key size annotation %q on %s/%s", privateKeySizeStr, route.Namespace, route.Name)
 		}
 	}
 
+	var privateKeyRotationPolicy cmapi.PrivateKeyRotationPolicy
+
+	if metav1.HasAnnotation(route.ObjectMeta, cmapi.PrivateKeyRotationPolicyAnnotationKey) {
+		// Don't validate the policy here because that would mean we'd need to update this codebase
+		// if cert-manager adds new values. Just rely on cert-manager validation when the cert is
+		// created
+		// This is brittle; ideally, cert-manager should expose a function for this
+		privateKeyRotationPolicy = cmapi.PrivateKeyRotationPolicy(route.Annotations[cmapi.PrivateKeyRotationPolicyAnnotationKey])
+	}
+
 	var dnsNames []string
 	// Get the canonical hostname(s) of the Route (from .spec.host or .spec.subdomain)
 	dnsNames = getRouteHostnames(route)
@@ -327,6 +359,7 @@ func (r *RouteController) buildNextCert(ctx context.Context, route *routev1.Rout
 	if metav1.HasAnnotation(route.ObjectMeta, cmapi.EmailsAnnotationKey) {
 		emailAddresses = strings.Split(route.Annotations[cmapi.EmailsAnnotationKey], ",")
 	}
+
 	var organizations []string
 	if metav1.HasAnnotation(route.ObjectMeta, cmapi.SubjectOrganizationsAnnotationKey) {
 		subjectOrganizations, err := cmutil.SplitWithEscapeCSV(route.Annotations[cmapi.SubjectOrganizationsAnnotationKey])
@@ -340,6 +373,7 @@ func (r *RouteController) buildNextCert(ctx context.Context, route *routev1.Rout
 			return nil, err
 		}
 	}
+
 	var organizationalUnits []string
 	if metav1.HasAnnotation(route.ObjectMeta, cmapi.SubjectOrganizationalUnitsAnnotationKey) {
 		subjectOrganizationalUnits, err := cmutil.SplitWithEscapeCSV(route.Annotations[cmapi.SubjectOrganizationalUnitsAnnotationKey])
@@ -354,6 +388,7 @@ func (r *RouteController) buildNextCert(ctx context.Context, route *routev1.Rout
 		}
 
 	}
+
 	var countries []string
 	if metav1.HasAnnotation(route.ObjectMeta, cmapi.SubjectCountriesAnnotationKey) {
 		subjectCountries, err := cmutil.SplitWithEscapeCSV(route.Annotations[cmapi.SubjectCountriesAnnotationKey])
@@ -367,6 +402,7 @@ func (r *RouteController) buildNextCert(ctx context.Context, route *routev1.Rout
 			return nil, err
 		}
 	}
+
 	var provinces []string
 	if metav1.HasAnnotation(route.ObjectMeta, cmapi.SubjectProvincesAnnotationKey) {
 		subjectProvinces, err := cmutil.SplitWithEscapeCSV(route.Annotations[cmapi.SubjectProvincesAnnotationKey])
@@ -380,6 +416,7 @@ func (r *RouteController) buildNextCert(ctx context.Context, route *routev1.Rout
 			return nil, err
 		}
 	}
+
 	var localities []string
 	if metav1.HasAnnotation(route.ObjectMeta, cmapi.SubjectLocalitiesAnnotationKey) {
 		subjectLocalities, err := cmutil.SplitWithEscapeCSV(route.Annotations[cmapi.SubjectLocalitiesAnnotationKey])
@@ -393,6 +430,7 @@ func (r *RouteController) buildNextCert(ctx context.Context, route *routev1.Rout
 			return nil, err
 		}
 	}
+
 	var postalCodes []string
 	if metav1.HasAnnotation(route.ObjectMeta, cmapi.SubjectPostalCodesAnnotationKey) {
 		subjectPostalCodes, err := cmutil.SplitWithEscapeCSV(route.Annotations[cmapi.SubjectPostalCodesAnnotationKey])
@@ -406,6 +444,7 @@ func (r *RouteController) buildNextCert(ctx context.Context, route *routev1.Rout
 			return nil, err
 		}
 	}
+
 	var streetAddresses []string
 	if metav1.HasAnnotation(route.ObjectMeta, cmapi.SubjectStreetAddressesAnnotationKey) {
 		subjectStreetAddresses, err := cmutil.SplitWithEscapeCSV(route.Annotations[cmapi.SubjectStreetAddressesAnnotationKey])
@@ -419,15 +458,23 @@ func (r *RouteController) buildNextCert(ctx context.Context, route *routev1.Rout
 			return nil, err
 		}
 	}
+
 	var serialNumber string
 	if metav1.HasAnnotation(route.ObjectMeta, cmapi.SubjectSerialNumberAnnotationKey) {
 		serialNumber = route.Annotations[cmapi.SubjectSerialNumberAnnotationKey]
 	}
-	var issuerName string
-	if metav1.HasAnnotation(route.ObjectMeta, cmapi.IngressIssuerNameAnnotationKey) {
-		issuerName = route.Annotations[cmapi.IngressIssuerNameAnnotationKey]
-	} else {
-		issuerName = route.Annotations[cmapi.IssuerNameAnnotationKey]
+
+	var revisionHistoryLimit *int32
+	if metav1.HasAnnotation(route.ObjectMeta, cmapi.RevisionHistoryLimitAnnotationKey) {
+		historyLimitRaw := route.Annotations[cmapi.RevisionHistoryLimitAnnotationKey]
+
+		parsedLimit, err := strconv.ParseInt(historyLimitRaw, 10, 32)
+		if err != nil {
+			return nil, fmt.Errorf("invalid revision-history-limit annotation %q on %s/%s", historyLimitRaw, route.Namespace, route.Name)
+		}
+
+		typedLimit := int32(parsedLimit)
+		revisionHistoryLimit = &typedLimit
 	}
 
 	secretName := route.Name + "-tls-cert"
@@ -446,12 +493,11 @@ func (r *RouteController) buildNextCert(ctx context.Context, route *routev1.Rout
 			},
 		},
 		Spec: cmapi.CertificateSpec{
-			SecretName:     secretName,
-			Duration:       &metav1.Duration{Duration: duration},
-			EmailAddresses: emailAddresses,
-			// RenewBefore?
-			// RevisionHistoryLimit?
-			CommonName: route.Annotations[cmapi.CommonNameAnnotationKey],
+			SecretName:           secretName,
+			Duration:             &metav1.Duration{Duration: duration},
+			RenewBefore:          &metav1.Duration{Duration: renewBefore},
+			RevisionHistoryLimit: revisionHistoryLimit,
+			CommonName:           route.Annotations[cmapi.CommonNameAnnotationKey],
 			Subject: &cmapi.X509Subject{
 				Countries:           countries,
 				Localities:          localities,
@@ -463,13 +509,14 @@ func (r *RouteController) buildNextCert(ctx context.Context, route *routev1.Rout
 				StreetAddresses:     streetAddresses,
 			},
 			PrivateKey: &cmapi.CertificatePrivateKey{
-				Algorithm: privateKeyAlgorithm,
-				Size:      privateKeySize,
-				// RotationPolicy?
+				Algorithm:      privateKeyAlgorithm,
+				Size:           privateKeySize,
+				RotationPolicy: privateKeyRotationPolicy,
 			},
-			DNSNames:    dnsNames,
-			URIs:        uriSANs,
-			IPAddresses: ipSANs,
+			EmailAddresses: emailAddresses,
+			DNSNames:       dnsNames,
+			URIs:           uriSANs,
+			IPAddresses:    ipSANs,
 			IssuerRef: cmmeta.ObjectReference{
 				Name:  issuerName,
 				Kind:  route.Annotations[cmapi.IssuerKindAnnotationKey],