Merge pull request #37 from cert-manager/add_ignore_options

Add functions to ignore certain issuers and/or CertificateRequests, Kubernetes CSRs

Author: jetstack-bot

controllers/certificaterequest_controller.go

@@ -62,6 +62,9 @@ type CertificateRequestReconciler struct {
 	client.Client
 	// Sign connects to a CA and returns a signed certificate for the supplied CertificateRequest.
 	signer.Sign
+	// IgnoreCertificateRequest is an optional function that can prevent the CertificateRequest
+	// and Kubernetes CSR controllers from reconciling a CertificateRequest resource.
+	signer.IgnoreCertificateRequest
 
 	// EventRecorder is used for creating Kubernetes events on resources.
 	EventRecorder record.EventRecorder
@@ -166,6 +169,17 @@ func (r *CertificateRequestReconciler) reconcileStatusPatch(
 		return result, nil, nil // done
 	}
 
+	if r.IgnoreCertificateRequest != nil {
+		ignore, err := r.IgnoreCertificateRequest(ctx, signer.CertificateRequestObjectFromCertificateRequest(&cr), issuerGvk, issuerName)
+		if err != nil {
+			return result, nil, fmt.Errorf("failed to check if CertificateRequest should be ignored: %v", err) // retry
+		}
+		if ignore {
+			logger.V(1).Info("Ignoring CertificateRequest")
+			return result, nil, nil // done
+		}
+	}
+
 	// We now have a CertificateRequest that belongs to us so we are responsible
 	// for updating its Status.
 	crStatusPatch = &cmapi.CertificateRequestStatus{}

controllers/certificatesigningrequest_controller.go

@@ -64,6 +64,9 @@ type CertificateSigningRequestReconciler struct {
 	client.Client
 	// Sign connects to a CA and returns a signed certificate for the supplied CertificateRequest.
 	signer.Sign
+	// IgnoreCertificateRequest is an optional function that can prevent the CertificateRequest
+	// and Kubernetes CSR controllers from reconciling a CertificateRequest resource.
+	signer.IgnoreCertificateRequest
 
 	// EventRecorder is used for creating Kubernetes events on resources.
 	EventRecorder record.EventRecorder
@@ -150,6 +153,17 @@ func (r *CertificateSigningRequestReconciler) reconcileStatusPatch(
 		return result, nil, nil // done
 	}
 
+	if r.IgnoreCertificateRequest != nil {
+		ignore, err := r.IgnoreCertificateRequest(ctx, signer.CertificateRequestObjectFromCertificateSigningRequest(&csr), issuerGvk, issuerName)
+		if err != nil {
+			return result, nil, fmt.Errorf("failed to check if CertificateSigningRequest should be ignored: %v", err) // retry
+		}
+		if ignore {
+			logger.V(1).Info("Ignoring CertificateSigningRequest")
+			return result, nil, nil // done
+		}
+	}
+
 	// We now have a CertificateSigningRequestStatus that belongs to us so we are responsible
 	// for updating its Status.
 	csrStatusPatch = &certificatesv1.CertificateSigningRequestStatus{}

controllers/combined_controller.go

@@ -45,6 +45,13 @@ type CombinedController struct {
 	// Sign connects to a CA and returns a signed certificate for the supplied CertificateRequest.
 	signer.Sign
 
+	// IgnoreCertificateRequest is an optional function that can prevent the CertificateRequest
+	// and Kubernetes CSR controllers from reconciling a CertificateRequest resource.
+	signer.IgnoreCertificateRequest
+	// IgnoreIssuer is an optional function that can prevent the issuer controllers from
+	// reconciling an issuer resource.
+	signer.IgnoreIssuer
+
 	// EventRecorder is used for creating Kubernetes events on resources.
 	EventRecorder record.EventRecorder
 
@@ -79,6 +86,7 @@ func (r *CombinedController) SetupWithManager(ctx context.Context, mgr ctrl.Mana
 
 			Client:        cl,
 			Check:         r.Check,
+			IgnoreIssuer:  r.IgnoreIssuer,
 			EventRecorder: r.EventRecorder,
 			Clock:         r.Clock,
 
@@ -96,10 +104,11 @@ func (r *CombinedController) SetupWithManager(ctx context.Context, mgr ctrl.Mana
 		MaxRetryDuration: r.MaxRetryDuration,
 		EventSource:      eventSource,
 
-		Client:        cl,
-		Sign:          r.Sign,
-		EventRecorder: r.EventRecorder,
-		Clock:         r.Clock,
+		Client:                   cl,
+		Sign:                     r.Sign,
+		IgnoreCertificateRequest: r.IgnoreCertificateRequest,
+		EventRecorder:            r.EventRecorder,
+		Clock:                    r.Clock,
 
 		SetCAOnCertificateRequest: r.SetCAOnCertificateRequest,
 
@@ -116,10 +125,11 @@ func (r *CombinedController) SetupWithManager(ctx context.Context, mgr ctrl.Mana
 		MaxRetryDuration: r.MaxRetryDuration,
 		EventSource:      eventSource,
 
-		Client:        cl,
-		Sign:          r.Sign,
-		EventRecorder: r.EventRecorder,
-		Clock:         r.Clock,
+		Client:                   cl,
+		Sign:                     r.Sign,
+		IgnoreCertificateRequest: r.IgnoreCertificateRequest,
+		EventRecorder:            r.EventRecorder,
+		Clock:                    r.Clock,
 
 		PostSetupWithManager: r.PostSetupWithManager,
 	}).SetupWithManager(ctx, mgr); err != nil {

controllers/issuer_controller.go

@@ -56,6 +56,9 @@ type IssuerReconciler struct {
 	client.Client
 	// Check connects to a CA and checks if it is available
 	signer.Check
+	// IgnoreIssuer is an optional function that can prevent the issuer controllers from
+	// reconciling an issuer resource.
+	signer.IgnoreIssuer
 
 	// EventRecorder is used for creating Kubernetes events on resources.
 	EventRecorder record.EventRecorder
@@ -125,6 +128,17 @@ func (r *IssuerReconciler) reconcileStatusPatch(
 		return result, nil, nil // done
 	}
 
+	if r.IgnoreIssuer != nil {
+		ignore, err := r.IgnoreIssuer(ctx, issuer)
+		if err != nil {
+			return result, nil, fmt.Errorf("failed to check if issuer should be ignored: %v", err) // retry
+		}
+		if ignore {
+			logger.V(1).Info("Ignoring issuer")
+			return result, nil, nil // done
+		}
+	}
+
 	// We now have a Issuer that belongs to us so we are responsible
 	// for updating its Status.
 	issuerStatusPatch = &v1alpha1.IssuerStatus{}

controllers/signer/interface.go

@@ -24,6 +24,8 @@ import (
 	cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	"github.com/cert-manager/cert-manager/pkg/util/pki"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
 
 	"github.com/cert-manager/issuer-lib/api/v1alpha1"
 )
@@ -60,3 +62,27 @@ type CertificateRequestObject interface {
 
 	GetConditions() []cmapi.CertificateRequestCondition
 }
+
+// IgnoreIssuer is an optional function that can prevent the issuer controllers from
+// reconciling an issuer resource. By default, the controllers will reconcile all
+// issuer resources that match the owned types.
+// This function will be called by the issuer reconcile loops for each type that matches
+// the owned types. If the function returns true, the controller will not reconcile the
+// issuer resource.
+type IgnoreIssuer func(
+	ctx context.Context,
+	issuerObject v1alpha1.Issuer,
+) (bool, error)
+
+// IgnoreCertificateRequest is an optional function that can prevent the CertificateRequest
+// and Kubernetes CSR controllers from reconciling a CertificateRequest resource. By default,
+// the controllers will reconcile all CertificateRequest resources that match the issuerRef type.
+// This function will be called by the CertificateRequest reconcile loop and the Kubernetes CSR
+// reconcile loop for each type that matches the issuerRef type. If the function returns true,
+// the controller will not reconcile the CertificateRequest resource.
+type IgnoreCertificateRequest func(
+	ctx context.Context,
+	cr CertificateRequestObject,
+	issuerGvk schema.GroupVersionKind,
+	issuerName types.NamespacedName,
+) (bool, error)