Skip to content

bug(controller): fix missing ignore issuers logic #350

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

bug(controller): fix missing ignore issuers logic #350

wants to merge 1 commit into from

Conversation

@hjoshi123
Copy link
Contributor

@hjoshi123 hjoshi123 commented Nov 6, 2025

This PR addresses an already existing features but there was missing logic that made the functionality moot. Ignore issuer's value was not being consumed anywhere leading to not actually working. This is required for migrating in-tree issuers as we would need those controllers to ignore anything that doesn't match the CM GenericIssuer.

@cert-manager-prow cert-manager-prow bot added the dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. label Nov 6, 2025
@cert-manager-prow
Copy link
Contributor

cert-manager-prow bot commented Nov 6, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign sgtcodfish for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Nov 6, 2025
@hjoshi123
Copy link
Contributor Author

hjoshi123 commented Nov 11, 2025

/cc @ThatsMrTalbot. Could you review it whenever you are free?

@ThatsMrTalbot
Copy link
Contributor

ThatsMrTalbot commented Nov 11, 2025

IDK if I should review since I helped write this bit 😂

inteon
inteon reviewed Nov 12, 2025
View reviewed changes
controllers/request_controller.go
if err := r.Client.Get(ctx, issuerName, kubeutil.ObjectForIssuer(issuerObject)); err != nil && apierrors.IsNotFound(err) {
logger.V(1).Info("Issuer not found. Waiting for it to be created")
statusPatch.SetWaitingForIssuerExist(err)
if r.IgnoreIssuer == nil {
Copy link
Member

@inteon inteon Nov 12, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In case r.IgnoreIssuer is nil, statusPatch.SetWaitingForIssuerExist will never be called, this is not right.

Originally, my thinking was that issuers could be ignored using IgnoreIssuer for the check command and IgnoreCertificateRequest for the sign command. WDYT cc @ThatsMrTalbot

Copy link
Contributor

@ThatsMrTalbot ThatsMrTalbot Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When I was writing an example to check the UX of issuer-lib for internal issuers IgnoreCertificateRequest was a pain.

For each CertificateRequest you have to check if its an Issuer or a ClusterIssuer, load the correct type, then check if its one we care about.

Having IgnoreIssuer apply to the signer controller makes this so much easier

Copy link
Member

@inteon inteon Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@hjoshi123 Sorry, I was unclear in my original message, I updated my comment: "In case r.IgnoreIssuer is nil, statusPatch.SetWaitingForIssuerExist will never be called, this is not right."

Copy link
Contributor Author

@hjoshi123 hjoshi123 Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@inteon sorry I got confused now 😅. Do you mean when r.IgnoreIssuer is not nil the statusPatch.SetWaitingForIssuerExist will never be called?

I didnt think of that.. thank you for pointing that out.. I feel it makes sense to call the SetWaitingForIssuerExist irrespective of the IgnoreIssuer right?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ThatsMrTalbot ThatsMrTalbot ThatsMrTalbot left review comments

@inteon inteon inteon left review comments

Assignees

No one assigned

Labels

dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hjoshi123 @ThatsMrTalbot @inteon