change: ensure that we only renew the original Acorn TLS (wildcard) c…

…ertificate (#2235)

pkg/controller/routes.go

@@ -128,7 +128,7 @@ func routes(router *router.Router, cfg *rest.Config, registryTransport http.Roun
 	router.Type(&netv1.Ingress{}).Selector(managedSelector).Namespace(system.ImagesNamespace).HandlerFunc(gc.GCOrphans)
 	router.Type(&corev1.Secret{}).Selector(managedSelector).Name(system.DNSSecretName).Namespace(system.Namespace).HandlerFunc(secrets.HandleDNSSecret)
 	router.Type(&netv1.Ingress{}).Selector(managedSelector).Name(system.DNSIngressName).Namespace(system.Namespace).Middleware(ingress.RequireLBs).Handler(ingress.NewDNSHandler())
-	router.Type(&corev1.Secret{}).Selector(managedSelector).Middleware(tls.RequireSecretTypeTLS).HandlerFunc(tls.RenewCert) // renew (expired) TLS certificates, including the oss-acorn.io wildcard cert
+	router.Type(&corev1.Secret{}).Selector(managedSelector).Name(system.TLSSecretName).Namespace(system.Namespace).Middleware(tls.RequireSecretTypeTLS).HandlerFunc(tls.RenewCert) // renew (expired) TLS certificate
 	router.Type(&storagev1.StorageClass{}).HandlerFunc(volume.SyncVolumeClasses)
 	router.Type(&corev1.Service{}).Selector(managedSelector).HandlerFunc(networkpolicy.ForService)
 	router.Type(&netv1.Ingress{}).Selector(managedSelector).HandlerFunc(networkpolicy.ForIngress)

pkg/controller/service/testdata/ingress/basic/expected.golden

@@ -144,6 +144,9 @@ data:
   tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBcG4xSkhVT3NHUTZZcklTQTVqR1FtQVdvWG1KRW8waGdGL3ZHUXV2dXB6T0czbHNTCnAxTk9UTXo5TjdURHNOK3pJaGZWb2VDWXkweEUzQTJtaHd6QitOQXNnYWR0WGd5bUpJOWFieXUwOEQzUGtOcmcKWTdKalk5cDBrUzdCS1VRU2RhQy9PeTdGdThnclVQbUtBbTRtM0d1ZDRudFVwbWRrczdnOWVHSDhZZFZyL3p5bApXejNwRzF6YmNmelBPQXo1cHlUM2hZZ0JIOVk5U2J4SnFlM0hhd1p1UVRlcm5yVFBRcStXVTZXMWk1TjRIYTRhCmQ0RGF1Y2xjcy80YnplVHB5d3JXaGVpVEZGc3pzcmFPbDIxNnVBMnpWQU9ZWXQ0YVdzb1lyUisxOGhqdkNTU3MKZnZndkd5aGtyVEE2NlhmT1g3Z2h1M0hBRXR5aDZCYWdsRnpTUndJREFRQUJBb0lCQUhwaGNkTXZJVnd4M0l4RAp3alJ6anFRUTFKaThoMU8zS2R1M1dSOXNLanVCcHN2Z0NqQXhEa2RxRDJCWllkZXNPQk1CamltMTNOcmpyMkpLCkxuVHJMZEpsdzdGeWp2UXBQQjkzdUxRclhvK1IvL2VzekhDOGVrNjJFQ1dBUnNDOHB3ME1Ja1d3dGV5NDBRNXUKdjhIVmtuOUlKQUNOUThZbURtSUZOam85WExYVWFoaEhHQVpvSnBsVzR2WkpRelhIMWRjK3dLSGY0cjhjZ0laRgppMmh5TkdzRUEyRFBOemNCNHQzaitEZXNrUzNIOW1PSTVld1V2c1BUdStFWVdMbjhEOTRKOUlNNlZ5QW8vcFRaCjhNS2orTUxTUkFnNGJjMUVZbUM0VVg2dVl2VVpZSmkvY3QyMWtrRFc3ZEtlZU9OdjEwVkV2VkIrMUlES3krMGkKN0t5alZ1RUNnWUVBMW9OMUIxeTUvWEZnV1hZTHZGb3ovY0NKdFJjSnNxUWRxRXRoZG9BYUdVRTJBU3BCL3lHNgpQR3M1UXdsRjhTUmdERXRKRzlOMEU4TXBtaXplTWc0MFI3cDJoZ2lXN0xQWWM4VE84Y0I1SDdNMzFOTGNVL0VaCm9qTEVPOUVYdlJBTThVVmJ0TUQzdXpJbTFJckRBdGI1dnJ6MmF3SFd6VG9TVm1WZDFxR3A4RDhDZ1lFQXhyQW8KMTM2K0xiM3F0dkxWQ2hKUzVBanVwZ1pLMTRHdithTlFVM0h3M0ZDYXhlL0NpcXNUN0NFOUFkbFc4N0pOeWVlaQpJWEZab3FwTS9VN0RMdnFPRjZkcU0rb3daempRWW1SU0dSbk5OeHpocHJiK08yUU9ZUnZSYnRlaHVJV1BHZ09DCjJHZC9QRzNhQUdia1BFMSsrS21YTFVaOXVmKzVqVVJ0QUNka20va0NnWUVBcjhDdTNxUlRZbHBFNWFjNUFFNHIKY01rU1NvT2dsM090Tk5qbDlwQUlVZzdDcjN1dTdOajJYRkJCYnpJbTB1YkpwdWo3OGtkeVFFclRTQlZneTBRbQpBMnE3ZHgrTWdFenRtQlIwdFUvTUxYUEoxNTRYbE5MaC9LbDVhOFRwblNhTVpCVStpTDdkZWNzaVUxdUpZVWMvCkFjNlNXcVA4R05OdWVNaStkSDZwM0VNQ2dZQmFnNllYaGdYZGtNZDgwT044MHh3d0JtR3lBT3ZYZ1oxSmZMejcKUnMwVGtTVHhSMmk1QTNidis3UnZRelA1a1NFZStnZENkUUVBdWRTWkVXaVoza3NkTzRlR1h3bnQvRlB5ZndGbgpyZmx2UWhrS2VoTVh1MTFSbi9xcEpGTG9YTy8wU2VVeDhQUmw4eVY5U1dKd2xsMWhxdURVSDJqbmN6aDB3dGRsCldvemJBUUtCZ1FDMWJEaTVJV1dDODhBcmNVa0hZcmVKdHQyWGQ5dGczY2RKcjJTMkNCT2RKNkt1T2xvMml4c0oKWDBtZ25HbGpLb1JrTjhScWc1anlBK29tOVN6TWlmZzF4dGQ4cHp1VlJ2QVFnMXRua3RJNTFoV1pQOXpvdklESwpBK3lTQVE0dG1zb0lrRW9URXE0Zkxva0ZvSGRpcTl6bi9TamJRamNhUmxiZlFUVFFDQzhNd2c9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
 kind: Secret
 metadata:
+  annotations:
+    acorn.io/secret-source-name: test-tls
+    acorn.io/secret-source-namespace: app-namespace
   creationTimestamp: null
   labels:
     acorn.io/app-name: app-name

pkg/controller/service/testdata/ingress/customdomainwithcerts/expected.golden

@@ -134,6 +134,9 @@ data:
   tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBcG4xSkhVT3NHUTZZcklTQTVqR1FtQVdvWG1KRW8waGdGL3ZHUXV2dXB6T0czbHNTCnAxTk9UTXo5TjdURHNOK3pJaGZWb2VDWXkweEUzQTJtaHd6QitOQXNnYWR0WGd5bUpJOWFieXUwOEQzUGtOcmcKWTdKalk5cDBrUzdCS1VRU2RhQy9PeTdGdThnclVQbUtBbTRtM0d1ZDRudFVwbWRrczdnOWVHSDhZZFZyL3p5bApXejNwRzF6YmNmelBPQXo1cHlUM2hZZ0JIOVk5U2J4SnFlM0hhd1p1UVRlcm5yVFBRcStXVTZXMWk1TjRIYTRhCmQ0RGF1Y2xjcy80YnplVHB5d3JXaGVpVEZGc3pzcmFPbDIxNnVBMnpWQU9ZWXQ0YVdzb1lyUisxOGhqdkNTU3MKZnZndkd5aGtyVEE2NlhmT1g3Z2h1M0hBRXR5aDZCYWdsRnpTUndJREFRQUJBb0lCQUhwaGNkTXZJVnd4M0l4RAp3alJ6anFRUTFKaThoMU8zS2R1M1dSOXNLanVCcHN2Z0NqQXhEa2RxRDJCWllkZXNPQk1CamltMTNOcmpyMkpLCkxuVHJMZEpsdzdGeWp2UXBQQjkzdUxRclhvK1IvL2VzekhDOGVrNjJFQ1dBUnNDOHB3ME1Ja1d3dGV5NDBRNXUKdjhIVmtuOUlKQUNOUThZbURtSUZOam85WExYVWFoaEhHQVpvSnBsVzR2WkpRelhIMWRjK3dLSGY0cjhjZ0laRgppMmh5TkdzRUEyRFBOemNCNHQzaitEZXNrUzNIOW1PSTVld1V2c1BUdStFWVdMbjhEOTRKOUlNNlZ5QW8vcFRaCjhNS2orTUxTUkFnNGJjMUVZbUM0VVg2dVl2VVpZSmkvY3QyMWtrRFc3ZEtlZU9OdjEwVkV2VkIrMUlES3krMGkKN0t5alZ1RUNnWUVBMW9OMUIxeTUvWEZnV1hZTHZGb3ovY0NKdFJjSnNxUWRxRXRoZG9BYUdVRTJBU3BCL3lHNgpQR3M1UXdsRjhTUmdERXRKRzlOMEU4TXBtaXplTWc0MFI3cDJoZ2lXN0xQWWM4VE84Y0I1SDdNMzFOTGNVL0VaCm9qTEVPOUVYdlJBTThVVmJ0TUQzdXpJbTFJckRBdGI1dnJ6MmF3SFd6VG9TVm1WZDFxR3A4RDhDZ1lFQXhyQW8KMTM2K0xiM3F0dkxWQ2hKUzVBanVwZ1pLMTRHdithTlFVM0h3M0ZDYXhlL0NpcXNUN0NFOUFkbFc4N0pOeWVlaQpJWEZab3FwTS9VN0RMdnFPRjZkcU0rb3daempRWW1SU0dSbk5OeHpocHJiK08yUU9ZUnZSYnRlaHVJV1BHZ09DCjJHZC9QRzNhQUdia1BFMSsrS21YTFVaOXVmKzVqVVJ0QUNka20va0NnWUVBcjhDdTNxUlRZbHBFNWFjNUFFNHIKY01rU1NvT2dsM090Tk5qbDlwQUlVZzdDcjN1dTdOajJYRkJCYnpJbTB1YkpwdWo3OGtkeVFFclRTQlZneTBRbQpBMnE3ZHgrTWdFenRtQlIwdFUvTUxYUEoxNTRYbE5MaC9LbDVhOFRwblNhTVpCVStpTDdkZWNzaVUxdUpZVWMvCkFjNlNXcVA4R05OdWVNaStkSDZwM0VNQ2dZQmFnNllYaGdYZGtNZDgwT044MHh3d0JtR3lBT3ZYZ1oxSmZMejcKUnMwVGtTVHhSMmk1QTNidis3UnZRelA1a1NFZStnZENkUUVBdWRTWkVXaVoza3NkTzRlR1h3bnQvRlB5ZndGbgpyZmx2UWhrS2VoTVh1MTFSbi9xcEpGTG9YTy8wU2VVeDhQUmw4eVY5U1dKd2xsMWhxdURVSDJqbmN6aDB3dGRsCldvemJBUUtCZ1FDMWJEaTVJV1dDODhBcmNVa0hZcmVKdHQyWGQ5dGczY2RKcjJTMkNCT2RKNkt1T2xvMml4c0oKWDBtZ25HbGpLb1JrTjhScWc1anlBK29tOVN6TWlmZzF4dGQ4cHp1VlJ2QVFnMXRua3RJNTFoV1pQOXpvdklESwpBK3lTQVE0dG1zb0lrRW9URXE0Zkxva0ZvSGRpcTl6bi9TamJRamNhUmxiZlFUVFFDQzhNd2c9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
 kind: Secret
 metadata:
+  annotations:
+    acorn.io/secret-source-name: test-tls
+    acorn.io/secret-source-namespace: app-namespace
   creationTimestamp: null
   labels:
     acorn.io/app-name: app-name

pkg/controller/service/testdata/ingress/letsencrypt/expected.golden

@@ -94,6 +94,9 @@ data:
   tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBcG4xSkhVT3NHUTZZcklTQTVqR1FtQVdvWG1KRW8waGdGL3ZHUXV2dXB6T0czbHNTCnAxTk9UTXo5TjdURHNOK3pJaGZWb2VDWXkweEUzQTJtaHd6QitOQXNnYWR0WGd5bUpJOWFieXUwOEQzUGtOcmcKWTdKalk5cDBrUzdCS1VRU2RhQy9PeTdGdThnclVQbUtBbTRtM0d1ZDRudFVwbWRrczdnOWVHSDhZZFZyL3p5bApXejNwRzF6YmNmelBPQXo1cHlUM2hZZ0JIOVk5U2J4SnFlM0hhd1p1UVRlcm5yVFBRcStXVTZXMWk1TjRIYTRhCmQ0RGF1Y2xjcy80YnplVHB5d3JXaGVpVEZGc3pzcmFPbDIxNnVBMnpWQU9ZWXQ0YVdzb1lyUisxOGhqdkNTU3MKZnZndkd5aGtyVEE2NlhmT1g3Z2h1M0hBRXR5aDZCYWdsRnpTUndJREFRQUJBb0lCQUhwaGNkTXZJVnd4M0l4RAp3alJ6anFRUTFKaThoMU8zS2R1M1dSOXNLanVCcHN2Z0NqQXhEa2RxRDJCWllkZXNPQk1CamltMTNOcmpyMkpLCkxuVHJMZEpsdzdGeWp2UXBQQjkzdUxRclhvK1IvL2VzekhDOGVrNjJFQ1dBUnNDOHB3ME1Ja1d3dGV5NDBRNXUKdjhIVmtuOUlKQUNOUThZbURtSUZOam85WExYVWFoaEhHQVpvSnBsVzR2WkpRelhIMWRjK3dLSGY0cjhjZ0laRgppMmh5TkdzRUEyRFBOemNCNHQzaitEZXNrUzNIOW1PSTVld1V2c1BUdStFWVdMbjhEOTRKOUlNNlZ5QW8vcFRaCjhNS2orTUxTUkFnNGJjMUVZbUM0VVg2dVl2VVpZSmkvY3QyMWtrRFc3ZEtlZU9OdjEwVkV2VkIrMUlES3krMGkKN0t5alZ1RUNnWUVBMW9OMUIxeTUvWEZnV1hZTHZGb3ovY0NKdFJjSnNxUWRxRXRoZG9BYUdVRTJBU3BCL3lHNgpQR3M1UXdsRjhTUmdERXRKRzlOMEU4TXBtaXplTWc0MFI3cDJoZ2lXN0xQWWM4VE84Y0I1SDdNMzFOTGNVL0VaCm9qTEVPOUVYdlJBTThVVmJ0TUQzdXpJbTFJckRBdGI1dnJ6MmF3SFd6VG9TVm1WZDFxR3A4RDhDZ1lFQXhyQW8KMTM2K0xiM3F0dkxWQ2hKUzVBanVwZ1pLMTRHdithTlFVM0h3M0ZDYXhlL0NpcXNUN0NFOUFkbFc4N0pOeWVlaQpJWEZab3FwTS9VN0RMdnFPRjZkcU0rb3daempRWW1SU0dSbk5OeHpocHJiK08yUU9ZUnZSYnRlaHVJV1BHZ09DCjJHZC9QRzNhQUdia1BFMSsrS21YTFVaOXVmKzVqVVJ0QUNka20va0NnWUVBcjhDdTNxUlRZbHBFNWFjNUFFNHIKY01rU1NvT2dsM090Tk5qbDlwQUlVZzdDcjN1dTdOajJYRkJCYnpJbTB1YkpwdWo3OGtkeVFFclRTQlZneTBRbQpBMnE3ZHgrTWdFenRtQlIwdFUvTUxYUEoxNTRYbE5MaC9LbDVhOFRwblNhTVpCVStpTDdkZWNzaVUxdUpZVWMvCkFjNlNXcVA4R05OdWVNaStkSDZwM0VNQ2dZQmFnNllYaGdYZGtNZDgwT044MHh3d0JtR3lBT3ZYZ1oxSmZMejcKUnMwVGtTVHhSMmk1QTNidis3UnZRelA1a1NFZStnZENkUUVBdWRTWkVXaVoza3NkTzRlR1h3bnQvRlB5ZndGbgpyZmx2UWhrS2VoTVh1MTFSbi9xcEpGTG9YTy8wU2VVeDhQUmw4eVY5U1dKd2xsMWhxdURVSDJqbmN6aDB3dGRsCldvemJBUUtCZ1FDMWJEaTVJV1dDODhBcmNVa0hZcmVKdHQyWGQ5dGczY2RKcjJTMkNCT2RKNkt1T2xvMml4c0oKWDBtZ25HbGpLb1JrTjhScWc1anlBK29tOVN6TWlmZzF4dGQ4cHp1VlJ2QVFnMXRua3RJNTFoV1pQOXpvdklESwpBK3lTQVE0dG1zb0lrRW9URXE0Zkxva0ZvSGRpcTl6bi9TamJRamNhUmxiZlFUVFFDQzhNd2c9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
 kind: Secret
 metadata:
+  annotations:
+    acorn.io/secret-source-name: test-tls
+    acorn.io/secret-source-namespace: app-namespace
   creationTimestamp: null
   labels:
     acorn.io/app-name: app-name

pkg/controller/tls/certs.go

@@ -53,6 +53,12 @@ func RequireSecretTypeTLS(h router.Handler) router.Handler {
 func RenewCert(req router.Request, resp router.Response) error {
 	sec := req.Object.(*corev1.Secret)
 
+	// Do not renew if this is a copy of another secret - only the original secret will be renewed
+	if sec.Annotations[labels.AcornSecretSourceName] != "" {
+		logrus.Debugf("not renewing certificate in secret %s/%s: it's a copy of %s/%s", sec.Namespace, sec.Name, sec.Annotations[labels.AcornSecretSourceNamespace], sec.Annotations[labels.AcornSecretSourceName])
+		return nil
+	}
+
 	leUser, err := ensureLEUser(req.Ctx, req.Client)
 	if err != nil {
 		logrus.Errorf("failed to get/create lets-encrypt account in RenewCert: %v", err)

pkg/publish/cert.go

@@ -110,10 +110,13 @@ func copySecretsForCerts(req router.Request, svc *v1.ServiceInstance, filteredTL
 		secretName := name.SafeConcatName(tlsCert.SecretName, svc.Name, string(originalSecret.UID)[:12])
 		objs = append(objs, &corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:        secretName,
-				Namespace:   svc.Namespace,
-				Labels:      labels.Merge(originalSecret.Labels, labels.ManagedByApp(svc.Spec.AppNamespace, svc.Spec.AppName)),
-				Annotations: originalSecret.Annotations,
+				Name:      secretName,
+				Namespace: svc.Namespace,
+				Labels:    labels.Merge(originalSecret.Labels, labels.ManagedByApp(svc.Spec.AppNamespace, svc.Spec.AppName)),
+				Annotations: labels.Merge(originalSecret.Annotations, map[string]string{
+					labels.AcornSecretSourceNamespace: originalSecret.Namespace,
+					labels.AcornSecretSourceName:      originalSecret.Name,
+				}),
 			},
 			Type: corev1.SecretTypeTLS,
 			Data: originalSecret.Data,