feat: use issuer-lib

Refactor this project to utilize cert-manager's issuer-lib packages for
creating external issuers that follow the best practices and implied
behavior for issuers.

This changeset also adds support for Kubernetes 1.19
CertificateSigningRequests as a side effect of utilizing issuer-lib.

Bug: #161

cmd/controller/main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"net/http"
 	"os"
 	"time"
@@ -15,13 +16,10 @@ import (
 	"github.com/spf13/pflag"
 	"k8s.io/apimachinery/pkg/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
-	"k8s.io/utils/clock"
-	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 )
 
 func main() {
@@ -75,59 +73,19 @@ func main() {
 		os.Exit(1)
 	}
 
-	err = builder.
-		ControllerManagedBy(mgr).
-		For(&v1.OriginIssuer{}).
-		Complete(reconcile.AsReconciler(mgr.GetClient(), &controllers.OriginIssuerController{
-			Client: mgr.GetClient(),
-			Reader: mgr.GetAPIReader(),
-			Clock:  clock.RealClock{},
-			Log:    log.WithName("controllers").WithName("OriginIssuer"),
-		}))
+	ctx, cancel := context.WithCancel(signals.SetupSignalHandler())
+	defer cancel()
 
-	if err != nil {
-		log.Error(err, "could not create origin issuer controller")
-		os.Exit(1)
-	}
-
-	err = builder.
-		ControllerManagedBy(mgr).
-		For(&v1.ClusterOriginIssuer{}).
-		Complete(reconcile.AsReconciler(mgr.GetClient(), &controllers.ClusterOriginIssuerController{
-			Client:                   mgr.GetClient(),
-			Reader:                   mgr.GetAPIReader(),
-			ClusterResourceNamespace: o.ClusterResourceNamespace,
-			Clock:                    clock.RealClock{},
-			Log:                      log.WithName("controllers").WithName("ClusterOriginIssuer"),
-		}))
-
-	if err != nil {
-		log.Error(err, "could not create cluster origin issuer controller")
-		os.Exit(1)
-	}
-
-	err = builder.
-		ControllerManagedBy(mgr).
-		For(&certmanager.CertificateRequest{}).
-		Complete(reconcile.AsReconciler(mgr.GetClient(), &controllers.CertificateRequestController{
-			Client:                   mgr.GetClient(),
-			Reader:                   mgr.GetAPIReader(),
-			ClusterResourceNamespace: o.ClusterResourceNamespace,
-			Builder: cfapi.NewBuilder().WithClient(&http.Client{
-				Timeout: 30 * time.Second,
-			}),
-			Log: log.WithName("controllers").WithName("CertificateRequest"),
-
-			Clock:                  clock.RealClock{},
-			CheckApprovedCondition: !o.DisableApprovedCheck,
-		}))
-
-	if err != nil {
-		log.Error(err, "could not create certificaterequest controller")
-		os.Exit(1)
+	signer := &controllers.Signer{
+		Reader:                   mgr.GetAPIReader(),
+		ClusterResourceNamespace: o.ClusterResourceNamespace,
+		Builder: cfapi.NewBuilder().WithClient(&http.Client{
+			Timeout: 30 * time.Second,
+		}),
 	}
+	signer.SetupWithManager(ctx, mgr)
 
-	if err := mgr.Start(signals.SetupSignalHandler()); err != nil {
+	if err := mgr.Start(ctx); err != nil {
 		log.Error(err, "could not start manager")
 		os.Exit(1)
 	}

deploy/crds/cert-manager.k8s.cloudflare.com_clusteroriginissuers.yaml

@@ -99,11 +99,11 @@ spec:
             properties:
               conditions:
                 description: |-
-                  List of status conditions to indicate the status of an OriginIssuer
+                  List of status conditions to indicate the status of an Issuer.
                   Known condition types are `Ready`.
                 items:
-                  description: OriginIssuerCondition contains condition information
-                    for the OriginIssuer.
+                  description: IssuerCondition contains condition information for
+                    an Issuer.
                   properties:
                     lastTransitionTime:
                       description: |-
@@ -114,31 +114,41 @@ spec:
                     message:
                       description: |-
                         Message is a human readable description of the details of the last
-                        transition1, complementing reason.
+                        transition, complementing reason.
                       type: string
+                    observedGeneration:
+                      description: |-
+                        If set, this represents the .metadata.generation that the condition was
+                        set based upon.
+                        For instance, if .metadata.generation is currently 12, but the
+                        .status.condition[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the Issuer.
+                      format: int64
+                      type: integer
                     reason:
                       description: |-
                         Reason is a brief machine readable explanation for the condition's last
                         transition.
                       type: string
                     status:
-                      description: Status of the condition, one of ('True', 'False',
-                        'Unknown')
+                      description: Status of the condition, one of (`True`, `False`,
+                        `Unknown`).
                       enum:
                       - "True"
                       - "False"
                       - Unknown
                       type: string
                     type:
-                      description: Type of the condition, known values are ('Ready')
-                      enum:
-                      - Ready
+                      description: Type of the condition, known values are (`Ready`).
                       type: string
                   required:
                   - status
                   - type
                   type: object
                 type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
             type: object
         type: object
     served: true

deploy/crds/cert-manager.k8s.cloudflare.com_originissuers.yaml

@@ -98,11 +98,11 @@ spec:
             properties:
               conditions:
                 description: |-
-                  List of status conditions to indicate the status of an OriginIssuer
+                  List of status conditions to indicate the status of an Issuer.
                   Known condition types are `Ready`.
                 items:
-                  description: OriginIssuerCondition contains condition information
-                    for the OriginIssuer.
+                  description: IssuerCondition contains condition information for
+                    an Issuer.
                   properties:
                     lastTransitionTime:
                       description: |-
@@ -113,31 +113,41 @@ spec:
                     message:
                       description: |-
                         Message is a human readable description of the details of the last
-                        transition1, complementing reason.
+                        transition, complementing reason.
                       type: string
+                    observedGeneration:
+                      description: |-
+                        If set, this represents the .metadata.generation that the condition was
+                        set based upon.
+                        For instance, if .metadata.generation is currently 12, but the
+                        .status.condition[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the Issuer.
+                      format: int64
+                      type: integer
                     reason:
                       description: |-
                         Reason is a brief machine readable explanation for the condition's last
                         transition.
                       type: string
                     status:
-                      description: Status of the condition, one of ('True', 'False',
-                        'Unknown')
+                      description: Status of the condition, one of (`True`, `False`,
+                        `Unknown`).
                       enum:
                       - "True"
                       - "False"
                       - Unknown
                       type: string
                     type:
-                      description: Type of the condition, known values are ('Ready')
-                      enum:
-                      - Ready
+                      description: Type of the condition, known values are (`Ready`).
                       type: string
                   required:
                   - status
                   - type
                   type: object
                 type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
             type: object
         type: object
     served: true

deploy/rbac/role.yaml

@@ -26,23 +26,19 @@ rules:
   verbs:
   - get
   - list
-  - update
   - watch
 - apiGroups:
   - cert-manager.io
   resources:
   - certificaterequests/status
   verbs:
-  - get
   - patch
-  - update
 - apiGroups:
   - cert-manager.k8s.cloudflare.com
   resources:
   - clusteroriginissuers
   - originissuers
   verbs:
-  - create
   - get
   - list
   - watch
@@ -52,6 +48,27 @@ rules:
   - clusteroriginissuers/status
   - originissuers/status
   verbs:
+  - patch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
   - get
+  - list
+  - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests/status
+  verbs:
   - patch
-  - update
+- apiGroups:
+  - certificates.k8s.io
+  resourceNames:
+  - clusteroriginissuers.cert-manager.k8s.cloudflare.com/*
+  - originissuers.cert-manager.k8s.cloudflare.com/*
+  resources:
+  - signers
+  verbs:
+  - sign

go.mod

@@ -6,9 +6,8 @@ toolchain go1.23.1
 
 require (
 	github.com/cert-manager/cert-manager v1.15.3
-	github.com/go-logr/logr v1.4.2
+	github.com/cert-manager/issuer-lib v0.8.0
 	github.com/go-logr/zerologr v1.2.3
-	github.com/google/go-cmp v0.6.0
 	github.com/rs/zerolog v1.29.0
 	github.com/spf13/pflag v1.0.5
 	gopkg.in/dnaeon/go-vcr.v4 v4.0.1
@@ -34,6 +33,7 @@ require (
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.6 // indirect
 	github.com/go-ldap/ldap/v3 v3.4.8 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
@@ -43,6 +43,7 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect

go.sum

@@ -8,6 +8,8 @@ github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/cert-manager/cert-manager v1.15.3 h1:/u9T0griwd5MegPfWbB7v0KcVcT9OJrEvPNhc9tl7xQ=
 github.com/cert-manager/cert-manager v1.15.3/go.mod h1:stBge/DTvrhfQMB/93+Y62s+gQgZBsfL1o0C/4AL/mI=
+github.com/cert-manager/issuer-lib v0.8.0 h1:eOU+P3EQkEKcZc823iLqMH8/Ithkg0Zs8vsXe0lHH4g=
+github.com/cert-manager/issuer-lib v0.8.0/go.mod h1:UjE2o4BAboql9XV2VuFz2zfL8qrKEPwuQwLFqjL5pK8=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/coreos/go-systemd/v22 v22.3.3-0.20220203105225-a9a7ef127534/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=