diff --git a/config/crd/bases/certmanager.step.sm_stepclusterissuers.yaml b/config/crd/bases/certmanager.step.sm_stepclusterissuers.yaml index ed3865e335aea28a2eea455fe7e395e2a0c814f6..2eda0a35d14c5904a308eba6efdc431498084b5c 100644 --- a/config/crd/bases/certmanager.step.sm_stepclusterissuers.yaml +++ b/config/crd/bases/certmanager.step.sm_stepclusterissuers.yaml @@ -22,10 +22,14 @@ spec: description: StepClusterIssuer is the Schema for the stepclusterissuers API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -33,11 +37,14 @@ spec: description: StepClusterIssuerSpec defines the desired state of StepClusterIssuer properties: caBundle: - description: CABundle is a base64 encoded TLS certificate used to verify connections to the step certificates server. If not set the system root certificates are used to validate the TLS connection. + description: CABundle is a base64 encoded TLS certificate used to + verify connections to the step certificates server. If not set the + system root certificates are used to validate the TLS connection. format: byte type: string provisioner: - description: Provisioner contains the step certificates provisioner configuration. + description: Provisioner contains the step certificates provisioner + configuration. properties: kid: description: KeyID is the kid property of the JWK provisioner. @@ -46,16 +53,21 @@ spec: description: Names is the name of the JWK provisioner. type: string passwordRef: - description: PasswordRef is a reference to a Secret containing the provisioner password used to decrypt the provisioner private key. + description: PasswordRef is a reference to a Secret containing + the provisioner password used to decrypt the provisioner private + key. properties: key: - description: The key of the secret to select from. Must be a valid secret key. + description: The key of the secret to select from. Must be + a valid secret key. type: string name: - description: The name of the secret in the pod's namespace to select from. + description: The name of the secret in the pod's namespace + to select from. type: string namespace: - description: The namespace of the secret in the pod's namespace to select from. + description: The namespace of the secret in the pod's namespace + to select from. type: string required: - name 
@@ -78,17 +90,21 @@ spec: properties: conditions: items: - description: StepClusterIssuerCondition contains condition information for the step issuer. + description: StepClusterIssuerCondition contains condition information + for the step issuer. properties: lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. format: date-time type: string message: - description: Message is a human readable description of the details of the last transition, complementing reason. + description: Message is a human readable description of the + details of the last transition, complementing reason. type: string reason: - description: Reason is a brief machine readable explanation for the condition's last transition. + description: Reason is a brief machine readable explanation + for the condition's last transition. type: string status: allOf: @@ -100,7 +116,8 @@ spec: - "True" - "False" - Unknown - description: Status of the condition, one of ('True', 'False', 'Unknown'). + description: Status of the condition, one of ('True', 'False', + 'Unknown'). type: string type: description: Type of the condition, currently ('Ready'). diff --git a/config/crd/bases/certmanager.step.sm_stepissuers.yaml b/config/crd/bases/certmanager.step.sm_stepissuers.yaml index 3c7f1ff3b94b7cf2bcccbc3233ebd286c099b79b..3d883661b62115f265fc35cc415ee8b7896c8487 100644 --- a/config/crd/bases/certmanager.step.sm_stepissuers.yaml +++ b/config/crd/bases/certmanager.step.sm_stepissuers.yaml 
@@ -22,10 +22,14 @@ spec: description: StepIssuer is the Schema for the stepissuers API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -33,11 +37,14 @@ spec: description: StepIssuerSpec defines the desired state of StepIssuer properties: caBundle: - description: CABundle is a base64 encoded TLS certificate used to verify connections to the step certificates server. If not set the system root certificates are used to validate the TLS connection. + description: CABundle is a base64 encoded TLS certificate used to + verify connections to the step certificates server. If not set the + system root certificates are used to validate the TLS connection. format: byte type: string provisioner: - description: Provisioner contains the step certificates provisioner configuration. + description: Provisioner contains the step certificates provisioner + configuration. properties: kid: description: KeyID is the kid property of the JWK provisioner. @@ -46,13 +53,17 @@ spec: description: Names is the name of the JWK provisioner. type: string passwordRef: - description: PasswordRef is a reference to a Secret containing the provisioner password used to decrypt the provisioner private key. + description: PasswordRef is a reference to a Secret containing + the provisioner password used to decrypt the provisioner private + key. properties: key: - description: The key of the secret to select from. Must be a valid secret key. + description: The key of the secret to select from. Must be + a valid secret key. type: string name: - description: The name of the secret in the pod's namespace to select from. + description: The name of the secret in the pod's namespace + to select from. type: string required: - name 
@@ -74,17 +85,21 @@ spec: properties: conditions: items: - description: StepIssuerCondition contains condition information for the step issuer. + description: StepIssuerCondition contains condition information + for the step issuer. properties: lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. format: date-time type: string message: - description: Message is a human readable description of the details of the last transition, complementing reason. + description: Message is a human readable description of the + details of the last transition, complementing reason. type: string reason: - description: Reason is a brief machine readable explanation for the condition's last transition. + description: Reason is a brief machine readable explanation + for the condition's last transition. type: string status: allOf: @@ -96,7 +111,8 @@ spec: - "True" - "False" - Unknown - description: Status of the condition, one of ('True', 'False', 'Unknown'). + description: Status of the condition, one of ('True', 'False', + 'Unknown'). type: string type: description: Type of the condition, currently ('Ready'). diff --git a/controllers/certificaterequest_controller.go b/controllers/certificaterequest_controller.go index 9eb1e22e949a7cf8443962097dc8c3cf4a7c7393..7d622a44e57cf57392f7307523c1c180278891ab 100644 --- a/controllers/certificaterequest_controller.go +++ b/controllers/certificaterequest_controller.go @@ -113,7 +113,7 @@ func (r *CertificateRequestReconciler) Reconcile(ctx context.Context, req ctrl.R iss := api.StepClusterIssuer{} issNamespaceName := types.NamespacedName{ Namespace: "", - Name: cr.Spec.IssuerRef.Name, + Name: cr.Spec.IssuerRef.Name, } if err := r.Client.Get(ctx, issNamespaceName, &iss); err != nil { 
@@ -121,7 +121,7 @@ func (r *CertificateRequestReconciler) Reconcile(ctx context.Context, req ctrl.R
 _ = r.setStatus(ctx, cr, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve StepClusterIssuer resource %s: %v", issNamespaceName, err)
 return ctrl.Result{}, err
 }
-
+
 // Check if the StepClusterIssuer resource has been marked Ready
 if !stepClusterIssuerHasCondition(iss, api.StepClusterIssuerCondition{Type: api.ConditionReady, Status: api.ConditionTrue}) {
 err := fmt.Errorf("resource %s is not ready", issNamespaceName)
@@ -129,7 +129,7 @@ func (r *CertificateRequestReconciler) Reconcile(ctx context.Context, req ctrl.R
 _ = r.setStatus(ctx, cr, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "StepClusterIssuer resource %s is not Ready", issNamespaceName)
 return ctrl.Result{}, err
 }
-
+
 // Load the provisioner that will sign the CertificateRequest
 provisioner, ok := provisioners.Load(issNamespaceName)
 if !ok {
@@ -138,7 +138,7 @@ func (r *CertificateRequestReconciler) Reconcile(ctx context.Context, req ctrl.R
 _ = r.setStatus(ctx, cr, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to load provisioner for StepClusterIssuer resource %s", issNamespaceName)
 return ctrl.Result{}, err
 }
-
+
 // Sign CertificateRequest
 signedPEM, trustedCAs, err := provisioner.Sign(ctx, cr)
 if err != nil {
@@ -147,14 +147,14 @@ func (r *CertificateRequestReconciler) Reconcile(ctx context.Context, req ctrl.R
 }
 cr.Status.Certificate = signedPEM
 cr.Status.CA = trustedCAs
-
+
 return ctrl.Result{}, r.setStatus(ctx, cr, cmmeta.ConditionTrue, cmapi.CertificateRequestReasonIssued, "Certificate issued")
 } else {
 iss := api.StepIssuer{}
 issNamespaceName := types.NamespacedName{
- Namespace: req.Namespace,
- Name: cr.Spec.IssuerRef.Name,
- }
+ Namespace: req.Namespace,
+ Name: cr.Spec.IssuerRef.Name,
+ }
 if err := r.Client.Get(ctx, issNamespaceName, &iss); err != nil {
 log.Error(err, "failed to retrieve StepIssuer resource", "namespace", req.Namespace, "name", cr.Spec.IssuerRef.Name)