Self signed issuer #228

RaphaelVogel · 2024-07-23T14:16:38Z

What this PR does / why we need it:
Create a self signed certificate was already possible using a CA issuer. Using this approach you need to manually create a self-signed certificate using openssl, create a secret out of it and reference this secret in your CA issuer.

To simplify this manual process a new issuer of type selfSigned is created, which creates a self signed certificate.

In addition two additional features are added:

The certificate resource can now define a duration (lifetime of the certificate). This field may be ignored by the issuer (especially Let's encrypt)
Specifying a csr is now possible with issuers of type selfSigned and ca

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Release note:

gardener-prow · 2024-07-23T14:16:41Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

gardener-prow · 2024-07-24T07:09:12Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from martinweindel. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

MartinWeindel

Thanks for your contribution.
I have some requests for improvement:

duration should also be handled by CA and ACME issuers
creating a CA certificate with .spec.csr does not yet work correctly

pkg/apis/cert/v1alpha1/types.go

pkg/cert/legobridge/certificate.go

pkg/cert/utils/issuerinfo.go

pkg/controller/issuer/certificate/reconciler.go

pkg/controller/issuer/core/const.go

pkg/apis/cert/crds/zz_generated_crds.go

MartinWeindel

Found some nits.

pkg/controller/issuer/ca/handler.go

pkg/controller/issuer/certificate/reconciler.go

pkg/controller/issuer/selfSigned/handler.go

RaphaelVogel · 2024-09-13T07:29:12Z

/test all

Co-authored-by: Martin Weindel <martin.weindel@sap.com>

gardener-prow bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Jul 23, 2024

gardener-prow bot requested a review from MartinWeindel July 23, 2024 14:16

gardener-prow bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. labels Jul 23, 2024

RaphaelVogel force-pushed the self-signed-issuer branch from f60c915 to 9c51ce4 Compare July 23, 2024 14:59

gardener-prow bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Jul 23, 2024

gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jul 23, 2024

gardener-robot-ci-1 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jul 23, 2024

RaphaelVogel force-pushed the self-signed-issuer branch from 9c51ce4 to 4f9cd53 Compare July 23, 2024 15:16

gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jul 23, 2024

gardener-robot-ci-2 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jul 23, 2024

RaphaelVogel force-pushed the self-signed-issuer branch from 4f9cd53 to b226841 Compare July 23, 2024 15:41

gardener-robot-ci-3 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Jul 23, 2024

MartinWeindel self-assigned this Jul 24, 2024

gardener-prow bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 24, 2024

gardener-robot-ci-1 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Jul 24, 2024

MartinWeindel requested changes Jul 24, 2024

View reviewed changes

gardener-robot-ci-3 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Jul 24, 2024

gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jul 24, 2024

RaphaelVogel force-pushed the self-signed-issuer branch from b8ef76c to 4d2ac6f Compare September 11, 2024 15:13

gardener-robot-ci-2 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Sep 11, 2024

RaphaelVogel force-pushed the self-signed-issuer branch from 4d2ac6f to 3a42098 Compare September 11, 2024 15:15

gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Sep 11, 2024

gardener-robot-ci-2 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Sep 11, 2024

RaphaelVogel added 5 commits September 11, 2024 17:19

implement selfSigned issuer

eb1d228

enable cert duration for ca issuer

bd28a45

enable cert duration for acme issuer

b0980ee

checks for isCA and duration

10b68eb

set requests per day to MaxInt for CA and self-signed issuer

da5537b

RaphaelVogel force-pushed the self-signed-issuer branch from 3a42098 to da5537b Compare September 11, 2024 15:19

gardener-robot-ci-2 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Sep 11, 2024

MartinWeindel reviewed Sep 12, 2024

View reviewed changes

gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Sep 13, 2024

gardener-robot-ci-1 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Sep 13, 2024

gardener-robot-ci-2 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Sep 13, 2024

RaphaelVogel force-pushed the self-signed-issuer branch from 4aa16d9 to 3d49116 Compare September 13, 2024 07:25

gardener-robot-ci-1 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Sep 13, 2024

Update pkg/controller/issuer/ca/handler.go

32bd917

Co-authored-by: Martin Weindel <martin.weindel@sap.com>

RaphaelVogel force-pushed the self-signed-issuer branch from 3d49116 to 32bd917 Compare September 13, 2024 07:30

gardener-robot-ci-2 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Sep 13, 2024

RaphaelVogel marked this pull request as ready for review September 13, 2024 07:57

gardener-prow bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 13, 2024

gardener-prow bot requested a review from MartinWeindel September 13, 2024 07:57

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Self signed issuer #228

Self signed issuer #228

RaphaelVogel commented Jul 23, 2024 •

edited

Loading

gardener-prow bot commented Jul 23, 2024

gardener-prow bot commented Jul 24, 2024

MartinWeindel left a comment

MartinWeindel left a comment

RaphaelVogel commented Sep 13, 2024

Self signed issuer #228

Are you sure you want to change the base?

Self signed issuer #228

Conversation

RaphaelVogel commented Jul 23, 2024 • edited Loading

gardener-prow bot commented Jul 23, 2024

gardener-prow bot commented Jul 24, 2024

MartinWeindel left a comment

Choose a reason for hiding this comment

MartinWeindel left a comment

Choose a reason for hiding this comment

RaphaelVogel commented Sep 13, 2024

RaphaelVogel commented Jul 23, 2024 •

edited

Loading