implement issuance of temporary certificate when using VirtualServer …

…cert-manager integration (#4408)
nginxinc · Oct 12, 2023 · 6a8633b · 6a8633b
1 parent 732d174
commit 6a8633b
Show file tree

Hide file tree

Showing 8 changed files with 55 additions and 6 deletions.
diff --git a/deployments/common/crds/k8s.nginx.org_virtualservers.yaml b/deployments/common/crds/k8s.nginx.org_virtualservers.yaml
@@ -535,6 +535,8 @@ spec:
                           type: string
                         duration:
                           type: string
+                        issue-temp-cert:
+                          type: boolean
                         issuer:
                           type: string
                         issuer-group:

diff --git a/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md b/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md
@@ -127,6 +127,7 @@ cert-manager:
 |``duration`` | This field allows you to configure spec.duration field for the Certificate to be generated. Must be specified using a [Go time.Duration](https://pkg.go.dev/time#ParseDuration) string format, which does not allow the d (days) suffix. You must specify these values using s, m, and h suffixes instead. | ``string`` | No |
 |``renew-before`` |  this annotation allows you to configure spec.renewBefore field for the Certificate to be generated. Must be specified using a [Go time.Duration](https://pkg.go.dev/time#ParseDuration) string format, which does not allow the d (days) suffix. You must specify these values using s, m, and h suffixes instead. | ``string`` | No |
 |``usages`` |  This field allows you to configure spec.usages field for the Certificate to be generated. Pass a string with comma-separated values i.e. ``key agreement,digital signature, server auth``. An exhaustive list of supported key usages can be found in the [the cert-manager api documentation](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.KeyUsage). | ``string`` | No |
+|``issue-temp-cert`` | When ``true``, ask cert-manager for a [temporary self-signed certificate](https://cert-manager.io/docs/usage/certificate/#temporary-certificates-while-issuing) pending the issuance of the Certificate. This allows HTTPS-only servers to use ACME HTTP01 challenges when the TLS secret does not exist yet. | ``boolean`` | No |
 {{% /table %}}
 
 ### VirtualServer.Listener

diff --git a/internal/certmanager/helper.go b/internal/certmanager/helper.go
@@ -41,6 +41,7 @@ var (
 	issuerKindCmField          = "tls.cert-manager.issuer-kind"
 	renewBeforeCmField         = "tls.cert-manager.renew-before"
 	usagesCmField              = "tls.cert-manager.usages"
+	certMgrTempCertAnnotation  = "cert-manager.io/issue-temporary-certificate"
 )
 
 // translateVsSpec updates the Certificate spec using the VS TLS Cert-Manager
@@ -115,6 +116,14 @@ func translateVsSpec(crt *cmapi.Certificate, vsCmSpec *vsapi.CertManager) error
 		}
 		crt.Spec.Usages = newUsages
 	}
+
+	if vsCmSpec.IssueTempCert {
+		if crt.ObjectMeta.Annotations == nil {
+			crt.ObjectMeta.Annotations = make(map[string]string)
+		}
+		crt.ObjectMeta.Annotations[certMgrTempCertAnnotation] = "true"
+	}
+
 	if len(errs) > 0 {
 		return errors.New(strings.Join(errs, ", "))
 	}

diff --git a/internal/certmanager/helper_test.go b/internal/certmanager/helper_test.go
@@ -44,6 +44,14 @@ func Test_translateVsSpec(t *testing.T) {
 		Usages:      "server auth,signing",
 	}
 
+	validSpecWithTempCert := vsapi.CertManager{
+		CommonName:    "www.example.com",
+		Duration:      "168h", // 1 week
+		RenewBefore:   "24h",
+		Usages:        "server auth,signing",
+		IssueTempCert: true,
+	}
+
 	invalidDuration := vsapi.CertManager{
 		Duration: "un-parsable duration",
 	}
@@ -71,6 +79,17 @@ func Test_translateVsSpec(t *testing.T) {
 				a.Equal([]cmapi.KeyUsage{cmapi.UsageServerAuth, cmapi.UsageSigning}, crt.Spec.Usages)
 			},
 		},
+		"success with temp cert": {
+			crt:    gen.Certificate("example-cert"),
+			cmspec: &validSpecWithTempCert,
+			check: func(a *assert.Assertions, crt *cmapi.Certificate) {
+				a.Equal("www.example.com", crt.Spec.CommonName)
+				a.Equal(&metav1.Duration{Duration: time.Hour * 24 * 7}, crt.Spec.Duration)
+				a.Equal(&metav1.Duration{Duration: time.Hour * 24}, crt.Spec.RenewBefore)
+				a.Equal([]cmapi.KeyUsage{cmapi.UsageServerAuth, cmapi.UsageSigning}, crt.Spec.Usages)
+				a.Equal("true", crt.ObjectMeta.Annotations[certMgrTempCertAnnotation])
+			},
+		},
 		"nil cm spec": {
 			crt:    gen.Certificate("example-cert"),
 			cmspec: nil,

diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go
@@ -300,6 +300,7 @@ type CertManager struct {
 	Duration      string `json:"duration"`
 	RenewBefore   string `json:"renew-before"`
 	Usages        string `json:"usages"`
+	IssueTempCert bool   `json:"issue-temp-cert"`
 }
 
 // VirtualServerStatus defines the status for the VirtualServer resource.

diff --git a/pkg/apis/configuration/v1/zz_generated.deepcopy.go b/pkg/apis/configuration/v1/zz_generated.deepcopy.go
diff --git a/pkg/client/clientset/versioned/doc.go b/pkg/client/clientset/versioned/doc.go
diff --git a/pkg/client/informers/externalversions/factory.go b/pkg/client/informers/externalversions/factory.go