Certificates: preventing CertificateRequest creation runaway

[JoshVanL]

Fixes #4846

PR adds a new Condition type to Certificates DuplicateSecretName. This condition is managed by a new DuplicateSecretName controller, and sets this condition on Certificates which have the same spec.secretName as that as another Certificate in the same Namespace. This condition blocks issuance.

/kind feature
/milestone v1.11

Certificates: Adds a new DuplicateSecretName condition on Certificate resources which will be set when the Certificate has a `spec.secretName` value of that of another Certificate in the same Namespace. This condition will block issuance of that Certificate. The condition will be removed once the duplication of secretName has been fixed, and normal issuance can continue. This condition is used to both prevent CertificateRequest runaway, as well as make it clear what the problem is to users.

You can check that this PR works by installing the below manifests, and view it is currently broken on master but fixed with this PR.

$ cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: foo
spec:
  commonName: test
  secretName: hello
  privateKey:
    algorithm: RSA
    rotationPolicy: Always
  issuerRef:
    name: ca
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: bar
spec:
  commonName: test2
  secretName: hello
  issuerRef:
    name: ca
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
EOF
$ kubectl get cr --watch

[JoshVanL]

Implementation is still not quite right.. we shouldn't fail on a duplicate secret name, and instead just block on the issuance. Triggering a new issuance on a non-failed Certificate which no longer has a duplicate secret name should happen right away, so the e2e tests are correctly failing.

[jsoref]

Does this need a negation?

[SgtCoDFish]

This won't make 1.11. I was asked to take a look at this but haven't had a chance. Pushing to 1.12!

[vinzent]

Looking forward to this feature. We already faced the "certificate secret race" multiple times. Issued about 40'000 certificates from our on-premise ACME server.

[maelvls]

Hi @JoshVanL! Just to let you know, we will have a code freeze for 1.12 starting Wed 19 April 2023. The code freeze will be waived after the release of 1.12 on Wed 26 April 2023.

[inteon]

/retest

[jetstack-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from inteon. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[drewwells]

Why does this need a controller? We can check if secret's ownerReference matches the certificates resource ID

[inteon]

@drewwells

Why does this need a controller? We can check if secret's ownerReference matches the certificates resource ID

ownerReferences can be disabled (and probably should be in a production environment): https://cert-manager.io/docs/installation/upgrading/#reinstalling-cert-manager

[inteon]

I updated the PR:

• The DuplicateSecretName condition is renamed ot InConflict.
• Now the Ready condition is set to False when there is an InConflict condition.

The new behavior looks as follows:

$ kubectl -n test get cert | grep True | wc -l
0
$ kubectl -n test get cert -o yaml | grep "secretName: ca-key-pair$" | wc -l
31

$ _bin/cmctl/cmctl-linux-amd64 renew -n test a9
Manually triggered issuance of Certificate test/a9

$ kubectl -n test get cert a9 -o yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  creationTimestamp: "2023-10-04T08:51:11Z"
  generation: 1
  name: a9
  namespace: test
  resourceVersion: "3469"
  uid: f7c8d2ff-d3c6-4489-b183-2d8329a494fc
spec:
  commonName: test
  issuerRef:
    name: ca
  privateKey:
    algorithm: RSA
    rotationPolicy: Always
  secretName: ca-key-pair
status:
  conditions:
  - lastTransitionTime: "2023-10-04T08:51:11Z"
    message: 'Certificate shares the same Secret name as the following Certificates
      in this Namespace: [ a1, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a2,
      a20, a21, a22, a23, a24, a25, a26, a27, a28, a29, a3, a30, a31, a4, a5, a6,
      a7, a8 ]. Issuance will block until this is resolved to prevent CertificateRequest
      creation runaway.'
    observedGeneration: 1
    reason: a1,a10,a11,a12,a13,a14,a15,a16,a17,a18,a19,a2,a20,a21,a22,a23,a24,a25,a26,a27,a28,a29,a3,a30,a31,a4,a5,a6,a7,a8
    status: "True"
    type: InConflict
  - lastTransitionTime: "2023-10-04T08:51:11Z"
    message: Not ready because Certificate has a "InConflict" condition
    observedGeneration: 1
    reason: InConflict
    status: "False"
    type: Ready
  - lastTransitionTime: "2023-10-04T08:51:57Z"
    message: The certificate has been successfully issued
    observedGeneration: 1
    reason: Issued
    status: "False"
    type: Issuing
  notAfter: "2024-01-02T08:51:57Z"
  notBefore: "2023-10-04T08:51:57Z"
  renewalTime: "2023-12-03T08:51:57Z"
  revision: 1

$ kubectl -n test get cert a8 -oyaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  creationTimestamp: "2023-10-04T08:51:10Z"
  generation: 1
  name: a8
  namespace: test
  resourceVersion: "3436"
  uid: 6add6307-d79d-4e8e-a9e8-15cbfb275a4b
spec:
  commonName: test
  issuerRef:
    name: ca
  privateKey:
    algorithm: RSA
    rotationPolicy: Always
  secretName: ca-key-pair
status:
  conditions:
  - lastTransitionTime: "2023-10-04T08:51:10Z"
    message: 'Certificate shares the same Secret name as the following Certificates
      in this Namespace: [ a1, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a2,
      a20, a21, a22, a23, a24, a25, a26, a27, a28, a29, a3, a30, a31, a4, a5, a6,
      a7, a9 ]. Issuance will block until this is resolved to prevent CertificateRequest
      creation runaway.'
    observedGeneration: 1
    reason: a1,a10,a11,a12,a13,a14,a15,a16,a17,a18,a19,a2,a20,a21,a22,a23,a24,a25,a26,a27,a28,a29,a3,a30,a31,a4,a5,a6,a7,a9
    status: "True"
    type: InConflict
  - lastTransitionTime: "2023-10-04T08:51:10Z"
    message: Not ready because Certificate has a "InConflict" condition
    observedGeneration: 1
    reason: InConflict
    status: "False"
    type: Ready
  notAfter: "2024-01-02T08:51:57Z"
  notBefore: "2023-10-04T08:51:57Z"
  renewalTime: "2023-12-03T08:51:57Z"

This is the script I used to generate the certs

#!/bin/bash

kubectl create ns test

cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
    name: ca
    namespace: test
spec:
    selfSigned: {}
EOF

for i in {1..31}; do

cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
    name: a$i
    namespace: test
spec:
    commonName: test$i
    secretName: ca-key-pair
    privateKey:
        algorithm: RSA
        rotationPolicy: Always
    issuerRef:
        name: ca
EOF

done

[maelvls]

Note: In api-conventions.md, the reason field is described as "a one-word CamelCase reason for the condition's last transition"

[inteon]

Thanks, currently, the reason is used to store what certs are in conflict & this value is actually used by the controller.
As discussed in today's standup, we probably can implement a solution that does not require this.

[inteon]

NOTE: the current implementation makes all conflicting certificates not ready.
A future improvement might be to have 1 certificate (the first created) that continues to work correctly, and only fail the others.

everything breaks (current master)
all conflicting certificates break (this PR)
only the additional certificates break (future PR)

[inteon]

fixed in #6406