Add Venafi custom field support to cert-shim by k0da · Pull Request #6146 · cert-manager/cert-manager

k0da · 2023-06-13T10:04:25Z

Some setups have a requirement to have custom-field annotation set on Certificate object.

This commit adds support for scraping Venafi custom-fields annotation from ingressLike objects and pass them to Certificate object.

Pull Request Motivation

This PR adds support for Venafi custom-field annotation from ingLike resources

Kind

Feature

Release Note

NONE

Some setups have a requirement to have custom-field annotation set on Certificate object. This commit adds support for scraping Venafi custom-fields annotation from ingressLike objects and pass them to Certificate object. Signed-off-by: Dinar Valeev <k0da@opensuse.org>

jetstack-bot · 2023-06-13T10:04:36Z

Hi @k0da. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k0da · 2023-06-16T09:14:04Z

/cc @inteon
HI, @inteon could you please review?

k0da · 2023-06-16T09:15:24Z

/cc @wallrj

inteon · 2023-06-16T09:22:04Z

/hold
I don't think we should be reading issuer-specific annotations for the certificate shim, what do you think @wallrj.
Ideally we have a more general solution for this.

k0da · 2023-06-16T09:32:16Z

@inteon I thought first to get all annotations as is. But then decided to narrow down a change to a specific usecase.

inteon · 2023-06-22T07:50:18Z

@inteon I thought first to get all annotations as is. But then decided to narrow down a change to a specific use case.

I think this is the best way forward, we would still have to filter the annotations (eg. only copy annotations with a specific prefix). It would be great if we could create something that aligns with our existing annotation-copying solutions (haven't had the time to investigate this yet).

wallrj

We discussed this PR in our Wednesday standup and my contributions to the discussion were:

I was initially opposed to adding more annotations to ingress-shim because we will end up having to create an annotation for every field of the Certificate, which is a maintenance burden. 1. Instead users with special Certificate requirements should not use ingress-shim and should pre-provision a Certificate resource with their required settings.
However I can see two arguments in favour of this change:
1. Some platform engineers prefer Ingress and ingress-shim because they don't want application engineers to have to learn about and use the cert-manager custom resources directly.
2. By configuring Ingress certificates using only annotations, the application manifests do not have a dependency on the cert-manager CRDs so applications and cert-manager can be installed in any order. Although @hawksight argued that cert-manager is necessarily part of the cluster platform and will usually be deployed in an earlier phase than the applications.
3. I was conflating this PR with previous PRs which have introduced Ingress annotations for Certificate.Spec fields. This PR is about copying Certificate annotations, so I guess it seems reasonable that all the supported Certificate annotations can also be added to an Ingress and copied to the generated Certificate by ingress-shim.

@k0da Please also create a cert-manager website PR, documenting how this new feature will work and link it to this PR.

k0da · 2023-06-23T12:35:55Z

@wallrj Thanks for the review. Will do website change.

I have an implementation question though, should we take all annotations as is, like we do for Labels given Certificate is created out of IngLike object I feel natural to take them as is.

inteon · 2023-07-14T13:34:09Z

@wallrj Thanks for the review. Will do website change.

I have an implementation question though, should we take all annotations as is, like we do for Labels given Certificate is created out of IngLike object I feel natural to take them as is.

I'm not sure I understand your question.

jetstack-bot · 2023-10-12T13:49:05Z

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

jetstack-bot · 2023-11-11T13:50:21Z

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

jetstack-bot · 2023-12-11T14:21:02Z

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

jetstack-bot · 2023-12-11T14:21:06Z

@jetstack-bot: Closed this PR.

Details

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

inteon · 2023-12-11T14:59:00Z

/remove-lifecycle rotten
/reopen

jetstack-bot · 2023-12-11T14:59:04Z

@inteon: Reopened this PR.

Details

In response to this:

/remove-lifecycle rotten
/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

jetstack-bot · 2023-12-11T14:59:07Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign irbekrm for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

jetstack-bot · 2024-03-10T15:02:32Z

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale

hawksight · 2024-03-11T07:53:18Z

/remove-lifecycle stale

jetstack-bot · 2024-03-14T18:59:05Z

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

jetstack-bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jun 13, 2023

jetstack-bot requested a review from inteon June 16, 2023 09:14

jetstack-bot requested a review from wallrj June 16, 2023 09:15

jetstack-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 16, 2023

wallrj requested changes Jun 23, 2023

View reviewed changes

jetstack-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 12, 2023

jetstack-bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Nov 11, 2023

jetstack-bot closed this Dec 11, 2023

jetstack-bot reopened this Dec 11, 2023

jetstack-bot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Dec 11, 2023

jetstack-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 10, 2024

jetstack-bot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Mar 11, 2024

k0da closed this Jun 9, 2024

k0da mentioned this pull request Jun 9, 2024

ingress-shim: optionally copy specific annotation #7083

Merged

Conversation

k0da commented Jun 13, 2023

Pull Request Motivation

Kind

Release Note

Uh oh!

jetstack-bot commented Jun 13, 2023

Uh oh!

k0da commented Jun 16, 2023

Uh oh!

k0da commented Jun 16, 2023

Uh oh!

inteon commented Jun 16, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

k0da commented Jun 16, 2023

Uh oh!

inteon commented Jun 22, 2023

Uh oh!

wallrj left a comment

Choose a reason for hiding this comment

Uh oh!

k0da commented Jun 23, 2023

Uh oh!

inteon commented Jul 14, 2023

Uh oh!

jetstack-bot commented Oct 12, 2023

Uh oh!

jetstack-bot commented Nov 11, 2023

Uh oh!

jetstack-bot commented Dec 11, 2023

Uh oh!

jetstack-bot commented Dec 11, 2023

Uh oh!

inteon commented Dec 11, 2023

Uh oh!

jetstack-bot commented Dec 11, 2023

Uh oh!

jetstack-bot commented Dec 11, 2023

Uh oh!

jetstack-bot commented Mar 10, 2024

Uh oh!

hawksight commented Mar 11, 2024

Uh oh!

jetstack-bot commented Mar 14, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

inteon commented Jun 16, 2023 •

edited

Loading