venafi: Process custom fields annotations on Issuer

[k0da]

When processing custom fields on CSR take into consideration annotation on Issuer and use them as base, whith
override/append on CSR level.

Pull Request Motivation

We have 200+ clusters with more that 4000 applications. With Venafi custom field enforcement, it would be nice to have and ability to define "global" custom fields on Issuer level with override/append on CSR level.

Kind

/kind feature

Release Note

For Venafi provider, read `venafi.cert-manager.io/custom-fields` annotation on Issuer/ClusterIssuer and use it as base with override/append capabilities on Certificate level.

CyberArk tracker: VC-47691

[cert-manager-prow]

Hi @k0da. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[wallrj-cyberark]

/ok-to-test

[Copilot]

Pull request overview

This PR adds support for reading the venafi.cert-manager.io/custom-fields annotation from Issuer/ClusterIssuer resources, enabling "global" custom fields that can be overridden or extended at the CertificateRequest level. This addresses a use case for large-scale deployments (200+ clusters, 4000+ applications) where Venafi custom field enforcement requires common fields across many certificates.

Key Changes

• Extracts custom field parsing logic into reusable functions (parseCustomFieldAnnotation and mergeCustomFields)
• Reads custom fields from both Issuer and CertificateRequest annotations, with CR-level fields overriding Issuer-level fields
• Updates error messages to include the resource name for better debugging

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 8 comments.

File	Description
pkg/controller/certificaterequests/venafi/venafi.go	Adds logic to read and merge custom fields from Issuer annotations with CertificateRequest annotations; updates error messages to include resource names
pkg/controller/certificaterequests/venafi/custom_fields.go	New file containing helper functions for parsing and merging custom field annotations
pkg/controller/certificaterequests/venafi/custom_fields_test.go	New unit tests for custom field parsing and merging logic
pkg/controller/certificaterequests/venafi/venafi_test.go	Updates expected error messages to include CertificateRequest name in test assertions

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The test assumes a specific order of merged fields by accessing merged[0], but mergeCustomFields returns fields in non-deterministic order due to Go's map iteration. This test could fail intermittently. Consider using a more robust assertion:

var found bool
for _, field := range merged {
	if field.Name == "Authoriser Name" {
		assert.Equal(t, "Mary Jane", field.Value)
		found = true
		break
	}
}
assert.True(t, found, "Authoriser Name field not found")

Alternatively, if mergeCustomFields is updated to return sorted results, this test would be more reliable.

[wallrj-cyberark]

/test pull-cert-manager-master-e2e-v1-34-issuers-venafi-cloud
/test pull-cert-manager-master-e2e-v1-34-issuers-venafi-tpp

[wallrj-cyberark]

/test pull-cert-manager-master-e2e-v1-34-issuers-venafi-cloud
/test pull-cert-manager-master-e2e-v1-34-issuers-venafi-tpp

[wallrj-cyberark]

Thanks @k0da

This looks good.
I'm not convinced that we should use annotations as the mechanism.
I think it would be more intuitive if we added a new Issuer field:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: corp-issuer
  namespace: <NAMESPACE YOU WANT TO ISSUE CERTIFICATES IN>
spec:
  venafi:
    zone: \VED\Policy\devops\cert-manager # Set this to the policy folder you want to use
    tpp:
      customFields:
      - name: Environment 
         value: Prod
      - name: Division
         value: BU1
      url: https://tpp.venafi.example/vedsdk 
      credentialsRef:
        name: tpp-secret

The downsides of that approach are:

• Complicates the PR (requires updating the CRD types)
• Supporting annotations on Ingress, Certificate and the Issuer provides consistency. A new CRD field introduces a different mechanism which the cluster admin will have to learn.

Tell me which mechanism you prefer? And why?

[k0da]

@wallrj-cyberark I share the same sentiment about Issuer property. Although as you said Annotation on Ingress/Certificate is kind of stable mechanism and well know to users. Keeping a consistency would play a big benefit here.

While CR property is more cleaner approach. I don't a problem supporting both with property being higher priority in override chain.

I'd go as is for now. And follow CR change proposal in a separate PR.

[wallrj-cyberark]

@k0da Sorry for the delay.

I finally got round to testing this and observed a Certificate in TPP having the combined custom-fields from the Issuer and from the Certiifcate

# test-resources.yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: tpp-credentials
stringData:
  username: "${VENAFI_TPP_USERNAME}"
  password: "${VENAFI_TPP_PASSWORD}"
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: test1
  annotations:
    venafi.cert-manager.io/custom-fields: |-
      [
        {"name": "Environment", "value": "Prod"}
      ]
spec:
  venafi:
    zone: ${VENAFI_TPP_ZONE}
    tpp:
      url: "${VENAFI_TPP_URL}"
      credentialsRef:
        name: tpp-credentials
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test1
  annotations:
    venafi.cert-manager.io/custom-fields: |-
      [
        {"name": "Team", "value": "Team1"}
      ]
spec:
  commonName: richardw-2.example.com
  secretName: test1-tls
  revisionHistoryLimit: 10
  issuerRef:
    name: test1

Next thing we'll need to do is create some documentation for this new feature.

• https://github.com/cert-manager/website/blob/release-next/content/docs/configuration/venafi.md

[wallrj]

/approve
/lgtm

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wallrj, wallrj-cyberark

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [wallrj]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[wallrj-cyberark]

📢 The fix or feature is now available for testing in an alpha release

• https://github.com/cert-manager/cert-manager/releases/tag/v1.20.0-alpha.1

Please test and report back.