combined_controller.go

Documentation: github.com/cert-manager/issuer-lib/controllers

     1  /*
     2  Copyright 2023 The cert-manager Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package controllers
    18  
    19  import (
    20  	"context"
    21  	"fmt"
    22  	"time"
    23  
    24  	"k8s.io/apimachinery/pkg/runtime/schema"
    25  	"k8s.io/client-go/tools/record"
    26  	"k8s.io/utils/clock"
    27  	ctrl "sigs.k8s.io/controller-runtime"
    28  	"sigs.k8s.io/controller-runtime/pkg/builder"
    29  	"sigs.k8s.io/controller-runtime/pkg/controller"
    30  
    31  	v1alpha1 "github.com/cert-manager/issuer-lib/api/v1alpha1"
    32  	"github.com/cert-manager/issuer-lib/controllers/signer"
    33  	"github.com/cert-manager/issuer-lib/internal/kubeutil"
    34  )
    35  
    36  type CombinedController struct {
    37  	IssuerTypes        []v1alpha1.Issuer
    38  	ClusterIssuerTypes []v1alpha1.Issuer
    39  
    40  	FieldOwner string
    41  
    42  	MaxRetryDuration time.Duration
    43  
    44  	// Check connects to a CA and checks if it is available
    45  	signer.Check
    46  	// Sign connects to a CA and returns a signed certificate for the supplied CertificateRequest.
    47  	signer.Sign
    48  
    49  	// IgnoreCertificateRequest is an optional function that can prevent the CertificateRequest
    50  	// and Kubernetes CSR controllers from reconciling a CertificateRequest resource.
    51  	signer.IgnoreCertificateRequest
    52  	// IgnoreIssuer is an optional function that can prevent the issuer controllers from
    53  	// reconciling an issuer resource.
    54  	signer.IgnoreIssuer
    55  
    56  	// EventRecorder is used for creating Kubernetes events on resources.
    57  	EventRecorder record.EventRecorder
    58  
    59  	// Clock is used to mock condition transition times in tests.
    60  	Clock clock.PassiveClock
    61  
    62  	// SetCAOnCertificateRequest is used to enable setting the CA status field on
    63  	// the CertificateRequest resource. This is disabled by default.
    64  	// Deprecated: this option is for backwards compatibility only. The use of
    65  	// ca.crt is discouraged. Instead, the CA certificate should be provided
    66  	// separately using a tool such as trust-manager.
    67  	SetCAOnCertificateRequest bool
    68  
    69  	// DisableCertificateRequestController is used to disable the CertificateRequest
    70  	// controller. This controller is enabled by default.
    71  	// You should only disable this controller if you eg. don't want to rely on the cert-manager
    72  	// CRDs to be installed.
    73  	// Note: in the future, we might remove this option and always enable the CertificateRequest
    74  	// controller.
    75  	DisableCertificateRequestController bool
    76  
    77  	// DisableKubernetesCSRController is used to disable the Kubernetes CSR controller.
    78  	// This controller is enabled by default.
    79  	// You should only disable this controller if you really don't want to support signing
    80  	// Kubernetes CSRs.
    81  	// Note: in the future, we might remove this option and always enable the Kubernetes CSR
    82  	// controller.
    83  	DisableKubernetesCSRController bool
    84  
    85  	// PreSetupWithManager is an optional function that can be used to perform
    86  	// additional setup before the controller is built and registered with the
    87  	// manager.
    88  	PreSetupWithManager func(context.Context, schema.GroupVersionKind, ctrl.Manager, *builder.Builder) error
    89  
    90  	// PostSetupWithManager is an optional function that can be used to perform
    91  	// additional setup after the controller is built and registered with the
    92  	// manager.
    93  	PostSetupWithManager func(context.Context, schema.GroupVersionKind, ctrl.Manager, controller.Controller) error
    94  }
    95  
    96  func (r *CombinedController) SetupWithManager(ctx context.Context, mgr ctrl.Manager) error {
    97  	var err error
    98  	cl := mgr.GetClient()
    99  	eventSource := kubeutil.NewEventStore()
   100  
   101  	if r.Clock == nil {
   102  		r.Clock = clock.RealClock{}
   103  	}
   104  
   105  	for _, issuerType := range append(r.IssuerTypes, r.ClusterIssuerTypes...) {
   106  		if err = (&IssuerReconciler{
   107  			ForObject: issuerType,
   108  
   109  			FieldOwner:  r.FieldOwner,
   110  			EventSource: eventSource,
   111  
   112  			Client:        cl,
   113  			Check:         r.Check,
   114  			IgnoreIssuer:  r.IgnoreIssuer,
   115  			EventRecorder: r.EventRecorder,
   116  			Clock:         r.Clock,
   117  
   118  			PreSetupWithManager:  r.PreSetupWithManager,
   119  			PostSetupWithManager: r.PostSetupWithManager,
   120  		}).SetupWithManager(ctx, mgr); err != nil {
   121  			return fmt.Errorf("%T: %w", issuerType, err)
   122  		}
   123  	}
   124  
   125  	if r.DisableCertificateRequestController && r.DisableKubernetesCSRController {
   126  		return fmt.Errorf("both CertificateRequest and Kubernetes CSR controllers are disabled, must enable at least one")
   127  	}
   128  
   129  	if !r.DisableCertificateRequestController {
   130  		if err = (&CertificateRequestReconciler{
   131  			RequestController: RequestController{
   132  				IssuerTypes:        r.IssuerTypes,
   133  				ClusterIssuerTypes: r.ClusterIssuerTypes,
   134  
   135  				FieldOwner:       r.FieldOwner,
   136  				MaxRetryDuration: r.MaxRetryDuration,
   137  				EventSource:      eventSource,
   138  
   139  				Client:                   cl,
   140  				Sign:                     r.Sign,
   141  				IgnoreCertificateRequest: r.IgnoreCertificateRequest,
   142  				EventRecorder:            r.EventRecorder,
   143  				Clock:                    r.Clock,
   144  
   145  				PreSetupWithManager:  r.PreSetupWithManager,
   146  				PostSetupWithManager: r.PostSetupWithManager,
   147  			},
   148  
   149  			SetCAOnCertificateRequest: r.SetCAOnCertificateRequest,
   150  		}).SetupWithManager(ctx, mgr); err != nil {
   151  			return fmt.Errorf("CertificateRequestReconciler: %w", err)
   152  		}
   153  	}
   154  
   155  	if !r.DisableKubernetesCSRController {
   156  		if err = (&CertificateSigningRequestReconciler{
   157  			RequestController: RequestController{
   158  				IssuerTypes:        r.IssuerTypes,
   159  				ClusterIssuerTypes: r.ClusterIssuerTypes,
   160  
   161  				FieldOwner:       r.FieldOwner,
   162  				MaxRetryDuration: r.MaxRetryDuration,
   163  				EventSource:      eventSource,
   164  
   165  				Client:                   cl,
   166  				Sign:                     r.Sign,
   167  				IgnoreCertificateRequest: r.IgnoreCertificateRequest,
   168  				EventRecorder:            r.EventRecorder,
   169  				Clock:                    r.Clock,
   170  
   171  				PreSetupWithManager:  r.PreSetupWithManager,
   172  				PostSetupWithManager: r.PostSetupWithManager,
   173  			},
   174  		}).SetupWithManager(ctx, mgr); err != nil {
   175  			return fmt.Errorf("CertificateRequestReconciler: %w", err)
   176  		}
   177  	}
   178  
   179  	return nil
   180  }
   181
View as plain text