/*
Copyright 2023 The cert-manager Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// Package signer declares the types an issuer implementation hands to the
// issuer-lib controllers: the Sign and Check callbacks, the
// CertificateRequestObject abstraction over the request resource, and the
// optional IgnoreIssuer / IgnoreCertificateRequest filters.
package signer

import (
	"context"
	"crypto/x509"
	"time"

	cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
	"github.com/cert-manager/cert-manager/pkg/util/pki"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime/schema"
	"k8s.io/apimachinery/pkg/types"

	"github.com/cert-manager/issuer-lib/api/v1alpha1"
)

// PEMBundle includes the PEM encoded X.509 certificate chain and CA.
// The first certificate in the ChainPEM chain is the leaf certificate, and the
// last certificate in the chain is the highest level non-self-signed certificate.
// The CAPEM certificate is our best guess at the CA that issued the leaf.
// IMPORTANT: the CAPEM certificate is only used when the SetCAOnCertificateRequest
// option is enabled in the controller. This option is for backwards compatibility
// only. The use of the CA field and the ca.crt field in the resulting Secret is
// discouraged, instead the CA should be provisioned separately (e.g. using trust-manager).
type PEMBundle pki.PEMBundle

// Sign is the signing callback supplied by an issuer implementation. The
// controllers call it with the request cr and the issuer resource issuerObject
// that the request references, and expect the signed chain back as a PEMBundle.
// To update the conditions of the underlying request resource, Sign may return
// the special error SetCertificateRequestConditionError (see
// CertificateRequestObject).
type Sign func(ctx context.Context, cr CertificateRequestObject, issuerObject v1alpha1.Issuer) (PEMBundle, error)

// Check is the readiness callback supplied by an issuer implementation. It
// inspects issuerObject and returns a non-nil error when the issuer cannot be
// used for signing. How the controllers react to that error (for example by
// updating the issuer's status) is defined by the controllers, not in this file.
type Check func(ctx context.Context, issuerObject v1alpha1.Issuer) error

// CertificateRequestObject is an interface that represents either a
// cert-manager CertificateRequest or a Kubernetes CertificateSigningRequest
// resource. This interface hides the spec fields of the underlying resource
// and exposes a Certificate template and the raw CSR bytes instead. This
// allows the signer to be agnostic of the underlying resource type and also
// agnostic of the way the spec fields should be interpreted, such as the
// defaulting logic that is applied to it. It is still possible to access the
// labels and annotations of the underlying resource or any other metadata
// fields that might be useful to the signer. Also, the signer can use the
// GetConditions method to retrieve the conditions of the underlying resource.
// To update the conditions, the special error "SetCertificateRequestConditionError"
// can be returned from the Sign method.
type CertificateRequestObject interface {
	// metav1.Object gives the signer read access to the metadata (name,
	// namespace, labels, annotations, ...) of the underlying resource.
	metav1.Object

	// GetRequest returns the certificate template derived from the request's
	// spec, the requested duration, and the raw CSR bytes.
	// NOTE(review): template and csr are both derived from a requester-supplied
	// resource; treat them as untrusted input. Which validation the controllers
	// perform before Sign is called (CSR signature, agreement between template
	// and CSR) is not visible in this file — confirm against the controller
	// before relying on it inside Sign.
	GetRequest() (template *x509.Certificate, duration time.Duration, csr []byte, err error)

	// GetConditions returns the current conditions of the underlying resource.
	// Conditions cannot be written through this interface; return a
	// SetCertificateRequestConditionError from Sign instead.
	GetConditions() []cmapi.CertificateRequestCondition
}

// IgnoreIssuer is an optional function that can prevent the issuer controllers from
// reconciling an issuer resource. By default, the controllers will reconcile all
// issuer resources that match the owned types.
// This function will be called by the issuer reconcile loops for each type that matches
// the owned types. If the function returns true, the controller will not reconcile the
// issuer resource.
type IgnoreIssuer func(
	ctx context.Context,
	// issuerObject is the issuer resource the controller is about to reconcile.
	issuerObject v1alpha1.Issuer,
	// The bool reports whether the resource should be skipped. How the
	// controller treats a non-nil error is not defined in this file.
) (bool, error)

// IgnoreCertificateRequest is an optional function that can prevent the CertificateRequest
// and Kubernetes CSR controllers from reconciling a CertificateRequest resource. By default,
// the controllers will reconcile all CertificateRequest resources that match the issuerRef type.
// This function will be called by the CertificateRequest reconcile loop and the Kubernetes CSR
// reconcile loop for each type that matches the issuerRef type. If the function returns true,
// the controller will not reconcile the CertificateRequest resource.
// NOTE(review): a true result silently leaves the request unsigned; implementations
// may want to make that decision observable (e.g. by logging it) so that a
// request that never progresses can be explained.
type IgnoreCertificateRequest func(
	ctx context.Context,
	// cr is the request resource under consideration.
	cr CertificateRequestObject,
	// issuerGvk and issuerName identify the issuer referenced by cr's issuerRef.
	issuerGvk schema.GroupVersionKind,
	issuerName types.NamespacedName,
	// The bool reports whether the resource should be skipped. How the
	// controller treats a non-nil error is not defined in this file.
) (bool, error)