From 56841f4aa1fc1f707f15f22f96828bfcece77eff Mon Sep 17 00:00:00 2001 From: Martin Weindel Date: Wed, 15 Sep 2021 14:42:56 +0200 Subject: [PATCH] added ready condition for certificates --- charts/cert-management/templates/crds-v1.yaml | 128 +++- .../templates/crds-v1beta1.yaml | 83 ++- examples/10-crds.yaml | 624 +----------------- go.mod | 2 +- go.sum | 4 +- ...gardener.cloud_certificaterevocations.yaml | 124 ++-- .../cert.gardener.cloud_certificates.yaml | 126 +++- .../crds/cert.gardener.cloud_issuers.yaml | 68 +- pkg/apis/cert/crds/zz_generated_crds.go | 318 ++++++--- pkg/apis/cert/v1alpha1/certificate.go | 14 + .../cert/v1alpha1/zz_generated.deepcopy.go | 8 + .../issuer/certificate/reconciler.go | 40 ++ .../hack/generate-crds | 2 +- vendor/modules.txt | 2 +- 14 files changed, 739 insertions(+), 804 deletions(-) diff --git a/charts/cert-management/templates/crds-v1.yaml b/charts/cert-management/templates/crds-v1.yaml index 4651e6066..5d02db639 100644 --- a/charts/cert-management/templates/crds-v1.yaml +++ b/charts/cert-management/templates/crds-v1.yaml @@ -219,7 +219,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.2.9 + controller-gen.kubebuilder.io/version: v0.4.1 labels: helm.sh/chart: {{ include "cert-management.chart" . }} app.kubernetes.io/name: {{ include "cert-management.name" . }} 
@@ -270,10 +270,14 @@ spec: description: Certificate is the certificate CR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -285,26 +289,33 @@ spec: maxLength: 64 type: string csr: - description: CSR is the alternative way to provide CN,DNSNames and other information. + description: CSR is the alternative way to provide CN,DNSNames and + other information. format: byte type: string dnsNames: - description: DNSNames are the optional additional domain names of the certificate. + description: DNSNames are the optional additional domain names of + the certificate. items: type: string type: array ensureRenewedAfter: - description: EnsureRenewedAfter specifies a time stamp in the past. Renewing is only triggered if certificate notBefore date is before this date. + description: EnsureRenewedAfter specifies a time stamp in the past. + Renewing is only triggered if certificate notBefore date is before + this date. format: date-time type: string issuerRef: description: IssuerRef is the reference of the issuer to use. properties: name: - description: Name is the name of the issuer (in the configured issuer namespace on default cluster or namespace on target cluster as given). + description: Name is the name of the issuer (in the configured + issuer namespace on default cluster or namespace on target cluster + as given). type: string namespace: - description: Namespace is the namespace of the issuer, only needed if issuer is defined on target cluster + description: Namespace is the namespace of the issuer, only needed + if issuer is defined on target cluster type: string required: - name 
@@ -313,16 +324,20 @@ spec: description: Renew triggers a renewal if set to true type: boolean secretName: - description: SecretName is the name of the secret object to use for storing the certificate. + description: SecretName is the name of the secret object to use for + storing the certificate. type: string secretRef: - description: SecretRef is the reference of the secret object to use for storing the certificate. + description: SecretRef is the reference of the secret object to use + for storing the certificate. properties: name: - description: Name is unique within a namespace to reference a secret resource. + description: Name is unique within a namespace to reference a + secret resource. type: string namespace: - description: Namespace defines the space within which the secret name must be unique. + description: Namespace defines the space within which the secret + name must be unique. type: string type: object type: object @@ -330,14 +345,17 @@ spec: description: CertificateStatus is the status of the certificate request. properties: backoff: - description: BackOff contains the state to back off failed certificate requests + description: BackOff contains the state to back off failed certificate + requests properties: observedGeneration: - description: ObservedGeneration is the observed generation the BackOffState is assigned to + description: ObservedGeneration is the observed generation the + BackOffState is assigned to format: int64 type: integer recheckAfter: - description: RetryAfter is the timestamp this cert request is not retried before. + description: RetryAfter is the timestamp this cert request is + not retried before. format: date-time type: string recheckInterval: 
@@ -350,6 +368,77 @@ spec: commonName: description: CommonName is the current CN. type: string + conditions: + description: List of status conditions to indicate the status of certificates. + Known condition types are `Ready`. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // +listMapKey=type + \ Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. 
Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array dnsNames: description: DNSNames are the current domain names. items: @@ -362,7 +451,8 @@ spec: description: IssuerRef is the used issuer. properties: cluster: - description: Cluster is the cluster name of the issuer ('default' or 'target'). optional because of backwards compatibility + description: Cluster is the cluster name of the issuer ('default' + or 'target'). optional because of backwards compatibility type: string name: description: Name is the name of the issuer. 
@@ -375,14 +465,16 @@ spec: - namespace type: object lastPendingTimestamp: - description: LastPendingTimestamp contains the start timestamp of the last pending status. + description: LastPendingTimestamp contains the start timestamp of + the last pending status. format: date-time type: string message: description: Message is the status or error message. type: string observedGeneration: - description: ObservedGeneration is the observed generation of the spec. + description: ObservedGeneration is the observed generation of the + spec. format: int64 type: integer state: diff --git a/charts/cert-management/templates/crds-v1beta1.yaml b/charts/cert-management/templates/crds-v1beta1.yaml index f58906786..702e8f9f8 100644 --- a/charts/cert-management/templates/crds-v1beta1.yaml +++ b/charts/cert-management/templates/crds-v1beta1.yaml @@ -222,7 +222,7 @@ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.2.9 + controller-gen.kubebuilder.io/version: v0.4.1 labels: helm.sh/chart: {{ include "cert-management.chart" . }} app.kubernetes.io/name: {{ include "cert-management.name" . }} @@ -315,10 +315,13 @@ spec: description: IssuerRef is the reference of the issuer to use. properties: name: - description: Name is the name of the issuer (in the configured issuer namespace on default cluster or namespace on target cluster as given). + description: Name is the name of the issuer (in the configured issuer + namespace on default cluster or namespace on target cluster as + given). type: string namespace: - description: Namespace is the namespace of the issuer, only needed if issuer is defined on target cluster + description: Namespace is the namespace of the issuer, only needed + if issuer is defined on target cluster type: string required: - name 
@@ -371,6 +374,77 @@ spec: commonName: description: CommonName is the current CN. type: string + conditions: + description: List of status conditions to indicate the status of certificates. + Known condition types are `Ready`. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + type FooStatus struct{ // Represents the observations of a foo's + current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // + +patchStrategy=merge // +listType=map // +listMapKey=type + \ Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details + about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. 
Producers of + specific condition types may define expected values and meanings + for this field, and whether the values are considered a guaranteed + API. The value should be a CamelCase string. This field may + not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array dnsNames: description: DNSNames are the current domain names. items: @@ -383,7 +457,8 @@ spec: description: IssuerRef is the used issuer. properties: cluster: - description: Cluster is the cluster name of the issuer ('default' or 'target'). optional because of backwards compatibility + description: Cluster is the cluster name of the issuer ('default' + or 'target'). optional because of backwards compatibility type: string name: description: Name is the name of the issuer. diff --git a/examples/10-crds.yaml b/examples/10-crds.yaml index 226d3aed6..ca2c89fe9 100644 --- a/examples/10-crds.yaml +++ b/examples/10-crds.yaml 
@@ -1,622 +1,4 @@ -# SPDX-FileCopyrightText: 2019 SAP SE or an SAP affiliate company and Gardener contributors # -# SPDX-License-Identifier: Apache-2.0 - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.9 - name: issuers.cert.gardener.cloud -spec: - group: cert.gardener.cloud - names: - kind: Issuer - listKind: IssuerList - plural: issuers - shortNames: - - issuer - singular: issuer - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: ACME Server - jsonPath: .spec.acme.server - name: SERVER - type: string - - description: ACME Registration email - jsonPath: .spec.acme.email - name: EMAIL - type: string - - description: Status of registration - jsonPath: .status.state - name: STATUS - type: string - - description: Issuer type - jsonPath: .status.type - name: TYPE - type: string - - description: object creation timestamp - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - description: included domains - jsonPath: .spec.acme.domains.include - name: INCLUDED_DOMAINS - priority: 2000 - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: Issuer is the issuer CR. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IssuerSpec is the spec of the issuer. - properties: - acme: - description: ACME is the ACME protocol specific spec. - properties: - autoRegistration: - description: AutoRegistration is the flag if automatic registration - should be applied if needed. - type: boolean - domains: - description: Domains optionally specifies domains allowed or forbidden - for certificate requests - properties: - exclude: - description: Exclude are domain names for which certificate - requests are forbidden (including any subdomains) - items: - type: string - type: array - include: - description: Include are domain names for which certificate - requests are allowed (including any subdomains) - items: - type: string - type: array - type: object - email: - description: Email is the email address to use for user registration. - type: string - externalAccountBinding: - description: ACMEExternalAccountBinding is a reference to a CA - external account of the ACME server. - properties: - keyID: - description: keyID is the ID of the CA key that the External - Account is bound to. - type: string - keySecretRef: - description: keySecretRef is the secret ref to the Secret - which holds the symmetric MAC key of the External Account - Binding with data key 'hmacKey'. The secret key stored in - the Secret **must** be un-padded, base64 URL encoded data. - properties: - name: - description: Name is unique within a namespace to reference - a secret resource. - type: string - namespace: - description: Namespace defines the space within which - the secret name must be unique. - type: string - type: object - required: - - keyID - - keySecretRef - type: object - privateKeySecretRef: - description: PrivateKeySecretRef is the secret ref to the ACME - private key. 
- properties: - name: - description: Name is unique within a namespace to reference - a secret resource. - type: string - namespace: - description: Namespace defines the space within which the - secret name must be unique. - type: string - type: object - server: - description: Server is the URL of the ACME server. - type: string - skipDNSChallengeValidation: - description: SkipDNSChallengeValidation marks that this issuer - does not validate DNS challenges. In this case no DNS entries/records - are created for a DNS Challenge and DNS propagation is not checked. - type: boolean - required: - - email - - server - type: object - ca: - description: CA is the CA specific spec. - properties: - privateKeySecretRef: - description: PrivateKeySecretRef is the secret ref to the CA secret. - properties: - name: - description: Name is unique within a namespace to reference - a secret resource. - type: string - namespace: - description: Namespace defines the space within which the - secret name must be unique. - type: string - type: object - type: object - requestsPerDayQuota: - description: RequestsPerDayQuota is the maximum number of certificate - requests per days allowed for this issuer - type: integer - type: object - status: - description: IssuerStatus is the status of the issuer. - properties: - acme: - description: ACME is the ACME specific status. - type: object - x-kubernetes-preserve-unknown-fields: true - ca: - description: CA is the CA specific status. - type: object - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is the status or error message. - type: string - observedGeneration: - description: ObservedGeneration is the observed generation of the - spec. - format: int64 - type: integer - requestsPerDayQuota: - description: RequestsPerDayQuota is the actual maximum number of certificate - requests per days allowed for this issuer - type: integer - state: - description: State is either empty, 'Pending', 'Error', or 'Ready'. 
- type: string - type: - description: Type is the issuer type. Currently only 'acme' and 'ca' - are supported. - type: string - required: - - state - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.9 - name: certificates.cert.gardener.cloud -spec: - group: cert.gardener.cloud - names: - kind: Certificate - listKind: CertificateList - plural: certificates - shortNames: - - cert - singular: certificate - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Subject domain name of certificate - jsonPath: .status.commonName - name: COMMON NAME - type: string - - description: Issuer name - jsonPath: .status.issuerRef.name - name: ISSUER - type: string - - description: Status of registration - jsonPath: .status.state - name: STATUS - type: string - - description: Expiration date (not valid anymore after this date) - jsonPath: .status.expirationDate - name: EXPIRATION_DATE - priority: 500 - type: string - - description: Domains names in subject alternative names - jsonPath: .status.dnsNames - name: DNS_NAMES - priority: 2000 - type: string - - description: object creation timestamp - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: Certificate is the certificate CR. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: CertificateSpec is the spec of the certificate to request. - properties: - commonName: - description: CommonName is the CN for the certificate (max. 64 chars). - maxLength: 64 - type: string - csr: - description: CSR is the alternative way to provide CN,DNSNames and other information. - format: byte - type: string - dnsNames: - description: DNSNames are the optional additional domain names of the certificate. - items: - type: string - type: array - ensureRenewedAfter: - description: EnsureRenewedAfter specifies a time stamp in the past. Renewing is only triggered if certificate notBefore date is before this date. - format: date-time - type: string - issuerRef: - description: IssuerRef is the reference of the issuer to use. - properties: - name: - description: Name is the name of the issuer (in the configured issuer namespace on default cluster or namespace on target cluster as given). - type: string - namespace: - description: Namespace is the namespace of the issuer, only needed if issuer is defined on target cluster - type: string - required: - - name - type: object - renew: - description: Renew triggers a renewal if set to true - type: boolean - secretName: - description: SecretName is the name of the secret object to use for storing the certificate. - type: string - secretRef: - description: SecretRef is the reference of the secret object to use for storing the certificate. - properties: - name: - description: Name is unique within a namespace to reference a secret resource. - type: string - namespace: - description: Namespace defines the space within which the secret name must be unique. 
- type: string - type: object - type: object - status: - description: CertificateStatus is the status of the certificate request. - properties: - backoff: - description: BackOff contains the state to back off failed certificate requests - properties: - observedGeneration: - description: ObservedGeneration is the observed generation the BackOffState is assigned to - format: int64 - type: integer - recheckAfter: - description: RetryAfter is the timestamp this cert request is not retried before. - format: date-time - type: string - recheckInterval: - description: RetryInterval is interval to wait for retrying. - type: string - required: - - recheckAfter - - recheckInterval - type: object - commonName: - description: CommonName is the current CN. - type: string - dnsNames: - description: DNSNames are the current domain names. - items: - type: string - type: array - expirationDate: - description: ExpirationDate shows the notAfter validity date. - type: string - issuerRef: - description: IssuerRef is the used issuer. - properties: - cluster: - description: Cluster is the cluster name of the issuer ('default' or 'target'). optional because of backwards compatibility - type: string - name: - description: Name is the name of the issuer. - type: string - namespace: - description: Namespace is the namespace of the issuer. - type: string - required: - - name - - namespace - type: object - lastPendingTimestamp: - description: LastPendingTimestamp contains the start timestamp of the last pending status. - format: date-time - type: string - message: - description: Message is the status or error message. - type: string - observedGeneration: - description: ObservedGeneration is the observed generation of the spec. - format: int64 - type: integer - state: - description: State is the certificate state. 
- type: string - required: - - state - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.9 - creationTimestamp: null - name: certificaterevocations.cert.gardener.cloud -spec: - group: cert.gardener.cloud - names: - kind: CertificateRevocation - listKind: CertificateRevocationList - plural: certificaterevocations - shortNames: - - certrevoke - singular: certificaterevocation - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Certificate to be revoked - jsonPath: .spec.certificateRef.name - name: CERTIFICATE - type: string - - description: status of revocation - jsonPath: .status.state - name: STATUS - type: string - - description: timestamp of complete revocation - jsonPath: .status.revocationApplied - name: REVOKED_AT - priority: 500 - type: date - - description: if true certificate objects should be renewed before revoking old certificates certificate(s) - jsonPath: .spec.renew - name: RENEW - type: boolean - - description: qualifying all certificates valid before this timestamp - jsonPath: .spec.qualifyingDate - name: QUALIFIED_AT - type: date - - description: object creation timestamp - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: CertificateRevocation is the certificate revocation custom resource. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: CertificateRevocationSpec is the spec of the certificate revocation. - properties: - certificateRef: - description: CertificateRef is the references to the certificate to be revoked - properties: - name: - description: Name is the name of the certificate in the same namespace. - type: string - namespace: - description: Namespace is the namespace of the certificate CR. - type: string - required: - - name - - namespace - type: object - qualifyingDate: - description: QualifyingDate specifies that any certificate with the same DNS names like the given 'certificateRef' should be revoked if it is valid before this date. If not specified, it will be filled with the current time. - format: date-time - type: string - renew: - description: Renew specifies if certificate objects should be renewed before revoking old certificates - type: boolean - type: object - status: - description: CertificateRevocationStatus is the status of the certificate request. - properties: - message: - description: Message is the status or error message. - type: string - objects: - description: ObjectStatuses contains the statuses of the involved certificate objects - properties: - failed: - description: Failed is the list of certificate objects whose processing failed - items: - description: CertificateRef is the reference of the issuer by name. - properties: - name: - description: Name is the name of the certificate in the same namespace. - type: string - namespace: - description: Namespace is the namespace of the certificate CR. 
- type: string - required: - - name - - namespace - type: object - type: array - processing: - description: Processing is the list of certificate objects to be processed - items: - description: CertificateRef is the reference of the issuer by name. - properties: - name: - description: Name is the name of the certificate in the same namespace. - type: string - namespace: - description: Namespace is the namespace of the certificate CR. - type: string - required: - - name - - namespace - type: object - type: array - renewed: - description: Renewed is the list of certificate objects successfully renewed - items: - description: CertificateRef is the reference of the issuer by name. - properties: - name: - description: Name is the name of the certificate in the same namespace. - type: string - namespace: - description: Namespace is the namespace of the certificate CR. - type: string - required: - - name - - namespace - type: object - type: array - revoked: - description: Revoked is the list of certificate objects successfully revoked (without renewal) - items: - description: CertificateRef is the reference of the issuer by name. - properties: - name: - description: Name is the name of the certificate in the same namespace. - type: string - namespace: - description: Namespace is the namespace of the certificate CR. - type: string - required: - - name - - namespace - type: object - type: array - type: object - observedGeneration: - description: ObservedGeneration is the observed generation of the spec. 
- format: int64 - type: integer - revocationApplied: - description: RevocationApplied is the timestamp when the revocation was completed - format: date-time - type: string - secrets: - description: SecretStatuses contains the statuses of the involved certificate secrets - properties: - failed: - description: Failed is the list of certificate secrets whose revocation failed - items: - description: CertificateSecretRef is a reference to a secret together with the serial number - properties: - name: - description: Name is unique within a namespace to reference a secret resource. - type: string - namespace: - description: Namespace defines the space within which the secret name must be unique. - type: string - serialNumber: - description: SerialNumber is the serial number of the certificate - type: string - required: - - serialNumber - type: object - type: array - processing: - description: Processing is the list of certificate secrets to be processed - items: - description: CertificateSecretRef is a reference to a secret together with the serial number - properties: - name: - description: Name is unique within a namespace to reference a secret resource. - type: string - namespace: - description: Namespace defines the space within which the secret name must be unique. - type: string - serialNumber: - description: SerialNumber is the serial number of the certificate - type: string - required: - - serialNumber - type: object - type: array - revoked: - description: Revoked is the list of certificate secrets successfully revoked - items: - description: CertificateSecretRef is a reference to a secret together with the serial number - properties: - name: - description: Name is unique within a namespace to reference a secret resource. - type: string - namespace: - description: Namespace defines the space within which the secret name must be unique. 
- type: string - serialNumber: - description: SerialNumber is the serial number of the certificate - type: string - required: - - serialNumber - type: object - type: array - type: object - state: - description: State is the certificate state. - type: string - required: - - state - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} +# required CRDs will be deployed automatically by the controllers +# therefore there is no need to deploy those CRDs manually. +# \ No newline at end of file diff --git a/go.mod b/go.mod index 70fda5a0a..a4faaa96d 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.16 require ( github.com/ahmetb/gen-crd-api-reference-docs v0.2.0 github.com/emicklei/go-restful v2.11.1+incompatible // indirect - github.com/gardener/controller-manager-library v0.2.1-0.20210831082646-8ac5ffdda775 + github.com/gardener/controller-manager-library v0.2.1-0.20210915114933-bfc0604c32c5 github.com/gardener/external-dns-management v0.7.21 github.com/go-acme/lego/v4 v4.4.0 github.com/go-openapi/spec v0.19.4 // indirect diff --git a/go.sum b/go.sum index 2751ae366..19b8b423b 100644 --- a/go.sum +++ b/go.sum 
@@ -193,8 +193,8 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/gardener/controller-manager-library v0.2.1-0.20201009144316-bfa57b871e60/go.mod h1:XMp1tPcX3SP/dMd+3id418f5Cqu44vydeTkBRbW8EvQ= -github.com/gardener/controller-manager-library v0.2.1-0.20210831082646-8ac5ffdda775 h1:9fvyRE5d4rc7jSfA1WzEdSIRZOgD3pEglibNB6FkMDQ= -github.com/gardener/controller-manager-library v0.2.1-0.20210831082646-8ac5ffdda775/go.mod h1:E1Abd/nMB9pbwEiEHPADjsPgbJRJG90WlU28yim2DG4= +github.com/gardener/controller-manager-library v0.2.1-0.20210915114933-bfc0604c32c5 h1:HOZugGSJkzd/rgSfqgPM8Ku4c1JJMD0rPONWGWl0UkU= +github.com/gardener/controller-manager-library v0.2.1-0.20210915114933-bfc0604c32c5/go.mod h1:E1Abd/nMB9pbwEiEHPADjsPgbJRJG90WlU28yim2DG4= github.com/gardener/external-dns-management v0.7.21 h1:fuRFc2fGs1hkR7CJ3D7IiDplTE5pfuZj+otmTP/YKjc= github.com/gardener/external-dns-management v0.7.21/go.mod h1:QJM0IUSQhbK25ftg4ZvFHQuGuT7ScX6Xw4hCxO0j0IM= github.com/getkin/kin-openapi v0.13.0/go.mod h1:WGRs2ZMM1Q8LR1QBEwUxC6RJEfaBcD0s+pcEVXFuAjw= diff --git a/pkg/apis/cert/crds/cert.gardener.cloud_certificaterevocations.yaml b/pkg/apis/cert/crds/cert.gardener.cloud_certificaterevocations.yaml index 712ca7124..52a57161d 100644 --- a/pkg/apis/cert/crds/cert.gardener.cloud_certificaterevocations.yaml +++ b/pkg/apis/cert/crds/cert.gardener.cloud_certificaterevocations.yaml @@ -32,7 +32,8 @@ spec: name: REVOKED_AT priority: 500 type: date - - description: if true certificate objects should be renewed before revoking old certificates certificate(s) + - description: if true certificate objects should be renewed before revoking old + certificates certificate(s) jsonPath: .spec.renew name: RENEW type: boolean 
@@ -50,18 +51,24 @@ spec: description: CertificateRevocation is the certificate revocation custom resource. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: - description: CertificateRevocationSpec is the spec of the certificate revocation. + description: CertificateRevocationSpec is the spec of the certificate + revocation. properties: certificateRef: - description: CertificateRef is the references to the certificate to be revoked + description: CertificateRef is the references to the certificate to + be revoked properties: name: description: Name is the name of the certificate in the same namespace. 
@@ -74,32 +81,42 @@ spec: - namespace type: object qualifyingDate: - description: QualifyingDate specifies that any certificate with the same DNS names like the given 'certificateRef' should be revoked if it is valid before this date. If not specified, it will be filled with the current time. + description: QualifyingDate specifies that any certificate with the + same DNS names like the given 'certificateRef' should be revoked + if it is valid before this date. If not specified, it will be filled + with the current time. format: date-time type: string renew: - description: Renew specifies if certificate objects should be renewed before revoking old certificates + description: Renew specifies if certificate objects should be renewed + before revoking old certificates type: boolean type: object status: - description: CertificateRevocationStatus is the status of the certificate request. + description: CertificateRevocationStatus is the status of the certificate + request. properties: message: description: Message is the status or error message. type: string objects: - description: ObjectStatuses contains the statuses of the involved certificate objects + description: ObjectStatuses contains the statuses of the involved + certificate objects properties: failed: - description: Failed is the list of certificate objects whose processing failed + description: Failed is the list of certificate objects whose processing + failed items: - description: CertificateRef is the reference of the issuer by name. + description: CertificateRef is the reference of the issuer by + name. properties: name: - description: Name is the name of the certificate in the same namespace. + description: Name is the name of the certificate in the + same namespace. type: string namespace: - description: Namespace is the namespace of the certificate CR. + description: Namespace is the namespace of the certificate + CR. type: string required: - name 
@@ -107,15 +124,19 @@ spec: type: object type: array processing: - description: Processing is the list of certificate objects to be processed + description: Processing is the list of certificate objects to + be processed items: - description: CertificateRef is the reference of the issuer by name. + description: CertificateRef is the reference of the issuer by + name. properties: name: - description: Name is the name of the certificate in the same namespace. + description: Name is the name of the certificate in the + same namespace. type: string namespace: - description: Namespace is the namespace of the certificate CR. + description: Namespace is the namespace of the certificate + CR. type: string required: - name @@ -123,15 +144,19 @@ spec: type: object type: array renewed: - description: Renewed is the list of certificate objects successfully renewed + description: Renewed is the list of certificate objects successfully + renewed items: - description: CertificateRef is the reference of the issuer by name. + description: CertificateRef is the reference of the issuer by + name. properties: name: - description: Name is the name of the certificate in the same namespace. + description: Name is the name of the certificate in the + same namespace. type: string namespace: - description: Namespace is the namespace of the certificate CR. + description: Namespace is the namespace of the certificate + CR. type: string required: - name 
@@ -139,15 +164,19 @@ spec: type: object type: array revoked: - description: Revoked is the list of certificate objects successfully revoked (without renewal) + description: Revoked is the list of certificate objects successfully + revoked (without renewal) items: - description: CertificateRef is the reference of the issuer by name. + description: CertificateRef is the reference of the issuer by + name. properties: name: - description: Name is the name of the certificate in the same namespace. + description: Name is the name of the certificate in the + same namespace. type: string namespace: - description: Namespace is the namespace of the certificate CR. + description: Namespace is the namespace of the certificate + CR. type: string required: - name 
@@ -156,26 +185,33 @@ spec: type: array type: object observedGeneration: - description: ObservedGeneration is the observed generation of the spec. + description: ObservedGeneration is the observed generation of the + spec. format: int64 type: integer revocationApplied: - description: RevocationApplied is the timestamp when the revocation was completed + description: RevocationApplied is the timestamp when the revocation + was completed format: date-time type: string secrets: - description: SecretStatuses contains the statuses of the involved certificate secrets + description: SecretStatuses contains the statuses of the involved + certificate secrets properties: failed: - description: Failed is the list of certificate secrets whose revocation failed + description: Failed is the list of certificate secrets whose revocation + failed items: - description: CertificateSecretRef is a reference to a secret together with the serial number + description: CertificateSecretRef is a reference to a secret + together with the serial number properties: name: - description: Name is unique within a namespace to reference a secret resource. + description: Name is unique within a namespace to reference + a secret resource. type: string namespace: - description: Namespace defines the space within which the secret name must be unique. + description: Namespace defines the space within which the + secret name must be unique. type: string serialNumber: description: SerialNumber is the serial number of the certificate 
@@ -185,15 +221,19 @@ spec: type: object type: array processing: - description: Processing is the list of certificate secrets to be processed + description: Processing is the list of certificate secrets to + be processed items: - description: CertificateSecretRef is a reference to a secret together with the serial number + description: CertificateSecretRef is a reference to a secret + together with the serial number properties: name: - description: Name is unique within a namespace to reference a secret resource. + description: Name is unique within a namespace to reference + a secret resource. type: string namespace: - description: Namespace defines the space within which the secret name must be unique. + description: Namespace defines the space within which the + secret name must be unique. type: string serialNumber: description: SerialNumber is the serial number of the certificate @@ -203,15 +243,19 @@ spec: type: object type: array revoked: - description: Revoked is the list of certificate secrets successfully revoked + description: Revoked is the list of certificate secrets successfully + revoked items: - description: CertificateSecretRef is a reference to a secret together with the serial number + description: CertificateSecretRef is a reference to a secret + together with the serial number properties: name: - description: Name is unique within a namespace to reference a secret resource. + description: Name is unique within a namespace to reference + a secret resource. type: string namespace: - description: Namespace defines the space within which the secret name must be unique. + description: Namespace defines the space within which the + secret name must be unique. type: string serialNumber: description: SerialNumber is the serial number of the certificate diff --git a/pkg/apis/cert/crds/cert.gardener.cloud_certificates.yaml b/pkg/apis/cert/crds/cert.gardener.cloud_certificates.yaml index 5b9ba4b2e..94038f342 100644 
--- a/pkg/apis/cert/crds/cert.gardener.cloud_certificates.yaml +++ b/pkg/apis/cert/crds/cert.gardener.cloud_certificates.yaml @@ -51,10 +51,14 @@ spec: description: Certificate is the certificate CR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -66,26 +70,33 @@ spec: maxLength: 64 type: string csr: - description: CSR is the alternative way to provide CN,DNSNames and other information. + description: CSR is the alternative way to provide CN,DNSNames and + other information. format: byte type: string dnsNames: - description: DNSNames are the optional additional domain names of the certificate. + description: DNSNames are the optional additional domain names of + the certificate. items: type: string type: array ensureRenewedAfter: - description: EnsureRenewedAfter specifies a time stamp in the past. Renewing is only triggered if certificate notBefore date is before this date. + description: EnsureRenewedAfter specifies a time stamp in the past. + Renewing is only triggered if certificate notBefore date is before + this date. format: date-time type: string issuerRef: description: IssuerRef is the reference of the issuer to use. properties: name: - description: Name is the name of the issuer (in the configured issuer namespace on default cluster or namespace on target cluster as given). + description: Name is the name of the issuer (in the configured + issuer namespace on default cluster or namespace on target cluster + as given). type: string namespace: - description: Namespace is the namespace of the issuer, only needed if issuer is defined on target cluster + description: Namespace is the namespace of the issuer, only needed + if issuer is defined on target cluster type: string required: - name 
@@ -94,16 +105,20 @@ spec: description: Renew triggers a renewal if set to true type: boolean secretName: - description: SecretName is the name of the secret object to use for storing the certificate. + description: SecretName is the name of the secret object to use for + storing the certificate. type: string secretRef: - description: SecretRef is the reference of the secret object to use for storing the certificate. + description: SecretRef is the reference of the secret object to use + for storing the certificate. properties: name: - description: Name is unique within a namespace to reference a secret resource. + description: Name is unique within a namespace to reference a + secret resource. type: string namespace: - description: Namespace defines the space within which the secret name must be unique. + description: Namespace defines the space within which the secret + name must be unique. type: string type: object type: object @@ -111,14 +126,17 @@ spec: description: CertificateStatus is the status of the certificate request. properties: backoff: - description: BackOff contains the state to back off failed certificate requests + description: BackOff contains the state to back off failed certificate + requests properties: observedGeneration: - description: ObservedGeneration is the observed generation the BackOffState is assigned to + description: ObservedGeneration is the observed generation the + BackOffState is assigned to format: int64 type: integer recheckAfter: - description: RetryAfter is the timestamp this cert request is not retried before. + description: RetryAfter is the timestamp this cert request is + not retried before. format: date-time type: string recheckInterval: 
@@ -131,6 +149,77 @@ spec: commonName: description: CommonName is the current CN. type: string + conditions: + description: List of status conditions to indicate the status of certificates. + Known condition types are `Ready`. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // +listMapKey=type + \ Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. 
Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array dnsNames: description: DNSNames are the current domain names. items: @@ -143,7 +232,8 @@ spec: description: IssuerRef is the used issuer. properties: cluster: - description: Cluster is the cluster name of the issuer ('default' or 'target'). optional because of backwards compatibility + description: Cluster is the cluster name of the issuer ('default' + or 'target'). optional because of backwards compatibility type: string name: description: Name is the name of the issuer. 
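Review bot: The new `conditions` array ends at `type: array` with no `x-kubernetes-list-type: map` / `x-kubernetes-list-map-keys: - type`, so server-side apply and strategic merge treat the whole list atomically and a second manager writing `.status.conditions` replaces every other entry. The embedded description already spells out the intended markers (`+patchMergeKey=type`, `+patchStrategy=merge`, `+listType=map`, `+listMapKey=type`), which suggests they are missing on the Go status field this schema is generated from (outside this chunk); the fix belongs on that field followed by regenerating the CRDs, not a hand edit of this file. The same gap presumably repeats in the generated Go copy and the chart copies of this schema. It would also help consumers if the field comment documented which `reason` values the `Ready` condition uses, since the schema only constrains the format.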
@@ -156,14 +246,16 @@ spec: - namespace type: object lastPendingTimestamp: - description: LastPendingTimestamp contains the start timestamp of the last pending status. + description: LastPendingTimestamp contains the start timestamp of + the last pending status. format: date-time type: string message: description: Message is the status or error message. type: string observedGeneration: - description: ObservedGeneration is the observed generation of the spec. + description: ObservedGeneration is the observed generation of the + spec. format: int64 type: integer state: diff --git a/pkg/apis/cert/crds/cert.gardener.cloud_issuers.yaml b/pkg/apis/cert/crds/cert.gardener.cloud_issuers.yaml index 0e9f5f8cc..baee88dd2 100644 --- a/pkg/apis/cert/crds/cert.gardener.cloud_issuers.yaml +++ b/pkg/apis/cert/crds/cert.gardener.cloud_issuers.yaml 
@@ -50,10 +50,14 @@ spec: description: Issuer is the issuer CR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -64,18 +68,22 @@ spec: description: ACME is the ACME protocol specific spec. properties: autoRegistration: - description: AutoRegistration is the flag if automatic registration should be applied if needed. + description: AutoRegistration is the flag if automatic registration + should be applied if needed. type: boolean domains: - description: Domains optionally specifies domains allowed or forbidden for certificate requests + description: Domains optionally specifies domains allowed or forbidden + for certificate requests properties: exclude: - description: Exclude are domain names for which certificate requests are forbidden (including any subdomains) + description: Exclude are domain names for which certificate + requests are forbidden (including any subdomains) items: type: string type: array include: - description: Include are domain names for which certificate requests are allowed (including any subdomains) + description: Include are domain names for which certificate + requests are allowed (including any subdomains) items: type: string type: array 
@@ -84,19 +92,26 @@ spec: description: Email is the email address to use for user registration. type: string externalAccountBinding: - description: ACMEExternalAccountBinding is a reference to a CA external account of the ACME server. + description: ACMEExternalAccountBinding is a reference to a CA + external account of the ACME server. properties: keyID: - description: keyID is the ID of the CA key that the External Account is bound to. + description: keyID is the ID of the CA key that the External + Account is bound to. type: string keySecretRef: - description: keySecretRef is the secret ref to the Secret which holds the symmetric MAC key of the External Account Binding with data key 'hmacKey'. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. + description: keySecretRef is the secret ref to the Secret + which holds the symmetric MAC key of the External Account + Binding with data key 'hmacKey'. The secret key stored in + the Secret **must** be un-padded, base64 URL encoded data. properties: name: - description: Name is unique within a namespace to reference a secret resource. + description: Name is unique within a namespace to reference + a secret resource. type: string namespace: - description: Namespace defines the space within which the secret name must be unique. + description: Namespace defines the space within which + the secret name must be unique. type: string type: object required: 
@@ -104,20 +119,25 @@ spec: - keySecretRef type: object privateKeySecretRef: - description: PrivateKeySecretRef is the secret ref to the ACME private key. + description: PrivateKeySecretRef is the secret ref to the ACME + private key. properties: name: - description: Name is unique within a namespace to reference a secret resource. + description: Name is unique within a namespace to reference + a secret resource. type: string namespace: - description: Namespace defines the space within which the secret name must be unique. + description: Namespace defines the space within which the + secret name must be unique. type: string type: object server: description: Server is the URL of the ACME server. type: string skipDNSChallengeValidation: - description: SkipDNSChallengeValidation marks that this issuer does not validate DNS challenges. In this case no DNS entries/records are created for a DNS Challenge and DNS propagation is not checked. + description: SkipDNSChallengeValidation marks that this issuer + does not validate DNS challenges. In this case no DNS entries/records + are created for a DNS Challenge and DNS propagation is not checked. type: boolean required: - email @@ -130,15 +150,18 @@ spec: description: PrivateKeySecretRef is the secret ref to the CA secret. properties: name: - description: Name is unique within a namespace to reference a secret resource. + description: Name is unique within a namespace to reference + a secret resource. type: string namespace: - description: Namespace defines the space within which the secret name must be unique. + description: Namespace defines the space within which the + secret name must be unique. type: string type: object type: object requestsPerDayQuota: - description: RequestsPerDayQuota is the maximum number of certificate requests per days allowed for this issuer + description: RequestsPerDayQuota is the maximum number of certificate + requests per days allowed for this issuer type: integer type: object status: 
@@ -156,17 +179,20 @@ spec: description: Message is the status or error message. type: string observedGeneration: - description: ObservedGeneration is the observed generation of the spec. + description: ObservedGeneration is the observed generation of the + spec. format: int64 type: integer requestsPerDayQuota: - description: RequestsPerDayQuota is the actual maximum number of certificate requests per days allowed for this issuer + description: RequestsPerDayQuota is the actual maximum number of certificate + requests per days allowed for this issuer type: integer state: description: State is either empty, 'Pending', 'Error', or 'Ready'. type: string type: - description: Type is the issuer type. Currently only 'acme' and 'ca' are supported. + description: Type is the issuer type. Currently only 'acme' and 'ca' + are supported. type: string required: - state diff --git a/pkg/apis/cert/crds/zz_generated_crds.go b/pkg/apis/cert/crds/zz_generated_crds.go index ef0b98d89..49093c0d0 100644 --- a/pkg/apis/cert/crds/zz_generated_crds.go +++ b/pkg/apis/cert/crds/zz_generated_crds.go @@ -50,7 +50,8 @@ spec: name: REVOKED_AT priority: 500 type: date - - description: if true certificate objects should be renewed before revoking old certificates certificate(s) + - description: if true certificate objects should be renewed before revoking old + certificates certificate(s) jsonPath: .spec.renew name: RENEW type: boolean 
@@ -68,18 +69,24 @@ spec: description: CertificateRevocation is the certificate revocation custom resource. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: - description: CertificateRevocationSpec is the spec of the certificate revocation. + description: CertificateRevocationSpec is the spec of the certificate + revocation. properties: certificateRef: - description: CertificateRef is the references to the certificate to be revoked + description: CertificateRef is the references to the certificate to + be revoked properties: name: description: Name is the name of the certificate in the same namespace. 
@@ -92,32 +99,42 @@ spec: - namespace type: object qualifyingDate: - description: QualifyingDate specifies that any certificate with the same DNS names like the given 'certificateRef' should be revoked if it is valid before this date. If not specified, it will be filled with the current time. + description: QualifyingDate specifies that any certificate with the + same DNS names like the given 'certificateRef' should be revoked + if it is valid before this date. If not specified, it will be filled + with the current time. format: date-time type: string renew: - description: Renew specifies if certificate objects should be renewed before revoking old certificates + description: Renew specifies if certificate objects should be renewed + before revoking old certificates type: boolean type: object status: - description: CertificateRevocationStatus is the status of the certificate request. + description: CertificateRevocationStatus is the status of the certificate + request. properties: message: description: Message is the status or error message. type: string objects: - description: ObjectStatuses contains the statuses of the involved certificate objects + description: ObjectStatuses contains the statuses of the involved + certificate objects properties: failed: - description: Failed is the list of certificate objects whose processing failed + description: Failed is the list of certificate objects whose processing + failed items: - description: CertificateRef is the reference of the issuer by name. + description: CertificateRef is the reference of the issuer by + name. properties: name: - description: Name is the name of the certificate in the same namespace. + description: Name is the name of the certificate in the + same namespace. type: string namespace: - description: Namespace is the namespace of the certificate CR. + description: Namespace is the namespace of the certificate + CR. type: string required: - name 
@@ -125,15 +142,19 @@ spec: type: object type: array processing: - description: Processing is the list of certificate objects to be processed + description: Processing is the list of certificate objects to + be processed items: - description: CertificateRef is the reference of the issuer by name. + description: CertificateRef is the reference of the issuer by + name. properties: name: - description: Name is the name of the certificate in the same namespace. + description: Name is the name of the certificate in the + same namespace. type: string namespace: - description: Namespace is the namespace of the certificate CR. + description: Namespace is the namespace of the certificate + CR. type: string required: - name @@ -141,15 +162,19 @@ spec: type: object type: array renewed: - description: Renewed is the list of certificate objects successfully renewed + description: Renewed is the list of certificate objects successfully + renewed items: - description: CertificateRef is the reference of the issuer by name. + description: CertificateRef is the reference of the issuer by + name. properties: name: - description: Name is the name of the certificate in the same namespace. + description: Name is the name of the certificate in the + same namespace. type: string namespace: - description: Namespace is the namespace of the certificate CR. + description: Namespace is the namespace of the certificate + CR. type: string required: - name 
@@ -157,15 +182,19 @@ spec: type: object type: array revoked: - description: Revoked is the list of certificate objects successfully revoked (without renewal) + description: Revoked is the list of certificate objects successfully + revoked (without renewal) items: - description: CertificateRef is the reference of the issuer by name. + description: CertificateRef is the reference of the issuer by + name. properties: name: - description: Name is the name of the certificate in the same namespace. + description: Name is the name of the certificate in the + same namespace. type: string namespace: - description: Namespace is the namespace of the certificate CR. + description: Namespace is the namespace of the certificate + CR. type: string required: - name 
@@ -174,26 +203,33 @@ spec: type: array type: object observedGeneration: - description: ObservedGeneration is the observed generation of the spec. + description: ObservedGeneration is the observed generation of the + spec. format: int64 type: integer revocationApplied: - description: RevocationApplied is the timestamp when the revocation was completed + description: RevocationApplied is the timestamp when the revocation + was completed format: date-time type: string secrets: - description: SecretStatuses contains the statuses of the involved certificate secrets + description: SecretStatuses contains the statuses of the involved + certificate secrets properties: failed: - description: Failed is the list of certificate secrets whose revocation failed + description: Failed is the list of certificate secrets whose revocation + failed items: - description: CertificateSecretRef is a reference to a secret together with the serial number + description: CertificateSecretRef is a reference to a secret + together with the serial number properties: name: - description: Name is unique within a namespace to reference a secret resource. + description: Name is unique within a namespace to reference + a secret resource. type: string namespace: - description: Namespace defines the space within which the secret name must be unique. + description: Namespace defines the space within which the + secret name must be unique. type: string serialNumber: description: SerialNumber is the serial number of the certificate 
@@ -203,15 +239,19 @@ spec: type: object type: array processing: - description: Processing is the list of certificate secrets to be processed + description: Processing is the list of certificate secrets to + be processed items: - description: CertificateSecretRef is a reference to a secret together with the serial number + description: CertificateSecretRef is a reference to a secret + together with the serial number properties: name: - description: Name is unique within a namespace to reference a secret resource. + description: Name is unique within a namespace to reference + a secret resource. type: string namespace: - description: Namespace defines the space within which the secret name must be unique. + description: Namespace defines the space within which the + secret name must be unique. type: string serialNumber: description: SerialNumber is the serial number of the certificate @@ -221,15 +261,19 @@ spec: type: object type: array revoked: - description: Revoked is the list of certificate secrets successfully revoked + description: Revoked is the list of certificate secrets successfully + revoked items: - description: CertificateSecretRef is a reference to a secret together with the serial number + description: CertificateSecretRef is a reference to a secret + together with the serial number properties: name: - description: Name is unique within a namespace to reference a secret resource. + description: Name is unique within a namespace to reference + a secret resource. type: string namespace: - description: Namespace defines the space within which the secret name must be unique. + description: Namespace defines the space within which the + secret name must be unique. type: string serialNumber: description: SerialNumber is the serial number of the certificate 
@@ -314,10 +358,14 @@ spec: description: Certificate is the certificate CR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -329,26 +377,33 @@ spec: maxLength: 64 type: string csr: - description: CSR is the alternative way to provide CN,DNSNames and other information. + description: CSR is the alternative way to provide CN,DNSNames and + other information. format: byte type: string dnsNames: - description: DNSNames are the optional additional domain names of the certificate. + description: DNSNames are the optional additional domain names of + the certificate. items: type: string type: array ensureRenewedAfter: - description: EnsureRenewedAfter specifies a time stamp in the past. Renewing is only triggered if certificate notBefore date is before this date. + description: EnsureRenewedAfter specifies a time stamp in the past. + Renewing is only triggered if certificate notBefore date is before + this date. format: date-time type: string issuerRef: description: IssuerRef is the reference of the issuer to use. properties: name: - description: Name is the name of the issuer (in the configured issuer namespace on default cluster or namespace on target cluster as given). + description: Name is the name of the issuer (in the configured + issuer namespace on default cluster or namespace on target cluster + as given). type: string namespace: - description: Namespace is the namespace of the issuer, only needed if issuer is defined on target cluster + description: Namespace is the namespace of the issuer, only needed + if issuer is defined on target cluster type: string required: - name 
@@ -357,16 +412,20 @@ spec: description: Renew triggers a renewal if set to true type: boolean secretName: - description: SecretName is the name of the secret object to use for storing the certificate. + description: SecretName is the name of the secret object to use for + storing the certificate. type: string secretRef: - description: SecretRef is the reference of the secret object to use for storing the certificate. + description: SecretRef is the reference of the secret object to use + for storing the certificate. properties: name: - description: Name is unique within a namespace to reference a secret resource. + description: Name is unique within a namespace to reference a + secret resource. type: string namespace: - description: Namespace defines the space within which the secret name must be unique. + description: Namespace defines the space within which the secret + name must be unique. type: string type: object type: object @@ -374,14 +433,17 @@ spec: description: CertificateStatus is the status of the certificate request. properties: backoff: - description: BackOff contains the state to back off failed certificate requests + description: BackOff contains the state to back off failed certificate + requests properties: observedGeneration: - description: ObservedGeneration is the observed generation the BackOffState is assigned to + description: ObservedGeneration is the observed generation the + BackOffState is assigned to format: int64 type: integer recheckAfter: - description: RetryAfter is the timestamp this cert request is not retried before. + description: RetryAfter is the timestamp this cert request is + not retried before. format: date-time type: string recheckInterval: 
@@ -394,6 +456,77 @@ spec: commonName: description: CommonName is the current CN. type: string + conditions: + description: List of status conditions to indicate the status of certificates. + Known condition types are `+"`"+`Ready`+"`"+`. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // +listMapKey=type + \ Conditions []metav1.Condition `+"`"+`json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`+"`"+` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. 
Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array dnsNames: description: DNSNames are the current domain names. items: @@ -406,7 +539,8 @@ spec: description: IssuerRef is the used issuer. properties: cluster: - description: Cluster is the cluster name of the issuer ('default' or 'target'). optional because of backwards compatibility + description: Cluster is the cluster name of the issuer ('default' + or 'target'). optional because of backwards compatibility type: string name: description: Name is the name of the issuer. 
@@ -419,14 +553,16 @@ spec: - namespace type: object lastPendingTimestamp: - description: LastPendingTimestamp contains the start timestamp of the last pending status. + description: LastPendingTimestamp contains the start timestamp of + the last pending status. format: date-time type: string message: description: Message is the status or error message. type: string observedGeneration: - description: ObservedGeneration is the observed generation of the spec. + description: ObservedGeneration is the observed generation of the + spec. format: int64 type: integer state: @@ -503,10 +639,14 @@ spec: description: Issuer is the issuer CR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -517,18 +657,22 @@ spec: description: ACME is the ACME protocol specific spec. properties: autoRegistration: - description: AutoRegistration is the flag if automatic registration should be applied if needed. + description: AutoRegistration is the flag if automatic registration + should be applied if needed. type: boolean domains: - description: Domains optionally specifies domains allowed or forbidden for certificate requests + description: Domains optionally specifies domains allowed or forbidden + for certificate requests properties: exclude: - description: Exclude are domain names for which certificate requests are forbidden (including any subdomains) + description: Exclude are domain names for which certificate + requests are forbidden (including any subdomains) items: type: string type: array include: - description: Include are domain names for which certificate requests are allowed (including any subdomains) + description: Include are domain names for which certificate + requests are allowed (including any subdomains) items: type: string type: array 
@@ -537,19 +681,26 @@ spec: description: Email is the email address to use for user registration. type: string externalAccountBinding: - description: ACMEExternalAccountBinding is a reference to a CA external account of the ACME server. + description: ACMEExternalAccountBinding is a reference to a CA + external account of the ACME server. properties: keyID: - description: keyID is the ID of the CA key that the External Account is bound to. + description: keyID is the ID of the CA key that the External + Account is bound to. type: string keySecretRef: - description: keySecretRef is the secret ref to the Secret which holds the symmetric MAC key of the External Account Binding with data key 'hmacKey'. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. + description: keySecretRef is the secret ref to the Secret + which holds the symmetric MAC key of the External Account + Binding with data key 'hmacKey'. The secret key stored in + the Secret **must** be un-padded, base64 URL encoded data. properties: name: - description: Name is unique within a namespace to reference a secret resource. + description: Name is unique within a namespace to reference + a secret resource. type: string namespace: - description: Namespace defines the space within which the secret name must be unique. + description: Namespace defines the space within which + the secret name must be unique. type: string type: object required: 
@@ -557,20 +708,25 @@ spec: - keySecretRef type: object privateKeySecretRef: - description: PrivateKeySecretRef is the secret ref to the ACME private key. + description: PrivateKeySecretRef is the secret ref to the ACME + private key. properties: name: - description: Name is unique within a namespace to reference a secret resource. + description: Name is unique within a namespace to reference + a secret resource. type: string namespace: - description: Namespace defines the space within which the secret name must be unique. + description: Namespace defines the space within which the + secret name must be unique. type: string type: object server: description: Server is the URL of the ACME server. type: string skipDNSChallengeValidation: - description: SkipDNSChallengeValidation marks that this issuer does not validate DNS challenges. In this case no DNS entries/records are created for a DNS Challenge and DNS propagation is not checked. + description: SkipDNSChallengeValidation marks that this issuer + does not validate DNS challenges. In this case no DNS entries/records + are created for a DNS Challenge and DNS propagation is not checked. type: boolean required: - email @@ -583,15 +739,18 @@ spec: description: PrivateKeySecretRef is the secret ref to the CA secret. properties: name: - description: Name is unique within a namespace to reference a secret resource. + description: Name is unique within a namespace to reference + a secret resource. type: string namespace: - description: Namespace defines the space within which the secret name must be unique. + description: Namespace defines the space within which the + secret name must be unique. type: string type: object type: object requestsPerDayQuota: - description: RequestsPerDayQuota is the maximum number of certificate requests per days allowed for this issuer + description: RequestsPerDayQuota is the maximum number of certificate + requests per days allowed for this issuer type: integer type: object status: 
@@ -609,17 +768,20 @@ spec: description: Message is the status or error message. type: string observedGeneration: - description: ObservedGeneration is the observed generation of the spec. + description: ObservedGeneration is the observed generation of the + spec. format: int64 type: integer requestsPerDayQuota: - description: RequestsPerDayQuota is the actual maximum number of certificate requests per days allowed for this issuer + description: RequestsPerDayQuota is the actual maximum number of certificate + requests per days allowed for this issuer type: integer state: description: State is either empty, 'Pending', 'Error', or 'Ready'. type: string type: - description: Type is the issuer type. Currently only 'acme' and 'ca' are supported. + description: Type is the issuer type. Currently only 'acme' and 'ca' + are supported. type: string required: - state diff --git a/pkg/apis/cert/v1alpha1/certificate.go b/pkg/apis/cert/v1alpha1/certificate.go index 84f610110..f3c6aebe2 100644 --- a/pkg/apis/cert/v1alpha1/certificate.go +++ b/pkg/apis/cert/v1alpha1/certificate.go 
@@ -116,8 +116,22 @@ type CertificateStatus struct {
 	// BackOff contains the state to back off failed certificate requests
 	// +optional
 	BackOff *BackOffState `json:"backoff,omitempty"`
+	// List of status conditions to indicate the status of certificates.
+	// Known condition types are `Ready`.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
 
+const (
+	// CertificateConditionReady indicates that a certificate is ready for use.
+	// This is defined as:
+	// - The target secret exists
+	// - The target secret contains a certificate that has not expired
+	// - The target secret contains a private key valid for the certificate
+	// - The commonName and dnsNames attributes match those specified on the Certificate
+	CertificateConditionReady string = "Ready"
+)
+
 // QualifiedIssuerRef is the full qualified issuer reference.
 type QualifiedIssuerRef struct {
 	// Cluster is the cluster name of the issuer ('default' or 'target').
diff --git a/pkg/apis/cert/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/cert/v1alpha1/zz_generated.deepcopy.go
index a13a7c180..896b24909 100644
--- a/pkg/apis/cert/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/cert/v1alpha1/zz_generated.deepcopy.go
@@ -12,6 +12,7 @@ package v1alpha1
 
 import (
 	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
@@ -419,6 +420,13 @@ func (in *CertificateStatus) DeepCopyInto(out *CertificateStatus) {
 		*out = new(BackOffState)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	return
 }
 
diff --git a/pkg/controller/issuer/certificate/reconciler.go b/pkg/controller/issuer/certificate/reconciler.go
index 48896cff6..d65575c25 100644
--- a/pkg/controller/issuer/certificate/reconciler.go
+++ b/pkg/controller/issuer/certificate/reconciler.go
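Review bot: The new `Conditions` field in CertificateStatus carries only `// +optional`, so the generated schema has no list-type information and server-side apply will presumably treat the whole conditions list as atomic rather than merging entries by `type`; the conventional markers `// +patchMergeKey=type`, `// +patchStrategy=merge`, `// +listType=map`, `// +listMapKey=type` together with the tag `Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`` (exactly what the quoted metav1.Condition documentation in the CRD hunk prescribes) fix that and only need the CRDs regenerated. The doc comment on `CertificateConditionReady` promises four checks on the target secret and key, but the reconciler hunk sets the condition to True purely from `state == api.StateReady`, so unless the Ready state is established by those checks the comment over-promises; a wording that matches the code is `// CertificateConditionReady is True while the certificate is in state Ready and False otherwise; Reason carries the state and Message the status message.`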
@@ -1010,6 +1010,8 @@ func (r *certReconciler) prepareUpdateStatus(obj resources.Object, state string,
 		}
 	}
 
+	status.Conditions = r.updateReadyCondition(mod, status.Conditions, state, msg, status.ObservedGeneration)
+
 	cn := crt.Spec.CommonName
 	dnsNames := crt.Spec.DNSNames
 	if crt.Spec.CSR != nil {
@@ -1035,6 +1037,44 @@ func (r *certReconciler) prepareUpdateStatus(obj resources.Object, state string,
 	return mod, status
 }
 
+func (r *certReconciler) updateReadyCondition(mod *resources.ModificationState, oldConditions []metav1.Condition,
+	state string, msg *string, observedGeneration int64) []metav1.Condition {
+	oldReadyCondition := &metav1.Condition{
+		Type: api.CertificateConditionReady,
+		LastTransitionTime: metav1.NewTime(time.Now()),
+	}
+	if len(oldConditions) == 1 && oldConditions[0].Type == api.CertificateConditionReady {
+		oldReadyCondition = &oldConditions[0]
+	}
+	status := metav1.ConditionFalse
+	message := cmlutils.StringValue(msg)
+	if state == api.StateReady {
+		status = metav1.ConditionTrue
+		message = ""
+	}
+	newReadyCondition := metav1.Condition{
+		Type: api.CertificateConditionReady,
+		Status: status,
+		Message: message,
+		ObservedGeneration: observedGeneration,
+		Reason: state,
+		LastTransitionTime: oldReadyCondition.LastTransitionTime,
+	}
+	modified := false
+	if oldReadyCondition.Status != newReadyCondition.Status {
+		newReadyCondition.LastTransitionTime = metav1.NewTime(time.Now())
+		modified = true
+	}
+	modified = modified || oldReadyCondition.Message != newReadyCondition.Message
+	modified = modified || oldReadyCondition.ObservedGeneration != newReadyCondition.ObservedGeneration
+	modified = modified || oldReadyCondition.Reason != newReadyCondition.Reason
+	if modified {
+		mod.Modify(true)
+		return []metav1.Condition{newReadyCondition}
+	}
+	return oldConditions
+}
+
 func (r *certReconciler) updateStatus(logctx logger.LogContext, mod *resources.ModificationState) {
 	err := mod.UpdateStatus()
 	if err != nil {
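Review bot: `Reason: state` in updateReadyCondition is written into the condition unchanged, while the CRD schema added for `conditions[].reason` requires a non-empty value matching `^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$`; if the certificate state can ever be empty (the issuer status in this same patch documents an empty state), the API server rejects the status update and the object stops reporting progress, so an empty state should be mapped to a fixed reason before the condition is built. The guard `len(oldConditions) == 1 && oldConditions[0].Type == api.CertificateConditionReady` also stops matching as soon as any other condition type is present, which resets LastTransitionTime on every reconcile, and `return []metav1.Condition{newReadyCondition}` then drops those other entries; `meta.FindStatusCondition` and `meta.SetStatusCondition` from `k8s.io/apimachinery/pkg/api/meta` (the import block is outside this hunk) look up and merge by type and keep LastTransitionTime unless Status flips. A small unit test asserting that LastTransitionTime changes only on a status flip, and that Message/Reason/ObservedGeneration changes still mark the object modified, would pin the behaviour the comparison chain is meant to implement.
```go
func (r *certReconciler) updateReadyCondition(mod *resources.ModificationState, oldConditions []metav1.Condition,
	state string, msg *string, observedGeneration int64) []metav1.Condition {
	// … unchanged: status and message derived from state …
	reason := state
	if reason == "" {
		reason = "Unknown" // conditions[].reason must be non-empty CamelCase per the CRD schema
	}
	newReadyCondition := metav1.Condition{
		Type:               api.CertificateConditionReady,
		Status:             status,
		Message:            message,
		ObservedGeneration: observedGeneration,
		Reason:             reason,
	}
	conditions := append([]metav1.Condition(nil), oldConditions...)
	old := meta.FindStatusCondition(conditions, api.CertificateConditionReady)
	if old != nil && old.Status == newReadyCondition.Status && old.Message == newReadyCondition.Message &&
		old.ObservedGeneration == newReadyCondition.ObservedGeneration && old.Reason == newReadyCondition.Reason {
		return oldConditions
	}
	// SetStatusCondition keeps LastTransitionTime unless Status changed and leaves other condition types in place.
	meta.SetStatusCondition(&conditions, newReadyCondition)
	mod.Modify(true)
	return conditions
}
```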
diff --git a/vendor/github.com/gardener/controller-manager-library/hack/generate-crds b/vendor/github.com/gardener/controller-manager-library/hack/generate-crds index 4abe7d737..248d56021 100644 --- a/vendor/github.com/gardener/controller-manager-library/hack/generate-crds +++ b/vendor/github.com/gardener/controller-manager-library/hack/generate-crds @@ -11,7 +11,7 @@ loop() if [ -f "$f" ]; then cat <