support ACME preferred chains

gardener · Aug 24, 2023 · 50fabfa · 50fabfa
1 parent 62062b5
commit 50fabfa
Show file tree

Hide file tree

Showing 279 changed files with 4,713 additions and 4,247 deletions.
diff --git a/README.md b/README.md
@@ -28,6 +28,7 @@ Currently, the `cert-controller-manager` supports certificate authorities via:
   - [Requesting a Certificate](#requesting-a-certificate)
     - [Using `commonName` and optional `dnsNames`](#using-commonname-and-optional-dnsnames)
     - [Follow CNAME](#follow-cname)
+    - [Preferred Chain](#preferred-chain)
     - [Using a certificate signing request (CSR)](#using-a-certificate-signing-request-csr)
     - [Creating JKS or PKCS#12 keystores](#creating-jks-or-pkcs12-keystores)
   - [Requesting a Certificate for Ingress](#requesting-a-certificate-for-ingress)
@@ -311,6 +312,24 @@ DNS challenge to the target, i.e. `_acme-challenge.my-service.sandbox.other-doma
 
 If you are using an annotated ingress or service resource, the option is set by the annotation `cert.gardener.cloud/follow-cname=true`.
 
+### Preferred Chain
+
+If the CA offers multiple certificate chains, you can select the chain with the optional `preferredChain` field.
+The value is the Subject Common Name of the issuer. If no match, the default offered chain will be used.
+Please consult the documentation of the ACME server about offered certificate chains.
+
+Example:
+    ```yaml
+    apiVersion: cert.gardener.cloud/v1alpha1
+    kind: Certificate
+    metadata:
+      name: cert-follow
+      namespace: default
+    spec:
+      commonName: my-service.example-domain.com
+      preferredChain: "ISRG Root X1"
+    ```
+
 ### Secret Labels
 
 The `secretLabels` section allows to specify labels to be set for the certificate secret.
@@ -448,12 +467,13 @@ See also [examples/40-ingress-echoheaders.yaml](./examples/40-ingress-echoheader
       annotations:
         # Let Gardener manage certificates for this Ingress.
         cert.gardener.cloud/purpose: managed
-        #dns.gardener.cloud/class: garden # needed on Gardener shoot clusters for managed DNS record creation (if not covered by `*.ingress.<GARDENER-CLUSTER>.<GARDENER-PROJECT>.shoot.example.com)
-        #cert.gardener.cloud/commonname: "*.demo.mydomain.com" # optional, if not specified the first name from spec.tls[].hosts is used as common name
-        #cert.gardener.cloud/dnsnames: "" # optional, if not specified the names from spec.tls[].hosts are used
-        #cert.gardener.cloud/follow-cname: "true" # optional, to activate CNAME following for the DNS challenge
+        #dns.gardener.cloud/class: garden                             # needed on Gardener shoot clusters for managed DNS record creation (if not covered by `*.ingress.<GARDENER-CLUSTER>.<GARDENER-PROJECT>.shoot.example.com)
+        #cert.gardener.cloud/commonname: "*.demo.mydomain.com"        # optional, if not specified the first name from spec.tls[].hosts is used as common name
+        #cert.gardener.cloud/dnsnames: ""                             # optional, if not specified the names from spec.tls[].hosts are used
+        #cert.gardener.cloud/follow-cname: "true"                     # optional, to activate CNAME following for the DNS challenge
         #cert.gardener.cloud/secret-labels: "key1=value1,key2=value2" # optional labels for the certificate secret
-        #cert.gardener.cloud/issuer: issuer-name # optional to specify custom issuer (use namespace/name for shoot issuers)
+        #cert.gardener.cloud/issuer: issuer-name                      # optional to specify custom issuer (use namespace/name for shoot issuers)
+        #cert.gardener.cloud/preferred-chain: "chain name"            # optional to specify preferred-chain (value is the Subject Common Name of the root issuer)
     spec:
       tls:
         - hosts:
@@ -499,12 +519,13 @@ metadata:
   annotations:
     cert.gardener.cloud/secretname: test-service-secret
     dns.gardener.cloud/dnsnames: test-service.demo.mydomain.com
-    #dns.gardener.cloud/class: garden # needed on Gardener shoot clusters for managed DNS record creation
-    #cert.gardener.cloud/commonname: "*.demo.mydomain.com" # optional, if not specified the first name from dns.gardener.cloud/dnsnames is used as common name
-    #cert.gardener.cloud/dnsnames: "" # optional, if specified overrides dns.gardener.cloud/dnsnames annotation for certificate names
-    #cert.gardener.cloud/follow-cname: "true" # optional, to activate CNAME following for the DNS challenge
+    #dns.gardener.cloud/class: garden                             # needed on Gardener shoot clusters for managed DNS record creation
+    #cert.gardener.cloud/commonname: "*.demo.mydomain.com"        # optional, if not specified the first name from dns.gardener.cloud/dnsnames is used as common name
+    #cert.gardener.cloud/dnsnames: ""                             # optional, if specified overrides dns.gardener.cloud/dnsnames annotation for certificate names
+    #cert.gardener.cloud/follow-cname: "true"                     # optional, to activate CNAME following for the DNS challenge
     #cert.gardener.cloud/secret-labels: "key1=value1,key2=value2" # optional labels for the certificate secret
-    #cert.gardener.cloud/issuer: issuer-name # optional to specify custom issuer (use namespace/name for shoot issuers)
+    #cert.gardener.cloud/issuer: issuer-name                      # optional to specify custom issuer (use namespace/name for shoot issuers)
+    #cert.gardener.cloud/preferred-chain: "chain name"            # optional to specify preferred-chain (value is the Subject Common Name of the root issuer)
     dns.gardener.cloud/ttl: "600"
   name: test-service
   namespace: default

diff --git a/charts/cert-management/templates/cert.gardener.cloud_certificates.yaml b/charts/cert-management/templates/cert.gardener.cloud_certificates.yaml
@@ -173,6 +173,12 @@ spec:
                     - passwordSecretRef
                     type: object
                 type: object
+              preferredChain:
+                description: 'PreferredChain allows to specify the preferred certificate
+                  chain: if the CA offers multiple certificate chains, prefer the
+                  chain with an issuer matching this Subject Common Name. If no match,
+                  the default offered chain will be used.'
+                type: string
               renew:
                 description: Renew triggers a renewal if set to true
                 type: boolean

diff --git a/examples/30-cert-simple.yaml b/examples/30-cert-simple.yaml
@@ -33,3 +33,6 @@ spec:
   # For example: If a CNAME record exists '_acme-challenge.cert1.mydomain.com' => '_acme-challenge.writable.domain.com',
   # the DNS challenge will be written to '_acme-challenge.writable.domain.com'.
   #followCNAME: true
+
+  # Optionally specify the preferred certificate chain: if the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used.
+  #preferredChain: "ISRG Root X1"
diff --git a/examples/40-ingress-echoheaders.yaml b/examples/40-ingress-echoheaders.yaml
@@ -9,12 +9,13 @@ metadata:
   namespace: default
   annotations:
     cert.gardener.cloud/purpose: managed
-    #dns.gardener.cloud/class: garden # needed on Gardener shoot clusters for managed DNS record creation
-    #cert.gardener.cloud/commonname: "*.demo.mydomain.com" # optional, if not specified the first name from spec.tls[].hosts is used as common name
-    #cert.gardener.cloud/dnsnames: "" # optional, if not specified the names from spec.tls[].hosts are used
-    #cert.gardener.cloud/follow-cname: "true" # optional, same as spec.followCNAME in certificates
+    #dns.gardener.cloud/class: garden                             # needed on Gardener shoot clusters for managed DNS record creation
+    #cert.gardener.cloud/commonname: "*.demo.mydomain.com"        # optional, if not specified the first name from spec.tls[].hosts is used as common name
+    #cert.gardener.cloud/dnsnames: ""                             # optional, if not specified the names from spec.tls[].hosts are used
+    #cert.gardener.cloud/follow-cname: "true"                     # optional, same as spec.followCNAME in certificates
     #cert.gardener.cloud/secret-labels: "key1=value1,key2=value2" # optional labels for the certificate secret
-    #cert.gardener.cloud/issuer: issuer-name # optional to specify custom issuer (use namespace/name for shoot issuers)
+    #cert.gardener.cloud/issuer: issuer-name                      # optional to specify custom issuer (use namespace/name for shoot issuers)
+    #cert.gardener.cloud/preferred-chain: "chain name"            # optional to specify preferred-chain (value is the Subject Common Name of the root issuer)
 spec:
   tls:
     - hosts:

diff --git a/examples/40-service-loadbalancer.yaml b/examples/40-service-loadbalancer.yaml
@@ -9,12 +9,13 @@ metadata:
     cert.gardener.cloud/secretname: test-service-secret
     dns.gardener.cloud/dnsnames: test-service.demo.mydomain.com
     dns.gardener.cloud/ttl: "600"
-    #dns.gardener.cloud/class: garden # needed on Gardener shoot clusters for managed DNS record creation
-    #cert.gardener.cloud/commonname: "*.demo.mydomain.com" # optional, if not specified the first name from dns.gardener.cloud/dnsnames is used as common name
-    #cert.gardener.cloud/dnsnames: "" # optional, if specified overrides dns.gardener.cloud/dnsnames annotation for certificate names
-    #cert.gardener.cloud/follow-cname: "true" # optional, same as spec.followCNAME in certificates
+    #dns.gardener.cloud/class: garden                             # needed on Gardener shoot clusters for managed DNS record creation
+    #cert.gardener.cloud/commonname: "*.demo.mydomain.com"        # optional, if not specified the first name from dns.gardener.cloud/dnsnames is used as common name
+    #cert.gardener.cloud/dnsnames: ""                             # optional, if specified overrides dns.gardener.cloud/dnsnames annotation for certificate names
+    #cert.gardener.cloud/follow-cname: "true"                     # optional, same as spec.followCNAME in certificates
     #cert.gardener.cloud/secret-labels: "key1=value1,key2=value2" # optional labels for the certificate secret
-    #cert.gardener.cloud/issuer: issuer-name # optional to specify custom issuer (use namespace/name for shoot issuers)
+    #cert.gardener.cloud/issuer: issuer-name                      # optional to specify custom issuer (use namespace/name for shoot issuers)
+    #cert.gardener.cloud/preferred-chain: "chain name"            # optional to specify preferred-chain (value is the Subject Common Name of the root issuer)
   name: test-service
   namespace: default
 spec:

diff --git a/go.mod b/go.mod
@@ -8,8 +8,8 @@ require (
 	github.com/cert-manager/cert-manager v1.11.0
 	github.com/gardener/controller-manager-library v0.2.1-0.20230504074505-cf120e9a982d
 	github.com/gardener/external-dns-management v0.15.3
-	github.com/go-acme/lego/v4 v4.8.0
-	github.com/miekg/dns v1.1.51
+	github.com/go-acme/lego/v4 v4.14.0
+	github.com/miekg/dns v1.1.55
 	github.com/onsi/ginkgo/v2 v2.8.3
 	github.com/onsi/gomega v1.27.1
 	github.com/pavlo-v-chernykh/keystore-go/v4 v4.4.0
@@ -27,18 +27,19 @@ require (
 
 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e // indirect
-	github.com/BurntSushi/toml v1.1.0 // indirect
+	github.com/BurntSushi/toml v1.3.2 // indirect
 	github.com/alessio/shellescape v1.4.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
-	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
+	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fatih/color v1.13.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
 	github.com/go-ldap/ldap/v3 v3.4.4 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
@@ -60,7 +61,7 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.16 // indirect
+	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
@@ -74,20 +75,19 @@ require (
 	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/spf13/cobra v1.6.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	golang.org/x/crypto v0.5.0 // indirect
-	golang.org/x/mod v0.8.0 // indirect
-	golang.org/x/net v0.7.0 // indirect
-	golang.org/x/oauth2 v0.4.0 // indirect
-	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/sys v0.5.0 // indirect
-	golang.org/x/term v0.5.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
+	golang.org/x/crypto v0.10.0 // indirect
+	golang.org/x/mod v0.11.0 // indirect
+	golang.org/x/net v0.11.0 // indirect
+	golang.org/x/oauth2 v0.9.0 // indirect
+	golang.org/x/sync v0.3.0 // indirect
+	golang.org/x/sys v0.9.0 // indirect
+	golang.org/x/term v0.9.0 // indirect
+	golang.org/x/text v0.10.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.6.0 // indirect
+	golang.org/x/tools v0.10.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.26.4 // indirect