support for secret labels

README.md

@@ -311,6 +311,28 @@ DNS challenge to the target, i.e. `_acme-challenge.my-service.sandbox.other-doma
 
 If you are using an annotated ingress or service resource, the option is set by the annotation `cert.gardener.cloud/follow-cname=true`.
 
+### Secret Labels
+
+The `secretLabels` section allows to specify labels to be set for the certificate secret.
+
+Example:
+
+```yaml
+apiVersion: cert.gardener.cloud/v1alpha1
+kind: Certificate
+metadata:
+  name: cert-secret-labels
+  namespace: default
+spec:
+  commonName: my-service.example-domain.com
+  secretName: my-secret
+  secretLabels:
+    key1: value1
+    key2: value2
+```
+
+In this case the secret `my-sceret` will contains the labels.
+
 ### Using a certificate signing request (CSR)
 
 You can provide a complete CSR in PEM format (and encoded as Base64).
@@ -430,6 +452,7 @@ See also [examples/40-ingress-echoheaders.yaml](./examples/40-ingress-echoheader
         #cert.gardener.cloud/commonname: "*.demo.mydomain.com" # optional, if not specified the first name from spec.tls[].hosts is used as common name
         #cert.gardener.cloud/dnsnames: "" # optional, if not specified the names from spec.tls[].hosts are used
         #cert.gardener.cloud/follow-cname: "true" # optional, to activate CNAME following for the DNS challenge
+        #cert.gardener.cloud/secret-labels: "key1=value1,key2=value2" # optional labels for the certificate secret
     spec:
       tls:
         - hosts:
@@ -479,6 +502,7 @@ metadata:
     #cert.gardener.cloud/commonname: "*.demo.mydomain.com" # optional, if not specified the first name from dns.gardener.cloud/dnsnames is used as common name
     #cert.gardener.cloud/dnsnames: "" # optional, if specified overrides dns.gardener.cloud/dnsnames annotation for certificate names
     #cert.gardener.cloud/follow-cname: "true" # optional, to activate CNAME following for the DNS challenge
+    #cert.gardener.cloud/secret-labels: "key1=value1,key2=value2" # optional labels for the certificate secret
     dns.gardener.cloud/ttl: "600"
   name: test-service
   namespace: default

examples/30-cert-simple-with-keystores.yaml

@@ -18,6 +18,10 @@ spec:
   secretRef:
     name: cert-simple-secret
     namespace: default
+  # optionally set labels for the secret
+  #secretLabels:
+  #  key1: value1
+  #  key2: value2
 
   # enable keystore creation for both JKS and PKCS#12
   # This will create additional data entries in the certificate secret named `keystore.jks`, `truststore.jks` for JKS

examples/30-cert-simple.yaml

@@ -21,6 +21,10 @@ spec:
   secretRef:
     name: cert-simple-secret
     namespace: default
+  # optionally set labels for the secret
+  #secretLabels:
+  #  key1: value1
+  #  key2: value2
 
   # If delegated domain for DNS01 challenge should be used. This has only an effect if a CNAME record is set for
   # either '_acme-challenge.cert1.mydomain.com' or '_acme-challenge.cert1.my-other-domain.com'.

examples/30-cert-wildcard.yaml

@@ -14,4 +14,8 @@ spec:
   # optionally specify secret to store certificate
   secretRef:
     name: cert-wildcard-secret
-    namespace: default
+    namespace: default
+  # optionally set labels for the secret
+  #secretLabels:
+  #  key1: value1
+  #  key2: value2

examples/40-ingress-echoheaders.yaml

@@ -13,6 +13,7 @@ metadata:
     #cert.gardener.cloud/commonname: "*.demo.mydomain.com" # optional, if not specified the first name from spec.tls[].hosts is used as common name
     #cert.gardener.cloud/dnsnames: "" # optional, if not specified the names from spec.tls[].hosts are used
     #cert.gardener.cloud/follow-cname: "true" # optional, same as spec.followCNAME in certificates
+    #cert.gardener.cloud/secret-labels: "key1=value1,key2=value2" # optional labels for the certificate secret
 spec:
   tls:
     - hosts:

examples/40-service-loadbalancer.yaml

@@ -13,6 +13,7 @@ metadata:
     #cert.gardener.cloud/commonname: "*.demo.mydomain.com" # optional, if not specified the first name from dns.gardener.cloud/dnsnames is used as common name
     #cert.gardener.cloud/dnsnames: "" # optional, if specified overrides dns.gardener.cloud/dnsnames annotation for certificate names
     #cert.gardener.cloud/follow-cname: "true" # optional, same as spec.followCNAME in certificates
+    #cert.gardener.cloud/secret-labels: "key1=value1,key2=value2" # optional labels for the certificate secret
   name: test-service
   namespace: default
 spec:

pkg/apis/cert/crds/cert.gardener.cloud_certificaterevocations.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
+    controller-gen.kubebuilder.io/version: v0.11.3
   creationTimestamp: null
   name: certificaterevocations.cert.gardener.cloud
 spec:
@@ -218,6 +218,7 @@ spec:
                       required:
                       - serialNumber
                       type: object
+                      x-kubernetes-map-type: atomic
                     type: array
                   processing:
                     description: Processing is the list of certificate secrets to
@@ -240,6 +241,7 @@ spec:
                       required:
                       - serialNumber
                       type: object
+                      x-kubernetes-map-type: atomic
                     type: array
                   revoked:
                     description: Revoked is the list of certificate secrets successfully
@@ -262,6 +264,7 @@ spec:
                       required:
                       - serialNumber
                       type: object
+                      x-kubernetes-map-type: atomic
                     type: array
                 type: object
               state:
@@ -277,9 +280,3 @@ spec:
     storage: true
     subresources:
       status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []

pkg/apis/cert/crds/cert.gardener.cloud_certificates.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
+    controller-gen.kubebuilder.io/version: v0.11.3
   creationTimestamp: null
   name: certificates.cert.gardener.cloud
 spec:
@@ -175,6 +175,11 @@ spec:
               renew:
                 description: Renew triggers a renewal if set to true
                 type: boolean
+              secretLabels:
+                additionalProperties:
+                  type: string
+                description: SecretLabels are labels to add to the certificate secret.
+                type: object
               secretName:
                 description: SecretName is the name of the secret object to use for
                   storing the certificate.
@@ -192,6 +197,7 @@ spec:
                       name must be unique.
                     type: string
                 type: object
+                x-kubernetes-map-type: atomic
             type: object
           status:
             description: CertificateStatus is the status of the certificate request.
@@ -227,8 +233,8 @@ spec:
                   description: "Condition contains details for one aspect of the current
                     state of this API Resource. --- This struct is intended for direct
                     use as an array at the field path .status.conditions.  For example,
-                    type FooStatus struct{ // Represents the observations of a foo's
-                    current state. // Known .status.conditions.type are: \"Available\",
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
                     \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
                     // +listType=map // +listMapKey=type Conditions []metav1.Condition
                     `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
@@ -341,9 +347,3 @@ spec:
     storage: true
     subresources:
       status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []

pkg/apis/cert/crds/cert.gardener.cloud_issuers.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
+    controller-gen.kubebuilder.io/version: v0.11.3
   creationTimestamp: null
   name: issuers.cert.gardener.cloud
 spec:
@@ -113,6 +113,7 @@ spec:
                               the secret name must be unique.
                             type: string
                         type: object
+                        x-kubernetes-map-type: atomic
                     required:
                     - keyID
                     - keySecretRef
@@ -137,6 +138,7 @@ spec:
                           secret name must be unique.
                         type: string
                     type: object
+                    x-kubernetes-map-type: atomic
                   server:
                     description: Server is the URL of the ACME server.
                     type: string
@@ -164,6 +166,7 @@ spec:
                           secret name must be unique.
                         type: string
                     type: object
+                    x-kubernetes-map-type: atomic
                 type: object
               requestsPerDayQuota:
                 description: RequestsPerDayQuota is the maximum number of certificate
@@ -210,9 +213,3 @@ spec:
     storage: true
     subresources:
       status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []

pkg/apis/cert/crds/zz_generated_crds.go

@@ -21,7 +21,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
+    controller-gen.kubebuilder.io/version: v0.11.3
   creationTimestamp: null
   name: certificaterevocations.cert.gardener.cloud
 spec:
@@ -236,6 +236,7 @@ spec:
                       required:
                       - serialNumber
                       type: object
+                      x-kubernetes-map-type: atomic
                     type: array
                   processing:
                     description: Processing is the list of certificate secrets to
@@ -258,6 +259,7 @@ spec:
                       required:
                       - serialNumber
                       type: object
+                      x-kubernetes-map-type: atomic
                     type: array
                   revoked:
                     description: Revoked is the list of certificate secrets successfully
@@ -280,6 +282,7 @@ spec:
                       required:
                       - serialNumber
                       type: object
+                      x-kubernetes-map-type: atomic
                     type: array
                 type: object
               state:
@@ -295,12 +298,6 @@ spec:
     storage: true
     subresources:
       status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
   `
 	utils.Must(registry.RegisterCRD(data))
 	data = `
@@ -309,7 +306,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
+    controller-gen.kubebuilder.io/version: v0.11.3
   creationTimestamp: null
   name: certificates.cert.gardener.cloud
 spec:
@@ -481,6 +478,11 @@ spec:
               renew:
                 description: Renew triggers a renewal if set to true
                 type: boolean
+              secretLabels:
+                additionalProperties:
+                  type: string
+                description: SecretLabels are labels to add to the certificate secret.
+                type: object
               secretName:
                 description: SecretName is the name of the secret object to use for
                   storing the certificate.
@@ -498,6 +500,7 @@ spec:
                       name must be unique.
                     type: string
                 type: object
+                x-kubernetes-map-type: atomic
             type: object
           status:
             description: CertificateStatus is the status of the certificate request.
@@ -533,8 +536,8 @@ spec:
                   description: "Condition contains details for one aspect of the current
                     state of this API Resource. --- This struct is intended for direct
                     use as an array at the field path .status.conditions.  For example,
-                    type FooStatus struct{ // Represents the observations of a foo's
-                    current state. // Known .status.conditions.type are: \"Available\",
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
                     \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
                     // +listType=map // +listMapKey=type Conditions []metav1.Condition
                     ` + "`" + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
@@ -647,12 +650,6 @@ spec:
     storage: true
     subresources:
       status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
   `
 	utils.Must(registry.RegisterCRD(data))
 	data = `
@@ -661,7 +658,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
+    controller-gen.kubebuilder.io/version: v0.11.3
   creationTimestamp: null
   name: issuers.cert.gardener.cloud
 spec:
@@ -771,6 +768,7 @@ spec:
                               the secret name must be unique.
                             type: string
                         type: object
+                        x-kubernetes-map-type: atomic
                     required:
                     - keyID
                     - keySecretRef
@@ -795,6 +793,7 @@ spec:
                           secret name must be unique.
                         type: string
                     type: object
+                    x-kubernetes-map-type: atomic
                   server:
                     description: Server is the URL of the ACME server.
                     type: string
@@ -822,6 +821,7 @@ spec:
                           secret name must be unique.
                         type: string
                     type: object
+                    x-kubernetes-map-type: atomic
                 type: object
               requestsPerDayQuota:
                 description: RequestsPerDayQuota is the maximum number of certificate
@@ -868,12 +868,6 @@ spec:
     storage: true
     subresources:
       status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
   `
 	utils.Must(registry.RegisterCRD(data))
 }

pkg/apis/cert/v1alpha1/certificate.go

@@ -62,6 +62,9 @@ type CertificateSpec struct {
 	// SecretRef is the reference of the secret object to use for storing the certificate.
 	// +optional
 	SecretRef *corev1.SecretReference `json:"secretRef,omitempty"`
+	// SecretLabels are labels to add to the certificate secret.
+	// +optional
+	SecretLabels map[string]string `json:"secretLabels,omitempty"`
 	// Renew triggers a renewal if set to true
 	// +optional
 	Renew *bool `json:"renew,omitempty"`