add additional waiting time to ratelimiting time, validate for duplic…

…ate domain names
gardener · May 27, 2020 · c377d27 · c377d27
1 parent d1d85da
commit c377d27
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 3 deletions.
diff --git a/charts/cert-management/templates/crds.yaml b/charts/cert-management/templates/crds.yaml
@@ -239,6 +239,27 @@ spec:
         status:
           description: CertificateStatus is the status of the certificate request.
           properties:
+            backoff:
+              description: BackOff contains the state to back off failed certificate
+                requests
+              properties:
+                observedGeneration:
+                  description: ObservedGeneration is the observed generation the BackOffState
+                    is assigned to
+                  format: int64
+                  type: integer
+                recheckAfter:
+                  description: RetryAfter is the timestamp this cert request is not
+                    retried before.
+                  format: date-time
+                  type: string
+                recheckInterval:
+                  description: RetryInterval is interval to wait for retrying.
+                  type: string
+              required:
+                - recheckAfter
+                - recheckInterval
+              type: object
             commonName:
               description: CommonName is the current CN.
               type: string
@@ -279,7 +300,6 @@ spec:
               description: State is the certificate state.
               type: string
           required:
-            - lastPendingTimestamp
             - state
           type: object
       required:

diff --git a/examples/30-cert-simple.yaml b/examples/30-cert-simple.yaml
@@ -1,12 +1,15 @@
 apiVersion: cert.gardener.cloud/v1alpha1
 kind: Certificate
 metadata:
+  annotations:
+    # class annotation only needed if cert-controller-manager is started with --cert-class=myclass
+    #cert.gardener.cloud/class: myclass
   name: cert-simple
   namespace: default
 spec:
   commonName: cert1.mydomain.com
   dnsNames:
-  - cert1.my-domain.com
+  - cert1.my-other-domain.com
   # if issuer is not specified, the default issuer is used
   issuerRef:
     name: issuer-staging

diff --git a/pkg/controller/issuer/certificate/reconciler.go b/pkg/controller/issuer/certificate/reconciler.go
@@ -31,6 +31,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/selection"
+	"k8s.io/apimachinery/pkg/util/sets"
 
 	"github.com/gardener/controller-manager-library/pkg/controllermanager/cluster"
 	"github.com/gardener/controller-manager-library/pkg/controllermanager/controller"
@@ -275,7 +276,7 @@ func (r *certReconciler) rateLimitingEndTime(timestamp *metav1.Time) *time.Time
 	if timestamp == nil {
 		return nil
 	}
-	endTime := timestamp.Add(r.rateLimiting)
+	endTime := timestamp.Add(r.rateLimiting).Add(r.additionalWait)
 	return &endTime
 }
 
@@ -442,6 +443,13 @@ func (r *certReconciler) validateDomainsAndCsr(spec *api.CertificateSpec) error
 	}
 
 	domainsToValidate := append([]string{*cn}, dnsNames...)
+	names := sets.String{}
+	for _, name := range domainsToValidate {
+		if names.Has(name) {
+			return fmt.Errorf("duplicate domain: %s", name)
+		}
+		names.Insert(name)
+	}
 	err = r.checkDomainRangeRestriction(spec, domainsToValidate)
 	return err
 }