quota for certificate requests, lease requests for all controllers

gardener · May 26, 2020 · d1d85da · d1d85da
1 parent 31adf7c
commit d1d85da
Show file tree

Hide file tree

Showing 322 changed files with 23,039 additions and 95,684 deletions.
diff --git a/.ci/pipeline_definitions b/.ci/pipeline_definitions
@@ -6,13 +6,6 @@ cert-management:
       version:
         preprocess: 'inject-commit-hash'
       component_descriptor: ~
-    steps:
-      check:
-        image: 'golang:1.13.3'
-      test:
-        image: 'golang:1.13.3'
-      build:
-        image: 'golang:1.13.3'
   jobs:
     head-update:
       traits:

diff --git a/Makefile b/Makefile
@@ -1,6 +1,9 @@
-EXECUTABLE=cert-controller-manager
-PROJECT=github.com/gardener/cert-management
-VERSION=$(shell cat VERSION)
+REGISTRY              := eu.gcr.io/gardener-project
+EXECUTABLE            := cert-controller-manager
+PROJECT               := github.com/gardener/cert-management
+CERT_IMAGE_REPOSITORY := $(REGISTRY)/cert-controller-manager
+VERSION               := $(shell cat VERSION)
+IMAGE_TAG             := $(VERSION)
 
 
 .PHONY: revendor
@@ -41,4 +44,8 @@ test:
 
 .PHONY: generate
 generate:
-	@./hack/generate-code
+	@./hack/generate-code
+
+.PHONY: docker-images
+docker-images:
+	@docker build -t $(CERT_IMAGE_REPOSITORY):$(IMAGE_TAG) -t $(CERT_IMAGE_REPOSITORY):latest -f build/Dockerfile --target cert-controller-manager .
diff --git a/build/Dockerfile b/build/Dockerfile
@@ -12,11 +12,23 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM alpine:3.10
+#############      builder       #############
+FROM golang:1.13.9 AS builder
+
+WORKDIR /build
+COPY . .
+
+RUN make release
+
+############# base
+FROM alpine:3.11.3 AS base
+
+#############      cert-controller-manager     #############
+FROM base AS cert-controller-manager
 
 RUN addgroup -S app && adduser -S -G app app
 WORKDIR /
-ADD bin/rel/cert-controller-manager /cert-controller-manager
+COPY --from=builder /build/cert-controller-manager /cert-controller-manager
 USER app
 
 ENTRYPOINT ["/cert-controller-manager"]
diff --git a/examples/10-crds.yaml b/examples/10-crds.yaml
@@ -90,6 +90,9 @@ spec:
                 - email
                 - server
               type: object
+            requestsPerDayQuota:
+              description: RequestsPerDayQuota is the maximum number of certificate requests per days allowed for this issuer
+              type: integer
           type: object
         status:
           description: IssuerStatus is the status of the issuer.
@@ -104,6 +107,9 @@ spec:
               description: ObservedGeneration is the observed generation of the spec.
               format: int64
               type: integer
+            requestsPerDayQuota:
+              description: RequestsPerDayQuota is the actual maximum number of certificate requests per days allowed for this issuer
+              type: integer
             state:
               description: State is either empty, 'Pending', 'Error', or 'Ready'.
               type: string
@@ -227,6 +233,27 @@ spec:
         status:
           description: CertificateStatus is the status of the certificate request.
           properties:
+            backoff:
+              description: BackOff contains the state to back off failed certificate
+                requests
+              properties:
+                observedGeneration:
+                  description: ObservedGeneration is the observed generation the BackOffState
+                    is assigned to
+                  format: int64
+                  type: integer
+                recheckAfter:
+                  description: RetryAfter is the timestamp this cert request is not
+                    retried before.
+                  format: date-time
+                  type: string
+                recheckInterval:
+                  description: RetryInterval is interval to wait for retrying.
+                  type: string
+              required:
+                - recheckAfter
+                - recheckInterval
+              type: object
             commonName:
               description: CommonName is the current CN.
               type: string
@@ -267,7 +294,6 @@ spec:
               description: State is the certificate state.
               type: string
           required:
-            - lastPendingTimestamp
             - state
           type: object
       required:

diff --git a/examples/30-cert-csr.yaml b/examples/30-cert-csr.yaml
@@ -7,3 +7,7 @@ spec:
   csr: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQzFUQ0NBYjBDQVFBd2dZOHhDekFKQmdOVkJBWVRBbVJsTVJFd0R3WURWUVFIREFoWFlXeHNaRzl5WmpFTQpNQW9HQTFVRUNnd0RVMEZRTVE4d0RRWURWUVFMREFaVFFWQWdRMUF4SnpBbEJnTlZCQU1NSG1ObGNuUjBaWE4wClkzTnlMbTFoY25ScGJpNTBaWE4wTmpJeU55NXRiREVsTUNNR0NTcUdTSWIzRFFFSkFSWVdiV0Z5ZEdsdUxuZGwKYVc1a1pXeEFjMkZ3TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUwyMwpYZXh4VUN0TGM3RFdvczkyZUphRUo1cjdyV3BJekJjd1NyaUpkOU5nTGFzSFp0Zm1SK01QVExoeG8rMGZlZXV1Ck01a2p0S1owSnNwNVVUSjdQbVpydmtpNXVmc2dQNnFOUUJvK1JDYzFRbUZSYUQySEdkbzVIVVg5VUFZRW5PQmgKYlZIRFBmWSswV0E1cWsyWDh1aDNaclcwS3gwUGcvaUtTVlZ3R1RYeG8wcWlhTWhlYXhodFFnK3FNemoyK2FlRgpSMU5UUHB2d2ppbjZsR0QzNEhFODlDdHY2dnF0WW1iRmtXQ0RrRmlGeEJaZGNYKzQ5UElSVnlPSG1XbGR1eG5tCjZqeU80RzJ6elJaaTdScDIya1BVVzhHWEtyWXd6TE9qQkFSOTZrRU1nRE1sOXBlSWxMUjFBeDB5ZnZsTzdpSmQKbW8rMWo2aXUvT1dPMFR6UHdxa0NBd0VBQWFBQU1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ2tCQUl0cnZJSwo5OUhkOWJPY2NibUVrVW1najg0cXZtTmVrbmlHU3hEaTVRRHZQSitORUp5dEhHdXBUZVhvb005WDZjOVc4aHlTCkw4Tk5rWHdwYmlHSkpQYThjOU93L3V4VWU4TXN3MUljOWhWeTV0aDlZZlU3TTY2WjdMSEdvUDF1MzFQNWhWOEsKTHBPblhoeTRVbHFadE1SSmdsbWowYS9iZ3VmdEQ3YUVidHVGQ0xLQ0c2Vk1pMTc0YkNWUlpSbmtXUjRCdGViVAptcFlUYXp5Vjd3TXhxLzl3NGUyT0JqTFhwRHl4THo3RFBweHF1MHU0dHVPaXo0RmZJWUxtNDlyQUJGMW9lTVBICnl1WU5RWDRKWm9nRHFPN3BOS3JQNnZMQ2pDZmhJMUoyK1l1Vkp3c3QxUmJiUVdoS1NoMnIralh0cG1ocmRrdjEKMklVejV3Sk90TlhWCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
   issuerRef:
     name: issuer-staging
+  # optionally specify secret to store certificate
+  secretRef:
+    name: cert-csr-secret
+    namespace: default
diff --git a/examples/30-cert-simple.yaml b/examples/30-cert-simple.yaml
@@ -10,3 +10,7 @@ spec:
   # if issuer is not specified, the default issuer is used
   issuerRef:
     name: issuer-staging
+  # optionally specify secret to store certificate
+  secretRef:
+    name: cert-simple-secret
+    namespace: default
diff --git a/examples/30-cert-wildcard.yaml b/examples/30-cert-wildcard.yaml
@@ -1,9 +1,13 @@
 apiVersion: cert.gardener.cloud/v1alpha1
-kind: CertRequest
+kind: Certificate
 metadata:
   name: cert-wildcard
   namespace: default
 spec:
   commonName: "*.cert2.martin.mydomain.com"
   issuerRef:
     name: issuer-staging
+  # optionally specify secret to store certificate
+  secretRef:
+    name: cert-wildcard-secret
+    namespace: default
diff --git a/go.mod b/go.mod
@@ -3,42 +3,34 @@ module github.com/gardener/cert-management
 go 1.13
 
 require (
-	github.com/Masterminds/semver v1.4.2 // indirect
 	github.com/ahmetb/gen-crd-api-reference-docs v0.1.5
 	github.com/emicklei/go-restful v2.11.1+incompatible // indirect
-	github.com/gardener/controller-manager-library v0.1.1-0.20191220121917-d7bc378737f9
-	github.com/gardener/external-dns-management v0.7.3
-	github.com/go-acme/lego/v3 v3.3.0
+	github.com/gardener/controller-manager-library v0.1.1-0.20200505095016-1674d986dfac
+	github.com/gardener/external-dns-management v0.7.10
+	github.com/go-acme/lego/v3 v3.7.0
 	github.com/go-openapi/spec v0.19.4 // indirect
-	github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef // indirect
-	github.com/googleapis/gnostic v0.2.0 // indirect
-	github.com/imdario/mergo v0.3.7 // indirect
-	github.com/miekg/dns v1.1.15
+	github.com/miekg/dns v1.1.27
 	github.com/onsi/ginkgo v1.10.1
 	github.com/onsi/gomega v1.7.0
+	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.1.0
-	github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4 // indirect
 	github.com/prometheus/common v0.7.0 // indirect
 	github.com/prometheus/procfs v0.0.5 // indirect
-	golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f
-	golang.org/x/oauth2 v0.0.0-20191122200657-5d9234df094c // indirect
-	gopkg.in/inf.v0 v0.9.1 // indirect
-	k8s.io/api v0.16.4
-	k8s.io/apiextensions-apiserver v0.0.0-20190502093314-7526e4c489ad
+	golang.org/x/lint v0.0.0-20200302205851-738671d3881b
+	k8s.io/api v0.16.8
+	k8s.io/apiextensions-apiserver v0.16.8
 	k8s.io/apimachinery v0.17.0
 	k8s.io/client-go v11.0.1-0.20190708175433-62e1c231c5dc+incompatible
-	k8s.io/code-generator v0.16.4
+	k8s.io/code-generator v0.16.8
 	k8s.io/gengo v0.0.0-20191120174120-e74f70b9b27e // indirect
-	k8s.io/klog v1.0.0 // indirect
-	k8s.io/kube-openapi v0.0.0-20190816220812-743ec37842bf
+	k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a
 	sigs.k8s.io/kind v0.7.0
 )
 
 replace (
-	k8s.io/api => k8s.io/api v0.16.4 // kubernetes-1.16.4
-	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.16.4 // kubernetes-1.16.4
-	k8s.io/apimachinery => k8s.io/apimachinery v0.16.5-beta.1 // kubernetes-1.16.4
-	k8s.io/client-go => k8s.io/client-go v0.16.4
-	k8s.io/code-generator => k8s.io/code-generator v0.16.5-beta.1 // kubernetes-1.16.4
+	k8s.io/api => k8s.io/api v0.16.8
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.16.8
+	k8s.io/apimachinery => k8s.io/apimachinery v0.16.8
+	k8s.io/client-go => k8s.io/client-go v0.16.8
 	k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a
 )