cert-manager
diff --git a/‎TODO
Lines changed: 5 additions & 0 deletions b/‎TODO
Lines changed: 5 additions & 0 deletions
diff --git a/‎go.mod
Lines changed: 3 additions & 9 deletions b/‎go.mod
Lines changed: 3 additions & 9 deletions
diff --git a/‎pkg/authority/api.go
Lines changed: 0 additions & 250 deletions b/‎pkg/authority/api.go
Lines changed: 0 additions & 250 deletions
diff --git a/‎pkg/authority/api/api.go
Lines changed: 50 additions & 0 deletions b/‎pkg/authority/api/api.go
Lines changed: 50 additions & 0 deletions
@@ -0,0 +1,5 @@
+- maybe remove dependency on controller-runtime (use client-go directly instead)
+- make sure to re-reconcile certificates before they expire
+- Can we make the solution leader-election-less? Does it make sense that we use the existing cr leader election or should we create a seperate leader-election just for the logic in this library?
+- Scope down controller RBAC to single CA Secret resource.
+- Use cli flags in the program to list the injectables, allowing use to scope down the injectable RBAC.
@@ -3,8 +3,7 @@ module github.com/cert-manager/webhook-cert-lib
 go 1.22.0
 
 require (
-	github.com/onsi/ginkgo/v2 v2.22.0
-	github.com/onsi/gomega v1.36.0
+	github.com/go-logr/logr v1.4.2
 	k8s.io/api v0.31.3
 	k8s.io/apimachinery v0.31.3
 	k8s.io/client-go v0.31.3
@@ -20,19 +19,15 @@ require (
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
-	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.4 // indirect
-	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/imdario/mergo v0.3.6 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
@@ -41,23 +36,22 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/onsi/ginkgo/v2 v2.22.0 // indirect
+	github.com/onsi/gomega v1.36.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_golang v1.19.1 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.26.0 // indirect
 	golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc // indirect
 	golang.org/x/net v0.30.0 // indirect
 	golang.org/x/oauth2 v0.21.0 // indirect
 	golang.org/x/sys v0.26.0 // indirect
 	golang.org/x/term v0.25.0 // indirect
 	golang.org/x/text v0.19.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.26.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 
@@ -0,0 +1,50 @@
+/*
+Copyright The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package api
+
+const (
+	// DynamicAuthoritySecretLabel will - if set to "true" - make the dynamic
+	// authority CA controller inject and maintain a dynamic CA.
+	// The label must be added to Secret resource that want to denote that they
+	// can be directly injected into injectables that have a
+	// `inject-dynamic-ca-from-secret` label.
+	// If an injectable references a Secret that does NOT have this annotation,
+	// the dynamic ca-injector will refuse to inject the secret.
+	DynamicAuthoritySecretLabel = "cert-manager.io/allow-dynamic-ca-injection"
+	// WantInjectFromSecretNamespaceLabel is the label that specifies that a
+	// particular object wants injection of dynamic CAs from secret in
+	// namespace.
+	// Must be used in conjunction with WantInjectFromSecretNameLabel.
+	WantInjectFromSecretNamespaceLabel = "cert-manager.io/inject-dynamic-ca-from-secret-namespace"
+	// WantInjectFromSecretNameLabel is the label that specifies that a
+	// particular object wants injection of dynamic CAs from secret with name.
+	// Must be used in conjunction with WantInjectFromSecretNamespaceLabel.
+	WantInjectFromSecretNameLabel = "cert-manager.io/inject-dynamic-ca-from-secret-name"
+
+	// TLSCABundleKey is used as a data key in Secret resources to store a CA
+	// certificate bundle.
+	TLSCABundleKey = "ca-bundle.crt"
+
+	// RenewCertificateSecretAnnotation is an annotation that can be set to
+	// an arbitrary value on a certificate secret to trigger a renewal of the
+	// certificate managed in the secret.
+	RenewCertificateSecretAnnotation = "renew.cert-manager.io/requestedAt"
+	// RenewHandledCertificateSecretAnnotation is an annotation that will be set on a
+	// certificate secret whenever a new certificate is renewed using the
+	// RenewCertificateSecretAnnotation annotation.
+	RenewHandledCertificateSecretAnnotation = "renew.cert-manager.io/lastRequestedAt"
+)