Add to override issuer on shard certificate tempalte

mjudeikis · mjudeikis · commit cce52ed15a8b · 2025-10-09T16:58:38.000+03:00
Signed-off-by: Mangirdas Judeikis &lt;mangirdas@judeikis.lt&gt;
On-behalf-of: SAP &lt;mangirdas.judeikis@sap.com&gt;
diff --git a/config/crd/bases/operator.kcp.io_frontproxies.yaml b/config/crd/bases/operator.kcp.io_frontproxies.yaml
@@ -188,6 +188,9 @@ spec:
                           description: |-
                             Requested DNS subject alternative names. The values given here will be merged into the
                             DNS names determined automatically by the kcp-operator.
+                            If DNSNames is used together with IssuerRef, DNSNames will be uses as-is and not merged.
+                            If IssuerRef is not set, DNSNames will be merged with the defaults. This is to avoid
+                            trying to guess what DNSNames configued issuer might support.
                           items:
                             type: string
                           type: array
@@ -208,6 +211,22 @@ spec:
                           items:
                             type: string
                           type: array
+                        issuerRef:
+                          description: IssuerRef is a reference to the issuer for
+                            this certificate.
+                          properties:
+                            group:
+                              description: Group of the object being referred to.
+                              type: string
+                            kind:
+                              description: Kind of the object being referred to.
+                              type: string
+                            name:
+                              description: Name of the object being referred to.
+                              type: string
+                          required:
+                          - name
+                          type: object
                         privateKey:
                           description: |-
                             Private key options. These include the key algorithm and size, the used
diff --git a/config/crd/bases/operator.kcp.io_kubeconfigs.yaml b/config/crd/bases/operator.kcp.io_kubeconfigs.yaml
@@ -65,6 +65,9 @@ spec:
                         description: |-
                           Requested DNS subject alternative names. The values given here will be merged into the
                           DNS names determined automatically by the kcp-operator.
+                          If DNSNames is used together with IssuerRef, DNSNames will be uses as-is and not merged.
+                          If IssuerRef is not set, DNSNames will be merged with the defaults. This is to avoid
+                          trying to guess what DNSNames configued issuer might support.
                         items:
                           type: string
                         type: array
@@ -85,6 +88,22 @@ spec:
                         items:
                           type: string
                         type: array
+                      issuerRef:
+                        description: IssuerRef is a reference to the issuer for this
+                          certificate.
+                        properties:
+                          group:
+                            description: Group of the object being referred to.
+                            type: string
+                          kind:
+                            description: Kind of the object being referred to.
+                            type: string
+                          name:
+                            description: Name of the object being referred to.
+                            type: string
+                        required:
+                        - name
+                        type: object
                       privateKey:
                         description: |-
                           Private key options. These include the key algorithm and size, the used
diff --git a/config/crd/bases/operator.kcp.io_rootshards.yaml b/config/crd/bases/operator.kcp.io_rootshards.yaml
@@ -274,6 +274,9 @@ spec:
                           description: |-
                             Requested DNS subject alternative names. The values given here will be merged into the
                             DNS names determined automatically by the kcp-operator.
+                            If DNSNames is used together with IssuerRef, DNSNames will be uses as-is and not merged.
+                            If IssuerRef is not set, DNSNames will be merged with the defaults. This is to avoid
+                            trying to guess what DNSNames configued issuer might support.
                           items:
                             type: string
                           type: array
@@ -294,6 +297,22 @@ spec:
                           items:
                             type: string
                           type: array
+                        issuerRef:
+                          description: IssuerRef is a reference to the issuer for
+                            this certificate.
+                          properties:
+                            group:
+                              description: Group of the object being referred to.
+                              type: string
+                            kind:
+                              description: Kind of the object being referred to.
+                              type: string
+                            name:
+                              description: Name of the object being referred to.
+                              type: string
+                          required:
+                          - name
+                          type: object
                         privateKey:
                           description: |-
                             Private key options. These include the key algorithm and size, the used
@@ -1689,6 +1708,9 @@ spec:
                               description: |-
                                 Requested DNS subject alternative names. The values given here will be merged into the
                                 DNS names determined automatically by the kcp-operator.
+                                If DNSNames is used together with IssuerRef, DNSNames will be uses as-is and not merged.
+                                If IssuerRef is not set, DNSNames will be merged with the defaults. This is to avoid
+                                trying to guess what DNSNames configued issuer might support.
                               items:
                                 type: string
                               type: array
@@ -1709,6 +1731,23 @@ spec:
                               items:
                                 type: string
                               type: array
+                            issuerRef:
+                              description: IssuerRef is a reference to the issuer
+                                for this certificate.
+                              properties:
+                                group:
+                                  description: Group of the object being referred
+                                    to.
+                                  type: string
+                                kind:
+                                  description: Kind of the object being referred to.
+                                  type: string
+                                name:
+                                  description: Name of the object being referred to.
+                                  type: string
+                              required:
+                              - name
+                              type: object
                             privateKey:
                               description: |-
                                 Private key options. These include the key algorithm and size, the used
diff --git a/config/crd/bases/operator.kcp.io_shards.yaml b/config/crd/bases/operator.kcp.io_shards.yaml
@@ -258,6 +258,9 @@ spec:
                           description: |-
                             Requested DNS subject alternative names. The values given here will be merged into the
                             DNS names determined automatically by the kcp-operator.
+                            If DNSNames is used together with IssuerRef, DNSNames will be uses as-is and not merged.
+                            If IssuerRef is not set, DNSNames will be merged with the defaults. This is to avoid
+                            trying to guess what DNSNames configued issuer might support.
                           items:
                             type: string
                           type: array
@@ -278,6 +281,22 @@ spec:
                           items:
                             type: string
                           type: array
+                        issuerRef:
+                          description: IssuerRef is a reference to the issuer for
+                            this certificate.
+                          properties:
+                            group:
+                              description: Group of the object being referred to.
+                              type: string
+                            kind:
+                              description: Kind of the object being referred to.
+                              type: string
+                            name:
+                              description: Name of the object being referred to.
+                              type: string
+                          required:
+                          - name
+                          type: object
                         privateKey:
                           description: |-
                             Private key options. These include the key algorithm and size, the used
diff --git a/internal/resources/utils/certificates.go b/internal/resources/utils/certificates.go
@@ -20,6 +20,7 @@ import (
 	"maps"
 
 	certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
 
 	"k8s.io/apimachinery/pkg/util/sets"
 
@@ -65,7 +66,16 @@ func applyCertificateSpecTemplate(cert *certmanagerv1.Certificate, tpl *operator
 		return cert
 	}
 
-	cert.Spec.DNSNames = mergeSlices(cert.Spec.DNSNames, tpl.DNSNames)
+	// If DNSNames is provided in the template and issuer is overrided,
+	// it will replace any existing DNSNames.
+	// We don't merge as we don't know if issuer supports our default names.
+	// Its users responsibility to add them back if needed.
+	if len(tpl.DNSNames) > 0 && tpl.IssuerRef != nil {
+		cert.Spec.DNSNames = tpl.DNSNames
+	} else if len(tpl.DNSNames) > 0 {
+		cert.Spec.DNSNames = mergeSlices(cert.Spec.DNSNames, tpl.DNSNames)
+	}
+
 	cert.Spec.IPAddresses = mergeSlices(cert.Spec.IPAddresses, tpl.IPAddresses)
 
 	if tpl.Duration != nil {
@@ -84,6 +94,13 @@ func applyCertificateSpecTemplate(cert *certmanagerv1.Certificate, tpl *operator
 		cert.Spec.SecretTemplate.Annotations = addNewKeys(cert.Spec.SecretTemplate.Annotations, secretTpl.Annotations)
 		cert.Spec.SecretTemplate.Labels = addNewKeys(cert.Spec.SecretTemplate.Labels, secretTpl.Labels)
 	}
+	if tpl.IssuerRef != nil {
+		cert.Spec.IssuerRef = cmmeta.ObjectReference{
+			Name:  tpl.IssuerRef.Name,
+			Kind:  tpl.IssuerRef.Kind,
+			Group: tpl.IssuerRef.Group,
+		}
+	}
 
 	cert.Spec.PrivateKey = applyCertificatePrivateKeyTemplate(cert.Spec.PrivateKey, tpl.PrivateKey)
 	cert.Spec.Subject = applyCertificateSubjectTemplate(cert.Spec.Subject, tpl.Subject)
diff --git a/sdk/apis/operator/v1alpha1/common.go b/sdk/apis/operator/v1alpha1/common.go
@@ -134,8 +134,16 @@ type CertificateSpecTemplate struct {
 	// +optional
 	Subject *X509Subject `json:"subject,omitempty"`
 
+	// IssuerRef is a reference to the issuer for this certificate.
+	//
+	// +optional
+	IssuerRef *ObjectReference `json:"issuerRef"`
+
 	// Requested DNS subject alternative names. The values given here will be merged into the
 	// DNS names determined automatically by the kcp-operator.
+	// If DNSNames is used together with IssuerRef, DNSNames will be uses as-is and not merged.
+	// If IssuerRef is not set, DNSNames will be merged with the defaults. This is to avoid
+	// trying to guess what DNSNames configued issuer might support.
 	//
 	// +optional
 	DNSNames []string `json:"dnsNames,omitempty"`
diff --git a/sdk/apis/operator/v1alpha1/zz_generated.deepcopy.go b/sdk/apis/operator/v1alpha1/zz_generated.deepcopy.go
diff --git a/sdk/applyconfiguration/operator/v1alpha1/certificateissuerref.go b/sdk/applyconfiguration/operator/v1alpha1/certificateissuerref.go
diff --git a/sdk/applyconfiguration/operator/v1alpha1/certificatespectemplate.go b/sdk/applyconfiguration/operator/v1alpha1/certificatespectemplate.go
