Issue 5514 read cabundle from kube objects - design doc

[AppalaKarthik]

Pull Request Motivation

Design Doc for referencing cabundle using kubernetes native objects(secrets/configmaps)

Issue reference 5514

Kind

Design

[jetstack-bot]

Hi @AppalaKarthik. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sankalp-at-gh]

This PR is to review design document for #5514

[inteon]

@AppalaKarthik Thank you for the design document, I think it is ready to be merged (will ask other maintainers to also have a look).
Could you sign-off on all commits? Our DCO check is failing.

[inteon]

I'm not sure that we have to introduce a new feature flag for this.
We also did not introduce a feature flag when we added secret refs for Vault: #5387

[erikgb]

Are we watching configmaps in cert-manager already? If not, I think it could make sense to initially add it behind a feature gate.

[inteon]

I think we should also specify that we want to stay up-to-date with the latest version of the resource (if the resource contents change, we want to start trusting the new CA).
TODO: check if #5387 does this properly & how it does this.

[erikgb]

Agreed. I think #5387 does this correctly for secrets, ref.

cert-manager/pkg/controller/issuers/checks.go

Lines 91 to 96 in 27fb916

	if iss.Spec.Vault.CABundleSecretRef != nil {
	if iss.Spec.Vault.CABundleSecretRef.Name == secret.Name {
	affected = append(affected, iss)
	continue
	}
	}

(and the same is implemented for cluster issuers).

[inteon]

@brianwarner could you fix the DCO error?

[brianwarner]

Hi @inteon, it was a merge commit which should generally be excluded from DCO checks. But if it's required and you don't have access to the dco bot config, it's probably best if I just prune the merge commit?

[erikgb]

merge commit which should generally be excluded from DCO checks

IMO this PR should be rebased and commits squashed. Any reason for not doing this?

[brianwarner]

That does make a lot more sense, yeah... @AppalaKarthik does that work for you?

[AppalaKarthik]

Yeah it does. Let me do that. From: Brian Warner ***@***.***> Date: Monday, September 25, 2023 at 4:42 PM To: cert-manager/cert-manager ***@***.***> Cc: Appala, Karthik ***@***.***>, Mention ***@***.***> Subject: Re: [cert-manager/cert-manager] Issue 5514 read cabundle from kube objects - design doc (PR #6228) NOTICE: This email is from an external sender - do not click on links or attachments unless you recognize the sender and know the content is safe. That does make a lot more sense, yeah... @AppalaKarthik<https://github.com/AppalaKarthik> does that work for you? — Reply to this email directly, view it on GitHub<#6228 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AY4S3OEPP5TLF5U5P3NDJXLX4HUD5ANCNFSM6AAAAAA2SNLBQY>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[jetstack-bot]

Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.

📝 Please follow instructions in the contributing guide to update your commits with the DCO

Full details of the Developer Certificate of Origin can be found at developercertificate.org.

The list of commits missing DCO signoff:

• e080fc4 Design proposal of how cabunc=dle can be read from kube objects
• 6775330 Renaming file to current date
• 9d23bb5 Adding author github links
• 4eeccf2 Adding author github links hyperlinks
• 39cb4c0 Removing author hyperlinks
• b626145 Removing author hyperlinks
• 332ffdb Correcting typos
• 6624671 Removing unwanted file
• a83cf94 Merge branch 'issue-5514-read-cabundle-from-kube-objects' of https://github.com/fidelity/cert-manager into issue-5514-read-cabundle-from-kube-objects
• 076071a Removing clustertrustbundle from design
• c19d292 Merge branch 'cert-manager:master' into issue-5514-read-cabundle-from-kube-objects
• a66692a Merge branch 'cert-manager:master' into issue-5514-read-cabundle-from-kube-objects

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[jetstack-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign irbekrm for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale

[cert-manager-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
/lifecycle rotten
/remove-lifecycle stale

[hawksight]

/remove-lifecycle rotten

[hawksight]

/remove-lifecycle stale

[erikgb]

@AppalaKarthik Are you able to rebase/squash this PR to make it mergeable? If not, please let us know if you are ok with someone else picking this up.