Certificate revocation from CAS Console #28

Open
prateeknayak opened this issue Mar 7, 2021 · 2 comments
Labels
question Further information is requested

Comments

@prateeknayak

Hey Folks, Firstly thanks for the google-cas-issuer this really simplifies our integration with Google CAS.

While trialing this we observed the following behavior while revoking certificates

  1. If I revoke a certificate that was issued by CAS to cert-manager from the CAS console, the issuer doesn't know about it. I am guessing there is no event stream or check to ascertain whether the cert is still valid? Just wanted to check if it is on the roadmap, or if there is any high-level plan for revocation to be handled. A workaround for me would be to set the TTL of the cert super low (which will start hitting the API aggressively), but it will minimize the risk with revocation.

  2. After revocation, when I delete the Certificate object, google-cas-issuer starts spitting out errors like the one below:

google-cas-issuer-d866f5f58-45bdm google-cas-issuer 
{
  "level": "error",
  "ts": 1615083602.4735746,
  "logger": "controller-runtime.manager.controller.certificaterequest",
  "msg": "Reconciler error",
  "reconciler group": "cert-manager.io",
  "reconciler kind": "CertificateRequest",
  "name": "demo-certificate-m27js",
  "namespace": "default",
  "error": "CertificateRequest.cert-manager.io \"demo-certificate-m27js\" not found",
  "stacktrace": "github.com/go-logr/zapr.(*zapLogger).Error\n\t/go/pkg/mod/github.com/go-logr/zapr@v0.2.0/zapr.go:132\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.8.0/pkg/internal/controller/controller.go:297\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.8.0/pkg/internal/controller/controller.go:248\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1.1\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.8.0/pkg/internal/controller/controller.go:211\nk8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext.func1\n\t/go/pkg/mod/k8s.io/apimachinery@v0.20.1/pkg/util/wait/wait.go:185\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/go/pkg/mod/k8s.io/apimachinery@v0.20.1/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/go/pkg/mod/k8s.io/apimachinery@v0.20.1/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/go/pkg/mod/k8s.io/apimachinery@v0.20.1/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext\n\t/go/pkg/mod/k8s.io/apimachinery@v0.20.1/pkg/util/wait/wait.go:185\nk8s.io/apimachinery/pkg/util/wait.UntilWithContext\n\t/go/pkg/mod/k8s.io/apimachinery@v0.20.1/pkg/util/wait/wait.go:99"
}

One thing to note is that if I just delete the secret, cert-manager gets a new certificate from CAS. So maybe just delete the secret to rotate/revoke the cert?

  3. When I delete the secret, cert-manager gets a new cert issued via CAS but leaves the old certificate as-is in the CAS issued-certificates list. I have to manually revoke it.

Overall, I would like to understand what the best way is to handle revocation gracefully via cert-manager.

Thanks
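
The short-lifetime workaround mentioned above, written out as a cert-manager Certificate manifest. This is an added example, not a manifest from the issue or from the google-cas-issuer project. The `duration` and `renewBefore` fields and the 90-day default are cert-manager's; the `issuerRef` group, kind and issuer name are assumed for illustration and must match your installed issuer.

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-certificate
  namespace: default
spec:
  secretName: demo-certificate-tls
  commonName: demo.example.internal
  # Default when omitted: duration 2160h (90 days), renewBefore 360h (30 days).
  # With those values a certificate revoked in the CAS console keeps being
  # served by the workload for up to 90 days, because nothing in the chain
  # checks revocation.
  #
  # Short-lifetime stand-in for revocation: cert-manager's minimum duration is
  # 1h, and it renews once renewBefore remains, so a console-revoked leaf is
  # replaced within at most one duration. Every renewal is one CAS issuance
  # call, so budget API quota and CA issuance volume accordingly.
  duration: 1h
  renewBefore: 20m
  issuerRef:
    group: cas-issuer.jetstack.io   # assumed group for google-cas-issuer
    kind: GoogleCASIssuer           # assumed kind
    name: googlecasissuer-sample    # assumed issuer name
```

Shortening the lifetime bounds the exposure window; it does not make anyone check revocation. Each renewal also leaves the previous leaf in the CAS issued-certificates list until it expires or is revoked there.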

@jakexks
Contributor

jakexks commented Mar 9, 2021

Hi @prateeknayak

  1. This is more of a question for upstream cert-manager. Currently there's no support for revocation, although the feature request has been floated before. The current recommendation is to set certificate lifetimes to a short duration. It would be interesting to learn about your use case for revocation to add some weight to the issue, come chat with us in the #cert-manager channel on Kubernetes slack or our community meetings!
    In a future release, the issuer should be able to detect the revocation of the root or intermediate CA. We're just waiting for the Google CAS API to be finalised before implementing this.
  2. That looks like a bug: a deleted certificate has got stuck in the reconcile loop. I'll double-check that. To force a renewal of an existing certificate you can use our kubectl plugin (or delete the secret): https://cert-manager.io/docs/usage/kubectl-plugin/
  3. This feature has been requested before, and is still open. Handling 'unregistering' certificates from Venafi TPP cert-manager/cert-manager#2178. I don't believe anything is currently on the roadmap but we can prioritise features if they have commercial interest!
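
A worked example for point 3 above, the certificates that stay in the CAS issued list after cert-manager has renewed: it reads the serial of the leaf currently in the Secret's `tls.crt`, compares it against the serials CAS reports, and lists the still-valid, not-yet-revoked leftovers as revocation candidates. This is added example code, not from the issue or the google-cas-issuer project. The `issuedCert` struct and the sample listing are constructed for the example (CAS itself exposes the serial as a hex string; the real API types are not used here), and the certificate is self-signed on the fly so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// issuedCert is an assumed, minimal view of one entry in the CAS issued list.
type issuedCert struct {
	Name      string    // CAS certificate resource name (constructed here)
	HexSerial string    // serial as a hex string, as CAS reports it
	NotAfter  time.Time // expiry
	Revoked   bool      // already revoked in CAS
}

// normalizeSerial makes hex serials comparable regardless of case or
// leading-zero padding: "02bc" and "2BC" are the same serial.
func normalizeSerial(s string) string {
	s = strings.TrimLeft(strings.ToUpper(strings.TrimSpace(s)), "0")
	if s == "" {
		return "0"
	}
	return s
}

// activeSerial parses the PEM certificate from a Secret's tls.crt and returns
// its normalized hex serial number.
func activeSerial(tlsCrtPEM []byte) (string, error) {
	block, _ := pem.Decode(tlsCrtPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("tls.crt does not start with a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	return normalizeSerial(cert.SerialNumber.Text(16)), nil
}

// staleCerts returns issued certificates that are still valid and unrevoked
// but are not the one mounted in the Secret: the leftovers of past renewals.
func staleCerts(active string, issued []issuedCert, now time.Time) []issuedCert {
	var out []issuedCert
	for _, c := range issued {
		if c.Revoked || !now.Before(c.NotAfter) {
			continue // already revoked or expired: nothing to revoke
		}
		if normalizeSerial(c.HexSerial) == normalizeSerial(active) {
			continue // the live certificate: keep it
		}
		out = append(out, c)
	}
	return out
}

// selfSignedPEM builds a throwaway certificate with a chosen serial; it stands
// in for the CAS-issued leaf so the example runs offline.
func selfSignedPEM(serial int64, now time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "demo.example.internal"},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	crt, err := selfSignedPEM(0x2bc, now) // constructed stand-in for the Secret's tls.crt
	if err != nil {
		panic(err)
	}
	active, err := activeSerial(crt)
	if err != nil {
		panic(err)
	}
	// Constructed CAS listing: one old leaf, the live one, an expired one, a revoked one.
	issued := []issuedCert{
		{Name: "old-leaf", HexSerial: "01A4", NotAfter: now.Add(24 * time.Hour)},
		{Name: "live-leaf", HexSerial: "02BC", NotAfter: now.Add(24 * time.Hour)},
		{Name: "expired-leaf", HexSerial: "0300", NotAfter: now.Add(-time.Hour)},
		{Name: "revoked-leaf", HexSerial: "0400", NotAfter: now.Add(24 * time.Hour), Revoked: true},
	}
	for _, c := range staleCerts(active, issued, now) {
		fmt.Printf("revocation candidate: %s (serial %s)\n", c.Name, c.HexSerial)
	}
}
```

In a real run the Secret comes from `kubectl get secret <name> -o jsonpath='{.data.tls\.crt}' | base64 -d` and the listing from the CAS console or API; the revocation itself is still done in CAS, as the thread says. Matching on the serial rather than the subject matters because every renewal reuses the same CN.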

@jakexks jakexks added the question Further information is requested label Mar 11, 2021
@jakexks
Contributor

jakexks commented Mar 11, 2021

The error loop should have been fixed in v0.2.0
