Merge pull request #212 from Cisien/main

Pass non-driver volumeAttributes to the created CertificateRequest
cert-manager · Mar 25, 2024 · 25661e5 · 25661e5
2 parents ce2f25c + f53e30e
commit 25661e5
Show file tree

Hide file tree

Showing 3 changed files with 100 additions and 3 deletions.
diff --git a/pkg/requestgen/generator.go b/pkg/requestgen/generator.go
@@ -32,6 +32,7 @@ import (
 	"github.com/cert-manager/csi-lib/manager"
 	"github.com/cert-manager/csi-lib/metadata"
 
+	"github.com/cert-manager/csi-driver/pkg/apis"
 	"github.com/cert-manager/csi-driver/pkg/apis/defaults"
 	csiapi "github.com/cert-manager/csi-driver/pkg/apis/v1alpha1"
 	"github.com/cert-manager/csi-driver/pkg/apis/validation"
@@ -73,6 +74,19 @@ func RequestForMetadata(meta metadata.Metadata) (*manager.CertificateRequestBund
 		return nil, fmt.Errorf("%q: %w", csiapi.IPSANsKey, err)
 	}
 
+	annotations := make(map[string]string)
+	for key, val := range attrs {
+		group, _, found := strings.Cut(key, "/")
+		if !found {
+			continue
+		}
+
+		if group != apis.GroupName &&
+			group != "csi.storage.k8s.io" {
+			annotations[key] = val
+		}
+	}
+
 	return &manager.CertificateRequestBundle{
 		Request: &x509.CertificateRequest{
 			Subject: pkix.Name{
@@ -91,7 +105,7 @@ func RequestForMetadata(meta metadata.Metadata) (*manager.CertificateRequestBund
 			Kind:  attrs[csiapi.IssuerKindKey],
 			Group: attrs[csiapi.IssuerGroupKey],
 		},
-		Annotations: nil,
+		Annotations: annotations,
 	}, nil
 }
 

diff --git a/pkg/requestgen/generator_test.go b/pkg/requestgen/generator_test.go
@@ -79,7 +79,8 @@ func Test_RequestForMetadata(t *testing.T) {
 					Kind:  "Issuer",
 					Group: "cert-manager.io",
 				},
-				Duration: time.Hour * 24 * 90,
+				Duration:    time.Hour * 24 * 90,
+				Annotations: make(map[string]string),
 			},
 			expErr: false,
 		},
@@ -170,7 +171,8 @@ func Test_RequestForMetadata(t *testing.T) {
 					Kind:  "FooBar",
 					Group: "joshvanl.com",
 				},
-				Duration: time.Hour,
+				Duration:    time.Hour,
+				Annotations: make(map[string]string),
 			},
 			expErr: false,
 		},

diff --git a/test/e2e/suite/cases/annotations.go b/test/e2e/suite/cases/annotations.go
@@ -0,0 +1,81 @@
+/*
+Copyright 2021 The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cases
+
+import (
+	"context"
+	"time"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/cert-manager/csi-driver/test/e2e/framework"
+	"github.com/cert-manager/csi-driver/test/e2e/util"
+)
+
+var _ = framework.CasesDescribe("Should set extra attributes as annotations on the CertificateRequest", func() {
+	f := framework.NewDefaultFramework("annotations")
+
+	It("should create a pod with a certificate with custom attributes set", func() {
+		testVolume, testPod := basePod(f, map[string]string{
+			"csi.cert-manager.io/issuer-name":  f.Issuer.Name,
+			"csi.cert-manager.io/issuer-kind":  f.Issuer.Kind,
+			"csi.cert-manager.io/issuer-group": f.Issuer.Group,
+			"csi.cert-manager.io/dns-names":    "a.example.com,b.example.com",
+			"csi.cert-manager.io/uri-sans":     "spiffe://my-service.sandbox.cluster.local,http://foo.bar",
+			"csi.cert-manager.io/ip-sans":      "192.168.0.1,123.4.5.6",
+			"csi.cert-manager.io/duration":     "123h",
+			"csi.cert-manager.io/is-ca":        "true",
+			"csi.cert-manager.io/common-name":  "foo-bar",
+			"csi.cert-manager.io/key-usages":   "signing,digital signature,content commitment,key encipherment,key agreement,data encipherment",
+			"custom.group.io/custom-key":       "custom-value",
+		})
+
+		By("Creating a Pod")
+		testPod, err := f.KubeClientSet.CoreV1().Pods(f.Namespace.Name).Create(context.TODO(), testPod, metav1.CreateOptions{})
+		Expect(err).NotTo(HaveOccurred())
+
+		By("Waiting for Pod to become ready")
+		err = f.Helper().WaitForPodReady(f.Namespace.Name, testPod.Name, time.Minute)
+		Expect(err).NotTo(HaveOccurred())
+
+		testPod, err = f.KubeClientSet.CoreV1().Pods(f.Namespace.Name).Get(context.TODO(), testPod.Name, metav1.GetOptions{})
+		Expect(err).NotTo(HaveOccurred())
+
+		By("Ensure the corresponding CertificateRequest should exist with the correct spec")
+		crs, err := f.Helper().WaitForCertificateRequestsReady(testPod, time.Second)
+		Expect(err).NotTo(HaveOccurred())
+
+		err = util.CertificateRequestMatchesSpec(crs[0], testVolume.CSI.VolumeAttributes)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(crs).To(HaveLen(1))
+
+		By("Ensuring the custom.group.io/custom-key annotation exists on the CertificateRequests with the value set to custom-value")
+		Expect(crs[0].Annotations).NotTo(BeEmpty())
+		Expect(crs[0].Annotations["custom.group.io/custom-key"]).Should(Equal("custom-value"))
+
+		By("Ensure the certificate key pair exists in the pod and matches that in the CertificateRequest")
+		certData, keyData, err := f.Helper().CertificateKeyInPodPath(f.Namespace.Name, testPod.Name, "test-container-1", "/tls",
+			testVolume.CSI.VolumeAttributes)
+		Expect(err).NotTo(HaveOccurred())
+
+		err = f.Helper().CertificateKeyMatch(crs[0], certData, keyData)
+		Expect(err).NotTo(HaveOccurred())
+	})
+})