Implement issuance of temporary certificate when using VirtualServer cert-manager integration

Author: svvac

deployments/common/crds/k8s.nginx.org_virtualservers.yaml

@@ -535,6 +535,8 @@ spec:
                           type: string
                         duration:
                           type: string
+                        issue-temp-cert:
+                          type: boolean
                         issuer:
                           type: string
                         issuer-group:

docs/content/configuration/virtualserver-and-virtualserverroute-resources.md

@@ -127,6 +127,7 @@ cert-manager:
 |``duration`` | This field allows you to configure spec.duration field for the Certificate to be generated. Must be specified using a [Go time.Duration](https://pkg.go.dev/time#ParseDuration) string format, which does not allow the d (days) suffix. You must specify these values using s, m, and h suffixes instead. | ``string`` | No |
 |``renew-before`` |  this annotation allows you to configure spec.renewBefore field for the Certificate to be generated. Must be specified using a [Go time.Duration](https://pkg.go.dev/time#ParseDuration) string format, which does not allow the d (days) suffix. You must specify these values using s, m, and h suffixes instead. | ``string`` | No |
 |``usages`` |  This field allows you to configure spec.usages field for the Certificate to be generated. Pass a string with comma-separated values i.e. ``key agreement,digital signature, server auth``. An exhaustive list of supported key usages can be found in the [the cert-manager api documentation](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.KeyUsage). | ``string`` | No |
+|``issue-temp-cert`` | When ``true``, ask cert-manager for a [temporary self-signed certificate](https://cert-manager.io/docs/usage/certificate/#temporary-certificates-while-issuing) pending the issuance of the Certificate. This allows HTTPS-only servers to use ACME HTTP01 challenges when the TLS secret does not exist yet. | ``boolean`` | No |
 {{% /table %}}
 
 ### VirtualServer.Listener

internal/certmanager/helper.go

@@ -41,6 +41,7 @@ var (
 	issuerKindCmField          = "tls.cert-manager.issuer-kind"
 	renewBeforeCmField         = "tls.cert-manager.renew-before"
 	usagesCmField              = "tls.cert-manager.usages"
+	certMgrTempCertAnnotation  = "cert-manager.io/issue-temporary-certificate"
 )
 
 // translateVsSpec updates the Certificate spec using the VS TLS Cert-Manager
@@ -115,6 +116,14 @@ func translateVsSpec(crt *cmapi.Certificate, vsCmSpec *vsapi.CertManager) error
 		}
 		crt.Spec.Usages = newUsages
 	}
+
+	if vsCmSpec.IssueTempCert {
+		if crt.ObjectMeta.Annotations == nil {
+			crt.ObjectMeta.Annotations = make(map[string]string)
+		}
+		crt.ObjectMeta.Annotations[certMgrTempCertAnnotation] = "true"
+	}
+
 	if len(errs) > 0 {
 		return errors.New(strings.Join(errs, ", "))
 	}

internal/certmanager/helper_test.go

@@ -44,6 +44,14 @@ func Test_translateVsSpec(t *testing.T) {
 		Usages:      "server auth,signing",
 	}
 
+	validSpecWithTempCert := vsapi.CertManager{
+		CommonName:    "www.example.com",
+		Duration:      "168h", // 1 week
+		RenewBefore:   "24h",
+		Usages:        "server auth,signing",
+		IssueTempCert: true,
+	}
+
 	invalidDuration := vsapi.CertManager{
 		Duration: "un-parsable duration",
 	}
@@ -71,6 +79,17 @@ func Test_translateVsSpec(t *testing.T) {
 				a.Equal([]cmapi.KeyUsage{cmapi.UsageServerAuth, cmapi.UsageSigning}, crt.Spec.Usages)
 			},
 		},
+		"success with temp cert": {
+			crt:    gen.Certificate("example-cert"),
+			cmspec: &validSpecWithTempCert,
+			check: func(a *assert.Assertions, crt *cmapi.Certificate) {
+				a.Equal("www.example.com", crt.Spec.CommonName)
+				a.Equal(&metav1.Duration{Duration: time.Hour * 24 * 7}, crt.Spec.Duration)
+				a.Equal(&metav1.Duration{Duration: time.Hour * 24}, crt.Spec.RenewBefore)
+				a.Equal([]cmapi.KeyUsage{cmapi.UsageServerAuth, cmapi.UsageSigning}, crt.Spec.Usages)
+				a.Equal("true", crt.ObjectMeta.Annotations[certMgrTempCertAnnotation])
+			},
+		},
 		"nil cm spec": {
 			crt:    gen.Certificate("example-cert"),
 			cmspec: nil,

pkg/apis/configuration/v1/types.go

@@ -300,6 +300,7 @@ type CertManager struct {
 	Duration      string `json:"duration"`
 	RenewBefore   string `json:"renew-before"`
 	Usages        string `json:"usages"`
+	IssueTempCert bool   `json:"issue-temp-cert"`
 }
 
 // VirtualServerStatus defines the status for the VirtualServer resource.