Merge pull request cert-manager#8174 from cert-manager-bot/cherry-pick-8160-to-release-1.18

cert-manager-prow[bot] · web-flow · commit 0be5a60e327c · 2025-10-15T11:02:57.000Z
[release-1.18] Add defaulting to Certificate - CertificateRequest comparison
diff --git a/pkg/util/pki/match.go b/pkg/util/pki/match.go
@@ -27,10 +27,10 @@ import (
 	"encoding/asn1"
 	"fmt"
 	"net"
-	"reflect"
 
 	"k8s.io/apimachinery/pkg/util/sets"
 
+	"github.com/cert-manager/cert-manager/pkg/apis/certmanager"
 	cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	"github.com/cert-manager/cert-manager/pkg/util"
 )
@@ -224,7 +224,28 @@ func RequestMatchesSpec(req *cmapi.CertificateRequest, spec cmapi.CertificateSpe
 		req.Spec.Duration.Duration != spec.Duration.Duration {
 		violations = append(violations, "spec.duration")
 	}
-	if !reflect.DeepEqual(req.Spec.IssuerRef, spec.IssuerRef) {
+	// RequestMatchesSpec compares the IssuerRef in the CertificateRequest and
+	// CertificateSpec, regardless of any differences which are solely due to
+	// the presence or absence of default group (cert-manager.io) and kind (Issuer).
+	//
+	// We do not want to re-issue the Certificate if the user explicitly adds
+	// the default issuer group and kind.
+	// Nor do we want to re-issue if the user removes the default issuer group and kind.
+	//
+	// And we want to avoid re-issuing if a future version of the cert-manager
+	// CRDs introduces API defaults for issuerRef group and kind. Specifically,
+	// we want to gracefully handle a situation where the platform admin
+	// upgrades the CRDs to a version that has defaults, but not the controller.
+	// In that situation, when the CRDs are upgraded, the controller
+	// re-establishes its watches and refreshes its caches with updated Certificates
+	// and CertificateRequests, containing the new API defaults. But this
+	// doesn't happen transactionally, so the updated Certificates may start
+	// being reconciled before the cached CertificateRequests have been updated
+	// and there will be a mis-match if the Certificate has the default
+	// group/kind set but the CertificateRequest does not.
+	if req.Spec.IssuerRef.Name != spec.IssuerRef.Name ||
+		!issuerKindsEqual(req.Spec.IssuerRef.Kind, spec.IssuerRef.Kind) ||
+		!issuerGroupsEqual(req.Spec.IssuerRef.Group, spec.IssuerRef.Group) {
 		violations = append(violations, "spec.issuerRef")
 	}
 
@@ -233,6 +254,41 @@ func RequestMatchesSpec(req *cmapi.CertificateRequest, spec cmapi.CertificateSpe
 	return violations, nil
 }
 
+// These defaults are also applied at runtime by the cert-manager
+// CertificateRequest controller.
+const (
+	// defaultIssuerKind is the default value for an IssuerRef's kind field
+	// if it is not specified.
+	defaultIssuerKind = cmapi.IssuerKind
+	// defaultIssuerGroup is the default value for an IssuerRef's group field
+	// if it is not specified.
+	defaultIssuerGroup = certmanager.GroupName
+)
+
+// issuerKindsEqual returns true if the two issuer reference kinds are equal,
+// taking into account the defaulting of the kind to "Issuer".
+func issuerKindsEqual(l, r string) bool {
+	if l == "" {
+		l = defaultIssuerKind
+	}
+	if r == "" {
+		r = defaultIssuerKind
+	}
+	return l == r
+}
+
+// issuerGroupsEqual returns true if the two issuer reference groups are equal,
+// taking into account defaulting of the group to "cert-manager.io".
+func issuerGroupsEqual(l, r string) bool {
+	if l == "" {
+		l = defaultIssuerGroup
+	}
+	if r == "" {
+		r = defaultIssuerGroup
+	}
+	return l == r
+}
+
 func matchOtherNames(extension []pkix.Extension, specOtherNames []cmapi.OtherName) (bool, error) {
 	x509SANExtension, err := extractSANExtension(extension)
 	if err != nil {
diff --git a/pkg/util/pki/match_test.go b/pkg/util/pki/match_test.go
@@ -24,9 +24,12 @@ import (
 	"reflect"
 	"testing"
 
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
 	"github.com/cert-manager/cert-manager/pkg/util/pki"
 	"github.com/cert-manager/cert-manager/test/unit/gen"
 )
@@ -290,6 +293,197 @@ func TestRequestMatchesSpecSubject(t *testing.T) {
 	}
 }
 
+// RequestMatchesSpecIssuerRef tests that RequestMatchesSpec correctly compares
+// the IssuerRef in the CertificateRequest and CertificateSpec, regardless of
+// any differences which are solely due to the presence or absence of default
+// group and kind.
+//
+// For example, we do not want to re-issue the Certificate if the user
+// explicitly adds the default issuer group and kind. Nor do we want to re-issue
+// if the user removes the default issuer group and kind.
+//
+// And we want to avoid re-issuing if a future version of the cert-manager
+// CRDs introduces API defaults for issuerRef group and kind. Specifically,
+// we want to gracefully handle a situation where the platform admin
+// upgrades the CRDs to a version that has defaults, but not the controller.
+// In that situation, when the CRDs are upgraded, the controller
+// re-establishes its watches and refreshes its caches with updated Certificates
+// and CertificateRequests, containing the new API defaults. But this
+// doesn't happen transactionally, so the updated Certificates may start
+// being reconciled before the cached CertificateRequests have been updated
+// and there will be a mis-match if the Certificate has the default
+// group/kind set but the CertificateRequest does not.
+func TestRequestMatchesSpecIssuerRef(t *testing.T) {
+	type testCase struct {
+		crSpec     *cmapi.CertificateRequest
+		certSpec   cmapi.CertificateSpec
+		err        string
+		violations []string
+	}
+
+	tests := map[string]testCase{
+		"should not report any violation if Certificate issuerRef matches the CertificateRequest's": {
+			crSpec: mustBuildCertificateRequest(t, &cmapi.Certificate{Spec: cmapi.CertificateSpec{
+				CommonName: "dummy-common-name",
+				IssuerRef: cmmeta.ObjectReference{
+					Name:  "test-issuer",
+					Kind:  "Issuer",
+					Group: "cert-manager.io",
+				},
+			}}),
+			certSpec: cmapi.CertificateSpec{
+				CommonName: "dummy-common-name",
+				IssuerRef: cmmeta.ObjectReference{
+					Name:  "test-issuer",
+					Kind:  "Issuer",
+					Group: "cert-manager.io",
+				},
+			},
+			err: "",
+		},
+		"should not report any violation if both Certificate and CertificateRequest issuerRef Kind and Group are empty": {
+			crSpec: mustBuildCertificateRequest(t, &cmapi.Certificate{Spec: cmapi.CertificateSpec{
+				CommonName: "dummy-common-name",
+				IssuerRef: cmmeta.ObjectReference{
+					Name: "test-issuer",
+				},
+			}}),
+			certSpec: cmapi.CertificateSpec{
+				CommonName: "dummy-common-name",
+				IssuerRef: cmmeta.ObjectReference{
+					Name: "test-issuer",
+				},
+			},
+			err: "",
+		},
+		"should not report any violation if Certificate issuerRef Kind and Group are defaulted and CertificateRequest issuerRef Group is empty": {
+			crSpec: mustBuildCertificateRequest(t, &cmapi.Certificate{Spec: cmapi.CertificateSpec{
+				CommonName: "dummy-common-name",
+				IssuerRef: cmmeta.ObjectReference{
+					Name: "test-issuer",
+					Kind: "Issuer",
+				},
+			}}),
+			certSpec: cmapi.CertificateSpec{
+				CommonName: "dummy-common-name",
+				IssuerRef: cmmeta.ObjectReference{
+					Name:  "test-issuer",
+					Kind:  "Issuer",
+					Group: "cert-manager.io",
+				},
+			},
+			err: "",
+		},
+		"should not report any violation if Certificate issuerRef Kind and Group are defaulted and CertificateRequest issuerRef Kind is empty": {
+			crSpec: mustBuildCertificateRequest(t, &cmapi.Certificate{Spec: cmapi.CertificateSpec{
+				CommonName: "dummy-common-name",
+				IssuerRef: cmmeta.ObjectReference{
+					Name:  "test-issuer",
+					Group: "cert-manager.io",
+				},
+			}}),
+			certSpec: cmapi.CertificateSpec{
+				CommonName: "dummy-common-name",
+				IssuerRef: cmmeta.ObjectReference{
+					Name:  "test-issuer",
+					Kind:  "Issuer",
+					Group: "cert-manager.io",
+				},
+			},
+			err: "",
+		},
+		"should report violation if Certificate issuerRef name mismatches the CertificateRequest's": {
+			crSpec: mustBuildCertificateRequest(t, &cmapi.Certificate{Spec: cmapi.CertificateSpec{
+				CommonName: "dummy-common-name",
+				IssuerRef: cmmeta.ObjectReference{
+					Name:  "test-issuer",
+					Kind:  "Issuer",
+					Group: "cert-manager.io",
+				},
+			}}),
+			certSpec: cmapi.CertificateSpec{
+				CommonName: "dummy-common-name",
+				IssuerRef: cmmeta.ObjectReference{
+					Name:  "different-issuer",
+					Kind:  "Issuer",
+					Group: "cert-manager.io",
+				},
+			},
+			err:        "",
+			violations: []string{"spec.issuerRef"},
+		},
+		"should not report any violation if Certificate issuerRef Kind and Group are defaulted and CertificateRequest's are empty": {
+			crSpec: mustBuildCertificateRequest(t, &cmapi.Certificate{Spec: cmapi.CertificateSpec{
+				CommonName: "dummy-common-name",
+				IssuerRef: cmmeta.ObjectReference{
+					Name: "test-issuer",
+				},
+			}}),
+			certSpec: cmapi.CertificateSpec{
+				CommonName: "dummy-common-name",
+				IssuerRef: cmmeta.ObjectReference{
+					Name:  "test-issuer",
+					Kind:  "Issuer",
+					Group: "cert-manager.io",
+				},
+			},
+			err: "",
+		},
+		"should report violation if Certificate issuerRef Kind mismatches the CertificateRequest's (defaulted vs non-defaulted)": {
+			crSpec: mustBuildCertificateRequest(t, &cmapi.Certificate{Spec: cmapi.CertificateSpec{
+				CommonName: "dummy-common-name",
+				IssuerRef: cmmeta.ObjectReference{
+					Name:  "test-issuer",
+					Kind:  "ClusterIssuer",
+					Group: "cert-manager.io",
+				},
+			}}),
+			certSpec: cmapi.CertificateSpec{
+				CommonName: "dummy-common-name",
+				IssuerRef: cmmeta.ObjectReference{
+					Name:  "test-issuer",
+					Kind:  "Issuer",
+					Group: "cert-manager.io",
+				},
+			},
+			err:        "",
+			violations: []string{"spec.issuerRef"},
+		},
+		"should report violation if Certificate issuerRef Group mismatches the CertificateRequest's (defaulted vs non-defaulted)": {
+			crSpec: mustBuildCertificateRequest(t, &cmapi.Certificate{Spec: cmapi.CertificateSpec{
+				CommonName: "dummy-common-name",
+				IssuerRef: cmmeta.ObjectReference{
+					Name:  "test-issuer",
+					Kind:  "Issuer",
+					Group: "different-group.io",
+				},
+			}}),
+			certSpec: cmapi.CertificateSpec{
+				CommonName: "dummy-common-name",
+				IssuerRef: cmmeta.ObjectReference{
+					Name:  "test-issuer",
+					Kind:  "Issuer",
+					Group: "cert-manager.io",
+				},
+			},
+			err:        "",
+			violations: []string{"spec.issuerRef"},
+		},
+	}
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			violations, err := pki.RequestMatchesSpec(test.crSpec, test.certSpec)
+			if test.err != "" {
+				assert.EqualError(t, err, test.err)
+				assert.Empty(t, violations)
+				return
+			}
+			require.NoError(t, err)
+			assert.Equal(t, test.violations, violations)
+		})
+	}
+}
+
 func TestFuzzyX509AltNamesMatchSpec(t *testing.T) {
 	tests := map[string]struct {
 		x509       *x509.Certificate
