add support for specifying revisionHistoryLimit for the generated Certificate

cmd/root.go

@@ -35,6 +35,7 @@ func init() {
 	fs.String("service-name", "", "NamespacedName of the Contour LoadBalancer Service")
 	fs.String("default-issuer-name", "", "Issuer name used by default")
 	fs.String("default-issuer-kind", controllers.ClusterIssuerKind, "Issuer kind used by default")
+	fs.Uint("csr-revision-limit", 0, "Maximum number of CertificateRequest revisions to keep")
 	fs.String("ingress-class-name", "", "Ingress class name that watched by Contour Plus. If not specified, then all classes are watched")
 	fs.Bool("leader-election", true, "Enable/disable leader election")
 	if err := viper.BindPFlags(fs); err != nil {
@@ -65,6 +66,7 @@ In addition to flags, the following environment variables are read:
 	CP_SERVICE_NAME          NamespacedName of the Contour LoadBalancer Service
 	CP_DEFAULT_ISSUER_NAME   Issuer name used by default
 	CP_DEFAULT_ISSUER_KIND   Issuer kind used by default
+	CP_CSR_REVISION_LIMIT    Maximum number of CertificateRequest revisions to keep
 	CP_LEADER_ELECTION       Disable leader election if set to "false"
 	CP_INGRESS_CLASS_NAME    Ingress class name that watched by Contour Plus. If not specified, then all classes are watched`,
 	RunE: func(cmd *cobra.Command, args []string) error {

cmd/run.go

@@ -66,6 +66,8 @@ func run() error {
 
 	opts.IngressClassName = viper.GetString("ingress-class-name")
 
+	opts.CSRRevisionLimit = viper.GetUint("csr-revision-limit")
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme: scheme,
 		Metrics: metricsserver.Options{

controllers/httpproxy_controller.go

@@ -38,6 +38,7 @@ type HTTPProxyReconciler struct {
 	Prefix            string
 	DefaultIssuerName string
 	DefaultIssuerKind string
+	CSRRevisionLimit  uint
 	CreateDNSEndpoint bool
 	CreateCertificate bool
 	IngressClassName  string
@@ -217,11 +218,7 @@ func (r *HTTPProxyReconciler) reconcileCertificate(ctx context.Context, hp *proj
 		return nil
 	}
 
-	obj := &unstructured.Unstructured{}
-	obj.SetGroupVersionKind(certManagerGroupVersion.WithKind(CertificateKind))
-	obj.SetName(r.Prefix + hp.Name)
-	obj.SetNamespace(hp.Namespace)
-	obj.UnstructuredContent()["spec"] = map[string]interface{}{
+	certificateSpec := map[string]interface{}{
 		"dnsNames":   []string{vh.Fqdn},
 		"secretName": vh.TLS.SecretName,
 		"commonName": vh.Fqdn,
@@ -236,6 +233,16 @@ func (r *HTTPProxyReconciler) reconcileCertificate(ctx context.Context, hp *proj
 			usageClientAuth,
 		},
 	}
+
+	if r.CSRRevisionLimit > 0 {
+		certificateSpec["revisionHistoryLimit"] = r.CSRRevisionLimit
+	}
+
+	obj := &unstructured.Unstructured{}
+	obj.SetGroupVersionKind(certManagerGroupVersion.WithKind(CertificateKind))
+	obj.SetName(r.Prefix + hp.Name)
+	obj.SetNamespace(hp.Namespace)
+	obj.UnstructuredContent()["spec"] = certificateSpec
 	err := ctrl.SetControllerReference(hp, obj, r.Scheme)
 	if err != nil {
 		return err

controllers/httpproxy_controller_test.go

@@ -102,6 +102,7 @@ func testHTTPProxyReconcile() {
 			usageServerAuth,
 			usageClientAuth,
 		}))
+		Expect(crtSpec["revisionHistoryLimit"]).Should(BeNil())
 	})
 
 	It(`should not create DNSEndpoint and Certificate if "contour-plus.cybozu.com/exclude"" is "true"`, func() {
@@ -536,6 +537,52 @@ func testHTTPProxyReconcile() {
 			return k8sClient.Get(context.Background(), objKey, crt)
 		}, 5*time.Second).Should(Succeed())
 	})
+
+	It(`should create Certificate with revisionHistoryLimit set if specified`, func() {
+		ns := testNamespacePrefix + randomString(10)
+		Expect(k8sClient.Create(context.Background(), &corev1.Namespace{
+			ObjectMeta: ctrl.ObjectMeta{Name: ns},
+		})).ShouldNot(HaveOccurred())
+
+		scm, mgr := setupManager()
+
+		Expect(SetupReconciler(mgr, scm, ReconcilerOptions{
+			ServiceKey:        testServiceKey,
+			DefaultIssuerName: "test-issuer",
+			DefaultIssuerKind: IssuerKind,
+			CreateCertificate: true,
+			CSRRevisionLimit:  1,
+		})).ShouldNot(HaveOccurred())
+
+		stopMgr := startTestManager(mgr)
+		defer stopMgr()
+
+		By("creating HTTPProxy")
+		hpKey := client.ObjectKey{Name: "foo", Namespace: ns}
+		Expect(k8sClient.Create(context.Background(), newDummyHTTPProxy(hpKey))).ShouldNot(HaveOccurred())
+
+		By("getting Certificate")
+		crt := certificate()
+		objKey := client.ObjectKey{
+			Name:      hpKey.Name,
+			Namespace: hpKey.Namespace,
+		}
+		Eventually(func() error {
+			return k8sClient.Get(context.Background(), objKey, crt)
+		}).Should(Succeed())
+
+		crtSpec := crt.UnstructuredContent()["spec"].(map[string]interface{})
+		Expect(crtSpec["dnsNames"]).Should(Equal([]interface{}{dnsName}))
+		Expect(crtSpec["secretName"]).Should(Equal(testSecretName))
+		Expect(crtSpec["commonName"]).Should(Equal(dnsName))
+		Expect(crtSpec["usages"]).Should(Equal([]interface{}{
+			usageDigitalSignature,
+			usageKeyEncipherment,
+			usageServerAuth,
+			usageClientAuth,
+		}))
+		Expect(crtSpec["revisionHistoryLimit"]).Should(Equal(int64(1)))
+	})
 }
 
 func newDummyHTTPProxy(hpKey client.ObjectKey) *projectcontourv1.HTTPProxy {

controllers/setup.go

@@ -17,6 +17,7 @@ type ReconcilerOptions struct {
 	Prefix            string
 	DefaultIssuerName string
 	DefaultIssuerKind string
+	CSRRevisionLimit  uint
 	CreateDNSEndpoint bool
 	CreateCertificate bool
 	IngressClassName  string
@@ -40,6 +41,7 @@ func SetupReconciler(mgr manager.Manager, scheme *runtime.Scheme, opts Reconcile
 		Prefix:            opts.Prefix,
 		DefaultIssuerName: opts.DefaultIssuerName,
 		DefaultIssuerKind: opts.DefaultIssuerKind,
+		CSRRevisionLimit:  opts.CSRRevisionLimit,
 		CreateDNSEndpoint: opts.CreateDNSEndpoint,
 		CreateCertificate: opts.CreateCertificate,
 		IngressClassName:  opts.IngressClassName,