Add feature gate for ValidateCAA functionality and default it to off

To help avoid issues with the ValidateCAA functionality, this disables
the CAA check by default and adds a new --feature-gates=ValidateCAA=true
option to cert-manager-controller to allow enabling the previous
behaviour in v0.7.0 and v0.7.1.

Once issues with CNAMEd DNS names pointing to internal nameservers
are resolved, this option will be defaulted to on.

Signed-off-by: James Munnelly <[email protected]>

Author: munnerz

BUILD.bazel

@@ -63,6 +63,7 @@ filegroup(
         "//pkg/client/informers/externalversions:all-srcs",
         "//pkg/client/listers/certmanager/v1alpha1:all-srcs",
         "//pkg/controller:all-srcs",
+        "//pkg/feature:all-srcs",
         "//pkg/issuer:all-srcs",
         "//pkg/logs:all-srcs",
         "//pkg/metrics:all-srcs",

cmd/controller/BUILD.bazel

@@ -33,6 +33,7 @@ go_library(
         "//pkg/util:go_default_library",
         "//vendor/github.com/spf13/cobra:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
         "//vendor/k8s.io/client-go/plugin/pkg/client/auth:go_default_library",
         "//vendor/k8s.io/klog:go_default_library",
     ],

cmd/controller/start.go

@@ -21,6 +21,7 @@ import (
 
 	"github.com/spf13/cobra"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apiserver/pkg/util/feature"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 
 	"github.com/jetstack/cert-manager/cmd/controller/app"
@@ -36,7 +37,6 @@ import (
 	_ "github.com/jetstack/cert-manager/pkg/issuer/selfsigned"
 	_ "github.com/jetstack/cert-manager/pkg/issuer/vault"
 	_ "github.com/jetstack/cert-manager/pkg/issuer/venafi"
-
 	logf "github.com/jetstack/cert-manager/pkg/logs"
 	"github.com/jetstack/cert-manager/pkg/util"
 )
@@ -80,6 +80,7 @@ to renew certificates at an appropriate time before expiry.`,
 
 	flags := cmd.Flags()
 	o.ControllerOptions.AddFlags(flags)
+	feature.DefaultMutableFeatureGate.AddFlag(flags)
 
 	return cmd
 }

pkg/controller/acmechallenges/BUILD.bazel

@@ -16,6 +16,7 @@ go_library(
         "//pkg/client/listers/certmanager/v1alpha1:go_default_library",
         "//pkg/controller:go_default_library",
         "//pkg/controller/acmechallenges/scheduler:go_default_library",
+        "//pkg/feature:go_default_library",
         "//pkg/issuer:go_default_library",
         "//pkg/issuer/acme/dns:go_default_library",
         "//pkg/issuer/acme/dns/util:go_default_library",
@@ -26,6 +27,7 @@ go_library(
         "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
         "//vendor/k8s.io/client-go/listers/core/v1:go_default_library",
         "//vendor/k8s.io/client-go/tools/cache:go_default_library",
         "//vendor/k8s.io/client-go/util/workqueue:go_default_library",

pkg/controller/acmechallenges/sync.go

@@ -24,11 +24,13 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 
 	"github.com/jetstack/cert-manager/pkg/acme"
 	acmecl "github.com/jetstack/cert-manager/pkg/acme/client"
 	cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
 	controllerpkg "github.com/jetstack/cert-manager/pkg/controller"
+	"github.com/jetstack/cert-manager/pkg/feature"
 	dnsutil "github.com/jetstack/cert-manager/pkg/issuer/acme/dns/util"
 	logf "github.com/jetstack/cert-manager/pkg/logs"
 	acmeapi "github.com/jetstack/cert-manager/third_party/crypto/acme"
@@ -134,24 +136,26 @@ func (c *Controller) Sync(ctx context.Context, ch *cmapi.Challenge) (err error)
 		return nil
 	}
 
-	// check for CAA records.
-	// CAA records are static, so we don't have to present anything
-	// before we check for them.
+	if utilfeature.DefaultFeatureGate.Enabled(feature.ValidateCAA) {
+		// check for CAA records.
+		// CAA records are static, so we don't have to present anything
+		// before we check for them.
 
-	// Find out which identity the ACME server says it will use.
-	dir, err := cl.Discover(ctx)
-	if err != nil {
-		return err
-	}
-	// TODO(dmo): figure out if missing CAA identity in directory
-	// means no CAA check is performed by ACME server or if any valid
-	// CAA would stop issuance (strongly suspect the former)
-	if len(dir.CAA) != 0 {
-		err := dnsutil.ValidateCAA(ch.Spec.DNSName, dir.CAA, ch.Spec.Wildcard, c.Context.DNS01Nameservers)
+		// Find out which identity the ACME server says it will use.
+		dir, err := cl.Discover(ctx)
 		if err != nil {
-			ch.Status.Reason = fmt.Sprintf("CAA self-check failed: %s", err)
 			return err
 		}
+		// TODO(dmo): figure out if missing CAA identity in directory
+		// means no CAA check is performed by ACME server or if any valid
+		// CAA would stop issuance (strongly suspect the former)
+		if len(dir.CAA) != 0 {
+			err := dnsutil.ValidateCAA(ch.Spec.DNSName, dir.CAA, ch.Spec.Wildcard, c.Context.DNS01Nameservers)
+			if err != nil {
+				ch.Status.Reason = fmt.Sprintf("CAA self-check failed: %s", err)
+				return err
+			}
+		}
 	}
 
 	solver, err := c.solverFor(ch.Spec.Type)

pkg/feature/BUILD.bazel

@@ -0,0 +1,26 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["features.go"],
+    importpath = "github.com/jetstack/cert-manager/pkg/feature",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//vendor/k8s.io/apimachinery/pkg/util/runtime:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)

pkg/feature/features.go

@@ -0,0 +1,40 @@
+/*
+Copyright 2019 The Jetstack cert-manager contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package feature
+
+import (
+	"k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apiserver/pkg/util/feature"
+)
+
+const (
+	// alpha: v0.7.2
+	//
+	// ValidateCAA enables CAA checking when issuing certificates
+	ValidateCAA feature.Feature = "ValidateCAA"
+)
+
+func init() {
+	runtime.Must(feature.DefaultMutableFeatureGate.Add(defaultKubernetesFeatureGates))
+}
+
+// defaultKubernetesFeatureGates consists of all known Kubernetes-specific feature keys.
+// To add a new feature, define a key for it above and add it here. The features will be
+// available throughout Kubernetes binaries.
+var defaultKubernetesFeatureGates = map[feature.Feature]feature.FeatureSpec{
+	ValidateCAA: {Default: false, PreRelease: feature.Alpha},
+}

vendor/modules.txt

@@ -521,14 +521,14 @@ k8s.io/apimachinery/pkg/api/equality
 k8s.io/apimachinery/pkg/util/rand
 k8s.io/apimachinery/pkg/apis/meta/v1beta1/validation
 # k8s.io/apiserver v0.0.0-20190413053200-5b6ebd80335e
+k8s.io/apiserver/pkg/util/feature
 k8s.io/apiserver/pkg/registry/rest
 k8s.io/apiserver/pkg/server
 k8s.io/apiserver/pkg/server/options
 k8s.io/apiserver/pkg/admission
 k8s.io/apiserver/pkg/endpoints/request
 k8s.io/apiserver/pkg/features
 k8s.io/apiserver/pkg/storage/names
-k8s.io/apiserver/pkg/util/feature
 k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle
 k8s.io/apiserver/pkg/admission/plugin/webhook/mutating
 k8s.io/apiserver/pkg/admission/plugin/webhook/validating