gardener · MartinWeindel · Jun 6, 2024 · May 7, 2024 · May 7, 2024 · Jun 4, 2024
diff --git a/README.md b/README.md
diff --git a/charts/cert-management/templates/clusterrole.yaml b/charts/cert-management/templates/clusterrole.yaml
@@ -95,6 +95,19 @@ rules:
   - update
   - create
   - watch
+{{- if .Values.configuration.useDnsrecords }}
+- apiGroups:
+  - extensions.gardener.cloud
+  resources:
+  - dnsrecords
+  verbs:
+  - get
+  - list
+  - update
+  - watch
+  - create
+  - delete
+{{- else }}
 - apiGroups:
   - dns.gardener.cloud
   resources:
@@ -106,3 +119,4 @@ rules:
   - watch
   - create
   - delete
+{{- end }}
diff --git a/charts/cert-management/templates/deployment.yaml b/charts/cert-management/templates/deployment.yaml
@@ -71,15 +71,24 @@ spec:
         {{- if .Values.configuration.cpuprofile }}
         - --cpuprofile={{ .Values.configuration.cpuprofile }}
         {{- end }}
+        {{- if .Values.configuration.defaultEcdsaPrivateKeySize }}
+        - --default-ecdsa-private-key-size={{ .Values.configuration.defaultEcdsaPrivateKeySize }}
+        {{- end }}
         {{- if .Values.configuration.defaultIssuer }}
         - --default-issuer={{ .Values.configuration.defaultIssuer }}
         {{- end }}
         {{- if .Values.configuration.defaultIssuerDomainRanges }}
         - --default-issuer-domain-ranges={{ .Values.configuration.defaultIssuerDomainRanges }}
         {{- end }}
+        {{- if .Values.configuration.defaultPrivateKeyAlgorithm }}
+        - --default-private-key-algorithm={{ .Values.configuration.defaultPrivateKeyAlgorithm }}
+        {{- end }}
         {{- if .Values.configuration.defaultRequestsPerDayQuota }}
         - --default-requests-per-day-quota={{ .Values.configuration.defaultRequestsPerDayQuota }}
         {{- end }}
+        {{- if .Values.configuration.defaultRsaPrivateKeySize }}
+        - --default-rsa-private-key-size={{ .Values.configuration.defaultRsaPrivateKeySize }}
+        {{- end }}
         {{- if .Values.configuration.defaultPoolResyncPeriod }}
         - --default.pool.resync-period={{ .Values.configuration.defaultPoolResyncPeriod }}
         {{- end }}
@@ -116,6 +125,9 @@ spec:
         {{- if .Values.configuration.gracePeriod }}
         - --grace-period={{ .Values.configuration.gracePeriod }}
         {{- end }}
+        {{- if .Values.configuration.httproutesPoolSize }}
+        - --httproutes.pool.size={{ .Values.configuration.httproutesPoolSize }}
+        {{- end }}
         {{- if .Values.configuration.ingressCertCertClass }}
         - --ingress-cert.cert-class={{ .Values.configuration.ingressCertCertClass }}
         {{- end }}
@@ -158,15 +170,24 @@ spec:
         {{- if .Values.configuration.issuerCertClass }}
         - --issuer.cert-class={{ .Values.configuration.issuerCertClass }}
         {{- end }}
+        {{- if .Values.configuration.issuerDefaultEcdsaPrivateKeySize }}
+        - --issuer.default-ecdsa-private-key-size={{ .Values.configuration.issuerDefaultEcdsaPrivateKeySize }}
+        {{- end }}
         {{- if .Values.configuration.issuerDefaultIssuer }}
         - --issuer.default-issuer={{ .Values.configuration.issuerDefaultIssuer }}
         {{- end }}
         {{- if .Values.configuration.issuerDefaultIssuerDomainRanges }}
         - --issuer.default-issuer-domain-ranges={{ .Values.configuration.issuerDefaultIssuerDomainRanges }}
         {{- end }}
+        {{- if .Values.configuration.issuerDefaultPrivateKeyAlgorithm }}
+        - --issuer.default-private-key-algorithm={{ .Values.configuration.issuerDefaultPrivateKeyAlgorithm }}
+        {{- end }}
         {{- if .Values.configuration.issuerDefaultRequestsPerDayQuota }}
         - --issuer.default-requests-per-day-quota={{ .Values.configuration.issuerDefaultRequestsPerDayQuota }}
         {{- end }}
+        {{- if .Values.configuration.issuerDefaultRsaPrivateKeySize }}
+        - --issuer.default-rsa-private-key-size={{ .Values.configuration.issuerDefaultRsaPrivateKeySize }}
+        {{- end }}
         {{- if .Values.configuration.issuerDefaultPoolResyncPeriod }}
         - --issuer.default.pool.resync-period={{ .Values.configuration.issuerDefaultPoolResyncPeriod }}
         {{- end }}
@@ -215,9 +236,75 @@ spec:
         {{- if .Values.configuration.issuerSecretsPoolSize }}
         - --issuer.secrets.pool.size={{ .Values.configuration.issuerSecretsPoolSize }}
         {{- end }}
+        {{- if .Values.configuration.issuerUseDnsrecords }}
+        - --issuer.use-dnsrecords={{ .Values.configuration.issuerUseDnsrecords }}
+        {{- end }}
         {{- if .Values.configuration.issuersPoolSize }}
         - --issuers.pool.size={{ .Values.configuration.issuersPoolSize }}
         {{- end }}
+        {{- if .Values.configuration.istioGatewaysDnsCertClass }}
+        - --istio-gateways-dns.cert-class={{ .Values.configuration.istioGatewaysDnsCertClass }}
+        {{- end }}
+        {{- if .Values.configuration.istioGatewaysDnsCertTargetClass }}
+        - --istio-gateways-dns.cert-target-class={{ .Values.configuration.istioGatewaysDnsCertTargetClass }}
+        {{- end }}
+        {{- if .Values.configuration.istioGatewaysDnsDefaultPoolResyncPeriod }}
+        - --istio-gateways-dns.default.pool.resync-period={{ .Values.configuration.istioGatewaysDnsDefaultPoolResyncPeriod }}
+        {{- end }}
+        {{- if .Values.configuration.istioGatewaysDnsDefaultPoolSize }}
+        - --istio-gateways-dns.default.pool.size={{ .Values.configuration.istioGatewaysDnsDefaultPoolSize }}
+        {{- end }}
+        {{- if .Values.configuration.istioGatewaysDnsPoolResyncPeriod }}
+        - --istio-gateways-dns.pool.resync-period={{ .Values.configuration.istioGatewaysDnsPoolResyncPeriod }}
+        {{- end }}
+        {{- if .Values.configuration.istioGatewaysDnsPoolSize }}
+        - --istio-gateways-dns.pool.size={{ .Values.configuration.istioGatewaysDnsPoolSize }}
+        {{- end }}
+        {{- if .Values.configuration.istioGatewaysDnsTargetNamePrefix }}
+        - --istio-gateways-dns.target-name-prefix={{ .Values.configuration.istioGatewaysDnsTargetNamePrefix }}
+        {{- end }}
+        {{- if .Values.configuration.istioGatewaysDnsTargetNamespace }}
+        - --istio-gateways-dns.target-namespace={{ .Values.configuration.istioGatewaysDnsTargetNamespace }}
+        {{- end }}
+        {{- if .Values.configuration.istioGatewaysDnsTargetsPoolSize }}
+        - --istio-gateways-dns.targets.pool.size={{ .Values.configuration.istioGatewaysDnsTargetsPoolSize }}
+        {{- end }}
+        {{- if .Values.configuration.istioGatewaysDnsTargetsourcesPoolSize }}
+        - --istio-gateways-dns.targetsources.pool.size={{ .Values.configuration.istioGatewaysDnsTargetsourcesPoolSize }}
+        {{- end }}
+        {{- if .Values.configuration.istioGatewaysDnsVirtualservicesPoolSize }}
+        - --istio-gateways-dns.virtualservices.pool.size={{ .Values.configuration.istioGatewaysDnsVirtualservicesPoolSize }}
+        {{- end }}
+        {{- if .Values.configuration.k8sGatewaysDnsCertClass }}
+        - --k8s-gateways-dns.cert-class={{ .Values.configuration.k8sGatewaysDnsCertClass }}
+        {{- end }}
+        {{- if .Values.configuration.k8sGatewaysDnsCertTargetClass }}
+        - --k8s-gateways-dns.cert-target-class={{ .Values.configuration.k8sGatewaysDnsCertTargetClass }}
+        {{- end }}
+        {{- if .Values.configuration.k8sGatewaysDnsDefaultPoolResyncPeriod }}
+        - --k8s-gateways-dns.default.pool.resync-period={{ .Values.configuration.k8sGatewaysDnsDefaultPoolResyncPeriod }}
+        {{- end }}
+        {{- if .Values.configuration.k8sGatewaysDnsDefaultPoolSize }}
+        - --k8s-gateways-dns.default.pool.size={{ .Values.configuration.k8sGatewaysDnsDefaultPoolSize }}
+        {{- end }}
+        {{- if .Values.configuration.k8sGatewaysDnsHttproutesPoolSize }}
+        - --k8s-gateways-dns.httproutes.pool.size={{ .Values.configuration.k8sGatewaysDnsHttproutesPoolSize }}
+        {{- end }}
+        {{- if .Values.configuration.k8sGatewaysDnsPoolResyncPeriod }}
+        - --k8s-gateways-dns.pool.resync-period={{ .Values.configuration.k8sGatewaysDnsPoolResyncPeriod }}
+        {{- end }}
+        {{- if .Values.configuration.k8sGatewaysDnsPoolSize }}
+        - --k8s-gateways-dns.pool.size={{ .Values.configuration.k8sGatewaysDnsPoolSize }}
+        {{- end }}
+        {{- if .Values.configuration.k8sGatewaysDnsTargetNamePrefix }}
+        - --k8s-gateways-dns.target-name-prefix={{ .Values.configuration.k8sGatewaysDnsTargetNamePrefix }}
+        {{- end }}
+        {{- if .Values.configuration.k8sGatewaysDnsTargetNamespace }}
+        - --k8s-gateways-dns.target-namespace={{ .Values.configuration.k8sGatewaysDnsTargetNamespace }}
+        {{- end }}
+        {{- if .Values.configuration.k8sGatewaysDnsTargetsPoolSize }}
+        - --k8s-gateways-dns.targets.pool.size={{ .Values.configuration.k8sGatewaysDnsTargetsPoolSize }}
+        {{- end }}
         {{- if .Values.configuration.kubeconfig }}
         - --kubeconfig={{ .Values.configuration.kubeconfig }}
         {{- end }}
@@ -353,9 +440,24 @@ spec:
         {{- if .Values.configuration.targetsPoolSize }}
         - --targets.pool.size={{ .Values.configuration.targetsPoolSize }}
         {{- end }}
+        {{- if .Values.configuration.targetsourcesPoolSize }}
+        - --targetsources.pool.size={{ .Values.configuration.targetsourcesPoolSize }}
+        {{- end }}
+        {{- if .Values.configuration.useDnsrecords }}
+        - --use-dnsrecords={{ .Values.configuration.useDnsrecords }}
+        {{- end }}
         {{- if .Values.configuration.version }}
         - --version={{ .Values.configuration.version }}
         {{- end }}
+        {{- if .Values.configuration.virtualservicesPoolSize }}
+        - --virtualservices.pool.size={{ .Values.configuration.virtualservicesPoolSize }}
+        {{- end }}
+        {{- if .Values.configuration.watchGatewaysCrdsDefaultPoolSize }}
+        - --watch-gateways-crds.default.pool.size={{ .Values.configuration.watchGatewaysCrdsDefaultPoolSize }}
+        {{- end }}
+        {{- if .Values.configuration.watchGatewaysCrdsPoolSize }}
+        - --watch-gateways-crds.pool.size={{ .Values.configuration.watchGatewaysCrdsPoolSize }}
+        {{- end }}
         ### end generated configuration
         {{- range $idx, $flag := .Values.additionalConfiguration }}
         - {{ $flag }}

diff --git a/charts/cert-management/values.yaml b/charts/cert-management/values.yaml
@@ -41,9 +41,12 @@ configuration:
   # config:
   # controllers:
   # cpuprofile:
+  # defaultEcdsaPrivateKeySize:
   # defaultIssuer:
   # defaultIssuerDomainRanges:
+  # defaultPrivateKeyAlgorithm:
   # defaultRequestsPerDayQuota:
+  # defaultRsaPrivateKeySize:
   # defaultPoolResyncPeriod:
   # defaultPoolSize:
   # disableNamespaceRestriction:
@@ -56,6 +59,7 @@ configuration:
   # dnsMigrationIds:
   # forceCrdUpdate:
   # gracePeriod:
+  # httproutesPoolSize:
   # ingressCertCertClass:
   # ingressCertCertTargetClass:
   # ingressCertDefaultPoolResyncPeriod:
@@ -70,9 +74,12 @@ configuration:
   # issuerAllowTargetIssuers:
   # issuerCascadeDelete:
   # issuerCertClass:
+  # issuerDefaultEcdsaPrivateKeySize:
   # issuerDefaultIssuer:
   # issuerDefaultIssuerDomainRanges:
+  # issuerDefaultPrivateKeyAlgorithm:
   # issuerDefaultRequestsPerDayQuota:
+  # issuerDefaultRsaPrivateKeySize:
   # issuerDefaultPoolResyncPeriod:
   # issuerDefaultPoolSize:
   # issuerDnsClass:
@@ -89,7 +96,29 @@ configuration:
   # issuerRenewalWindow:
   # issuerRevocationsPoolSize:
   # issuerSecretsPoolSize:
+  # issuerUseDnsrecords:
   # issuersPoolSize:
+  # istioGatewaysDnsCertClass:
+  # istioGatewaysDnsCertTargetClass:
+  # istioGatewaysDnsDefaultPoolResyncPeriod:
+  # istioGatewaysDnsDefaultPoolSize:
+  # istioGatewaysDnsPoolResyncPeriod:
+  # istioGatewaysDnsPoolSize:
+  # istioGatewaysDnsTargetNamePrefix:
+  # istioGatewaysDnsTargetNamespace:
+  # istioGatewaysDnsTargetsPoolSize:
+  # istioGatewaysDnsTargetsourcesPoolSize:
+  # istioGatewaysDnsVirtualservicesPoolSize:
+  # k8sGatewaysDnsCertClass:
+  # k8sGatewaysDnsCertTargetClass:
+  # k8sGatewaysDnsDefaultPoolResyncPeriod:
+  # k8sGatewaysDnsDefaultPoolSize:
+  # k8sGatewaysDnsHttproutesPoolSize:
+  # k8sGatewaysDnsPoolResyncPeriod:
+  # k8sGatewaysDnsPoolSize:
+  # k8sGatewaysDnsTargetNamePrefix:
+  # k8sGatewaysDnsTargetNamespace:
+  # k8sGatewaysDnsTargetsPoolSize:
   # kubeconfig:
   # kubeconfigDisableDeployCrds:
   # kubeconfigId:
@@ -135,6 +164,11 @@ configuration:
   # targetId:
   # targetMigrationIds:
   # targetsPoolSize:
+  # targetsourcesPoolSize:
+  # useDnsrecords:
   # version:
+  # virtualservicesPoolSize:
+  # watchGatewaysCrdsDefaultPoolSize:
+  # watchGatewaysCrdsPoolSize:
 
 additionalConfiguration: []
diff --git a/cmd/cert-controller-manager/main.go b/cmd/cert-controller-manager/main.go
@@ -10,7 +10,7 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/gardener/controller-manager-library/pkg/utils"
+	extensionsv1alpha "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
 	istionetworkingv1 "istio.io/client-go/pkg/apis/networking/v1"
 	istionetworkingv1alpha3 "istio.io/client-go/pkg/apis/networking/v1alpha3"
 	istionetworkingv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
@@ -26,6 +26,7 @@ import (
 	"github.com/gardener/controller-manager-library/pkg/controllermanager/cluster"
 	"github.com/gardener/controller-manager-library/pkg/controllermanager/controller/mappings"
 	"github.com/gardener/controller-manager-library/pkg/resources"
+	"github.com/gardener/controller-manager-library/pkg/utils"
 
 	dnsapi "github.com/gardener/external-dns-management/pkg/apis/dns/v1alpha1"
 
@@ -57,7 +58,7 @@ func init() {
 	cluster.Configure(
 		ctrl.DNSCluster,
 		"dns",
-		"cluster for writing challenge DNS entries",
+		"cluster for writing challenge DNSEntries or DNSRecords",
 	).MustRegister()
 
 	mappings.ForControllerGroup(ctrl.ControllerGroupCert).
@@ -71,6 +72,7 @@ func init() {
 	utils.Must(resources.Register(corev1.SchemeBuilder))
 	utils.Must(resources.Register(dnsapi.SchemeBuilder))
 	utils.Must(resources.Register(v1alpha1.SchemeBuilder))
+	utils.Must(resources.Register(extensionsv1alpha.SchemeBuilder))
 	utils.Must(resources.Register(coordinationv1.SchemeBuilder))
 	utils.Must(resources.Register(istionetworkingv1alpha3.SchemeBuilder))
 	utils.Must(resources.Register(istionetworkingv1beta1.SchemeBuilder))
@@ -80,17 +82,12 @@ func init() {
 	utils.Must(resources.Register(gatewayapisv1.SchemeBuilder))
 }
 
-func migrateExtensionsIngress(c controllermanager.Configuration) controllermanager.Configuration {
-	return c.GlobalGroupKindMigrations(resources.NewGroupKind("extensions", "Ingress"),
-		resources.NewGroupKind("networking.k8s.io", "Ingress"))
-}
-
 func main() {
 	if len(os.Args) == 2 && os.Args[1] == "version" {
 		fmt.Println(version)
 		os.Exit(0)
 	}
 	// set LEGO_DISABLE_CNAME_SUPPORT=true as we have our own logic for FollowCNAME
 	os.Setenv("LEGO_DISABLE_CNAME_SUPPORT", "true")
-	controllermanager.Start("cert-controller-manager", "Certificate controller manager", "nothing", migrateExtensionsIngress)
+	controllermanager.Start("cert-controller-manager", "Certificate controller manager", "nothing")
 }
diff --git a/examples/30-cert-simple.yaml b/examples/30-cert-simple.yaml
@@ -8,6 +8,9 @@ metadata:
   annotations:
     # class annotation only needed if cert-controller-manager is started with --cert-class=myclass
     #cert.gardener.cloud/class: myclass
+    # annotations needed when using DNSRecords
+    #cert.gardener.cloud/dnsrecord-provider-type: aws-route53
+    #cert.gardener.cloud/dnsrecord-secret-ref: myns/mysecret
   name: cert-simple
   namespace: default
 spec:

diff --git a/examples/40-gateway-gateway-api.yaml b/examples/40-gateway-gateway-api.yaml
@@ -11,6 +11,9 @@ metadata:
     #cert.gardener.cloud/preferred-chain: "chain name"            # optional to specify preferred-chain (value is the Subject Common Name of the root issuer)
     #cert.gardener.cloud/private-key-algorithm: ECDSA             # optional to specify algorithm for private key, allowed values are 'RSA' or 'ECDSA'
     #cert.gardener.cloud/private-key-size: "384"                  # optional to specify size of private key, allowed values for RSA are "2048", "3072", "4096" and for ECDSA "256" and "384"
+    # annotations needed when using DNSRecords
+    #cert.gardener.cloud/dnsrecord-provider-type: aws-route53
+    #cert.gardener.cloud/dnsrecord-secret-ref: myns/mysecret
   name: my-gateway
   namespace: default
 spec:

diff --git a/examples/40-ingress-echoheaders.yaml b/examples/40-ingress-echoheaders.yaml
@@ -18,6 +18,9 @@ metadata:
     #cert.gardener.cloud/preferred-chain: "chain name"            # optional to specify preferred-chain (value is the Subject Common Name of the root issuer)
     #cert.gardener.cloud/private-key-algorithm: ECDSA             # optional to specify algorithm for private key, allowed values are 'RSA' or 'ECDSA'
     #cert.gardener.cloud/private-key-size: "384"                  # optional to specify size of private key, allowed values for RSA are "2048", "3072", "4096" and for ECDSA "256" and "384"
+    # annotations needed when using DNSRecords
+    #cert.gardener.cloud/dnsrecord-provider-type: aws-route53
+    #cert.gardener.cloud/dnsrecord-secret-ref: myns/mysecret
 spec:
   tls:
     - hosts:

diff --git a/examples/40-service-loadbalancer.yaml b/examples/40-service-loadbalancer.yaml
@@ -18,6 +18,10 @@ metadata:
     #cert.gardener.cloud/preferred-chain: "chain name"            # optional to specify preferred-chain (value is the Subject Common Name of the root issuer)
     #cert.gardener.cloud/private-key-algorithm: ECDSA             # optional to specify algorithm for private key, allowed values are 'RSA' or 'ECDSA'
     #cert.gardener.cloud/private-key-size: "384"                  # optional to specify size of private key, allowed values for RSA are "2048", "3072", "4096" and for ECDSA "256" and "384"
+    # annotations needed when using DNSRecords
+    #cert.gardener.cloud/dnsrecord-provider-type: aws-route53
+    #cert.gardener.cloud/dnsrecord-secret-ref: myns/mysecret
+
   name: test-service
   namespace: default
 spec: