
venafi: Process custom fields annotations on Issuer

Open k0da opened this issue 2 months ago • 5 comments

When processing custom fields on a CSR, take the annotations on the Issuer into consideration and use them as a base, with override/append at the CSR level.

Pull Request Motivation

We have 200+ clusters with more than 4000 applications. With Venafi custom field enforcement, it would be nice to have the ability to define "global" custom fields at the Issuer level, with override/append at the CSR level.

Kind

/kind feature

Release Note

For the Venafi provider, read the `venafi.cert-manager.io/custom-fields` annotation on Issuer/ClusterIssuer and use it as a base, with override/append capabilities at the Certificate level.

k0da avatar Dec 04 '25 14:12 k0da
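
A sketch of the base-plus-override/append behaviour described in the PR text above, as an added example that is not code from this PR or from cert-manager. It assumes the annotation value is a JSON list of name/value objects, that "override" means a Certificate field with the same name replaces the Issuer one and "append" means any other Certificate field is added, and that a malformed annotation is rejected; `customField`, `parseCustomFields` and `effectiveCustomFields` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// customField is the assumed shape of one entry in the annotation's JSON list.
type customField struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

// parseCustomFields decodes one annotation value; an empty value means no fields.
func parseCustomFields(raw string) (fields []customField, err error) {
	if raw != "" {
		err = json.Unmarshal([]byte(raw), &fields)
	}
	return fields, err
}

// effectiveCustomFields walks the Issuer list first, then the Certificate list:
// a later field with a known name replaces it in place, a new name is appended.
func effectiveCustomFields(issuerRaw, certRaw string) ([]customField, error) {
	issuer, err := parseCustomFields(issuerRaw)
	if err != nil {
		return nil, fmt.Errorf("issuer annotation: %w", err)
	}
	cert, err := parseCustomFields(certRaw)
	if err != nil {
		return nil, fmt.Errorf("certificate annotation: %w", err)
	}
	index := map[string]int{}
	var merged []customField
	for _, f := range append(issuer, cert...) {
		if i, ok := index[f.Name]; ok {
			merged[i] = f // override: same name, later value wins
			continue
		}
		index[f.Name] = len(merged)
		merged = append(merged, f) // append: name not seen before
	}
	return merged, nil
}

func main() { // constructed sample annotation values, not taken from the PR
	fmt.Println(effectiveCustomFields(
		`[{"name":"Environment","value":"prod"},{"name":"CostCenter","value":"1000"}]`,
		`[{"name":"CostCenter","value":"2042"},{"name":"Owner","value":"team-a"}]`))
}
```

Returning an error for a malformed annotation on either object, rather than falling back to the other list, keeps a typo on the Issuer from silently dropping the fields it was meant to enforce.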

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

Once this PR has been reviewed and has the lgtm label, please assign joshvanl for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

cert-manager-prow[bot] avatar Dec 04 '25 14:12 cert-manager-prow[bot]

Hi @k0da. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

cert-manager-prow[bot] avatar Dec 04 '25 14:12 cert-manager-prow[bot]

/ok-to-test

wallrj-cyberark avatar Dec 04 '25 14:12 wallrj-cyberark

/test pull-cert-manager-master-e2e-v1-34-issuers-venafi-cloud
/test pull-cert-manager-master-e2e-v1-34-issuers-venafi-tpp

wallrj-cyberark avatar Dec 04 '25 16:12 wallrj-cyberark

/test pull-cert-manager-master-e2e-v1-34-issuers-venafi-cloud
/test pull-cert-manager-master-e2e-v1-34-issuers-venafi-tpp

wallrj-cyberark avatar Dec 05 '25 06:12 wallrj-cyberark

@wallrj-cyberark I share the same sentiment about the Issuer property. Although, as you said, annotation on Ingress/Certificate is kind of a stable mechanism and well known to users. Keeping consistency would be a big benefit here.

While a CR property is a cleaner approach, I don't see a problem supporting both, with the property being higher priority in the override chain.

I'd go as is for now, and follow up on the CR change proposal in a separate PR.

k0da avatar Dec 12 '25 13:12 k0da