guilhem / freeipa-issuer

A cert-manager external issuer for FreeIPA
Apache License 2.0

Not able to add service without adding host #7

Open StefanAbl opened 3 years ago

StefanAbl commented 3 years ago

When creating an issuer with the addHost option set to false I am not able to successfully issue a certificate. This is because by default, to create a service, a host with the same FQDN must exist. To circumvent this issue the --skip-hostcheck option would be set on the command line. Its equivalent would have to be set in the request to the FreeIPA web API.

Logs from the controller container:

{
  "level": "error",
  "ts": 1618235548.570603,
  "logger": "controller-runtime.manager.controller.certificaterequest",
  "msg": "failed to sign certificate request",
  "reconciler group": "cert-manager.io",
  "reconciler kind": "CertificateRequest",
  "name": "test2-gm5pp",
  "namespace": "default",
  "certificaterequest": "default/test2-gm5pp",
  "error": "Fail to request certificate: NotFound (4001): The host 'test3.i.k3test.dns.navy' does not exist to add a service to.",
  "stacktrace": "github.com/go-logr/zapr.(*zapLogger).Error\n\t/go/pkg/mod/github.com/go-logr/zapr@v0.2.0/zapr.go:132\ngithub.com/guilhem/freeipa-issuer/controllers.(*CertificateRequestReconciler).Reconcile\n\t/workspace/controllers/certificaterequest.go:112\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.7.0/pkg/internal/controller/controller.go:263\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.7.0/pkg/internal/controller/controller.go:235\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1.1\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.7.0/pkg/internal/controller/controller.go:198\nk8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext.func1\n\t/go/pkg/mod/k8s.io/apimachinery@v0.19.2/pkg/util/wait/wait.go:185\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/go/pkg/mod/k8s.io/apimachinery@v0.19.2/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/go/pkg/mod/k8s.io/apimachinery@v0.19.2/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/go/pkg/mod/k8s.io/apimachinery@v0.19.2/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext\n\t/go/pkg/mod/k8s.io/apimachinery@v0.19.2/pkg/util/wait/wait.go:185\nk8s.io/apimachinery/pkg/util/wait.UntilWithContext\n\t/go/pkg/mod/k8s.io/apimachinery@v0.19.2/pkg/util/wait/wait.go:99"
}

StefanAbl commented 3 years ago

So I did some more research and it seems like the option is not present in the version of tehwalris/go-freeipa. I updated the autogenerated code here and added the usage of the skip_host_check option here. This works and adds the service to the IPA Server without requiring a host.

I am not sure if this is wanted behavior for this application and I am also unsure about opening a PR because of the change of dependencies.
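Added example (not code from freeipa-issuer or go-freeipa): the service_add JSON-RPC call that the skip_host_check option above maps to, built with and without the option, plus a check for the NotFound (4001) reply seen in the controller log. The principal name used is constructed.

```go
package main

import "encoding/json"

// rpcRequest is the FreeIPA JSON-RPC envelope: params is the positional
// argument list followed by a map of named options.
type rpcRequest struct {
	Method string        `json:"method"`
	Params []interface{} `json:"params"`
	ID     int           `json:"id"`
}

// ServiceAddRequest builds the service_add call for a principal such as
// "HTTP/web.example.test" (constructed name). Without skip_host_check the
// server insists on a host entry with the same FQDN and answers NotFound
// (4001); with it set the host requirement is bypassed.
func ServiceAddRequest(principal string, skipHostCheck bool) ([]byte, error) {
	opts := map[string]interface{}{}
	if skipHostCheck {
		opts["skip_host_check"] = true
	}
	return json.Marshal(rpcRequest{
		Method: "service_add",
		Params: []interface{}{[]string{principal}, opts},
	})
}

// rpcResponse captures only the error member of a FreeIPA reply.
type rpcResponse struct {
	Error *struct {
		Code    int    `json:"code"`
		Name    string `json:"name"`
		Message string `json:"message"`
	} `json:"error"`
}

// IsMissingHostError reports whether a reply carries the NotFound (4001)
// error from the controller log, i.e. the service's host entry is absent.
func IsMissingHostError(reply []byte) (bool, error) {
	var r rpcResponse
	if err := json.Unmarshal(reply, &r); err != nil {
		return false, err
	}
	return r.Error != nil && r.Error.Code == 4001, nil
}
```

Setting skip_host_check means a service principal can exist with no matching host entry, so an issuer running with addHost=false should be expected to leave that gap in the IPA inventory.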

guilhem commented 3 years ago

@StefanAbl you can make a PR in the upstream project. Before it is merged, you can use go mod edit -replace to override the lib with your patched version (and do a PR here ^^)

StefanAbl commented 3 years ago

Okay, I created a PR upstream

I tried using go mod edit -replace github.com/tehwalris/go-freeipa/freeipa=../go-freeipa/freeipa and the replacement was successfully added to the go.mod file; however, it seems like the old version is still used:

$ go build provisionners/freeipa.go
# command-line-arguments
provisionners/freeipa.go:125:6: unknown field 'SkipHostCheck' in struct literal of type freeipa.ServiceAddOptionalArgs

I am not sure why; I think it could be because of the strange versioning of go-freeipa.

Maybe I should just wait for the pull request in go-freeipa to be accepted, or someone has better Go knowledge than I do.