Leverage trust domain in issuing certs; remove TD from identity (#4782)

* This PR finalizes the steps to allow for custom trust domains.
It accomplishes this by:

1. Remove trust domain from service identity
2. Modify IssueCertificate to accept a CN prefix instead of a full CN,
and apply the trust domain dynamically.
3. Change IssueCertificate to accept variadic options when the full CN
is actually provided

Signed-off-by: Sean Teeling <[email protected]>

* address comments

Signed-off-by: Sean Teeling <[email protected]>

* address comment

Signed-off-by: Sean Teeling <[email protected]>

* address lint

Signed-off-by: Sean Teeling <[email protected]>

Author: steeling

cmd/osm-controller/gateway.go

@@ -15,7 +15,6 @@ import (
 	"github.com/openservicemesh/osm/pkg/certificate"
 	"github.com/openservicemesh/osm/pkg/constants"
 	"github.com/openservicemesh/osm/pkg/envoy/bootstrap"
-	"github.com/openservicemesh/osm/pkg/identity"
 	"github.com/openservicemesh/osm/pkg/multicluster"
 	"github.com/openservicemesh/osm/pkg/utils"
 )
@@ -38,7 +37,7 @@ func bootstrapOSMMulticlusterGateway(kubeClient kubernetes.Interface, certManage
 	}
 
 	gatewayCN := multicluster.GetMulticlusterGatewaySubjectCommonName(osmServiceAccount, osmNamespace)
-	bootstrapCert, err := certManager.IssueCertificate(gatewayCN, constants.XDSCertificateValidityPeriod)
+	bootstrapCert, err := certManager.IssueCertificate(gatewayCN, certificate.WithValidityPeriod(constants.XDSCertificateValidityPeriod))
 	if err != nil {
 		return errors.Errorf("Error issuing bootstrap certificate for OSM gateway: %s", err)
 	}
@@ -47,7 +46,7 @@ func bootstrapOSMMulticlusterGateway(kubeClient kubernetes.Interface, certManage
 		NodeID:         bootstrapCert.GetCommonName().String(),
 		AdminPort:      constants.EnvoyAdminPort,
 		XDSClusterName: constants.OSMControllerName,
-		XDSHost:        fmt.Sprintf("%s.%s.svc.%s", constants.OSMControllerName, osmNamespace, identity.ClusterLocalTrustDomain),
+		XDSHost:        fmt.Sprintf("%s.%s.svc.cluster.local", constants.OSMControllerName, osmNamespace),
 		XDSPort:        constants.ADSServerPort,
 	})
 	if err != nil {

cmd/osm-controller/osm-controller.go

@@ -28,6 +28,7 @@ import (
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	"k8s.io/client-go/tools/clientcmd"
 
+	"github.com/openservicemesh/osm/pkg/certificate"
 	configClientset "github.com/openservicemesh/osm/pkg/gen/client/config/clientset/versioned"
 	policyClientset "github.com/openservicemesh/osm/pkg/gen/client/policy/clientset/versioned"
 
@@ -262,7 +263,7 @@ func main() {
 	proxyRegistry := registry.NewProxyRegistry(proxyMapper, msgBroker)
 	go proxyRegistry.ReleaseCertificateHandler(certManager, stop)
 
-	adsCert, err := certManager.IssueCertificate(xdsServerCertificateCommonName, constants.XDSCertificateValidityPeriod)
+	adsCert, err := certManager.IssueCertificate(xdsServerCertificateCommonName, certificate.WithValidityPeriod(constants.XDSCertificateValidityPeriod))
 	if err != nil {
 		events.GenericEventRecorder().FatalEvent(err, events.CertificateIssuanceFailure, "Error issuing XDS certificate to ADS server")
 	}

pkg/catalog/egress_test.go

@@ -433,7 +433,7 @@ func TestGetEgressTrafficPolicy(t *testing.T) {
 		},
 	}
 
-	testSourceIdentity := identity.ServiceIdentity("foo.bar.cluster.local")
+	testSourceIdentity := identity.ServiceIdentity("foo.bar")
 
 	for i, tc := range testCases {
 		t.Run(fmt.Sprintf("Running test case %d: %s", i, tc.name), func(t *testing.T) {

pkg/catalog/outbound_traffic_policies_test.go

@@ -76,12 +76,12 @@ func TestGetOutboundMeshTrafficPolicy(t *testing.T) {
 	}
 
 	svcIdentityToSvcMapping := map[string][]service.MeshService{
-		"sa1.ns1.cluster.local": {meshSvc1P1, meshSvc1P2},
-		"sa2.ns2.cluster.local": {meshSvc2}, // Client `downstreamIdentity` cannot access this upstream
-		"sa3.ns3.cluster.local": {meshSvc3, meshSvc3V1, meshSvc3V2, meshSvc4, meshSvc5},
+		"sa1.ns1": {meshSvc1P1, meshSvc1P2},
+		"sa2.ns2": {meshSvc2}, // Client `downstreamIdentity` cannot access this upstream
+		"sa3.ns3": {meshSvc3, meshSvc3V1, meshSvc3V2, meshSvc4, meshSvc5},
 	}
 
-	downstreamIdentity := identity.ServiceIdentity("sa-x.ns1.cluster.local")
+	downstreamIdentity := identity.ServiceIdentity("sa-x.ns1")
 
 	// TrafficTargets that allow: sa-x.ns1 -> sa1.ns1, sa3.ns3
 	// No TrafficTarget that allows sa-x.ns1 -> sa2.ns2 (this should be allowed in permissive mode)
@@ -691,7 +691,7 @@ func TestListOutboundServicesForIdentity(t *testing.T) {
 		},
 		{
 			name:           "gateway",
-			svcIdentity:    "gateway.osm-system.cluster.local",
+			svcIdentity:    "gateway.osm-system",
 			expectedList:   []service.MeshService{tests.BookstoreV1Service, tests.BookstoreV2Service, tests.BookstoreApexService, tests.BookbuyerService},
 			permissiveMode: true,
 		},

pkg/catalog/retry_test.go

@@ -38,7 +38,7 @@ func TestGetRetryPolicy(t *testing.T) {
 		policyController:   mockPolicyController,
 		kubeController:     mockKubeController,
 	}
-	retrySrc := identity.ServiceIdentity("sa1.ns.cluster.local")
+	retrySrc := identity.ServiceIdentity("sa1.ns")
 
 	testcases := []struct {
 		name                string

pkg/catalog/traffictarget_test.go

@@ -501,9 +501,9 @@ func TestListInboundTrafficTargetsWithRoutes(t *testing.T) {
 			expectedTrafficTargets: []trafficpolicy.TrafficTargetWithRoutes{
 				{
 					Name:        "ns-1/test-1",
-					Destination: identity.ServiceIdentity("sa-1.ns-1.cluster.local"),
+					Destination: identity.ServiceIdentity("sa-1.ns-1"),
 					Sources: []identity.ServiceIdentity{
-						identity.ServiceIdentity("sa-2.ns-2.cluster.local"),
+						identity.ServiceIdentity("sa-2.ns-2"),
 					},
 					TCPRouteMatches: []trafficpolicy.TCPRouteMatch{
 						{
@@ -588,9 +588,9 @@ func TestListInboundTrafficTargetsWithRoutes(t *testing.T) {
 			expectedTrafficTargets: []trafficpolicy.TrafficTargetWithRoutes{
 				{
 					Name:        "ns-1/test-1",
-					Destination: identity.ServiceIdentity("sa-1.ns-1.cluster.local"),
+					Destination: identity.ServiceIdentity("sa-1.ns-1"),
 					Sources: []identity.ServiceIdentity{
-						identity.ServiceIdentity("sa-2.ns-2.cluster.local"),
+						identity.ServiceIdentity("sa-2.ns-2"),
 					},
 					TCPRouteMatches: []trafficpolicy.TCPRouteMatch{
 						{
@@ -736,9 +736,9 @@ func TestListInboundTrafficTargetsWithRoutes(t *testing.T) {
 			expectedTrafficTargets: []trafficpolicy.TrafficTargetWithRoutes{
 				{
 					Name:        "ns-1/test-1",
-					Destination: identity.ServiceIdentity("sa-1.ns-1.cluster.local"),
+					Destination: identity.ServiceIdentity("sa-1.ns-1"),
 					Sources: []identity.ServiceIdentity{
-						identity.ServiceIdentity("sa-2.ns-2.cluster.local"),
+						identity.ServiceIdentity("sa-2.ns-2"),
 					},
 					TCPRouteMatches: []trafficpolicy.TCPRouteMatch{
 						{
@@ -753,9 +753,9 @@ func TestListInboundTrafficTargetsWithRoutes(t *testing.T) {
 				},
 				{
 					Name:        "ns-1/test-2",
-					Destination: identity.ServiceIdentity("sa-1.ns-1.cluster.local"),
+					Destination: identity.ServiceIdentity("sa-1.ns-1"),
 					Sources: []identity.ServiceIdentity{
-						identity.ServiceIdentity("sa-3.ns-3.cluster.local"),
+						identity.ServiceIdentity("sa-3.ns-3"),
 					},
 					TCPRouteMatches: []trafficpolicy.TCPRouteMatch{
 						{
@@ -823,9 +823,9 @@ func TestListInboundTrafficTargetsWithRoutes(t *testing.T) {
 			expectedTrafficTargets: []trafficpolicy.TrafficTargetWithRoutes{
 				{
 					Name:        "ns-1/test-1",
-					Destination: identity.ServiceIdentity("sa-1.ns-1.cluster.local"),
+					Destination: identity.ServiceIdentity("sa-1.ns-1"),
 					Sources: []identity.ServiceIdentity{
-						identity.ServiceIdentity("sa-2.ns-2.cluster.local"),
+						identity.ServiceIdentity("sa-2.ns-2"),
 					},
 					TCPRouteMatches: []trafficpolicy.TCPRouteMatch{
 						{

pkg/certificate/fake_manager.go

@@ -21,7 +21,11 @@ func (c *fakeMRCClient) GetCertIssuerForMRC(mrc *v1alpha2.MeshRootCertificate) (
 // List returns the single, pre-generated MRC. It is intended to implement the certificate.MRCClient interface.
 func (c *fakeMRCClient) List() ([]*v1alpha2.MeshRootCertificate, error) {
 	// return single empty object in the list.
-	return []*v1alpha2.MeshRootCertificate{{}}, nil
+	return []*v1alpha2.MeshRootCertificate{{
+		Spec: v1alpha2.MeshRootCertificateSpec{
+			TrustDomain: "fake.domain.com",
+		},
+	}}, nil
 }
 
 type fakeIssuer struct {

pkg/certificate/manager.go

@@ -24,7 +24,7 @@ func NewManager(mrcClient MRCClient, serviceCertValidityDuration time.Duration,
 		return nil, err
 	}
 
-	c := &issuer{Issuer: client, ID: clientID, CertificateAuthority: ca}
+	c := &issuer{Issuer: client, ID: clientID, CertificateAuthority: ca, TrustDomain: mrcs[0].Spec.TrustDomain}
 
 	m := &Manager{
 		// The signingIssuer is responsible for signing all newly issued certificates
@@ -59,15 +59,23 @@ func (m *Manager) Start(checkInterval time.Duration, stop <-chan struct{}) {
 // GetTrustDomain returns the trust domain from the configured signingkey issuer.
 // Note that the CRD uses a default, so this value will always be set.
 func (m *Manager) GetTrustDomain() string {
-	// TODO(4754): implement
-	return ""
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	return m.signingIssuer.TrustDomain
 }
 
 func (m *Manager) checkAndRotate() {
 	// NOTE: checkAndRotate can reintroduce a certificate that has been released, thereby creating an unbounded cache.
 	// A certificate can also have been rotated already, leaving the list of issued certs stale, and we re-rotate.
 	// the latter is not a bug, but a source of inefficiency.
-	for _, cert := range m.ListIssuedCertificates() {
+
+	certs := map[string]*Certificate{}
+	m.cache.Range(func(keyIface interface{}, certInterface interface{}) bool {
+		key := keyIface.(string)
+		certs[key] = certInterface.(*Certificate)
+		return true // continue the iteration
+	})
+	for key, cert := range certs {
 		shouldRotate := cert.ShouldRotate()
 
 		word := map[bool]string{true: "will", false: "will not"}[shouldRotate]
@@ -78,7 +86,14 @@ func (m *Manager) checkAndRotate() {
 			RenewBeforeCertExpires)
 
 		if shouldRotate {
-			newCert, err := m.IssueCertificate(cert.GetCommonName(), m.serviceCertValidityDuration)
+			opts := []IssueOption{WithValidityPeriod(m.serviceCertValidityDuration)}
+			// if the key is equal to the common name, then it was issued with FullCNProvided(). This will prevent
+			// an additional trust domain from being appended. We don't do this in every case, in case the trust domain
+			// has changed since the last issue.
+			if key == cert.CommonName.String() {
+				opts = append(opts, FullCNProvided())
+			}
+			newCert, err := m.IssueCertificate(key, opts...)
 			if err != nil {
 				// TODO(#3962): metric might not be scraped before process restart resulting from this error
 				log.Error().Err(err).Str(errcode.Kind, errcode.GetErrCodeWithMetric(errcode.ErrRotatingCert)).
@@ -97,8 +112,8 @@ func (m *Manager) checkAndRotate() {
 	}
 }
 
-func (m *Manager) getFromCache(cn CommonName) *Certificate {
-	certInterface, exists := m.cache.Load(cn)
+func (m *Manager) getFromCache(key string) *Certificate {
+	certInterface, exists := m.cache.Load(key)
 	if !exists {
 		return nil
 	}
@@ -112,18 +127,24 @@ func (m *Manager) getFromCache(cn CommonName) *Certificate {
 }
 
 // IssueCertificate implements Manager and returns a newly issued certificate from the given client.
-func (m *Manager) IssueCertificate(cn CommonName, validityPeriod time.Duration) (*Certificate, error) {
+func (m *Manager) IssueCertificate(prefix string, opts ...IssueOption) (*Certificate, error) {
 	var err error
-	cert := m.getFromCache(cn) // Don't call this while holding the lock
+	cert := m.getFromCache(prefix) // Don't call this while holding the lock
+
+	options := defaultOptions(m.serviceCertValidityDuration)
+
+	for _, o := range opts {
+		o(options)
+	}
 
-	m.mu.RLock()
+	m.mu.Lock()
 	validatingIssuer := m.validatingIssuer
 	signingIssuer := m.signingIssuer
-	m.mu.RUnlock()
+	m.mu.Unlock()
 
 	start := time.Now()
 	if cert == nil || cert.signingIssuerID != signingIssuer.ID || cert.validatingIssuerID != validatingIssuer.ID {
-		cert, err = signingIssuer.IssueCertificate(cn, validityPeriod)
+		cert, err = signingIssuer.IssueCertificate(options.formatCN(prefix, signingIssuer.TrustDomain), options.validityPeriod)
 		if err != nil {
 			return nil, err
 		}
@@ -138,17 +159,17 @@ func (m *Manager) IssueCertificate(cn CommonName, validityPeriod time.Duration)
 		cert.validatingIssuerID = validatingIssuer.ID
 	}
 
-	m.cache.Store(cn, cert)
+	m.cache.Store(prefix, cert)
 
 	log.Trace().Msgf("It took %s to issue certificate with SerialNumber=%s", time.Since(start), cert.GetSerialNumber())
 
 	return cert, nil
 }
 
 // ReleaseCertificate is called when a cert will no longer be needed and should be removed from the system.
-func (m *Manager) ReleaseCertificate(cn CommonName) {
-	log.Trace().Msgf("Releasing certificate %s", cn)
-	m.cache.Delete(cn)
+func (m *Manager) ReleaseCertificate(key string) {
+	log.Trace().Msgf("Releasing certificate %s", key)
+	m.cache.Delete(key)
 }
 
 // ListIssuedCertificates implements CertificateDebugger interface and returns the list of issued certificates.