- Adds enableMeshRootCertificate to featureFlag values

jaellio · jaellio · commit b5855b05d29a · 2022-07-05T13:03:29.000-07:00
- Allows manager to set issuer ID
- Removes unnecessary newline

Signed-off-by: jaellio &lt;jaellio@microsoft.com&gt;
diff --git a/charts/osm/README.md b/charts/osm/README.md
@@ -93,12 +93,11 @@ The following table lists the configurable parameters of the osm chart and their
 | osm.enableReconciler | bool | `false` | Enable reconciler for OSM's CRDs and mutating webhook |
 | osm.enforceSingleMesh | bool | `true` | Enforce only deploying one mesh in the cluster |
 | osm.envoyLogLevel | string | `"error"` | Log level for the Envoy proxy sidecar. Non developers should generally never set this value. In production environments the LogLevel should be set to `error` |
-| osm.experimental | object | `{"enableMeshRootCertificate":false}` | Experimental values. Behavior is not supported. |
-| osm.experimental.enableMeshRootCertificate | bool | `false` | Enable the MeshRootCertificate to configure the OSM certificate provider. |
 | osm.featureFlags.enableAsyncProxyServiceMapping | bool | `false` | Enable async proxy-service mapping |
 | osm.featureFlags.enableEgressPolicy | bool | `true` | Enable OSM's Egress policy API. When enabled, fine grained control over Egress (external) traffic is enforced |
 | osm.featureFlags.enableEnvoyActiveHealthChecks | bool | `false` | Enable Envoy active health checks |
 | osm.featureFlags.enableIngressBackendPolicy | bool | `true` | Enables OSM's IngressBackend policy API. When enabled, OSM will use the IngressBackend API allow ingress traffic to mesh backends |
+| osm.featureFlags.enableMeshRootCertificate | bool | `false` | Enable the MeshRootCertificate to configure the OSM certificate provider |
 | osm.featureFlags.enableRetryPolicy | bool | `false` | Enable Retry Policy for automatic request retries |
 | osm.featureFlags.enableSnapshotCacheMode | bool | `false` | Enables SnapshotCache feature for Envoy xDS server. |
 | osm.featureFlags.enableWASMStats | bool | `true` | Enable extra Envoy statistics generated by a custom WASM extension |
diff --git a/charts/osm/templates/osm-bootstrap-deployment.yaml b/charts/osm/templates/osm-bootstrap-deployment.yaml
@@ -61,7 +61,7 @@ spec:
             "--osm-version", "{{ .Chart.AppVersion }}",
             "--ca-bundle-secret-name", "{{.Values.osm.caBundleSecretName}}",
             "--certificate-manager", "{{.Values.osm.certificateProvider.kind}}",
-            "--enable-mesh-root-certificate={{.Values.osm.experimental.enableMeshRootCertificate}}",
+            "--enable-mesh-root-certificate={{.Values.osm.featureFlags.enableMeshRootCertificate}}",
             {{ if eq .Values.osm.certificateProvider.kind "vault" }}
             "--vault-host", "{{.Values.osm.vault.host}}",
             "--vault-port", "{{.Values.osm.vault.port}}",
diff --git a/charts/osm/templates/osm-deployment.yaml b/charts/osm/templates/osm-deployment.yaml
@@ -61,7 +61,7 @@ spec:
             "--validator-webhook-config", "{{ include "osm.validatorWebhookConfigName" . }}",
             "--ca-bundle-secret-name", "{{.Values.osm.caBundleSecretName}}",
             "--certificate-manager", "{{.Values.osm.certificateProvider.kind}}",
-            "--enable-mesh-root-certificate={{.Values.osm.experimental.enableMeshRootCertificate}}",
+            "--enable-mesh-root-certificate={{.Values.osm.featureFlags.enableMeshRootCertificate}}",
             {{ if eq .Values.osm.certificateProvider.kind "vault" }}
             "--vault-host", "{{ required "osm.vault.host is required when osm.certificateProvider.kind==vault" .Values.osm.vault.host }}",
             "--vault-port", "{{.Values.osm.vault.port}}",
diff --git a/charts/osm/templates/osm-injector-deployment.yaml b/charts/osm/templates/osm-injector-deployment.yaml
@@ -58,7 +58,7 @@ spec:
             "--webhook-timeout", "{{.Values.osm.injector.webhookTimeoutSeconds}}",
             "--ca-bundle-secret-name", "{{.Values.osm.caBundleSecretName}}",
             "--certificate-manager", "{{.Values.osm.certificateProvider.kind}}",
-            "--enable-mesh-root-certificate={{.Values.osm.experimental.enableMeshRootCertificate}}",
+            "--enable-mesh-root-certificate={{.Values.osm.featureFlags.enableMeshRootCertificate}}",
             {{ if eq .Values.osm.certificateProvider.kind "vault" }}
             "--vault-host", "{{.Values.osm.vault.host}}",
             "--vault-port", "{{.Values.osm.vault.port}}",
diff --git a/charts/osm/templates/preset-mesh-root-certificate.yaml b/charts/osm/templates/preset-mesh-root-certificate.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.osm.experimental.enableMeshRootCertificate }}
+{{- if .Values.osm.featureFlags.enableMeshRootCertificate }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
diff --git a/charts/osm/values.schema.json b/charts/osm/values.schema.json
@@ -438,24 +438,6 @@
                         "envoyproxy/envoy-windows:v1.22.1@sha256:92733f8e5beae5c45df204a0e13edbd29e99adf962d1b1c7869b197d85c64bd0"
                     ]
                 },
-                "experimental": {
-                    "$id": "#/properties/osm/properties/experimental",
-                    "type": "object",
-                    "title": "The experimental schema",
-                    "description": "Parameters that are unsupported by OSM",
-                    "additionalProperties": false,
-                    "properties": {
-                        "enableMeshRootCertificate": {
-                            "$id": "#/properties/osm/properties/experimental/properties/enableMeshRootCertificate",
-                            "type": "boolean",
-                            "title": "Enable the MeshRootCertificate",
-                            "description": "Using the MeshRootCertificate to configure the OSM certificate provider is not supported",
-                            "examples": [
-                                false
-                            ]
-                        }
-                    }
-                },
                 "trustDomain": {
                     "$id": "#/properties/osm/properties/trustDomain",
                     "type": "string",
@@ -1001,7 +983,8 @@
                         "enableIngressBackendPolicy",
                         "enableEnvoyActiveHealthChecks",
                         "enableSnapshotCacheMode",
-                        "enableRetryPolicy"
+                        "enableRetryPolicy",
+                        "enableMeshRootCertificate"
                     ],
                     "properties": {
                         "enableWASMStats": {
@@ -1066,6 +1049,15 @@
                             "examples": [
                                 true
                             ]
+                        },
+                        "enableMeshRootCertificate": {
+                            "$id": "#/properties/osm/properties/featureFlags/properties/enableMeshRootCertificate",
+                            "type": "boolean",
+                            "title": "Enable the MeshRootCertificate",
+                            "description": "Enable the MeshRootCertificate to configure the OSM certificate provider.",
+                            "examples": [
+                                false
+                            ]
                         }
                     },
                     "additionalProperties": false
diff --git a/charts/osm/values.yaml b/charts/osm/values.yaml
@@ -167,11 +167,6 @@ osm:
     # The specified tolerations allow pods to schedule onto nodes with matching taints.
     tolerations: []
 
-  # -- Experimental values. Behavior is not supported.
-  experimental:
-    # -- Enable the MeshRootCertificate to configure the OSM certificate provider.
-    enableMeshRootCertificate: false
-
   # -- The trust domain to use as part of the common name when requesting new certificates.
   trustDomain: cluster.local
 
@@ -203,7 +198,6 @@ osm:
       # -- The Kubernetes secret key with the value bring the Vault token
       key: ""
 
-
   #
   # -- cert-manager.io configuration
   certmanager:
@@ -488,6 +482,8 @@ osm:
     enableSnapshotCacheMode: false
     # -- Enable Retry Policy for automatic request retries
     enableRetryPolicy: false
+    # -- Enable the MeshRootCertificate to configure the OSM certificate provider
+    enableMeshRootCertificate: false
 
   # -- Node tolerations applied to control plane pods.
   # The specified tolerations allow pods to schedule onto nodes with matching taints.
diff --git a/pkg/certificate/fake_manager.go b/pkg/certificate/fake_manager.go
@@ -20,8 +20,8 @@ var (
 
 type fakeMRCClient struct{}
 
-func (c *fakeMRCClient) GetCertIssuerForMRC(mrc *v1alpha2.MeshRootCertificate) (Issuer, pem.RootCertificate, string, error) {
-	return &fakeIssuer{}, pem.RootCertificate("rootCA"), "fake-issuer-1", nil
+func (c *fakeMRCClient) GetCertIssuerForMRC(mrc *v1alpha2.MeshRootCertificate) (Issuer, pem.RootCertificate, error) {
+	return &fakeIssuer{}, pem.RootCertificate("rootCA"), nil
 }
 
 // List returns the single, pre-generated MRC. It is intended to implement the certificate.MRCClient interface.
diff --git a/pkg/certificate/manager.go b/pkg/certificate/manager.go
@@ -121,12 +121,12 @@ func (m *Manager) handleMRCEvent(mrcClient MRCClient, event MRCEvent) error {
 			return nil
 		}
 
-		client, ca, clientID, err := mrcClient.GetCertIssuerForMRC(mrc)
+		client, ca, err := mrcClient.GetCertIssuerForMRC(mrc)
 		if err != nil {
 			return err
 		}
 
-		c := &issuer{Issuer: client, ID: clientID, CertificateAuthority: ca}
+		c := &issuer{Issuer: client, ID: mrc.Name, CertificateAuthority: ca}
 		switch {
 		case mrc.Status.State == constants.MRCStateActive:
 			m.mu.Lock()
diff --git a/pkg/certificate/providers/config.go b/pkg/certificate/providers/config.go
@@ -103,36 +103,35 @@ func NewCertificateManagerFromMRC(ctx context.Context, kubeClient kubernetes.Int
 }
 
 // GetCertIssuerForMRC returns a certificate.Issuer generated from the provided MRC.
-func (c *MRCProviderGenerator) GetCertIssuerForMRC(mrc *v1alpha2.MeshRootCertificate) (certificate.Issuer, pem.RootCertificate, string, error) {
+func (c *MRCProviderGenerator) GetCertIssuerForMRC(mrc *v1alpha2.MeshRootCertificate) (certificate.Issuer, pem.RootCertificate, error) {
 	p := mrc.Spec.Provider
 	var issuer certificate.Issuer
-	var id string
 	var err error
 	switch {
 	case p.Tresor != nil:
-		issuer, id, err = c.getTresorOSMCertificateManager(mrc)
+		issuer, err = c.getTresorOSMCertificateManager(mrc)
 	case p.Vault != nil:
-		issuer, id, err = c.getHashiVaultOSMCertificateManager(mrc)
+		issuer, err = c.getHashiVaultOSMCertificateManager(mrc)
 	case p.CertManager != nil:
-		issuer, id, err = c.getCertManagerOSMCertificateManager(mrc)
+		issuer, err = c.getCertManagerOSMCertificateManager(mrc)
 	default:
-		return nil, nil, "", fmt.Errorf("Unknown certificate provider: %+v", p)
+		return nil, nil, fmt.Errorf("Unknown certificate provider: %+v", p)
 	}
 
 	if err != nil {
-		return nil, nil, "", err
+		return nil, nil, err
 	}
 
 	ca, err := c.caExtractorFunc(issuer)
 	if err != nil {
-		return nil, nil, "", fmt.Errorf("error generating init cert: %w", err)
+		return nil, nil, fmt.Errorf("error generating init cert: %w", err)
 	}
 
-	return issuer, ca, id, nil
+	return issuer, ca, nil
 }
 
 // getTresorOSMCertificateManager returns a certificate manager instance with Tresor as the certificate provider
-func (c *MRCProviderGenerator) getTresorOSMCertificateManager(mrc *v1alpha2.MeshRootCertificate) (certificate.Issuer, string, error) {
+func (c *MRCProviderGenerator) getTresorOSMCertificateManager(mrc *v1alpha2.MeshRootCertificate) (certificate.Issuer, error) {
 	var err error
 	var rootCert *certificate.Certificate
 
@@ -142,20 +141,20 @@ func (c *MRCProviderGenerator) getTresorOSMCertificateManager(mrc *v1alpha2.Mesh
 	// Regardless of success or failure, all instances can proceed to load the same CA.
 	rootCert, err = tresor.NewCA(constants.CertificationAuthorityCommonName, constants.CertificationAuthorityRootValidityPeriod, rootCertCountry, rootCertLocality, rootCertOrganization)
 	if err != nil {
-		return nil, "", errors.New("Failed to create new Certificate Authority with cert issuer tresor")
+		return nil, errors.New("Failed to create new Certificate Authority with cert issuer tresor")
 	}
 
 	if rootCert.GetPrivateKey() == nil {
-		return nil, "", errors.New("Root cert does not have a private key")
+		return nil, errors.New("Root cert does not have a private key")
 	}
 
 	rootCert, err = k8s.GetCertificateFromSecret(mrc.Namespace, mrc.Spec.Provider.Tresor.CA.SecretRef.Name, rootCert, c.kubeClient)
 	if err != nil {
-		return nil, "", fmt.Errorf("Failed to synchronize certificate on Secrets API : %w", err)
+		return nil, fmt.Errorf("Failed to synchronize certificate on Secrets API : %w", err)
 	}
 
 	if rootCert.GetPrivateKey() == nil {
-		return nil, "", fmt.Errorf("Root cert does not have a private key: %w", certificate.ErrInvalidCertSecret)
+		return nil, fmt.Errorf("Root cert does not have a private key: %w", certificate.ErrInvalidCertSecret)
 	}
 
 	tresorClient, err := tresor.New(
@@ -164,14 +163,14 @@ func (c *MRCProviderGenerator) getTresorOSMCertificateManager(mrc *v1alpha2.Mesh
 		c.KeyBitSize,
 	)
 	if err != nil {
-		return nil, "", fmt.Errorf("failed to instantiate Tresor as a Certificate Manager: %w", err)
+		return nil, fmt.Errorf("failed to instantiate Tresor as a Certificate Manager: %w", err)
 	}
 
-	return tresorClient, mrc.Name, nil
+	return tresorClient, nil
 }
 
 // getHashiVaultOSMCertificateManager returns a certificate manager instance with Hashi Vault as the certificate provider
-func (c *MRCProviderGenerator) getHashiVaultOSMCertificateManager(mrc *v1alpha2.MeshRootCertificate) (certificate.Issuer, string, error) {
+func (c *MRCProviderGenerator) getHashiVaultOSMCertificateManager(mrc *v1alpha2.MeshRootCertificate) (certificate.Issuer, error) {
 	provider := mrc.Spec.Provider.Vault
 
 	// A Vault address would have the following shape: "http://vault.default.svc.cluster.local:8200"
@@ -184,7 +183,7 @@ func (c *MRCProviderGenerator) getHashiVaultOSMCertificateManager(mrc *v1alpha2.
 		log.Debug().Msgf("Attempting to get Vault token from secret %s", provider.Token.SecretKeyRef.Name)
 		vaultToken, err = getHashiVaultOSMToken(&provider.Token.SecretKeyRef, c.kubeClient)
 		if err != nil {
-			return nil, "", err
+			return nil, err
 		}
 	}
 
@@ -194,10 +193,10 @@ func (c *MRCProviderGenerator) getHashiVaultOSMCertificateManager(mrc *v1alpha2.
 		provider.Role,
 	)
 	if err != nil {
-		return nil, "", fmt.Errorf("error instantiating Hashicorp Vault as a Certificate Manager: %w", err)
+		return nil, fmt.Errorf("error instantiating Hashicorp Vault as a Certificate Manager: %w", err)
 	}
 
-	return vaultClient, mrc.Name, nil
+	return vaultClient, nil
 }
 
 // getHashiVaultOSMToken returns the Hashi Vault token from the secret specified in the provided secret key reference
@@ -216,11 +215,11 @@ func getHashiVaultOSMToken(secretKeyRef *v1alpha2.SecretKeyReferenceSpec, kubeCl
 }
 
 // getCertManagerOSMCertificateManager returns a certificate manager instance with cert-manager as the certificate provider
-func (c *MRCProviderGenerator) getCertManagerOSMCertificateManager(mrc *v1alpha2.MeshRootCertificate) (certificate.Issuer, string, error) {
+func (c *MRCProviderGenerator) getCertManagerOSMCertificateManager(mrc *v1alpha2.MeshRootCertificate) (certificate.Issuer, error) {
 	provider := mrc.Spec.Provider.CertManager
 	client, err := cmversionedclient.NewForConfig(c.kubeConfig)
 	if err != nil {
-		return nil, "", fmt.Errorf("Failed to build cert-manager client set: %s", err)
+		return nil, fmt.Errorf("Failed to build cert-manager client set: %s", err)
 	}
 
 	cmClient, err := certmanager.New(
@@ -234,8 +233,8 @@ func (c *MRCProviderGenerator) getCertManagerOSMCertificateManager(mrc *v1alpha2
 		c.KeyBitSize,
 	)
 	if err != nil {
-		return nil, "", fmt.Errorf("error instantiating Jetstack cert-manager client: %w", err)
+		return nil, fmt.Errorf("error instantiating Jetstack cert-manager client: %w", err)
 	}
 
-	return cmClient, mrc.Name, nil
+	return cmClient, nil
 }
diff --git a/pkg/certificate/providers/tresor/fake/fake.go b/pkg/certificate/providers/tresor/fake/fake.go
@@ -22,15 +22,15 @@ const (
 
 type fakeMRCClient struct{}
 
-func (c *fakeMRCClient) GetCertIssuerForMRC(mrc *v1alpha2.MeshRootCertificate) (certificate.Issuer, pem.RootCertificate, string, error) {
+func (c *fakeMRCClient) GetCertIssuerForMRC(mrc *v1alpha2.MeshRootCertificate) (certificate.Issuer, pem.RootCertificate, error) {
 	rootCertCountry := "US"
 	rootCertLocality := "CA"
 	ca, err := tresor.NewCA("Fake Tresor CN", 1*time.Hour, rootCertCountry, rootCertLocality, rootCertOrganization)
 	if err != nil {
-		return nil, nil, "", err
+		return nil, nil, err
 	}
 	issuer, err := tresor.New(ca, rootCertOrganization, 2048)
-	return issuer, pem.RootCertificate("rootCA"), "issuer-1", err
+	return issuer, pem.RootCertificate("rootCA"), err
 }
 
 // List returns the single, pre-generated MRC. It is intended to implement the certificate.MRCClient interface.
diff --git a/pkg/certificate/types.go b/pkg/certificate/types.go
@@ -123,7 +123,7 @@ type MRCClient interface {
 	MRCEventBroker
 
 	// GetCertIssuerForMRC returns an Issuer based on the provided MRC.
-	GetCertIssuerForMRC(mrc *v1alpha2.MeshRootCertificate) (Issuer, pem.RootCertificate, string, error)
+	GetCertIssuerForMRC(mrc *v1alpha2.MeshRootCertificate) (Issuer, pem.RootCertificate, error)
 }
 
 // MRCEventType is a type alias for a string describing the type of MRC event

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-{{- if .Values.osm.experimental.enableMeshRootCertificate }}`
	`1`	`+{{- if .Values.osm.featureFlags.enableMeshRootCertificate }}`
`2`	`2`	`apiVersion: v1`
`3`	`3`	`kind: ConfigMap`
`4`	`4`	`metadata:`
Original file line number	Diff line number	Diff line change
`@@ -20,8 +20,8 @@ var (`
`20`	`20`
`21`	`21`	`type fakeMRCClient struct{}`
`22`	`22`
`23`		`-func (c fakeMRCClient) GetCertIssuerForMRC(mrc v1alpha2.MeshRootCertificate) (Issuer, pem.RootCertificate, string, error) {`
`24`		`- return &fakeIssuer{}, pem.RootCertificate("rootCA"), "fake-issuer-1", nil`
	`23`	`+func (c fakeMRCClient) GetCertIssuerForMRC(mrc v1alpha2.MeshRootCertificate) (Issuer, pem.RootCertificate, error) {`
	`24`	`+ return &fakeIssuer{}, pem.RootCertificate("rootCA"), nil`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`// List returns the single, pre-generated MRC. It is intended to implement the certificate.MRCClient interface.`
Original file line number	Diff line number	Diff line change
`@@ -121,12 +121,12 @@ func (m *Manager) handleMRCEvent(mrcClient MRCClient, event MRCEvent) error {`
`121`	`121`	`return nil`
`122`	`122`	`}`
`123`	`123`
`124`		`- client, ca, clientID, err := mrcClient.GetCertIssuerForMRC(mrc)`
	`124`	`+ client, ca, err := mrcClient.GetCertIssuerForMRC(mrc)`
`125`	`125`	`if err != nil {`
`126`	`126`	`return err`
`127`	`127`	`}`
`128`	`128`
`129`		`- c := &issuer{Issuer: client, ID: clientID, CertificateAuthority: ca}`
	`129`	`+ c := &issuer{Issuer: client, ID: mrc.Name, CertificateAuthority: ca}`
`130`	`130`	`switch {`
`131`	`131`	`case mrc.Status.State == constants.MRCStateActive:`
`132`	`132`	`m.mu.Lock()`
Original file line number	Diff line number	Diff line change
`@@ -103,36 +103,35 @@ func NewCertificateManagerFromMRC(ctx context.Context, kubeClient kubernetes.Int`
`103`	`103`	`}`
`104`	`104`
`105`	`105`	`// GetCertIssuerForMRC returns a certificate.Issuer generated from the provided MRC.`
`106`		`-func (c MRCProviderGenerator) GetCertIssuerForMRC(mrc v1alpha2.MeshRootCertificate) (certificate.Issuer, pem.RootCertificate, string, error) {`
	`106`	`+func (c MRCProviderGenerator) GetCertIssuerForMRC(mrc v1alpha2.MeshRootCertificate) (certificate.Issuer, pem.RootCertificate, error) {`
`107`	`107`	`p := mrc.Spec.Provider`
`108`	`108`	`var issuer certificate.Issuer`
`109`		`- var id string`
`110`	`109`	`var err error`
`111`	`110`	`switch {`
`112`	`111`	`case p.Tresor != nil:`
`113`		`- issuer, id, err = c.getTresorOSMCertificateManager(mrc)`
	`112`	`+ issuer, err = c.getTresorOSMCertificateManager(mrc)`
`114`	`113`	`case p.Vault != nil:`
`115`		`- issuer, id, err = c.getHashiVaultOSMCertificateManager(mrc)`
	`114`	`+ issuer, err = c.getHashiVaultOSMCertificateManager(mrc)`
`116`	`115`	`case p.CertManager != nil:`
`117`		`- issuer, id, err = c.getCertManagerOSMCertificateManager(mrc)`
	`116`	`+ issuer, err = c.getCertManagerOSMCertificateManager(mrc)`
`118`	`117`	`default:`
`119`		`- return nil, nil, "", fmt.Errorf("Unknown certificate provider: %+v", p)`
	`118`	`+ return nil, nil, fmt.Errorf("Unknown certificate provider: %+v", p)`
`120`	`119`	`}`
`121`	`120`
`122`	`121`	`if err != nil {`
`123`		`- return nil, nil, "", err`
	`122`	`+ return nil, nil, err`
`124`	`123`	`}`
`125`	`124`
`126`	`125`	`ca, err := c.caExtractorFunc(issuer)`
`127`	`126`	`if err != nil {`
`128`		`- return nil, nil, "", fmt.Errorf("error generating init cert: %w", err)`
	`127`	`+ return nil, nil, fmt.Errorf("error generating init cert: %w", err)`
`129`	`128`	`}`
`130`	`129`
`131`		`- return issuer, ca, id, nil`
	`130`	`+ return issuer, ca, nil`
`132`	`131`	`}`
`133`	`132`
`134`	`133`	`// getTresorOSMCertificateManager returns a certificate manager instance with Tresor as the certificate provider`
`135`		`-func (c MRCProviderGenerator) getTresorOSMCertificateManager(mrc v1alpha2.MeshRootCertificate) (certificate.Issuer, string, error) {`
	`134`	`+func (c MRCProviderGenerator) getTresorOSMCertificateManager(mrc v1alpha2.MeshRootCertificate) (certificate.Issuer, error) {`
`136`	`135`	`var err error`
`137`	`136`	`var rootCert *certificate.Certificate`
`138`	`137`
`@@ -142,20 +141,20 @@ func (c MRCProviderGenerator) getTresorOSMCertificateManager(mrc v1alpha2.Mesh`
`142`	`141`	`// Regardless of success or failure, all instances can proceed to load the same CA.`
`143`	`142`	`rootCert, err = tresor.NewCA(constants.CertificationAuthorityCommonName, constants.CertificationAuthorityRootValidityPeriod, rootCertCountry, rootCertLocality, rootCertOrganization)`
`144`	`143`	`if err != nil {`
`145`		`- return nil, "", errors.New("Failed to create new Certificate Authority with cert issuer tresor")`
	`144`	`+ return nil, errors.New("Failed to create new Certificate Authority with cert issuer tresor")`
`146`	`145`	`}`
`147`	`146`
`148`	`147`	`if rootCert.GetPrivateKey() == nil {`
`149`		`- return nil, "", errors.New("Root cert does not have a private key")`
	`148`	`+ return nil, errors.New("Root cert does not have a private key")`
`150`	`149`	`}`
`151`	`150`
`152`	`151`	`rootCert, err = k8s.GetCertificateFromSecret(mrc.Namespace, mrc.Spec.Provider.Tresor.CA.SecretRef.Name, rootCert, c.kubeClient)`
`153`	`152`	`if err != nil {`
`154`		`- return nil, "", fmt.Errorf("Failed to synchronize certificate on Secrets API : %w", err)`
	`153`	`+ return nil, fmt.Errorf("Failed to synchronize certificate on Secrets API : %w", err)`
`155`	`154`	`}`
`156`	`155`
`157`	`156`	`if rootCert.GetPrivateKey() == nil {`
`158`		`- return nil, "", fmt.Errorf("Root cert does not have a private key: %w", certificate.ErrInvalidCertSecret)`
	`157`	`+ return nil, fmt.Errorf("Root cert does not have a private key: %w", certificate.ErrInvalidCertSecret)`
`159`	`158`	`}`
`160`	`159`
`161`	`160`	`tresorClient, err := tresor.New(`
`@@ -164,14 +163,14 @@ func (c MRCProviderGenerator) getTresorOSMCertificateManager(mrc v1alpha2.Mesh`
`164`	`163`	`c.KeyBitSize,`
`165`	`164`	`)`
`166`	`165`	`if err != nil {`
`167`		`- return nil, "", fmt.Errorf("failed to instantiate Tresor as a Certificate Manager: %w", err)`
	`166`	`+ return nil, fmt.Errorf("failed to instantiate Tresor as a Certificate Manager: %w", err)`
`168`	`167`	`}`
`169`	`168`
`170`		`- return tresorClient, mrc.Name, nil`
	`169`	`+ return tresorClient, nil`
`171`	`170`	`}`
`172`	`171`
`173`	`172`	`// getHashiVaultOSMCertificateManager returns a certificate manager instance with Hashi Vault as the certificate provider`
`174`		`-func (c MRCProviderGenerator) getHashiVaultOSMCertificateManager(mrc v1alpha2.MeshRootCertificate) (certificate.Issuer, string, error) {`
	`173`	`+func (c MRCProviderGenerator) getHashiVaultOSMCertificateManager(mrc v1alpha2.MeshRootCertificate) (certificate.Issuer, error) {`
`175`	`174`	`provider := mrc.Spec.Provider.Vault`
`176`	`175`
`177`	`176`	`// A Vault address would have the following shape: "http://vault.default.svc.cluster.local:8200"`
`@@ -184,7 +183,7 @@ func (c MRCProviderGenerator) getHashiVaultOSMCertificateManager(mrc v1alpha2.`
`184`	`183`	`log.Debug().Msgf("Attempting to get Vault token from secret %s", provider.Token.SecretKeyRef.Name)`
`185`	`184`	`vaultToken, err = getHashiVaultOSMToken(&provider.Token.SecretKeyRef, c.kubeClient)`
`186`	`185`	`if err != nil {`
`187`		`- return nil, "", err`
	`186`	`+ return nil, err`
`188`	`187`	`}`
`189`	`188`	`}`
`190`	`189`
`@@ -194,10 +193,10 @@ func (c MRCProviderGenerator) getHashiVaultOSMCertificateManager(mrc v1alpha2.`
`194`	`193`	`provider.Role,`
`195`	`194`	`)`
`196`	`195`	`if err != nil {`
`197`		`- return nil, "", fmt.Errorf("error instantiating Hashicorp Vault as a Certificate Manager: %w", err)`
	`196`	`+ return nil, fmt.Errorf("error instantiating Hashicorp Vault as a Certificate Manager: %w", err)`
`198`	`197`	`}`
`199`	`198`
`200`		`- return vaultClient, mrc.Name, nil`
	`199`	`+ return vaultClient, nil`
`201`	`200`	`}`
`202`	`201`
`203`	`202`	`// getHashiVaultOSMToken returns the Hashi Vault token from the secret specified in the provided secret key reference`
`@@ -216,11 +215,11 @@ func getHashiVaultOSMToken(secretKeyRef *v1alpha2.SecretKeyReferenceSpec, kubeCl`
`216`	`215`	`}`
`217`	`216`
`218`	`217`	`// getCertManagerOSMCertificateManager returns a certificate manager instance with cert-manager as the certificate provider`
`219`		`-func (c MRCProviderGenerator) getCertManagerOSMCertificateManager(mrc v1alpha2.MeshRootCertificate) (certificate.Issuer, string, error) {`
	`218`	`+func (c MRCProviderGenerator) getCertManagerOSMCertificateManager(mrc v1alpha2.MeshRootCertificate) (certificate.Issuer, error) {`
`220`	`219`	`provider := mrc.Spec.Provider.CertManager`
`221`	`220`	`client, err := cmversionedclient.NewForConfig(c.kubeConfig)`
`222`	`221`	`if err != nil {`
`223`		`- return nil, "", fmt.Errorf("Failed to build cert-manager client set: %s", err)`
	`222`	`+ return nil, fmt.Errorf("Failed to build cert-manager client set: %s", err)`
`224`	`223`	`}`
`225`	`224`
`226`	`225`	`cmClient, err := certmanager.New(`
`@@ -234,8 +233,8 @@ func (c MRCProviderGenerator) getCertManagerOSMCertificateManager(mrc v1alpha2`
`234`	`233`	`c.KeyBitSize,`
`235`	`234`	`)`
`236`	`235`	`if err != nil {`
`237`		`- return nil, "", fmt.Errorf("error instantiating Jetstack cert-manager client: %w", err)`
	`236`	`+ return nil, fmt.Errorf("error instantiating Jetstack cert-manager client: %w", err)`
`238`	`237`	`}`
`239`	`238`
`240`		`- return cmClient, mrc.Name, nil`
	`239`	`+ return cmClient, nil`
`241`	`240`	`}`
Original file line number	Diff line number	Diff line change
`@@ -123,7 +123,7 @@ type MRCClient interface {`
`123`	`123`	`MRCEventBroker`
`124`	`124`
`125`	`125`	`// GetCertIssuerForMRC returns an Issuer based on the provided MRC.`
`126`		`- GetCertIssuerForMRC(mrc *v1alpha2.MeshRootCertificate) (Issuer, pem.RootCertificate, string, error)`
	`126`	`+ GetCertIssuerForMRC(mrc *v1alpha2.MeshRootCertificate) (Issuer, pem.RootCertificate, error)`
`127`	`127`	`}`
`128`	`128`
`129`	`129`	`// MRCEventType is a type alias for a string describing the type of MRC event`