feat(certs): add trust domain to mesh root certificate (#4767)

Adds the trust domain to the mesh root certificate CRD

Signed-off-by: Sean Teeling <[email protected]>

Author: steeling

charts/osm/README.md

@@ -173,6 +173,7 @@ The following table lists the configurable parameters of the osm chart and their
 | osm.tracing.endpoint | string | `"/api/v2/spans"` | Tracing collector's API path where the spans will be sent to |
 | osm.tracing.image | string | `"jaegertracing/all-in-one"` | Image used for tracing |
 | osm.tracing.port | int | `9411` | Port of the tracing collector service |
+| osm.trustDomain | string | `"cluster.local"` | The trust domain to use as part of the common name when requesting new certificates. |
 | osm.validatorWebhook.webhookConfigurationName | string | `""` | Name of the ValidatingWebhookConfiguration |
 | osm.vault.host | string | `""` | Hashicorp Vault host/service - where Vault is installed |
 | osm.vault.port | int | `8200` | port to use to connect to Vault |

charts/osm/templates/preset-mesh-root-certificate.yaml

@@ -6,6 +6,7 @@ metadata:
 data:
   preset-mesh-root-certificate.json: |
     {
+      "trustDomain": {{.Values.osm.trustDomain | mustToJson}},
       "provider": {
         {{- if eq (.Values.osm.certificateProvider.kind | lower) "tresor"}}
         "tresor": {

charts/osm/values.schema.json

@@ -432,6 +432,16 @@
                         "envoyproxy/envoy-windows:v1.19.3@sha256:f990f024e7e95f07b6c0d416684734607761e382c35d1ba9414c7e3fbf23969c"
                     ]
                 },
+                "trustDomain": {
+                    "$id": "#/properties/osm/properties/trustDomain",
+                    "type": "string",
+                    "title": "The certificate issuance Trust Domain",
+                    "description": "The trust domain to use as part of the common name when requesting new certificates.",
+                    "examples": [
+                        "cluster.local",
+                        "example.com"
+                    ]
+                },
                 "certificateProvider": {
                     "$id": "#/properties/osm/properties/certificateProvider",
                     "type": "object",

charts/osm/values.yaml

@@ -108,6 +108,9 @@ osm:
     # -- Image used for Prometheus
     image: prom/prometheus:v2.34.0
 
+  # -- The trust domain to use as part of the common name when requesting new certificates.
+  trustDomain: cluster.local
+
   certificateProvider:
     # -- The Certificate manager type: `tresor`, `vault` or `cert-manager`
     kind: tresor

cmd/osm-bootstrap/crds/config_mesh_root_certificate.yaml

@@ -19,7 +19,7 @@ kind: CustomResourceDefinition
 metadata:
   name: meshrootcertificates.config.openservicemesh.io
   labels:
-    app.kubernetes.io/name : "openservicemesh.io"
+    app.kubernetes.io/name: "openservicemesh.io"
 spec:
   group: config.openservicemesh.io
   scope: Namespaced
@@ -35,14 +35,14 @@ spec:
       served: true
       storage: true
       additionalPrinterColumns:
-      - description: Current state of the MeshRootCertificate config
-        jsonPath: .status.currentState
-        name: State
-        type: string
-      - description: Current rotationStage of the MeshRootCertificate config
-        jsonPath: .status.currentRotationStage
-        name: RotationStage
-        type: string
+        - description: Current state of the MeshRootCertificate config
+          jsonPath: .status.currentState
+          name: State
+          type: string
+        - description: Current rotationStage of the MeshRootCertificate config
+          jsonPath: .status.currentRotationStage
+          name: RotationStage
+          type: string
       schema:
         openAPIV3Schema:
           type: object
@@ -52,6 +52,10 @@ spec:
               required:
                 - provider
               properties:
+                trustDomain:
+                  description: Trust Domain to use in common name for certificates, e.g. "example.com"
+                  type: string
+                  default: cluster.local
                 provider:
                   description: Certificate provider used by the mesh control plane
                   type: object
@@ -149,9 +153,9 @@ spec:
                                   description: Namespace of the kubernetes secret
                                   type: string
                   oneOf:
-                    - required: ['certManager']
-                    - required: ['vault']
-                    - required: ['tresor']
+                    - required: ["certManager"]
+                    - required: ["vault"]
+                    - required: ["tresor"]
             status:
               type: object
               x-kubernetes-preserve-unknown-fields: true

pkg/apis/config/v1alpha2/meshrootcertificate.go

@@ -30,6 +30,9 @@ type MeshRootCertificate struct {
 type MeshRootCertificateSpec struct {
 	// Provider specifies the mesh certificate provider
 	Provider ProviderSpec `json:"provider"`
+
+	// TrustDomain is the trust domain to use as a suffix in Common Names for new certificates.
+	TrustDomain string `json:"trustDomain"`
 }
 
 // ProviderSpec defines the certificate provider used by the mesh control plane