Add NewCertificateManagerFromMRC instead of modifying options

Signed-off-by: jaellio <[email protected]>

Author: jaellio

charts/osm/README.md

@@ -88,7 +88,6 @@ The following table lists the configurable parameters of the osm chart and their
 | osm.enableDebugServer | bool | `false` | Enable the debug HTTP server on OSM controller |
 | osm.enableEgress | bool | `true` | Enable egress in the mesh |
 | osm.enableFluentbit | bool | `false` | Enable Fluent Bit sidecar deployment on OSM controller's pod |
-| osm.enableMeshRootCertificate | bool | `false` | Enable the unsupported MeshRootCertificate. Support and functionality are not guaranteed. |
 | osm.enablePermissiveTrafficPolicy | bool | `true` | Enable permissive traffic policy mode |
 | osm.enablePrivilegedInitContainer | bool | `false` | Run init container in privileged mode |
 | osm.enableReconciler | bool | `false` | Enable reconciler for OSM's CRDs and mutating webhook |
@@ -266,6 +265,8 @@ The following table lists the configurable parameters of the osm chart and their
 | osm.tracing.port | int | `9411` | Port of the tracing collector service |
 | osm.tracing.tolerations | list | `[]` | Node tolerations applied to control plane pods. The specified tolerations allow pods to schedule onto nodes with matching taints. |
 | osm.trustDomain | string | `"cluster.local"` | The trust domain to use as part of the common name when requesting new certificates. |
+| osm.unsafe | object | `{"enableMeshRootCertificate":false}` | Unsafe values. Behavior is not supported. |
+| osm.unsafe.enableMeshRootCertificate | bool | `false` | Enable the MeshRootCertificate to configure the OSM certificate provider. |
 | osm.validatorWebhook.webhookConfigurationName | string | `""` | Name of the ValidatingWebhookConfiguration |
 | osm.vault.host | string | `""` | Hashicorp Vault host/service - where Vault is installed |
 | osm.vault.port | int | `8200` | port to use to connect to Vault |

charts/osm/templates/osm-bootstrap-deployment.yaml

@@ -61,7 +61,7 @@ spec:
             "--osm-version", "{{ .Chart.AppVersion }}",
             "--ca-bundle-secret-name", "{{.Values.osm.caBundleSecretName}}",
             "--certificate-manager", "{{.Values.osm.certificateProvider.kind}}",
-            "--enable-mesh-root-certificate", "{{.Values.osm.enableMeshRootCertificate}}",
+            "--enable-mesh-root-certificate", "{{.Values.osm.unsafe.enableMeshRootCertificate}}",
             {{ if eq .Values.osm.certificateProvider.kind "vault" }}
             "--vault-host", "{{.Values.osm.vault.host}}",
             "--vault-port", "{{.Values.osm.vault.port}}",

charts/osm/templates/osm-deployment.yaml

@@ -61,7 +61,7 @@ spec:
             "--validator-webhook-config", "{{ include "osm.validatorWebhookConfigName" . }}",
             "--ca-bundle-secret-name", "{{.Values.osm.caBundleSecretName}}",
             "--certificate-manager", "{{.Values.osm.certificateProvider.kind}}",
-            "--enable-mesh-root-certificate", "{{.Values.osm.enableMeshRootCertificate}}",
+            "--enable-mesh-root-certificate", "{{.Values.osm.unsafe.enableMeshRootCertificate}}",
             {{ if eq .Values.osm.certificateProvider.kind "vault" }}
             "--vault-host", "{{ required "osm.vault.host is required when osm.certificateProvider.kind==vault" .Values.osm.vault.host }}",
             "--vault-port", "{{.Values.osm.vault.port}}",

charts/osm/templates/osm-injector-deployment.yaml

@@ -58,7 +58,7 @@ spec:
             "--webhook-timeout", "{{.Values.osm.injector.webhookTimeoutSeconds}}",
             "--ca-bundle-secret-name", "{{.Values.osm.caBundleSecretName}}",
             "--certificate-manager", "{{.Values.osm.certificateProvider.kind}}",
-            "--enable-mesh-root-certificate", "{{.Values.osm.enableMeshRootCertificate}}",
+            "--enable-mesh-root-certificate", "{{.Values.osm.unsafe.enableMeshRootCertificate}}",
             {{ if eq .Values.osm.certificateProvider.kind "vault" }}
             "--vault-host", "{{.Values.osm.vault.host}}",
             "--vault-port", "{{.Values.osm.vault.port}}",

charts/osm/templates/preset-mesh-config.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.osm.enableMeshRootCertificate }}
+{{- if .Values.osm.unsafe.enableMeshRootCertificate }}
 apiVersion: v1
 kind: ConfigMap
 metadata:

charts/osm/values.schema.json

@@ -438,11 +438,20 @@
                         "envoyproxy/envoy-windows:v1.22.1@sha256:92733f8e5beae5c45df204a0e13edbd29e99adf962d1b1c7869b197d85c64bd0"
                     ]
                 },
-                "enableMeshRootCertificate": {
-                    "$id": "#/properties/osm/properties/enableMeshRootCertificate",
-                    "type": "boolean",
-                    "title": "Enable the unsupported MeshRootCertificate",
-                    "description": "Using the MeshRootCertificate to configure the OSM certificate provider is not supported on "
+                "unsafe": {
+                    "$id": "#/properties/osm/properties/unsafe",
+                    "type": "object",
+                    "title": "The unsafe schema",
+                    "description": "Parameters that are unsupported by OSM",
+                    "additionalProperties": false,
+                    "properties": {
+                        "enableMeshRootCertificate": {
+                            "$id": "#/properties/osm/properties/enableMeshRootCertificate",
+                            "type": "boolean",
+                            "title": "Enable the MeshRootCertificate",
+                            "description": "Using the MeshRootCertificate to configure the OSM certificate provider is not supported on "
+                        }
+                    }
                 },
                 "trustDomain": {
                     "$id": "#/properties/osm/properties/trustDomain",

charts/osm/values.yaml

@@ -167,8 +167,10 @@ osm:
     # The specified tolerations allow pods to schedule onto nodes with matching taints.
     tolerations: []
 
-  # -- Enable the unsupported MeshRootCertificate. Support and functionality are not guaranteed.
-  enableMeshRootCertificate: false
+  # -- Unsafe values. Behavior is not supported.
+  unsafe:
+    # -- Enable the MeshRootCertificate to configure the OSM certificate provider.
+    enableMeshRootCertificate: false
 
   # -- The trust domain to use as part of the common name when requesting new certificates.
   trustDomain: cluster.local
@@ -551,7 +553,7 @@ osm:
 
   #
   # -- OSM's preinstall hook parameters
-  
+
   preinstall:
     ## Affinity settings for pod assignment
     ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
@@ -584,7 +586,7 @@ osm:
 
     ## Affinity settings for pod assignment
     ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
-    affinity: 
+    affinity:
       nodeAffinity:
         requiredDuringSchedulingIgnoredDuringExecution:
           nodeSelectorTerms:

cmd/cli/install_test.go

@@ -290,14 +290,6 @@ var _ = Describe("Running the install command", func() {
 			err := installCmd.run(config)
 			Expect(err.Error()).To(ContainSubstring("osm.vault.host is required"))
 		})
-
-		It("should error when token isn't set", func() {
-			installCmd.setOptions = append(installCmd.setOptions,
-				"osm.vault.host=my-host",
-			)
-			err := installCmd.run(config)
-			Expect(err.Error()).To(ContainSubstring("osm.vault.token is required"))
-		})
 	})
 
 	Describe("with the cert-manager certificate manager", func() {

cmd/osm-bootstrap/osm-bootstrap.go

@@ -28,6 +28,7 @@ import (
 	"k8s.io/kubectl/pkg/util"
 
 	configv1alpha2 "github.com/openservicemesh/osm/pkg/apis/config/v1alpha2"
+	"github.com/openservicemesh/osm/pkg/certificate"
 	configClientset "github.com/openservicemesh/osm/pkg/gen/client/config/clientset/versioned"
 	"github.com/openservicemesh/osm/pkg/health"
 
@@ -120,19 +121,16 @@ func init() {
 }
 
 // TODO(#4502): This function can be deleted once we get rid of cert options.
-func getCertOptions() (*providers.CertProviderOptions, error) {
-	certOptions := &providers.CertProviderOptions{UseMeshRootCertificate: enableMeshRootCertificate}
+func getCertOptions() (providers.Options, error) {
 	switch providers.Kind(certProviderKind) {
 	case providers.TresorKind:
 		tresorOptions.SecretName = caBundleSecretName
-		certOptions.Option = tresorOptions
-		return certOptions, nil
+		return tresorOptions, nil
 	case providers.VaultKind:
-		certOptions.Option = vaultOptions
-		return certOptions, nil
+		vaultOptions.VaultTokenSecretNamespace = osmNamespace
+		return vaultOptions, nil
 	case providers.CertManagerKind:
-		certOptions.Option = certManagerOptions
-		return certOptions, nil
+		return certManagerOptions, nil
 	}
 	return nil, fmt.Errorf("unknown certificate provider kind: %s", certProviderKind)
 }
@@ -224,10 +222,19 @@ func main() {
 		log.Fatal().Err(err).Msg("Error getting certificate options")
 	}
 
-	certManager, err := providers.NewCertificateManager(ctx, kubeClient, kubeConfig, cfg, osmNamespace, certOpts, msgBroker, informerCollection, 5*time.Second)
-	if err != nil {
-		events.GenericEventRecorder().FatalEvent(err, events.InvalidCertificateManager,
-			"Error initializing certificate manager of kind %s", certProviderKind)
+	var certManager *certificate.Manager
+	if enableMeshRootCertificate {
+		certManager, err = providers.NewCertificateManagerFromMRC(ctx, kubeClient, kubeConfig, cfg, osmNamespace, certOpts, msgBroker, informerCollection, 5*time.Second)
+		if err != nil {
+			events.GenericEventRecorder().FatalEvent(err, events.InvalidCertificateManager,
+				"Error initializing certificate manager of kind %s from MRC", certProviderKind)
+		}
+	} else {
+		certManager, err = providers.NewCertificateManager(ctx, kubeClient, kubeConfig, cfg, osmNamespace, certOpts, msgBroker, informerCollection, 5*time.Second)
+		if err != nil {
+			events.GenericEventRecorder().FatalEvent(err, events.InvalidCertificateManager,
+				"Error initializing certificate manager of kind %s", certProviderKind)
+		}
 	}
 
 	// Initialize the crd conversion webhook server to support the conversion of OSM's CRDs

cmd/osm-controller/osm-controller.go

@@ -129,19 +129,16 @@ func init() {
 }
 
 // TODO(#4502): This function can be deleted once we get rid of cert options.
-func getCertOptions() (*providers.CertProviderOptions, error) {
-	certOptions := &providers.CertProviderOptions{UseMeshRootCertificate: enableMeshRootCertificate}
+func getCertOptions() (providers.Options, error) {
 	switch providers.Kind(certProviderKind) {
 	case providers.TresorKind:
 		tresorOptions.SecretName = caBundleSecretName
-		certOptions.Option = tresorOptions
-		return certOptions, nil
+		return tresorOptions, nil
 	case providers.VaultKind:
-		certOptions.Option = vaultOptions
-		return certOptions, nil
+		vaultOptions.VaultTokenSecretNamespace = osmNamespace
+		return vaultOptions, nil
 	case providers.CertManagerKind:
-		certOptions.Option = certManagerOptions
-		return certOptions, nil
+		return certManagerOptions, nil
 	}
 	return nil, fmt.Errorf("unknown certificate provider kind: %s", certProviderKind)
 }
@@ -215,12 +212,21 @@ func main() {
 	}
 
 	// Intitialize certificate manager/provider
-	certManager, err := providers.NewCertificateManager(ctx, kubeClient, kubeConfig, cfg, osmNamespace,
-		certOpts, msgBroker, informerCollection, 5*time.Second)
-
-	if err != nil {
-		events.GenericEventRecorder().FatalEvent(err, events.InvalidCertificateManager,
-			"Error fetching certificate manager of kind %s", certProviderKind)
+	var certManager *certificate.Manager
+	if enableMeshRootCertificate {
+		certManager, err = providers.NewCertificateManagerFromMRC(ctx, kubeClient, kubeConfig, cfg, osmNamespace,
+			certOpts, msgBroker, informerCollection, 5*time.Second)
+		if err != nil {
+			events.GenericEventRecorder().FatalEvent(err, events.InvalidCertificateManager,
+				"Error fetching certificate manager of kind %s from MRC", certProviderKind)
+		}
+	} else {
+		certManager, err = providers.NewCertificateManager(ctx, kubeClient, kubeConfig, cfg, osmNamespace,
+			certOpts, msgBroker, informerCollection, 5*time.Second)
+		if err != nil {
+			events.GenericEventRecorder().FatalEvent(err, events.InvalidCertificateManager,
+				"Error fetching certificate manager of kind %s", certProviderKind)
+		}
 	}
 
 	kubeProvider := kube.NewClient(k8sClient, cfg)

cmd/osm-injector/osm-injector.go

@@ -25,6 +25,7 @@ import (
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	"k8s.io/client-go/tools/clientcmd"
 
+	"github.com/openservicemesh/osm/pkg/certificate"
 	configClientset "github.com/openservicemesh/osm/pkg/gen/client/config/clientset/versioned"
 	policyClientset "github.com/openservicemesh/osm/pkg/gen/client/policy/clientset/versioned"
 	"github.com/openservicemesh/osm/pkg/health"
@@ -115,19 +116,16 @@ func init() {
 }
 
 // TODO(#4502): This function can be deleted once we get rid of cert options.
-func getCertOptions() (*providers.CertProviderOptions, error) {
-	certOptions := &providers.CertProviderOptions{UseMeshRootCertificate: enableMeshRootCertificate}
+func getCertOptions() (providers.Options, error) {
 	switch providers.Kind(certProviderKind) {
 	case providers.TresorKind:
 		tresorOptions.SecretName = caBundleSecretName
-		certOptions.Option = tresorOptions
-		return certOptions, nil
+		return tresorOptions, nil
 	case providers.VaultKind:
-		certOptions.Option = vaultOptions
-		return certOptions, nil
+		vaultOptions.VaultTokenSecretNamespace = osmNamespace
+		return vaultOptions, nil
 	case providers.CertManagerKind:
-		certOptions.Option = certManagerOptions
-		return certOptions, nil
+		return certManagerOptions, nil
 	}
 	return nil, fmt.Errorf("unknown certificate provider kind: %s", certProviderKind)
 }
@@ -208,11 +206,21 @@ func main() {
 		log.Fatal().Err(err).Msg("Error getting certificate options")
 	}
 	// Intitialize certificate manager/provider
-	certManager, err := providers.NewCertificateManager(ctx, kubeClient, kubeConfig, cfg, osmNamespace,
-		certOpts, msgBroker, informerCollection, 5*time.Second)
-	if err != nil {
-		events.GenericEventRecorder().FatalEvent(err, events.InvalidCertificateManager,
-			"Error initializing certificate manager of kind %s", certProviderKind)
+	var certManager *certificate.Manager
+	if enableMeshRootCertificate {
+		certManager, err = providers.NewCertificateManagerFromMRC(ctx, kubeClient, kubeConfig, cfg, osmNamespace,
+			certOpts, msgBroker, informerCollection, 5*time.Second)
+		if err != nil {
+			events.GenericEventRecorder().FatalEvent(err, events.InvalidCertificateManager,
+				"Error initializing certificate manager of kind %s from MRC", certProviderKind)
+		}
+	} else {
+		certManager, err = providers.NewCertificateManager(ctx, kubeClient, kubeConfig, cfg, osmNamespace,
+			certOpts, msgBroker, informerCollection, 5*time.Second)
+		if err != nil {
+			events.GenericEventRecorder().FatalEvent(err, events.InvalidCertificateManager,
+				"Error initializing certificate manager of kind %s", certProviderKind)
+		}
 	}
 
 	// Initialize the sidecar injector webhook