add trust domain to mesh root certificate

charts/osm/README.md

@@ -173,6 +173,7 @@ The following table lists the configurable parameters of the osm chart and their
 | osm.tracing.endpoint | string | `"/api/v2/spans"` | Tracing collector's API path where the spans will be sent to |
 | osm.tracing.image | string | `"jaegertracing/all-in-one"` | Image used for tracing |
 | osm.tracing.port | int | `9411` | Port of the tracing collector service |
+| osm.trustDomain | string | `"cluster.local"` | The trust domain to use as part of the common name when requesting new certificates. |
 | osm.validatorWebhook.webhookConfigurationName | string | `""` | Name of the ValidatingWebhookConfiguration |
 | osm.vault.host | string | `""` | Hashicorp Vault host/service - where Vault is installed |
 | osm.vault.port | int | `8200` | port to use to connect to Vault |

charts/osm/templates/preset-mesh-root-certificate.yaml

@@ -6,6 +6,7 @@ metadata:
 data:
   preset-mesh-root-certificate.json: |
     {
+      "trustDomain": {{.Values.osm.trustDomain | mustToJson}},
       "provider": {
         {{- if eq (.Values.osm.certificateProvider.kind | lower) "tresor"}}
         "tresor": {

charts/osm/values.schema.json

@@ -432,6 +432,16 @@
                         "envoyproxy/envoy-windows:v1.19.3@sha256:f990f024e7e95f07b6c0d416684734607761e382c35d1ba9414c7e3fbf23969c"
                     ]
                 },
+                "trustDomain": {
+                    "$id": "#/properties/osm/properties/trustDomain",
+                    "type": "string",
+                    "title": "The certificate issuance Trust Domain",
+                    "description": "The trust domain to use as part of the common name when requesting new certificates.",
+                    "examples": [
+                        "cluster.local",
+                        "example.com"
+                    ]
+                },
                 "certificateProvider": {
                     "$id": "#/properties/osm/properties/certificateProvider",
                     "type": "object",

charts/osm/values.yaml

@@ -108,6 +108,9 @@ osm:
     # -- Image used for Prometheus
     image: prom/prometheus:v2.34.0
 
+  # -- The trust domain to use as part of the common name when requesting new certificates.
+  trustDomain: cluster.local
+
   certificateProvider:
     # -- The Certificate manager type: `tresor`, `vault` or `cert-manager`
     kind: tresor

cmd/osm-bootstrap/crds/config_mesh_root_certificate.yaml

@@ -52,6 +52,10 @@ spec:
               required:
                 - provider
               properties:
+                trustDomain:
+                  description: Trust Domain to use in common name for certificates, ie "example.com"
+                  type: string
+                  default: cluster.local
                 provider:
                   description: Certificate provider used by the mesh control plane
                   type: object

pkg/apis/config/v1alpha2/meshrootcertificate.go

@@ -30,6 +30,9 @@ type MeshRootCertificate struct {
 type MeshRootCertificateSpec struct {
 	// Provider specifies the mesh certificate provider
 	Provider ProviderSpec `json:"provider"`
+
+	// TrustDomain is the trust domain to use as a suffix in Common Names for new certificates.
+	TrustDomain string `json:"trustDomain"`
 }
 
 // ProviderSpec defines the certificate provider used by the mesh control plane