openservicemesh · jaellio · Jul 5, 2022 · Jul 1, 2022 · Jul 1, 2022 · Jul 1, 2022
@@ -88,6 +88,7 @@ The following table lists the configurable parameters of the osm chart and their
 | osm.enableDebugServer | bool | `false` | Enable the debug HTTP server on OSM controller |
 | osm.enableEgress | bool | `true` | Enable egress in the mesh |
 | osm.enableFluentbit | bool | `false` | Enable Fluent Bit sidecar deployment on OSM controller's pod |
+| osm.enableMeshRootCertificate | bool | `false` | Enable the unsupported MeshRootCertificate. Support and functionality are not guaranteed. |
 | osm.enablePermissiveTrafficPolicy | bool | `true` | Enable permissive traffic policy mode |
 | osm.enablePrivilegedInitContainer | bool | `false` | Run init container in privileged mode |
 | osm.enableReconciler | bool | `false` | Enable reconciler for OSM's CRDs and mutating webhook |

@@ -61,11 +61,14 @@ spec:
             "--osm-version", "{{ .Chart.AppVersion }}",
             "--ca-bundle-secret-name", "{{.Values.osm.caBundleSecretName}}",
             "--certificate-manager", "{{.Values.osm.certificateProvider.kind}}",
+            "--enable-mesh-root-certificate", "{{.Values.osm.enableMeshRootCertificate}}",
             {{ if eq .Values.osm.certificateProvider.kind "vault" }}
             "--vault-host", "{{.Values.osm.vault.host}}",
             "--vault-port", "{{.Values.osm.vault.port}}",
             "--vault-protocol", "{{.Values.osm.vault.protocol}}",
             "--vault-token", "{{.Values.osm.vault.token}}",
+            "--vault-token-secret-name",  "{{ .Values.osm.vault.secret.name }}",
+            "--vault-token-secret-key",  "{{ .Values.osm.vault.secret.key }}",
             {{- end }}
             "--cert-manager-issuer-name", "{{.Values.osm.certmanager.issuerName}}",
             "--cert-manager-issuer-kind", "{{.Values.osm.certmanager.issuerKind}}",

@@ -61,11 +61,14 @@ spec:
             "--validator-webhook-config", "{{ include "osm.validatorWebhookConfigName" . }}",
             "--ca-bundle-secret-name", "{{.Values.osm.caBundleSecretName}}",
             "--certificate-manager", "{{.Values.osm.certificateProvider.kind}}",
+            "--enable-mesh-root-certificate", "{{.Values.osm.enableMeshRootCertificate}}",
             {{ if eq .Values.osm.certificateProvider.kind "vault" }}
             "--vault-host", "{{ required "osm.vault.host is required when osm.certificateProvider.kind==vault" .Values.osm.vault.host }}",
             "--vault-port", "{{.Values.osm.vault.port}}",
             "--vault-protocol", "{{.Values.osm.vault.protocol}}",
-            "--vault-token", "{{ required "osm.vault.token is required when osm.certificateProvider.kind==vault" .Values.osm.vault.token }}",
+            "--vault-token", "{{ .Values.osm.vault.token }}",
+            "--vault-token-secret-name",  "{{ .Values.osm.vault.secret.name }}",
+            "--vault-token-secret-key",  "{{ .Values.osm.vault.secret.key }}",
             {{- end }}
             "--cert-manager-issuer-name", "{{.Values.osm.certmanager.issuerName}}",
             "--cert-manager-issuer-kind", "{{.Values.osm.certmanager.issuerKind}}",

@@ -58,11 +58,14 @@ spec:
             "--webhook-timeout", "{{.Values.osm.injector.webhookTimeoutSeconds}}",
             "--ca-bundle-secret-name", "{{.Values.osm.caBundleSecretName}}",
             "--certificate-manager", "{{.Values.osm.certificateProvider.kind}}",
+            "--enable-mesh-root-certificate", "{{.Values.osm.enableMeshRootCertificate}}",
             {{ if eq .Values.osm.certificateProvider.kind "vault" }}
             "--vault-host", "{{.Values.osm.vault.host}}",
             "--vault-port", "{{.Values.osm.vault.port}}",
             "--vault-protocol", "{{.Values.osm.vault.protocol}}",
             "--vault-token", "{{.Values.osm.vault.token}}",
+            "--vault-token-secret-name",  "{{ .Values.osm.vault.secret.name }}",
+            "--vault-token-secret-key",  "{{ .Values.osm.vault.secret.key }}",
             {{- end }}
             "--cert-manager-issuer-name", "{{.Values.osm.certmanager.issuerName}}",
             "--cert-manager-issuer-kind", "{{.Values.osm.certmanager.issuerKind}}",

diff --git a/charts/osm/templates/preset-mesh-config.yaml b/charts/osm/templates/preset-mesh-config.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.osm.enableMeshRootCertificate }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -58,3 +59,4 @@ data:
         "enableRetryPolicy": {{.Values.osm.featureFlags.enableRetryPolicy | mustToJson}}
       }
     }
+{{- end }}
@@ -438,6 +438,12 @@
                         "envoyproxy/envoy-windows:v1.22.1@sha256:92733f8e5beae5c45df204a0e13edbd29e99adf962d1b1c7869b197d85c64bd0"
                     ]
                 },
+                "enableMeshRootCertificate": {
+                    "$id": "#/properties/osm/properties/enableMeshRootCertificate",
+                    "type": "boolean",
+                    "title": "Enable the unsupported MeshRootCertificate",
+                    "description": "Using the MeshRootCertificate to configure the OSM certificate provider is not supported on "
+                },
                 "trustDomain": {
                     "$id": "#/properties/osm/properties/trustDomain",
                     "type": "string",

@@ -167,6 +167,9 @@ osm:
     # The specified tolerations allow pods to schedule onto nodes with matching taints.
     tolerations: []
 
+  # -- Enable the unsupported MeshRootCertificate. Support and functionality are not guaranteed.
+  enableMeshRootCertificate: false
+
   # -- The trust domain to use as part of the common name when requesting new certificates.
   trustDomain: cluster.local
 
@@ -198,6 +201,7 @@ osm:
       # -- The Kubernetes secret key with the value bring the Vault token
       key: ""
 
+
   #
   # -- cert-manager.io configuration
   certmanager:

@@ -63,7 +63,8 @@ var (
 	meshName           string
 	osmVersion         string
 
-	certProviderKind string
+	certProviderKind          string
+	enableMeshRootCertificate bool
 
 	tresorOptions      providers.TresorOptions
 	vaultOptions       providers.VaultOptions
@@ -94,6 +95,7 @@ func init() {
 
 	// Generic certificate manager/provider options
 	flags.StringVar(&certProviderKind, "certificate-manager", providers.TresorKind.String(), fmt.Sprintf("Certificate manager, one of [%v]", providers.ValidCertificateProviders))
+	flags.BoolVar(&enableMeshRootCertificate, "enable-mesh-root-certificate", false, "Enable unsupported MeshRootCertificate to create the OSM Certificate Manager")
 	flags.StringVar(&caBundleSecretName, "ca-bundle-secret-name", "", "Name of the Kubernetes Secret for the OSM CA bundle")
 
 	// Vault certificate manager/provider options
@@ -102,6 +104,8 @@ func init() {
 	flags.StringVar(&vaultOptions.VaultToken, "vault-token", "", "Secret token for the the Hashi Vault")
 	flags.StringVar(&vaultOptions.VaultRole, "vault-role", "openservicemesh", "Name of the Vault role dedicated to Open Service Mesh")
 	flags.IntVar(&vaultOptions.VaultPort, "vault-port", 8200, "Port of the Hashi Vault")
+	flags.StringVar(&vaultOptions.VaultRole, "vault-token-secret-name", "", "Name of the secret storing the Vault token used in OSM")
+	flags.StringVar(&vaultOptions.VaultRole, "vault-token-secret-key", "", "Key for the vault token used in OSM")
 
 	// Cert-manager certificate manager/provider options
 	flags.StringVar(&certManagerOptions.IssuerName, "cert-manager-issuer-name", "osm-ca", "cert-manager issuer name")
@@ -116,15 +120,19 @@ func init() {
 }
 
 // TODO(#4502): This function can be deleted once we get rid of cert options.
-func getCertOptions() (providers.Options, error) {
+func getCertOptions() (*providers.CertProviderOptions, error) {
+	certOptions := &providers.CertProviderOptions{UseMeshRootCertificate: enableMeshRootCertificate}
 	switch providers.Kind(certProviderKind) {
 	case providers.TresorKind:
 		tresorOptions.SecretName = caBundleSecretName
-		return tresorOptions, nil
+		certOptions.Option = tresorOptions
+		return certOptions, nil
 	case providers.VaultKind:
-		return vaultOptions, nil
+		certOptions.Option = vaultOptions
+		return certOptions, nil
 	case providers.CertManagerKind:
-		return certManagerOptions, nil
+		certOptions.Option = certManagerOptions
+		return certOptions, nil
 	}
 	return nil, fmt.Errorf("unknown certificate provider kind: %s", certProviderKind)
 }
@@ -171,10 +179,12 @@ func main() {
 		return
 	}
 
-	err = bootstrap.ensureMeshRootCertificate()
-	if err != nil {
-		log.Fatal().Err(err).Msgf("Error setting up default MeshRootCertificate %s from ConfigMap %s", meshRootCertificateName, presetMeshRootCertificateName)
-		return
+	if enableMeshRootCertificate {
+		err = bootstrap.ensureMeshRootCertificate()
+		if err != nil {
+			log.Fatal().Err(err).Msgf("Error setting up default MeshRootCertificate %s from ConfigMap %s", meshRootCertificateName, presetMeshRootCertificateName)
+			return
+		}
 	}
 
 	err = bootstrap.initiatilizeKubernetesEventsRecorder()
@@ -414,7 +424,7 @@ func (b *bootstrap) createMeshRootCertificate() error {
 
 	_, err = b.configClient.ConfigV1alpha2().MeshRootCertificates(b.namespace).UpdateStatus(context.Background(), createdMRC, metav1.UpdateOptions{})
 	if apierrors.IsAlreadyExists(err) {
-		log.Info().Msgf("MeshRootCertificate statys already exists in %s. Skip creating.", b.namespace)
+		log.Info().Msgf("MeshRootCertificate status already exists in %s. Skip creating.", b.namespace)
 	}
 
 	if err != nil {

@@ -74,7 +74,8 @@ var (
 	osmMeshConfigName          string
 	osmVersion                 string
 
-	certProviderKind string
+	certProviderKind          string
+	enableMeshRootCertificate bool
 
 	tresorOptions      providers.TresorOptions
 	vaultOptions       providers.VaultOptions
@@ -102,6 +103,7 @@ func init() {
 
 	// Generic certificate manager/provider options
 	flags.StringVar(&certProviderKind, "certificate-manager", providers.TresorKind.String(), fmt.Sprintf("Certificate manager, one of [%v]", providers.ValidCertificateProviders))
+	flags.BoolVar(&enableMeshRootCertificate, "enable-mesh-root-certificate", false, "Enable unsupported MeshRootCertificate to create the OSM Certificate Manager")
 	flags.StringVar(&caBundleSecretName, "ca-bundle-secret-name", "", "Name of the Kubernetes Secret for the OSM CA bundle")
 
 	// Vault certificate manager/provider options
@@ -110,6 +112,8 @@ func init() {
 	flags.StringVar(&vaultOptions.VaultToken, "vault-token", "", "Secret token for the the Hashi Vault")
 	flags.StringVar(&vaultOptions.VaultRole, "vault-role", "openservicemesh", "Name of the Vault role dedicated to Open Service Mesh")
 	flags.IntVar(&vaultOptions.VaultPort, "vault-port", 8200, "Port of the Hashi Vault")
+	flags.StringVar(&vaultOptions.VaultRole, "vault-token-secret-name", "", "Name of the secret storing the Vault token used in OSM")
+	flags.StringVar(&vaultOptions.VaultRole, "vault-token-secret-key", "", "Key for the vault token used in OSM")
 
 	// Cert-manager certificate manager/provider options
 	flags.StringVar(&certManagerOptions.IssuerName, "cert-manager-issuer-name", "osm-ca", "cert-manager issuer name")
@@ -125,15 +129,19 @@ func init() {
 }
 
 // TODO(#4502): This function can be deleted once we get rid of cert options.
-func getCertOptions() (providers.Options, error) {
+func getCertOptions() (*providers.CertProviderOptions, error) {
+	certOptions := &providers.CertProviderOptions{UseMeshRootCertificate: enableMeshRootCertificate}
 	switch providers.Kind(certProviderKind) {
 	case providers.TresorKind:
 		tresorOptions.SecretName = caBundleSecretName
-		return tresorOptions, nil
+		certOptions.Option = tresorOptions
+		return certOptions, nil
 	case providers.VaultKind:
-		return vaultOptions, nil
+		certOptions.Option = vaultOptions
+		return certOptions, nil
 	case providers.CertManagerKind:
-		return certManagerOptions, nil
+		certOptions.Option = certManagerOptions
+		return certOptions, nil
 	}
 	return nil, fmt.Errorf("unknown certificate provider kind: %s", certProviderKind)
 }

@@ -57,7 +57,8 @@ var (
 	webhookTimeout     int32
 	osmVersion         string
 
-	certProviderKind string
+	certProviderKind          string
+	enableMeshRootCertificate bool
 
 	enableReconciler bool
 
@@ -87,6 +88,7 @@ func init() {
 
 	// Generic certificate manager/provider options
 	flags.StringVar(&certProviderKind, "certificate-manager", providers.TresorKind.String(), fmt.Sprintf("Certificate manager, one of [%v]", providers.ValidCertificateProviders))
+	flags.BoolVar(&enableMeshRootCertificate, "enable-mesh-root-certificate", false, "Enable unsupported MeshRootCertificate to create the OSM Certificate Manager")
 	flags.StringVar(&caBundleSecretName, "ca-bundle-secret-name", "", "Name of the Kubernetes Secret for the OSM CA bundle")
 
 	// Vault certificate manager/provider options
@@ -95,6 +97,8 @@ func init() {
 	flags.StringVar(&vaultOptions.VaultToken, "vault-token", "", "Secret token for the the Hashi Vault")
 	flags.StringVar(&vaultOptions.VaultRole, "vault-role", "openservicemesh", "Name of the Vault role dedicated to Open Service Mesh")
 	flags.IntVar(&vaultOptions.VaultPort, "vault-port", 8200, "Port of the Hashi Vault")
+	flags.StringVar(&vaultOptions.VaultRole, "vault-token-secret-name", "", "Name of the secret storing the Vault token used in OSM")
+	flags.StringVar(&vaultOptions.VaultRole, "vault-token-secret-key", "", "Key for the vault token used in OSM")
 
 	// Cert-manager certificate manager/provider options
 	flags.StringVar(&certManagerOptions.IssuerName, "cert-manager-issuer-name", "osm-ca", "cert-manager issuer name")
@@ -111,15 +115,19 @@ func init() {
 }
 
 // TODO(#4502): This function can be deleted once we get rid of cert options.
-func getCertOptions() (providers.Options, error) {
+func getCertOptions() (*providers.CertProviderOptions, error) {
+	certOptions := &providers.CertProviderOptions{UseMeshRootCertificate: enableMeshRootCertificate}
 	switch providers.Kind(certProviderKind) {
 	case providers.TresorKind:
 		tresorOptions.SecretName = caBundleSecretName
-		return tresorOptions, nil
+		certOptions.Option = tresorOptions
+		return certOptions, nil
 	case providers.VaultKind:
-		return vaultOptions, nil
+		certOptions.Option = vaultOptions
+		return certOptions, nil
 	case providers.CertManagerKind:
-		return certManagerOptions, nil
+		certOptions.Option = certManagerOptions
+		return certOptions, nil
 	}
 	return nil, fmt.Errorf("unknown certificate provider kind: %s", certProviderKind)
 }

@@ -44,14 +44,16 @@ var getCA func(certificate.Issuer) (pem.RootCertificate, error) = func(i certifi
 // NewCertificateManager returns a new certificate manager, with an MRC compat client.
 // TODO(4713): Use an informer behind a feature flag.
 func NewCertificateManager(ctx context.Context, kubeClient kubernetes.Interface, kubeConfig *rest.Config, cfg configurator.Configurator,
-	providerNamespace string, options Options, msgBroker *messaging.Broker, ic *informers.InformerCollection, checkInterval time.Duration) (*certificate.Manager, error) {
-	if err := options.Validate(); err != nil {
+	providerNamespace string, certOptions *CertProviderOptions, msgBroker *messaging.Broker, ic *informers.InformerCollection, checkInterval time.Duration) (*certificate.Manager, error) {
+	if certOptions != nil && certOptions.Option != nil {
+		return nil, errors.Errorf("failed to configure certificate manager: certOptions should not be nil")
+	}
+	if err := certOptions.Option.Validate(); err != nil {
 		return nil, err
 	}
 
 	var mrcClient certificate.MRCClient
-	if ic == nil || len(ic.List(informers.InformerKeyMeshRootCertificate)) == 0 {
-		// no MRCs detected; use the compat client
+	if !certOptions.UseMeshRootCertificate {
 		c := &MRCCompatClient{
 			MRCProviderGenerator: MRCProviderGenerator{
 				kubeClient:      kubeClient,
@@ -68,7 +70,7 @@ func NewCertificateManager(ctx context.Context, kubeClient kubernetes.Interface,
 					},
 				},
 				Spec: v1alpha2.MeshRootCertificateSpec{
-					Provider:    options.AsProviderSpec(),
+					Provider:    certOptions.Option.AsProviderSpec(),
 					TrustDomain: "cluster.local",
 				},
 				Status: v1alpha2.MeshRootCertificateStatus{
@@ -77,12 +79,11 @@ func NewCertificateManager(ctx context.Context, kubeClient kubernetes.Interface,
 			},
 		}
 		// TODO(#4745): Remove after deprecating the osm.vault.token option.
-		if vaultOption, ok := options.(VaultOptions); ok {
+		if vaultOption, ok := certOptions.Option.(VaultOptions); ok {
 			c.MRCProviderGenerator.DefaultVaultToken = vaultOption.VaultToken
 		}
 		mrcClient = c
 	} else {
-		// we have MRCs; use the MRC Client
 		c := &MRCComposer{
 			MRCProviderGenerator: MRCProviderGenerator{
 				kubeClient:      kubeClient,
@@ -93,7 +94,7 @@ func NewCertificateManager(ctx context.Context, kubeClient kubernetes.Interface,
 			informerCollection: ic,
 		}
 		// TODO(#4745): Remove after deprecating the osm.vault.token option.
-		if vaultOption, ok := options.(VaultOptions); ok {
+		if vaultOption, ok := certOptions.Option.(VaultOptions); ok {
 			c.MRCProviderGenerator.DefaultVaultToken = vaultOption.VaultToken
 		}
 

@@ -165,51 +165,14 @@ func TestGetCertificateManager(t *testing.T) {
 			cfg:         mockConfigurator,
 			expectError: true,
 		},
-		{
-			name:              "Reads MRC from informer collection",
-			cfg:               mockConfigurator,
-			kubeClient:        fake.NewSimpleClientset(),
-			options:           TresorOptions{SecretName: "osm-ca-bundle"},
-			providerNamespace: "osm-system",
-			configClient: fakeConfigClientset.NewSimpleClientset(&v1alpha2.MeshRootCertificate{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "osm-mesh-root-certificate",
-					Namespace: "osm-system",
-					Annotations: map[string]string{
-						constants.MRCVersionAnnotation: "0",
-					},
-				},
-				Spec: v1alpha2.MeshRootCertificateSpec{
-					Provider: v1alpha2.ProviderSpec{
-						Tresor: &v1alpha2.TresorProviderSpec{
-							CA: v1alpha2.TresorCASpec{
-								SecretRef: v1.SecretReference{
-									Name:      "osm-ca-bundle",
-									Namespace: "osm-system",
-								},
-							},
-						},
-					},
-				},
-				Status: v1alpha2.MeshRootCertificateStatus{
-					State: constants.MRCStateActive,
-				},
-			}),
-			informerCollectionFunc: func(tc testCase) (*informers.InformerCollection, error) {
-				ic, err := informers.NewInformerCollection("osm", nil, informers.WithKubeClient(tc.kubeClient), informers.WithConfigClient(tc.configClient, "", "osm-system"))
-				if err != nil {
-					return nil, err
-				}
-
-				return ic, nil
-			},
-		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(fmt.Sprintf(tc.name), func(t *testing.T) {
 			assert := tassert.New(t)
 
+			certOptions := &CertProviderOptions{UseMeshRootCertificate: false, Option: tc.options}
+
 			oldCA := getCA
 			getCA = func(i certificate.Issuer) (pem.RootCertificate, error) {
 				return pem.RootCertificate("id2"), nil
@@ -226,7 +189,7 @@ func TestGetCertificateManager(t *testing.T) {
 				require.NoError(t, err)
 			}
 
-			manager, err := NewCertificateManager(context.Background(), tc.kubeClient, tc.restConfig, tc.cfg, tc.providerNamespace, tc.options, tc.msgBroker, ic, 1*time.Hour)
+			manager, err := NewCertificateManager(context.Background(), tc.kubeClient, tc.restConfig, tc.cfg, tc.providerNamespace, certOptions, tc.msgBroker, ic, 1*time.Hour)
 			if tc.expectError {
 				assert.Empty(manager)
 				assert.Error(err)