Update after Sean's refactoring
Signed-off-by: jaellio <[email protected]>
1 parent 73b83da commit 388231e

File tree

6 files changed

+39
-11
lines changed


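--- a/cmd/osm-bootstrap/crds/config_mesh_root_certificate.yaml
+++ b/cmd/osm-bootstrap/crds/config_mesh_root_certificate.yaml
@@ -60,10 +60,14 @@ spec:
 description: Cert-manager provider configuration
 type: object
 required:
+- secretName
 - issuerName
 - issuerKind
 - issuerGroup
 properties:
+secretName:
+description: The name of the kubernetes secret containing the root certificate
+type: string
 issuerName:
 description: The name of the Issuer or ClusterIssuer resource
 type: string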

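--- a/pkg/apis/config/v1alpha2/meshrootcertificate.go
+++ b/pkg/apis/config/v1alpha2/meshrootcertificate.go
@@ -49,6 +49,9 @@ type ProviderSpec struct {
 
 // CertManagerProviderSpec defines the configuration of the cert-manager provider
 type CertManagerProviderSpec struct {
+// SecretName specifies the name of the k8s secret containing the root certificate
+SecretName string `json:"secretName"`
+
 // IssuerName specifies the name of the Issuer resource
 IssuerName string `json:"issuerName"`
 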

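--- a/pkg/certificate/providers/config.go
+++ b/pkg/certificate/providers/config.go
@@ -64,6 +64,11 @@ func NewCertificateManager(kubeClient kubernetes.Interface, kubeConfig *rest.Con
 },
 }
 
+// TODO(#4745): Remove after deprecating the osm.vault.token option.
+if vaultOption, ok := options.(VaultOptions); ok {
+mrcClient.MRCProviderGenerator.VaultToken = vaultOption.VaultToken
+}
+
 return certificate.NewManager(mrcClient, cfg.GetServiceCertValidityPeriod(), msgBroker)
 }
 
@@ -100,7 +105,7 @@ func (c *MRCProviderGenerator) getTresorOSMCertificateManager(mrc *v1alpha2.Mesh
 return nil, errors.New("Root cert does not have a private key")
 }
 
-rootCert, err = k8s.GetCertificateFromSecret(mrc.Namespace, mrc.Spec.Provider.Tresor.SecretName, rootCert, c.kubeClient)
+rootCert, err = k8s.GetCertificateFromSecret(mrc.Namespace, mrc.Spec.Provider.Tresor.CA.SecretRef.Name, rootCert, c.kubeClient)
 if err != nil {
 return nil, fmt.Errorf("Failed to synchronize certificate on Secrets API : %w", err)
 }
@@ -128,7 +133,7 @@ func (c *MRCProviderGenerator) getHashiVaultOSMCertificateManager(mrc *v1alpha2.
 vaultAddr := fmt.Sprintf("%s://%s:%d", provider.Protocol, provider.Host, provider.Port)
 vaultClient, err := vault.New(
 vaultAddr,
-provider.Token,
+c.VaultToken,
 provider.Role,
 )
 if err != nil {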
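Review bot: In the third hunk `c.VaultToken` is handed to `vault.New` without any check that it was populated, whereas `provider.Token` previously came from the MRC itself; the field is only set in the first hunk when `options` is a `VaultOptions` value, so as far as this diff shows a vault-backed MRC reached by any other path (or an `options` passed as `*VaultOptions`, which the type assertion does not match) would authenticate with an empty token and surface only as a remote Vault error. A guard before the call, `if c.VaultToken == "" { return nil, errors.New("vault token is not configured on the provider generator") }`, keeps that failure explicit and local. The `Token.SecretRef` that `AsProviderSpec` now writes into the spec is not consulted here, which is worth stating in the TODO so the two token sources do not drift silently. Both enclosing functions start outside their hunks.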

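--- a/pkg/certificate/providers/config_test.go
+++ b/pkg/certificate/providers/config_test.go
@@ -97,17 +97,18 @@ func TestGetCertificateManager(t *testing.T) {
 }
 
 func TestGetHashiVaultOSMCertificateManager(t *testing.T) {
-generator := &MRCProviderGenerator{
-KeyBitSize: 2048,
-}
-
 opt := VaultOptions{
 VaultHost: "vault.default.svc.cluster.local",
 VaultToken: "vault-token",
 VaultRole: "role",
 VaultPort: 8200,
 }
 
+generator := &MRCProviderGenerator{
+KeyBitSize: 2048,
+VaultToken: opt.VaultToken,
+}
+
 testCases := []struct {
 name string
 vaultProtocol string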
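Review bot: The rewritten setup copies `opt.VaultToken` into the generator, but no case exercises the path the production change introduces, a generator whose `VaultToken` is empty; since `getHashiVaultOSMCertificateManager` now reads `c.VaultToken` instead of the MRC's own token, a case constructed with `VaultToken: ""` and asserting the expected outcome would pin that behaviour. The `testCases` slice and the remainder of the test continue outside the hunk.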

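--- a/pkg/certificate/providers/options.go
+++ b/pkg/certificate/providers/options.go
@@ -4,9 +4,13 @@ import (
 "errors"
 "fmt"
 
+corev1 "k8s.io/api/core/v1"
+
 "github.com/openservicemesh/osm/pkg/apis/config/v1alpha2"
 )
 
+const vaultTokenSecretName = "osm-vault-token" // #nosec G101: Potential hardcoded credentials
+
 // Validate validates the options for Tresor certificate provider
 func (options TresorOptions) Validate() error {
 if options.SecretName == "" {
@@ -19,7 +23,11 @@ func (options TresorOptions) Validate() error {
 func (options TresorOptions) AsProviderSpec() v1alpha2.ProviderSpec {
 return v1alpha2.ProviderSpec{
 Tresor: &v1alpha2.TresorProviderSpec{
-SecretName: options.SecretName,
+CA: v1alpha2.TresorCASpec{
+SecretRef: corev1.SecretReference{
+Name: options.SecretName,
+},
+},
 },
 }
 }
@@ -51,9 +59,13 @@ func (options VaultOptions) AsProviderSpec() v1alpha2.ProviderSpec {
 Vault: &v1alpha2.VaultProviderSpec{
 Protocol: options.VaultProtocol,
 Host: options.VaultHost,
-Token: options.VaultToken,
-Role: options.VaultRole,
-Port: options.VaultPort,
+Token: v1alpha2.VaultTokenSpec{
+SecretRef: corev1.SecretReference{
+Name: vaultTokenSecretName,
+},
+},
+Role: options.VaultRole,
+Port: options.VaultPort,
 },
 }
 }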
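Review bot: `vaultTokenSecretName` from the first hunk is written into the spec in the third hunk as a `SecretRef` whose `Namespace` is left empty, and nothing in this diff creates that Secret or reads it back (the token is still carried out-of-band through `VaultOptions.VaultToken`), so the MRC now advertises a Secret that may not exist on the cluster. The constant deserves a doc comment stating this, e.g. `// vaultTokenSecretName names the Secret the MRC references for the Vault token; until #4745 the token itself is still supplied via VaultOptions.VaultToken and this Secret is not read by the provider.` Whether an empty `Namespace` is defaulted to the MRC's namespace by whatever consumes the spec is not visible here and should be confirmed. The `#nosec G101` suppression is justified, since the value is a resource name rather than a credential.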

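--- a/pkg/certificate/providers/types.go
+++ b/pkg/certificate/providers/types.go
@@ -51,7 +51,7 @@ type TresorOptions struct {
 type VaultOptions struct {
 VaultProtocol string
 VaultHost string
-VaultToken string
+VaultToken string // TODO(#4745): Remove after deprecating the osm.vault.token option. Replace with VaultTokenSecretName
 VaultRole string
 VaultPort int
 }
@@ -80,4 +80,7 @@ type MRCProviderGenerator struct {
 
 // TODO(#4502): move these to the compat client once we have added these fields to the MRC.
 KeyBitSize int
+
+// TODO(#4745): Remove after deprecating the osm.vault.token option.
+VaultToken string
 }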
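Review bot: `MRCProviderGenerator.VaultToken` in the second hunk is an exported plaintext credential placed on a struct that otherwise holds configuration, and its comment only says when to remove it, not that it is sensitive. A line such as `// VaultToken is the Vault auth token; it is a secret and must not be logged or serialized with this struct.` would make that clear to maintainers, and the same caveat applies to `VaultOptions.VaultToken` in the first hunk. Whether either struct is ever formatted or serialized is not visible in this diff.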
