backport: remove cert manager support (odigos-io#2138)

Cert-manager has been unreliable, often failing to generate certificates correctly or at all. This PR removes all cert-manager dependencies and switches to always self-signing certificates. As long as the CA bundle in MutatingWebhookConfiguration matches the TLS secret used by odigos-instrumentor, everything will work reliably. This change simplifies the process and ensures consistent behavior.
damemi · Jan 7, 2025 · 7c20b24 · 7c20b24
1 parent 5bffb1e
commit 7c20b24
Show file tree

Hide file tree

Showing 8 changed files with 70 additions and 211 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -232,7 +232,7 @@ If the Mutating Webhook is enabled, follow these steps:
    Create a local directory and extract the certificate and key by running the following command:
 
 ```
-mkdir -p serving-certs && kubectl get secret instrumentor-webhook-cert -n odigos-system -o jsonpath='{.data.tls\.crt}' | base64 -d > serving-certs/tls.crt && kubectl get secret instrumentor-webhook-cert -n odigos-system -o jsonpath='{.data.tls\.key}' | base64 -d > serving-certs/tls.key
+mkdir -p serving-certs && kubectl get secret webhook-cert -n odigos-system -o jsonpath='{.data.tls\.crt}' | base64 -d > serving-certs/tls.crt && kubectl get secret webhook-cert -n odigos-system -o jsonpath='{.data.tls\.key}' | base64 -d > serving-certs/tls.key
 ```
 
 2. Apply this service to the cluster, it will replace the existing `odigos-instrumentor` service:

diff --git a/cli/cmd/resources/instrumentor.go b/cli/cmd/resources/instrumentor.go
@@ -10,8 +10,6 @@ import (
 	"github.com/odigos-io/odigos/cli/pkg/kube"
 	"github.com/odigos-io/odigos/common"
 
-	certv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
-	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
 	"github.com/odigos-io/odigos/k8sutils/pkg/consts"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	appsv1 "k8s.io/api/apps/v1"
@@ -35,7 +33,7 @@ const (
 	InstrumentorCertificateName        = InstrumentorDeploymentName
 	InstrumentorMutatingWebhookName    = "mutating-webhook-configuration"
 	InstrumentorContainerName          = "manager"
-	InstrumentorWebhookSecretName      = "instrumentor-webhook-cert"
+	InstrumentorWebhookSecretName      = "webhook-cert"
 	InstrumentorWebhookVolumeName      = "webhook-cert"
 )
 
@@ -229,72 +227,6 @@ func NewInstrumentorClusterRoleBinding(ns string) *rbacv1.ClusterRoleBinding {
 	}
 }
 
-func isCertManagerInstalled(ctx context.Context, c *kube.Client) bool {
-	// Check if CRD is installed
-	_, err := c.ApiExtensions.ApiextensionsV1().CustomResourceDefinitions().Get(ctx, "issuers.cert-manager.io", metav1.GetOptions{})
-	if err != nil {
-		return false
-	}
-
-	return true
-}
-
-func NewInstrumentorIssuer(ns string) *certv1.Issuer {
-	return &certv1.Issuer{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Issuer",
-			APIVersion: "cert-manager.io/v1",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "selfsigned-issuer",
-			Namespace: ns,
-			Labels: map[string]string{
-				"app.kubernetes.io/name":       "issuer",
-				"app.kubernetes.io/instance":   "selfsigned-issuer",
-				"app.kubernetes.io/component":  "certificate",
-				"app.kubernetes.io/created-by": "instrumentor",
-				"app.kubernetes.io/part-of":    "odigos",
-			},
-		},
-		Spec: certv1.IssuerSpec{
-			IssuerConfig: certv1.IssuerConfig{
-				SelfSigned: &certv1.SelfSignedIssuer{},
-			},
-		},
-	}
-}
-
-func NewInstrumentorCertificate(ns string) *certv1.Certificate {
-	return &certv1.Certificate{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Certificate",
-			APIVersion: "cert-manager.io/v1",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "serving-cert",
-			Namespace: ns,
-			Labels: map[string]string{
-				"app.kubernetes.io/name":       "instrumentor-cert",
-				"app.kubernetes.io/instance":   "instrumentor-cert",
-				"app.kubernetes.io/component":  "certificate",
-				"app.kubernetes.io/created-by": "instrumentor",
-				"app.kubernetes.io/part-of":    "odigos",
-			},
-		},
-		Spec: certv1.CertificateSpec{
-			DNSNames: []string{
-				fmt.Sprintf("odigos-instrumentor.%s.svc", ns),
-				fmt.Sprintf("odigos-instrumentor.%s.svc.cluster.local", ns),
-			},
-			IssuerRef: cmmeta.ObjectReference{
-				Kind: "Issuer",
-				Name: "selfsigned-issuer",
-			},
-			SecretName: InstrumentorWebhookSecretName,
-		},
-	}
-}
-
 func NewInstrumentorService(ns string) *corev1.Service {
 	return &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@@ -595,7 +527,6 @@ func NewInstrumentorResourceManager(client *kube.Client, ns string, config *comm
 func (a *instrumentorResourceManager) Name() string { return "Instrumentor" }
 
 func (a *instrumentorResourceManager) InstallFromScratch(ctx context.Context) error {
-	certManagerInstalled := isCertManagerInstalled(ctx, a.client)
 	resources := []kube.Object{
 		NewInstrumentorServiceAccount(a.ns),
 		NewInstrumentorLeaderElectionRoleBinding(a.ns),
@@ -606,33 +537,26 @@ func (a *instrumentorResourceManager) InstallFromScratch(ctx context.Context) er
 		NewInstrumentorDeployment(a.ns, a.odigosVersion, a.config.TelemetryEnabled, a.config.ImagePrefix, a.config.InstrumentorImage),
 		NewInstrumentorService(a.ns),
 	}
-	if certManagerInstalled && a.config.SkipWebhookIssuerCreation != true {
-		resources = append([]kube.Object{NewInstrumentorIssuer(a.ns),
-			NewInstrumentorCertificate(a.ns),
-			NewMutatingWebhookConfiguration(a.ns, nil),
-		},
-			resources...)
-	} else {
-		ca, err := crypto.GenCA(InstrumentorCertificateName, 365)
-		if err != nil {
-			return fmt.Errorf("failed to generate CA: %w", err)
-		}
 
-		altNames := []string{
-			fmt.Sprintf("%s.%s.svc", InstrumentorServiceName, a.ns),
-			fmt.Sprintf("%s.%s.svc.cluster.local", InstrumentorServiceName, a.ns),
-		}
+	ca, err := crypto.GenCA(InstrumentorCertificateName, 365)
+	if err != nil {
+		return fmt.Errorf("failed to generate CA: %w", err)
+	}
 
-		cert, err := crypto.GenerateSignedCertificate("serving-cert", nil, altNames, 365, ca)
-		if err != nil {
-			return fmt.Errorf("failed to generate signed certificate: %w", err)
-		}
+	altNames := []string{
+		fmt.Sprintf("%s.%s.svc", InstrumentorServiceName, a.ns),
+		fmt.Sprintf("%s.%s.svc.cluster.local", InstrumentorServiceName, a.ns),
+	}
 
-		resources = append([]kube.Object{NewInstrumentorTLSSecret(a.ns, &cert),
-			NewMutatingWebhookConfiguration(a.ns, []byte(cert.Cert)),
-		},
-			resources...)
+	cert, err := crypto.GenerateSignedCertificate("serving-cert", nil, altNames, 365, ca)
+	if err != nil {
+		return fmt.Errorf("failed to generate signed certificate: %w", err)
 	}
 
+	resources = append([]kube.Object{NewInstrumentorTLSSecret(a.ns, &cert),
+		NewMutatingWebhookConfiguration(a.ns, []byte(cert.Cert)),
+	},
+		resources...)
+
 	return a.client.ApplyResources(ctx, a.config.ConfigVersion, resources)
 }
diff --git a/cli/go.mod b/cli/go.mod
@@ -3,7 +3,6 @@ module github.com/odigos-io/odigos/cli
 go 1.23.0
 
 require (
-	github.com/cert-manager/cert-manager v1.16.2
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/go-version v1.7.0
 	github.com/odigos-io/odigos/api v0.0.0
@@ -32,7 +31,6 @@ require (
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	sigs.k8s.io/controller-runtime v0.19.0 // indirect
-	sigs.k8s.io/gateway-api v1.1.0 // indirect
 )
 
 require (