backport: remove cert manager support (#2138)

Cert-manager has been unreliable, often failing to generate certificates
correctly or at all. This PR removes all cert-manager dependencies and
switches to always self-signing certificates. As long as the CA bundle
in MutatingWebhookConfiguration matches the TLS secret used by
odigos-instrumentor, everything will work reliably. This change
simplifies the process and ensures consistent behavior.

CONTRIBUTING.md

@@ -178,7 +178,7 @@ If the Mutating Webhook is enabled, follow these steps:
 1. Copy the TLS certificate and key:
 Create a local directory and extract the certificate and key by running the following command:  
 ```
-mkdir -p serving-certs && kubectl get secret instrumentor-webhook-cert -n odigos-system -o jsonpath='{.data.tls\.crt}' | base64 -d > serving-certs/tls.crt && kubectl get secret instrumentor-webhook-cert -n odigos-system -o jsonpath='{.data.tls\.key}' | base64 -d > serving-certs/tls.key
+mkdir -p serving-certs && kubectl get secret webhook-cert -n odigos-system -o jsonpath='{.data.tls\.crt}' | base64 -d > serving-certs/tls.crt && kubectl get secret webhook-cert -n odigos-system -o jsonpath='{.data.tls\.key}' | base64 -d > serving-certs/tls.key
 ```
 
 

cli/cmd/resources/instrumentor.go

@@ -10,8 +10,6 @@ import (
 	"github.com/odigos-io/odigos/cli/pkg/kube"
 	"github.com/odigos-io/odigos/common"
 
-	certv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
-	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
 	"github.com/odigos-io/odigos/k8sutils/pkg/consts"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	appsv1 "k8s.io/api/apps/v1"
@@ -27,7 +25,7 @@ const (
 	InstrumentorDeploymentName    = "odigos-instrumentor"
 	InstrumentorAppLabelValue     = "odigos-instrumentor"
 	InstrumentorContainerName     = "manager"
-	InstrumentorWebhookSecretName = "instrumentor-webhook-cert"
+	InstrumentorWebhookSecretName = "webhook-cert"
 	InstrumentorWebhookVolumeName = "webhook-cert"
 )
 
@@ -221,72 +219,6 @@ func NewInstrumentorClusterRoleBinding(ns string) *rbacv1.ClusterRoleBinding {
 	}
 }
 
-func isCertManagerInstalled(ctx context.Context, c *kube.Client) bool {
-	// Check if CRD is installed
-	_, err := c.ApiExtensions.ApiextensionsV1().CustomResourceDefinitions().Get(ctx, "issuers.cert-manager.io", metav1.GetOptions{})
-	if err != nil {
-		return false
-	}
-
-	return true
-}
-
-func NewInstrumentorIssuer(ns string) *certv1.Issuer {
-	return &certv1.Issuer{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Issuer",
-			APIVersion: "cert-manager.io/v1",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "selfsigned-issuer",
-			Namespace: ns,
-			Labels: map[string]string{
-				"app.kubernetes.io/name":       "issuer",
-				"app.kubernetes.io/instance":   "selfsigned-issuer",
-				"app.kubernetes.io/component":  "certificate",
-				"app.kubernetes.io/created-by": "instrumentor",
-				"app.kubernetes.io/part-of":    "odigos",
-			},
-		},
-		Spec: certv1.IssuerSpec{
-			IssuerConfig: certv1.IssuerConfig{
-				SelfSigned: &certv1.SelfSignedIssuer{},
-			},
-		},
-	}
-}
-
-func NewInstrumentorCertificate(ns string) *certv1.Certificate {
-	return &certv1.Certificate{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Certificate",
-			APIVersion: "cert-manager.io/v1",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "serving-cert",
-			Namespace: ns,
-			Labels: map[string]string{
-				"app.kubernetes.io/name":       "instrumentor-cert",
-				"app.kubernetes.io/instance":   "instrumentor-cert",
-				"app.kubernetes.io/component":  "certificate",
-				"app.kubernetes.io/created-by": "instrumentor",
-				"app.kubernetes.io/part-of":    "odigos",
-			},
-		},
-		Spec: certv1.CertificateSpec{
-			DNSNames: []string{
-				fmt.Sprintf("odigos-instrumentor.%s.svc", ns),
-				fmt.Sprintf("odigos-instrumentor.%s.svc.cluster.local", ns),
-			},
-			IssuerRef: cmmeta.ObjectReference{
-				Kind: "Issuer",
-				Name: "selfsigned-issuer",
-			},
-			SecretName: InstrumentorWebhookSecretName,
-		},
-	}
-}
-
 func NewInstrumentorService(ns string) *corev1.Service {
 	return &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@@ -587,7 +519,6 @@ func NewInstrumentorResourceManager(client *kube.Client, ns string, config *comm
 func (a *instrumentorResourceManager) Name() string { return "Instrumentor" }
 
 func (a *instrumentorResourceManager) InstallFromScratch(ctx context.Context) error {
-	certManagerInstalled := isCertManagerInstalled(ctx, a.client)
 	resources := []kube.Object{
 		NewInstrumentorServiceAccount(a.ns),
 		NewInstrumentorLeaderElectionRoleBinding(a.ns),
@@ -597,33 +528,25 @@ func (a *instrumentorResourceManager) InstallFromScratch(ctx context.Context) er
 		NewInstrumentorService(a.ns),
 	}
 
-	if certManagerInstalled {
-		resources = append([]kube.Object{NewInstrumentorIssuer(a.ns),
-			NewInstrumentorCertificate(a.ns),
-			NewMutatingWebhookConfiguration(a.ns, nil),
-		},
-			resources...)
-	} else {
-		ca, err := crypto.GenCA("odigos-instrumentor", 365)
-		if err != nil {
-			return fmt.Errorf("failed to generate CA: %w", err)
-		}
-
-		altNames := []string{
-			fmt.Sprintf("odigos-instrumentor.%s.svc", a.ns),
-			fmt.Sprintf("odigos-instrumentor.%s.svc.cluster.local", a.ns),
-		}
+	ca, err := crypto.GenCA("odigos-instrumentor", 365)
+	if err != nil {
+		return fmt.Errorf("failed to generate CA: %w", err)
+	}
 
-		cert, err := crypto.GenerateSignedCertificate("serving-cert", nil, altNames, 365, ca)
-		if err != nil {
-			return fmt.Errorf("failed to generate signed certificate: %w", err)
-		}
+	altNames := []string{
+		fmt.Sprintf("odigos-instrumentor.%s.svc", a.ns),
+		fmt.Sprintf("odigos-instrumentor.%s.svc.cluster.local", a.ns),
+	}
 
-		resources = append([]kube.Object{NewInstrumentorTLSSecret(a.ns, &cert),
-			NewMutatingWebhookConfiguration(a.ns, []byte(cert.Cert)),
-		},
-			resources...)
+	cert, err := crypto.GenerateSignedCertificate("serving-cert", nil, altNames, 365, ca)
+	if err != nil {
+		return fmt.Errorf("failed to generate signed certificate: %w", err)
 	}
 
+	resources = append([]kube.Object{NewInstrumentorTLSSecret(a.ns, &cert),
+		NewMutatingWebhookConfiguration(a.ns, []byte(cert.Cert)),
+	},
+		resources...)
+
 	return a.client.ApplyResources(ctx, a.config.ConfigVersion, resources)
 }

cli/go.mod

@@ -3,7 +3,6 @@ module github.com/odigos-io/odigos/cli
 go 1.22.0
 
 require (
-	github.com/cert-manager/cert-manager v1.15.3
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/go-version v1.7.0
 	github.com/odigos-io/odigos/api v0.0.0
@@ -29,9 +28,10 @@ require (
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
+	go.uber.org/zap v1.27.0 // indirect
+	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	sigs.k8s.io/controller-runtime v0.19.0 // indirect
-	sigs.k8s.io/gateway-api v1.1.0 // indirect
 )
 
 require (

cli/go.sum

@@ -1,7 +1,5 @@
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/cert-manager/cert-manager v1.15.3 h1:/u9T0griwd5MegPfWbB7v0KcVcT9OJrEvPNhc9tl7xQ=
-github.com/cert-manager/cert-manager v1.15.3/go.mod h1:stBge/DTvrhfQMB/93+Y62s+gQgZBsfL1o0C/4AL/mI=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -200,8 +198,6 @@ k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q=
 sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
-sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM=
-sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=

helm/odigos/templates/instrumentor/deployment.yaml

@@ -72,7 +72,7 @@ spec:
       volumes:
         - name: webhook-cert
           secret:
-            secretName: instrumentor-webhook-cert
+            secretName: webhook-cert
             defaultMode: 420
       terminationGracePeriodSeconds: 10
 {{- if .Values.imagePullSecrets }}

helm/odigos/templates/instrumentor/webhook.yaml

@@ -1,4 +1,3 @@
-{{- $certManagerApiVersion := include "utils.certManagerApiVersion" . -}}
 {{- $altNames := list (printf "odigos-instrumentor.%s.svc" .Release.Namespace) (printf "odigos-instrumentor.%s.svc.cluster.local" .Release.Namespace) -}}
 {{- $ca := genCA "serving-cert" 365 -}}
 {{- $cert := genSignedCert "serving-cert" nil $altNames 365 $ca -}}
@@ -12,16 +11,10 @@ metadata:
     app.kubernetes.io/component: webhook
     app.kubernetes.io/created-by: instrumentor
     app.kubernetes.io/part-of: odigos
-{{- if $certManagerApiVersion }}
-  annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/serving-cert
-{{- end }}
 webhooks:
   - name: pod-mutating-webhook.odigos.io
     clientConfig:
-{{- if not $certManagerApiVersion }}
       caBundle: {{ $ca.Cert | b64enc }}
-{{- end }}
       service:
         name: odigos-instrumentor
         namespace: {{ .Release.Namespace }}
@@ -44,12 +37,11 @@ webhooks:
     timeoutSeconds: 10
     admissionReviewVersions: ["v1"]
 ---
-{{- if not $certManagerApiVersion }}
 apiVersion: v1
 kind: Secret
 type: kubernetes.io/tls
 metadata:
-  name: instrumentor-webhook-cert
+  name: webhook-cert
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: instrumentor-cert
@@ -62,5 +54,4 @@ metadata:
     "helm.sh/hook-delete-policy": "before-hook-creation"
 data:
   tls.crt: {{ $cert.Cert | b64enc }}
-  tls.key: {{ $cert.Key | b64enc }}
-{{- end }}
+  tls.key: {{ $cert.Key | b64enc }}