From 25d5e40cb959185a4d33b9286bcb46b00fe43519 Mon Sep 17 00:00:00 2001
From: Eden Federman
Date: Sun, 5 Jan 2025 18:00:03 +0200
Subject: [PATCH 1/3] backport: remove cert-manager usage
---
 cli/cmd/resources/instrumentor.go | 109 +++--------------
 helm/odigos/templates/_helpers.tpl | 13 ---
 .../templates/instrumentor/certificates.yaml | 36 ------
 .../templates/instrumentor/webhook.yaml | 11 +-
 4 files changed, 17 insertions(+), 152 deletions(-)
 delete mode 100644 helm/odigos/templates/_helpers.tpl
 delete mode 100644 helm/odigos/templates/instrumentor/certificates.yaml
diff --git a/cli/cmd/resources/instrumentor.go b/cli/cmd/resources/instrumentor.go
index e2e972306..99addb162 100644
--- a/cli/cmd/resources/instrumentor.go
+++ b/cli/cmd/resources/instrumentor.go
@@ -10,8 +10,6 @@ import (
 "github.com/odigos-io/odigos/cli/pkg/kube"
 "github.com/odigos-io/odigos/common"
- certv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
- cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
 "github.com/odigos-io/odigos/k8sutils/pkg/consts"
 admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 appsv1 "k8s.io/api/apps/v1"
@@ -221,72 +219,6 @@ func NewInstrumentorClusterRoleBinding(ns string) *rbacv1.ClusterRoleBinding {
 }
 }
-func isCertManagerInstalled(ctx context.Context, c *kube.Client) bool {
- // Check if CRD is installed
- _, err := c.ApiExtensions.ApiextensionsV1().CustomResourceDefinitions().Get(ctx, "issuers.cert-manager.io", metav1.GetOptions{})
- if err != nil {
- return false
- }
-
- return true
-}
-
-func NewInstrumentorIssuer(ns string) *certv1.Issuer {
- return &certv1.Issuer{
- TypeMeta: metav1.TypeMeta{
- Kind: "Issuer",
- APIVersion: "cert-manager.io/v1",
- },
- ObjectMeta: metav1.ObjectMeta{
- Name: "selfsigned-issuer",
- Namespace: ns,
- Labels: map[string]string{
- "app.kubernetes.io/name": "issuer",
- "app.kubernetes.io/instance": "selfsigned-issuer",
- "app.kubernetes.io/component": "certificate",
- "app.kubernetes.io/created-by": "instrumentor",
- "app.kubernetes.io/part-of": "odigos",
- },
- },
- Spec: certv1.IssuerSpec{
- IssuerConfig: certv1.IssuerConfig{
- SelfSigned: &certv1.SelfSignedIssuer{},
- },
- },
- }
-}
-
-func NewInstrumentorCertificate(ns string) *certv1.Certificate {
- return &certv1.Certificate{
- TypeMeta: metav1.TypeMeta{
- Kind: "Certificate",
- APIVersion: "cert-manager.io/v1",
- },
- ObjectMeta: metav1.ObjectMeta{
- Name: "serving-cert",
- Namespace: ns,
- Labels: map[string]string{
- "app.kubernetes.io/name": "instrumentor-cert",
- "app.kubernetes.io/instance": "instrumentor-cert",
- "app.kubernetes.io/component": "certificate",
- "app.kubernetes.io/created-by": "instrumentor",
- "app.kubernetes.io/part-of": "odigos",
- },
- },
- Spec: certv1.CertificateSpec{
- DNSNames: []string{
- fmt.Sprintf("odigos-instrumentor.%s.svc", ns),
- fmt.Sprintf("odigos-instrumentor.%s.svc.cluster.local", ns),
- },
- IssuerRef: cmmeta.ObjectReference{
- Kind: "Issuer",
- Name: "selfsigned-issuer",
- },
- SecretName: InstrumentorWebhookSecretName,
- },
- }
-}
-
 func NewInstrumentorService(ns string) *corev1.Service {
 return &corev1.Service{
 TypeMeta: metav1.TypeMeta{
@@ -587,7 +519,6 @@ func NewInstrumentorResourceManager(client *kube.Client, ns string, config *comm
 func (a *instrumentorResourceManager) Name() string { return "Instrumentor" }
 func (a *instrumentorResourceManager) InstallFromScratch(ctx context.Context) error {
- certManagerInstalled := isCertManagerInstalled(ctx, a.client)
 resources := []kube.Object{
 NewInstrumentorServiceAccount(a.ns),
 NewInstrumentorLeaderElectionRoleBinding(a.ns),
@@ -597,33 +528,25 @@ func (a *instrumentorResourceManager) InstallFromScratch(ctx context.Context) er
 NewInstrumentorService(a.ns),
 }
- if certManagerInstalled {
- resources = append([]kube.Object{NewInstrumentorIssuer(a.ns),
- NewInstrumentorCertificate(a.ns),
- NewMutatingWebhookConfiguration(a.ns, nil),
- },
- resources...)
- } else {
- ca, err := crypto.GenCA("odigos-instrumentor", 365)
- if err != nil {
- return fmt.Errorf("failed to generate CA: %w", err)
- }
-
- altNames := []string{
- fmt.Sprintf("odigos-instrumentor.%s.svc", a.ns),
- fmt.Sprintf("odigos-instrumentor.%s.svc.cluster.local", a.ns),
- }
+ ca, err := crypto.GenCA("odigos-instrumentor", 365)
+ if err != nil {
+ return fmt.Errorf("failed to generate CA: %w", err)
+ }
- cert, err := crypto.GenerateSignedCertificate("serving-cert", nil, altNames, 365, ca)
- if err != nil {
- return fmt.Errorf("failed to generate signed certificate: %w", err)
- }
+ altNames := []string{
+ fmt.Sprintf("odigos-instrumentor.%s.svc", a.ns),
+ fmt.Sprintf("odigos-instrumentor.%s.svc.cluster.local", a.ns),
+ }
- resources = append([]kube.Object{NewInstrumentorTLSSecret(a.ns, &cert),
- NewMutatingWebhookConfiguration(a.ns, []byte(cert.Cert)),
- },
- resources...)
+ cert, err := crypto.GenerateSignedCertificate("serving-cert", nil, altNames, 365, ca)
+ if err != nil {
+ return fmt.Errorf("failed to generate signed certificate: %w", err)
 }
+ resources = append([]kube.Object{NewInstrumentorTLSSecret(a.ns, &cert),
+ NewMutatingWebhookConfiguration(a.ns, []byte(cert.Cert)),
+ },
+ resources...)
+
 return a.client.ApplyResources(ctx, a.config.ConfigVersion, resources)
 }
diff --git a/helm/odigos/templates/_helpers.tpl b/helm/odigos/templates/_helpers.tpl
deleted file mode 100644
index f2a0003b9..000000000
--- a/helm/odigos/templates/_helpers.tpl
+++ /dev/null
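Review bot: Both `crypto.GenCA("odigos-instrumentor", 365)` and `crypto.GenerateSignedCertificate("serving-cert", nil, altNames, 365, ca)` hard-code a 365-day validity, and now that the cert-manager branch is gone nothing on this page renews the serving certificate or the webhook caBundle before it expires, so an install that is not re-run within a year silently loses the mutating webhook. A shared constant such as `const webhookCertValidityDays = 365` used in both calls, plus a doc comment on InstallFromScratch saying it mints a fresh self-signed CA and serving cert on every call and that renewal is the operator's job, would make that lifetime visible and reviewable. The caBundle handed to `NewMutatingWebhookConfiguration(a.ns, []byte(cert.Cert))` is the leaf certificate rather than `ca.Cert`, while the Helm template in this same patch uses `caBundle: {{ $ca.Cert | b64enc }}`; this predates the commit, but the two install paths should agree on which certificate the API server is asked to trust. The "failed to" prefixes in the wrapped errors are redundant once the error is chained, e.g. `return fmt.Errorf("generating CA: %w", err)`. InstallFromScratch starts before this hunk.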
@@ -1,13 +0,0 @@
-{{- define "utils.certManagerApiVersion" -}}
-{{- if .Capabilities.APIVersions.Has "cert-manager.io/v1" -}}
-cert-manager.io/v1
-{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1beta1" -}}
-cert-manager.io/v1beta1
-{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" -}}
-cert-manager.io/v1alpha2
-{{- else if .Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1" -}}
-certmanager.k8s.io/v1alpha1
-{{- else -}}
-{{- print "" -}}
-{{- end -}}
-{{- end -}}
\ No newline at end of file
diff --git a/helm/odigos/templates/instrumentor/certificates.yaml b/helm/odigos/templates/instrumentor/certificates.yaml
deleted file mode 100644
index ab55f6c51..000000000
--- a/helm/odigos/templates/instrumentor/certificates.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-{{- $certManagerApiVersion := include "utils.certManagerApiVersion" . -}}
-{{- if $certManagerApiVersion }}
-apiVersion: {{ $certManagerApiVersion }}
-kind: Issuer
-metadata:
- name: selfsigned-issuer
- namespace: {{ .Release.Namespace }}
- labels:
- app.kubernetes.io/name: issuer
- app.kubernetes.io/instance: selfsigned-issuer
- app.kubernetes.io/component: certificate
- app.kubernetes.io/created-by: instrumentor
- app.kubernetes.io/part-of: odigos
-spec:
- selfSigned: {}
----
-apiVersion: {{ $certManagerApiVersion }}
-kind: Certificate
-metadata:
- name: serving-cert
- namespace: {{ .Release.Namespace }}
- labels:
- app.kubernetes.io/name: instrumentor-cert
- app.kubernetes.io/instance: instrumentor-cert
- app.kubernetes.io/component: certificate
- app.kubernetes.io/created-by: instrumentor
- app.kubernetes.io/part-of: odigos
-spec:
- dnsNames:
- - "odigos-instrumentor.{{ .Release.Namespace }}.svc"
- - "odigos-instrumentor.{{ .Release.Namespace }}.svc.cluster.local"
- issuerRef:
- kind: Issuer
- name: selfsigned-issuer
- secretName: instrumentor-webhook-cert
-{{- end }}
\ No newline at end of file
diff --git a/helm/odigos/templates/instrumentor/webhook.yaml b/helm/odigos/templates/instrumentor/webhook.yaml
index 41ed17f26..712a515bc 100644
--- a/helm/odigos/templates/instrumentor/webhook.yaml
+++ b/helm/odigos/templates/instrumentor/webhook.yaml
@@ -1,4 +1,3 @@
-{{- $certManagerApiVersion := include "utils.certManagerApiVersion" . -}}
 {{- $altNames := list (printf "odigos-instrumentor.%s.svc" .Release.Namespace) (printf "odigos-instrumentor.%s.svc.cluster.local" .Release.Namespace) -}}
 {{- $ca := genCA "serving-cert" 365 -}}
 {{- $cert := genSignedCert "serving-cert" nil $altNames 365 $ca -}}
@@ -12,16 +11,10 @@ metadata:
 app.kubernetes.io/component: webhook
 app.kubernetes.io/created-by: instrumentor
 app.kubernetes.io/part-of: odigos
-{{- if $certManagerApiVersion }}
- annotations:
- cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/serving-cert
-{{- end }}
 webhooks:
 - name: pod-mutating-webhook.odigos.io
 clientConfig:
-{{- if not $certManagerApiVersion }}
 caBundle: {{ $ca.Cert | b64enc }}
-{{- end }}
 service:
 name: odigos-instrumentor
 namespace: {{ .Release.Namespace }}
@@ -44,7 +37,6 @@ webhooks:
 timeoutSeconds: 10
 admissionReviewVersions: ["v1"]
 ---
-{{- if not $certManagerApiVersion }}
 apiVersion: v1
 kind: Secret
 type: kubernetes.io/tls
@@ -62,5 +54,4 @@ metadata:
 "helm.sh/hook-delete-policy": "before-hook-creation"
 data:
 tls.crt: {{ $cert.Cert | b64enc }}
- tls.key: {{ $cert.Key | b64enc }}
-{{- end }}
\ No newline at end of file
+ tls.key: {{ $cert.Key | b64enc }}
\ No newline at end of file
From bebb91ec70fa20e6d2b44b070b66d840688735a0 Mon Sep 17 00:00:00 2001
From: Eden Federman
Date: Sun, 5 Jan 2025 18:37:31 +0200
Subject: [PATCH 2/3] rename secret
---
 CONTRIBUTING.md | 2 +-
 cli/cmd/resources/instrumentor.go | 2 +-
 helm/odigos/templates/instrumentor/deployment.yaml | 2 +-
 helm/odigos/templates/instrumentor/webhook.yaml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
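Review bot: With the cert-manager branches removed, `{{- $ca := genCA "serving-cert" 365 -}}` and `{{- $cert := genSignedCert "serving-cert" nil $altNames 365 $ca -}}` at the top of this template are now the only source of the webhook's key material, and Helm evaluates them afresh on every render, so each `helm upgrade` produces a new CA, a new serving key, and a new caBundle. The `helm.sh/hook-delete-policy: before-hook-creation` annotation visible in the last hunk suggests the Secret is a hook that is recreated on each upgrade, while the MutatingWebhookConfiguration is updated with the release; if the two are applied at different moments the API server will reject webhook calls until they agree, and the instrumentor pod must reload the remounted Secret either way. Consider reusing an existing Secret via Helm's `lookup` function (falling back to `genCA`/`genSignedCert` only when none exists), or at least a template comment above the `genCA` line stating that every upgrade rotates the certificate and that the 365-day validity is not renewed automatically. The same hard-coded 365 appears in the Go install path of this patch; keeping the two in step avoids divergent lifetimes.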
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index c2327488a..d026066cd 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -178,7 +178,7 @@ If the Mutating Webhook is enabled, follow these steps: 1. Copy the TLS certificate and key: Create a local directory and extract the certificate and key by running the following command:
 ```
-mkdir -p serving-certs && kubectl get secret instrumentor-webhook-cert -n odigos-system -o jsonpath='{.data.tls\.crt}' | base64 -d > serving-certs/tls.crt && kubectl get secret instrumentor-webhook-cert -n odigos-system -o jsonpath='{.data.tls\.key}' | base64 -d > serving-certs/tls.key
+mkdir -p serving-certs && kubectl get secret webhook-cert -n odigos-system -o jsonpath='{.data.tls\.crt}' | base64 -d > serving-certs/tls.crt && kubectl get secret webhook-cert -n odigos-system -o jsonpath='{.data.tls\.key}' | base64 -d > serving-certs/tls.key
 ```
diff --git a/cli/cmd/resources/instrumentor.go b/cli/cmd/resources/instrumentor.go
index 99addb162..1f29dd170 100644
--- a/cli/cmd/resources/instrumentor.go
+++ b/cli/cmd/resources/instrumentor.go
@@ -25,7 +25,7 @@ const (
 InstrumentorDeploymentName = "odigos-instrumentor"
 InstrumentorAppLabelValue = "odigos-instrumentor"
 InstrumentorContainerName = "manager"
- InstrumentorWebhookSecretName = "instrumentor-webhook-cert"
+ InstrumentorWebhookSecretName = "webhook-cert"
 InstrumentorWebhookVolumeName = "webhook-cert"
 )
diff --git a/helm/odigos/templates/instrumentor/deployment.yaml b/helm/odigos/templates/instrumentor/deployment.yaml
index db0422a1e..cc7b37c79 100644
--- a/helm/odigos/templates/instrumentor/deployment.yaml
+++ b/helm/odigos/templates/instrumentor/deployment.yaml
@@ -72,7 +72,7 @@ spec:
 volumes:
 - name: webhook-cert
 secret:
- secretName: instrumentor-webhook-cert
+ secretName: webhook-cert
 defaultMode: 420
 terminationGracePeriodSeconds: 10
 {{- if .Values.imagePullSecrets }}
diff --git a/helm/odigos/templates/instrumentor/webhook.yaml b/helm/odigos/templates/instrumentor/webhook.yaml
index 712a515bc..7361f21b4 100644
--- a/helm/odigos/templates/instrumentor/webhook.yaml
+++ b/helm/odigos/templates/instrumentor/webhook.yaml
@@ -41,7 +41,7 @@ apiVersion: v1
 kind: Secret
 type: kubernetes.io/tls
 metadata:
- name: instrumentor-webhook-cert
+ name: webhook-cert
 namespace: {{ .Release.Namespace }}
 labels:
 app.kubernetes.io/name: instrumentor-cert
From e3b2d671bd5a70b5f79aec5b02bdfe60910e709d Mon Sep 17 00:00:00 2001
From: Eden Federman
Date: Mon, 6 Jan 2025 08:51:47 +0200
Subject: [PATCH 3/3] go mod tidy
---
 cli/go.mod | 4 ++--
 cli/go.sum | 4 ----
 2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/cli/go.mod b/cli/go.mod
index 0bdf04b91..995daab18 100644
--- a/cli/go.mod
+++ b/cli/go.mod
@@ -3,7 +3,6 @@ module github.com/odigos-io/odigos/cli
 go 1.22.0
 require (
- github.com/cert-manager/cert-manager v1.15.3
 github.com/google/uuid v1.6.0
 github.com/hashicorp/go-version v1.7.0
 github.com/odigos-io/odigos/api v0.0.0
@@ -29,9 +28,10 @@ require (
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/x448/float16 v0.8.4 // indirect
+ go.uber.org/zap v1.27.0 // indirect
+ golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 sigs.k8s.io/controller-runtime v0.19.0 // indirect
- sigs.k8s.io/gateway-api v1.1.0 // indirect
 )
 require (
diff --git a/cli/go.sum b/cli/go.sum
index c67c4944a..823e7bf3d 100644
--- a/cli/go.sum
+++ b/cli/go.sum
@@ -1,7 +1,5 @@
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/cert-manager/cert-manager v1.15.3 h1:/u9T0griwd5MegPfWbB7v0KcVcT9OJrEvPNhc9tl7xQ=
-github.com/cert-manager/cert-manager v1.15.3/go.mod h1:stBge/DTvrhfQMB/93+Y62s+gQgZBsfL1o0C/4AL/mI=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -200,8 +198,6 @@ k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q=
 sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
-sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM=
-sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=