Rebase

Signed-off-by: jaellio <jaellio@microsoft.com>

charts/osm/README.md

@@ -179,6 +179,7 @@ The following table lists the configurable parameters of the osm chart and their
 | osm.vault.protocol | string | `"http"` | protocol to use to connect to Vault |
 | osm.vault.role | string | `"openservicemesh"` | Vault role to be used by Open Service Mesh |
 | osm.vault.token | string | `""` | token that should be used to connect to Vault |
+| osm.vault.tokenSecretKey | string | `"token"` | The Kubernetes secret key with the value bring the Vault token |
 | osm.vault.tokenSecretName | string | `"osm-vault-token"` | The Kubernetes secret name to store the Vault token used in OSM |
 | osm.webhookConfigNamePrefix | string | `"osm-webhook"` | Prefix used in name of the webhook configuration resources |
 | smi.validateTrafficTarget | bool | `true` | Enables validation of SMI Traffic Target |

charts/osm/templates/preset-mesh-root-certificate.yaml

@@ -27,14 +27,16 @@ data:
         {{- if eq (.Values.osm.certificateProvider.kind | lower) "vault"}}
         "vault": {
           "token": {
-            "secretRef": {
+            "secretKeyRef": {
               "name": {{.Values.osm.vault.tokenSecretName | mustToJson}},
+              "key": {{.Values.osm.vault.tokenSecretKey | mustToJson}},
               "namespace": "{{include "osm.namespace" .}}"
             }
           },
           "host": {{.Values.osm.vault.host | mustToJson}},
           "role": {{.Values.osm.vault.role | mustToJson}},
-          "protocol": {{.Values.osm.vault.protocol | mustToJson}}
+          "protocol": {{.Values.osm.vault.protocol | mustToJson}},
+          "port": {{.Values.osm.vault.port | mustToJson}}
         }
         {{- end}}
       }

charts/osm/values.schema.json

@@ -1298,6 +1298,12 @@
                             "title": "Vault token secret name schema",
                             "description": "Name of the Kubernetes Secret to store the vault token",
                             "type": "string"
+                        },
+                        "tokenSecretKey": {
+                            "$id": "#/properties/osm/properties/vault/properties/tokenSecretKey",
+                            "title": "Vault token secret key schema",
+                            "description": "Name of the Kubernetes Secret key with the value of the vault token",
+                            "type": "string"
                         }
                     },
                     "examples": [

charts/osm/values.yaml

@@ -131,6 +131,8 @@ osm:
     role: openservicemesh
     # -- The Kubernetes secret name to store the Vault token used in OSM
     tokenSecretName: osm-vault-token
+    # -- The Kubernetes secret key with the value bring the Vault token
+    tokenSecretKey: token
 
   #
   # -- cert-manager.io configuration

cmd/osm-bootstrap/crds/config_mesh_root_certificate.yaml

@@ -60,14 +60,10 @@ spec:
                       description: Cert-manager provider configuration
                       type: object
                       required:
-                        - secretName
                         - issuerName
                         - issuerKind
                         - issuerGroup
                       properties:
-                        secretName:
-                          description: The name of the kubernetes secret containing the root certificate
-                          type: string
                         issuerName:
                           description: The name of the Issuer or ClusterIssuer resource
                           type: string

cmd/osm-bootstrap/osm-bootstrap.go

@@ -373,7 +373,7 @@ func (b *bootstrap) ensureMeshRootCertificate() error {
 	meshRootCertificateList, err := b.configClient.ConfigV1alpha2().MeshRootCertificates(b.namespace).List(context.TODO(), listOptions)
 
 	if len(meshRootCertificateList.Items) == 0 {
-		// create a MeshRootCertificate since none were found in the complete state and issuing rotationState
+		// create a MeshRootCertificate since none were found in the complete state and issuing rotationStage
 		return b.createMeshRootCertificate()
 	}
 	if err != nil {
@@ -437,8 +437,8 @@ func buildMeshRootCertificate(presetMeshRootCertificateConfigMap *corev1.ConfigM
 		},
 		Spec: presetMeshRootCertificateSpec,
 		Status: configv1alpha2.MeshRootCertificateStatus{
-			State:         "complete",
-			RotationStage: "issuing",
+			State:         constants.MRCStateComplete,
+			RotationStage: constants.MRCStageIssuing,
 		},
 	}
 

cmd/osm-bootstrap/osm-bootstrap_test.go

@@ -129,9 +129,11 @@ var testPresetMeshRootCertificate *corev1.ConfigMap = &corev1.ConfigMap{
 		presetMeshRootCertificateJSONKey: `{
 "provider": {
 	"tresor": {
-	 "secretRef": {
-	   "name": "osm-ca-bundle",
-	   "namespace": "test-namespace"
+	 "ca": {
+	  "secretRef": {
+        "name": "osm-ca-bundle",
+		"namespace": "test-namespace"
+	  }
 	 }
 	}
 	}
@@ -166,8 +168,8 @@ func TestBuildMeshRootCertificate(t *testing.T) {
 	assert.NoError(err)
 	assert.Contains(meshRootCertificate.Annotations, "kubectl.kubernetes.io/last-applied-configuration")
 	assert.Equal(meshRootCertificate.Name, meshRootCertificateName)
-	assert.Equal(meshRootCertificate.Spec.Provider.Tresor.SecretRef.Name, "osm-ca-bundle")
-	assert.Equal(meshRootCertificate.Spec.Provider.Tresor.SecretRef.Namespace, testNamespace)
+	assert.Equal(meshRootCertificate.Spec.Provider.Tresor.CA.SecretRef.Name, "osm-ca-bundle")
+	assert.Equal(meshRootCertificate.Spec.Provider.Tresor.CA.SecretRef.Namespace, testNamespace)
 	assert.Nil(meshRootCertificate.Spec.Provider.Vault)
 	assert.Nil(meshRootCertificate.Spec.Provider.CertManager)
 }

pkg/apis/config/v1alpha2/meshrootcertificate.go

@@ -49,9 +49,6 @@ type ProviderSpec struct {
 
 // CertManagerProviderSpec defines the configuration of the cert-manager provider
 type CertManagerProviderSpec struct {
-	// SecretName specifies the name of the k8s secret containing the root certificate
-	SecretName string `json:"secretName"`
-
 	// IssuerName specifies the name of the Issuer resource
 	IssuerName string `json:"issuerName"`
 

pkg/certificate/providers/compat.go

@@ -16,5 +16,3 @@ func (c *MRCCompatClient) List() ([]*v1alpha2.MeshRootCertificate, error) {
 // AddEventHandler is a no-op for the legacy client. The previous client could not handle changes, but we need this
 // method to implement the certificate.MRCClient interface.
 func (c *MRCCompatClient) AddEventHandler(cache.ResourceEventHandler) {}
-
-// provider.Tresor = &v1alpha2.TresorProviderSpec{SecretName: opts.SecretName}

pkg/certificate/providers/config.go

@@ -57,8 +57,8 @@ func NewCertificateManager(kubeClient kubernetes.Interface, kubeConfig *rest.Con
 			},
 			// TODO(#4502): Detect if an actual MRC exists, and set the status accordingly.
 			Status: v1alpha2.MeshRootCertificateStatus{
-				State:         constants.MRCStateValidating,
-				RotationStage: constants.MRCStageComplete,
+				State:         constants.MRCStateComplete,
+				RotationStage: constants.MRCStageIssuing,
 			},
 		},
 	}

pkg/constants/constants.go

@@ -166,8 +166,14 @@ const (
 	// MRCVersionAnnotation is the annotation used for the version of the MeshRootCertificate
 	MRCVersionAnnotation = "openservicemesh.io/mrc-version"
 
-	MRCStateValidating = "validating"
-	MRCStageComplete   = "complete"
+	// MRCStageValidating is the validating status option for the rotation stage of the MeshRootCertificate
+	MRCStageValidating = "validating"
+
+	// MRCStageIssuing is the issuing status option for the rotation stage of the MeshRootCertificate
+	MRCStageIssuing = "issuing"
+
+	// MRCStateComplete is the complete status option for the state of the MeshRootCertificate
+	MRCStateComplete = "complete"
 )
 
 // Labels used by the control plane

tests/framework/common.go

@@ -354,10 +354,13 @@ func (td *OsmTestData) GetOSMInstallOpts(options ...InstallOsmOpt) InstallOSMOpt
 		DeployFluentbit:         false,
 		EnableReconciler:        false,
 
-		VaultHost:     "vault." + td.OsmNamespace + ".svc.cluster.local",
-		VaultProtocol: "http",
-		VaultRole:     "openservicemesh",
-		VaultToken:    "token",
+		VaultHost:            "vault." + td.OsmNamespace + ".svc.cluster.local",
+		VaultProtocol:        "http",
+		VaultPort:            8200,
+		VaultRole:            "openservicemesh",
+		VaultToken:           "token",
+		VaultTokenSecretName: "osm-vault-token",
+		VaultTokenSecretKey:  "token-key",
 
 		CertmanagerIssuerGroup: "cert-manager.io",
 		CertmanagerIssuerKind:  "Issuer",
@@ -519,7 +522,9 @@ func (td *OsmTestData) InstallOSM(instOpts InstallOSMOpts) error {
 			fmt.Sprintf("osm.vault.host=%s", instOpts.VaultHost),
 			fmt.Sprintf("osm.vault.role=%s", instOpts.VaultRole),
 			fmt.Sprintf("osm.vault.protocol=%s", instOpts.VaultProtocol),
-			fmt.Sprintf("osm.vault.token=%s", instOpts.VaultToken))
+			fmt.Sprintf("osm.vault.token=%s", instOpts.VaultToken),
+			fmt.Sprintf("osm.vault.port=%s", instOpts.VaultPort),
+		)
 		// Wait for the vault pod
 		if err := td.WaitForPodsRunningReady(instOpts.ControlPlaneNS, 60*time.Second, 1, nil); err != nil {
 			return errors.Wrap(err, "failed waiting for vault pod to become ready")

tests/framework/types.go

@@ -106,10 +106,13 @@ type InstallOSMOpts struct {
 	DeployFluentbit         bool
 	EnableReconciler        bool
 
-	VaultHost     string
-	VaultProtocol string
-	VaultToken    string
-	VaultRole     string
+	VaultHost            string
+	VaultProtocol        string
+	VaultPort            int
+	VaultToken           string
+	VaultRole            string
+	VaultTokenSecretName string
+	VaultTokenSecretKey  string
 
 	CertmanagerIssuerGroup string
 	CertmanagerIssuerKind  string