From 653ab7b061c2efdae99c1396ca2d7faefd04b9bb Mon Sep 17 00:00:00 2001 From: mamyers Date: Thu, 16 Mar 2023 15:28:53 -0400 Subject: [PATCH 1/7] Deprecate fields pilotSecretName and rootCAConfigMapName in cert-manager configuration --- deploy/maistra-operator.yaml | 8 ++++---- deploy/src/crd.yaml | 8 ++++---- manifests-maistra/2.3.0/servicemeshcontrolplanes.crd.yaml | 8 ++++---- manifests-maistra/2.3.1/servicemeshcontrolplanes.crd.yaml | 8 ++++---- manifests-maistra/2.4.0/servicemeshcontrolplanes.crd.yaml | 8 ++++---- .../2.2.0/servicemeshcontrolplanes.crd.yaml | 8 ++++---- 6 files changed, 24 insertions(+), 24 deletions(-) diff --git a/deploy/maistra-operator.yaml b/deploy/maistra-operator.yaml index c34b887ceb..c4526d7c7f 100644 --- a/deploy/maistra-operator.yaml +++ b/deploy/maistra-operator.yaml @@ -4922,9 +4922,9 @@ spec: properties: address: type: string - pilotSecretName: + pilotSecretName: istiod-tls type: string - rootCAConfigMapName: + rootCAConfigMapName: istio-ca-root-cert type: string type: object custom: @@ -9800,9 +9800,9 @@ spec: properties: address: type: string - pilotSecretName: + pilotSecretName: istiod-tls type: string - rootCAConfigMapName: + rootCAConfigMapName: istio-ca-root-cert type: string type: object custom: diff --git a/deploy/src/crd.yaml b/deploy/src/crd.yaml index eb312b25eb..22df63e715 100644 --- a/deploy/src/crd.yaml +++ b/deploy/src/crd.yaml @@ -4921,9 +4921,9 @@ spec: properties: address: type: string - pilotSecretName: + pilotSecretName: istiod-tls type: string - rootCAConfigMapName: + rootCAConfigMapName: istio-ca-root-cert type: string type: object custom: @@ -9799,9 +9799,9 @@ spec: properties: address: type: string - pilotSecretName: + pilotSecretName: istiod-tls type: string - rootCAConfigMapName: + rootCAConfigMapName: istio-ca-root-cert type: string type: object custom: 
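Review bot: In the first hunk of deploy/maistra-operator.yaml, `pilotSecretName: istiod-tls` turns the property key into a scalar while the more-indented `type: string` still follows it, which is not a valid OpenAPI property node and is likely to make the CRD fail to parse; the same edit is repeated in every other hunk of this patch. PATCH 3 through PATCH 5 then revert all of these CRD edits (the `index` lines show the files returning to their original blob ids), so the series' net change to the manifests is nothing and the intermediate commits leave the CRDs broken for bisecting. If the goal is to mark the two fields as deprecated in the schema, that belongs in a `description:` under the property, e.g. `description: Deprecated and rejected by the ServiceMeshControlPlane validation webhook.`, not in a value on the key; otherwise these CRD commits should be squashed out of the series.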
diff --git a/manifests-maistra/2.3.0/servicemeshcontrolplanes.crd.yaml b/manifests-maistra/2.3.0/servicemeshcontrolplanes.crd.yaml index 37d43cc398..2c69b047f2 100644 --- a/manifests-maistra/2.3.0/servicemeshcontrolplanes.crd.yaml +++ b/manifests-maistra/2.3.0/servicemeshcontrolplanes.crd.yaml @@ -4921,9 +4921,9 @@ spec: properties: address: type: string - pilotSecretName: + pilotSecretName: istiod-tls type: string - rootCAConfigMapName: + rootCAConfigMapName: istio-ca-root-cert type: string type: object custom: @@ -9799,9 +9799,9 @@ spec: properties: address: type: string - pilotSecretName: + pilotSecretName: istiod-tls type: string - rootCAConfigMapName: + rootCAConfigMapName: istio-ca-root-cert type: string type: object custom: diff --git a/manifests-maistra/2.3.1/servicemeshcontrolplanes.crd.yaml b/manifests-maistra/2.3.1/servicemeshcontrolplanes.crd.yaml index 298a1dd1ee..49588c1cfd 100644 --- a/manifests-maistra/2.3.1/servicemeshcontrolplanes.crd.yaml +++ b/manifests-maistra/2.3.1/servicemeshcontrolplanes.crd.yaml @@ -4921,9 +4921,9 @@ spec: properties: address: type: string - pilotSecretName: + pilotSecretName: istiod-tls type: string - rootCAConfigMapName: + rootCAConfigMapName: istio-ca-root-cert type: string type: object custom: @@ -9799,9 +9799,9 @@ spec: properties: address: type: string - pilotSecretName: + pilotSecretName: istiod-tls type: string - rootCAConfigMapName: + rootCAConfigMapName: istio-ca-root-cert type: string type: object custom: diff --git a/manifests-maistra/2.4.0/servicemeshcontrolplanes.crd.yaml b/manifests-maistra/2.4.0/servicemeshcontrolplanes.crd.yaml index b42e1ee044..ed1e6ebda5 100644 --- a/manifests-maistra/2.4.0/servicemeshcontrolplanes.crd.yaml +++ b/manifests-maistra/2.4.0/servicemeshcontrolplanes.crd.yaml @@ -4921,9 +4921,9 @@ spec: properties: address: type: string - pilotSecretName: + pilotSecretName: istiod-tls type: string - rootCAConfigMapName: + rootCAConfigMapName: istio-ca-root-cert type: string type: object custom: 
@@ -9799,9 +9799,9 @@ spec: properties: address: type: string - pilotSecretName: + pilotSecretName: istiod-tls type: string - rootCAConfigMapName: + rootCAConfigMapName: istio-ca-root-cert type: string type: object custom: diff --git a/manifests-servicemesh/2.2.0/servicemeshcontrolplanes.crd.yaml b/manifests-servicemesh/2.2.0/servicemeshcontrolplanes.crd.yaml index 43bd900c24..f0fdec43fc 100644 --- a/manifests-servicemesh/2.2.0/servicemeshcontrolplanes.crd.yaml +++ b/manifests-servicemesh/2.2.0/servicemeshcontrolplanes.crd.yaml @@ -4919,9 +4919,9 @@ spec: properties: address: type: string - pilotSecretName: + pilotSecretName: istiod-tls type: string - rootCAConfigMapName: + rootCAConfigMapName: istio-ca-root-cert type: string type: object custom: @@ -9797,9 +9797,9 @@ spec: properties: address: type: string - pilotSecretName: + pilotSecretName: istiod-tls type: string - rootCAConfigMapName: + rootCAConfigMapName: istio-ca-root-tls type: string type: object custom: From c006f75eb51b05c42eadeb4f1455310cff804780 Mon Sep 17 00:00:00 2001 From: mamyers Date: Thu, 16 Mar 2023 15:35:08 -0400 Subject: [PATCH 2/7] Update one rootCAConfigMapName --- manifests-servicemesh/2.2.0/servicemeshcontrolplanes.crd.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests-servicemesh/2.2.0/servicemeshcontrolplanes.crd.yaml b/manifests-servicemesh/2.2.0/servicemeshcontrolplanes.crd.yaml index f0fdec43fc..95d4994da9 100644 --- a/manifests-servicemesh/2.2.0/servicemeshcontrolplanes.crd.yaml +++ b/manifests-servicemesh/2.2.0/servicemeshcontrolplanes.crd.yaml @@ -9799,7 +9799,7 @@ spec: type: string pilotSecretName: istiod-tls type: string - rootCAConfigMapName: istio-ca-root-tls + rootCAConfigMapName: istio-ca-root-cert type: string type: object custom: From c93dfcfad8cb03e95236bacf0e51bf1aa3b91998 Mon Sep 17 00:00:00 2001 
From: mamyers Date: Tue, 21 Mar 2023 11:50:09 -0400 Subject: [PATCH 3/7] Deprecate fields pilotSecretName and rootCAConfigMapName in cert-manager configuration --- deploy/src/crd.yaml | 4 +-- .../2.3.1/servicemeshcontrolplanes.crd.yaml | 8 ++--- .../2.4.0/servicemeshcontrolplanes.crd.yaml | 8 ++--- .../v2/servicemeshcontrolplane_types.go | 16 +++++++++ pkg/controller/versions/strategy_v2_4.go | 33 ++++++++++++++++++- 5 files changed, 58 insertions(+), 11 deletions(-) diff --git a/deploy/src/crd.yaml b/deploy/src/crd.yaml index 22df63e715..408cdc27e8 100644 --- a/deploy/src/crd.yaml +++ b/deploy/src/crd.yaml @@ -4921,9 +4921,9 @@ spec: properties: address: type: string - pilotSecretName: istiod-tls + pilotSecretName: type: string - rootCAConfigMapName: istio-ca-root-cert + rootCAConfigMapName: type: string type: object custom: diff --git a/manifests-maistra/2.3.1/servicemeshcontrolplanes.crd.yaml b/manifests-maistra/2.3.1/servicemeshcontrolplanes.crd.yaml index 49588c1cfd..215519e48f 100644 --- a/manifests-maistra/2.3.1/servicemeshcontrolplanes.crd.yaml +++ b/manifests-maistra/2.3.1/servicemeshcontrolplanes.crd.yaml @@ -4921,9 +4921,9 @@ spec: properties: address: type: string - pilotSecretName: istiod-tls + pilotSecretName: type: string - rootCAConfigMapName: istio-ca-root-cert + rootCAConfigMapName: type: string type: object custom: @@ -9799,9 +9799,9 @@ spec: properties: address: type: string - pilotSecretName: istiod-tls + pilotSecretName: type: string - rootCAConfigMapName: istio-ca-root-cert + rootCAConfigMapName: type: string type: object custom: diff --git a/manifests-maistra/2.4.0/servicemeshcontrolplanes.crd.yaml b/manifests-maistra/2.4.0/servicemeshcontrolplanes.crd.yaml index ed1e6ebda5..f8e41175d7 100644 --- a/manifests-maistra/2.4.0/servicemeshcontrolplanes.crd.yaml +++ b/manifests-maistra/2.4.0/servicemeshcontrolplanes.crd.yaml 
@@ -4921,9 +4921,9 @@ spec: properties: address: type: string - pilotSecretName: istiod-tls + pilotSecretName: type: string - rootCAConfigMapName: istio-ca-root-cert + rootCAConfigMapName: type: string type: object custom: @@ -9799,9 +9799,9 @@ spec: properties: address: type: string - pilotSecretName: istiod-tls + pilotSecretName: type: string - rootCAConfigMapName: istio-ca-root-cert + rootCAConfigMapName: type: string type: object custom: diff --git a/pkg/apis/maistra/v2/servicemeshcontrolplane_types.go b/pkg/apis/maistra/v2/servicemeshcontrolplane_types.go index e451a7898b..e3fd1ecb69 100644 --- a/pkg/apis/maistra/v2/servicemeshcontrolplane_types.go +++ b/pkg/apis/maistra/v2/servicemeshcontrolplane_types.go @@ -202,3 +202,19 @@ func (s ControlPlaneSpec) IsClusterScoped() (bool, error) { } return controlPlaneMode == ControlPlaneModeValueClusterScoped, nil } + +func (s ControlPlaneSpec) IsPilotSecretNameEnabled() bool { + return s.Security.CertificateAuthorization.CertManager != nil && s.Security.CertificateAuthorization.CertManager.PilotCertSecretName != "" + if s.Security.CertificateAuthorization.CertManager.PilotCertSecretName != nil { + return true + } + return false +} + +func (s ControlPlaneSpec) IsrootCAConfigMapNameEnabled() bool { + return s.Security.CertificateAuthorization.CertManager != nil && s.Security.CertificateAuthorization.CertManager.rootCAConfigMapName != "" + if s.Security.CertificateAuthorization.CertManager.rootCAConfigMapName != nil { + return true + } + return false +} \ No newline at end of file diff --git a/pkg/controller/versions/strategy_v2_4.go b/pkg/controller/versions/strategy_v2_4.go index 00d94699a9..5e3078a5b6 100644 --- a/pkg/controller/versions/strategy_v2_4.go +++ b/pkg/controller/versions/strategy_v2_4.go 
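Review bot: Both new accessors in pkg/apis/maistra/v2/servicemeshcontrolplane_types.go dereference `s.Security` and then its certificate-authority section before reaching the `CertManager != nil` test, so if either of those two is a pointer field (their declarations are not in the hunk) an SMCP submitted without a `spec.security` section makes the validation webhook panic instead of returning a response, which is an availability problem for the whole admission path since every submitted SMCP goes through it. The rewrite of these two methods in PATCH 6 (the later hunk for this file) keeps the same unguarded chain. Guard the chain first, e.g. `if s.Security == nil || s.Security.CertificateAuthority == nil { return false }` (using the field name the PATCH 6 rewrite settles on), and only then test `CertManager` and the string. Exported methods also need a doc comment that starts with their name, e.g. `// IsPilotSecretNameEnabled reports whether the deprecated cert-manager pilotSecretName field is set.`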
@@ -274,10 +274,41 @@ func (v *versionStrategyV2_4) ValidateRequest(ctx context.Context, cl client.Cli
 return admission.ValidationResponse(false, "a cluster-scoped SMCP may only be created by users with cluster-admin permissions")
 }
 }
-
+ hasPilotSecretName != ContainsPilotSecretNameField(smcp)
+ if hasPilotSecretName {
+ return admission.ValidationResponse(false, "SMCP does not allow this field")
+}
+ hasRootCAConfigMapName != ContainsRootCAConfigMapNameField(smcp)
+ if hasRootCAConfigMapName {
+ return admission.ValidationResponse(false, "SMCP does not allow this field")
+}
 return admission.ValidationResponse(true, "")
 }
+ func ContainsPilotSecretNameField(smcp metav1.Object) bool {
+ switch s := smcp.(type) {
+ case *v1.ServiceMeshControlPlane:
+ return false
+ case *v2.ServiceMeshControlPlane:
+ return s.Spec.IsPilotSecretNameEnabled()
+ default:
+ return false
+ }
+}
+ func ContainsRootCAConfigMapNameField(smcp metav1.Object) bool {
+ switch s := smcp.(type) {
+ case *v1.ServiceMeshControlPlane:
+ return false
+ case *v2.ServiceMeshControlPlane:
+ return s.Spec.IsRootCAConfigMapNameEnabled()
+ default:
+ return false
+ }
+}
+
+
+
+
 func (v *versionStrategyV2_4) isRequesterClusterAdmin(ctx context.Context, cl client.Client, req admission.Request) (bool, error) {
 sar := &authorizationv1.SubjectAccessReview{
 Spec: authorizationv1.SubjectAccessReviewSpec{
From fa8b61386718a429cf2faf38d59853b9d968b75b Mon Sep 17 00:00:00 2001
From: mamyers
Date: Tue, 21 Mar 2023 12:04:03 -0400
Subject: [PATCH 4/7] Fixing the field I had commited eariler
---
 deploy/maistra-operator.yaml | 8 ++++----
 deploy/src/crd.yaml | 6 +++---
 manifests-maistra/2.3.0/servicemeshcontrolplanes.crd.yaml | 8 ++++----
 .../2.2.0/servicemeshcontrolplanes.crd.yaml | 8 ++++----
 4 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/deploy/maistra-operator.yaml b/deploy/maistra-operator.yaml
index c4526d7c7f..c34b887ceb 100644
--- a/deploy/maistra-operator.yaml
+++ b/deploy/maistra-operator.yaml
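Review bot: The two checks added after the cluster-scoped block turn fields the commit title calls deprecated into hard rejections: if `ValidateRequest` is also invoked for UPDATE requests (its caller is not in the hunk), every existing SMCP that still carries `pilotSecretName` or `rootCAConfigMapName` fails validation on its next update with no migration path, so either limit the rejection to creates by testing `req.Operation` against the admission CREATE constant, or emit a deprecation warning for one release before rejecting. `ContainsPilotSecretNameField` and `ContainsRootCAConfigMapNameField` are exported without doc comments and are identical except for the `Spec` method they call; a single unexported helper that type-asserts `smcp` to `*v2.ServiceMeshControlPlane` once and takes the predicate as a `func(v2.ControlPlaneSpec) bool` removes the duplication, and the `case *v1.ServiceMeshControlPlane:` branch is redundant with `default`. The helper declarations are indented by a leading space and followed by four blank lines before `isRequesterClusterAdmin`, which a gofmt check would flag. These lines are reworked again in PATCH 6 and PATCH 7 (the later hunks for this file), and `ValidateRequest` begins outside the hunk.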
@@ -4922,9 +4922,9 @@ spec: properties: address: type: string - pilotSecretName: istiod-tls + pilotSecretName: type: string - rootCAConfigMapName: istio-ca-root-cert + rootCAConfigMapName: type: string type: object custom: @@ -9800,9 +9800,9 @@ spec: properties: address: type: string - pilotSecretName: istiod-tls + pilotSecretName: type: string - rootCAConfigMapName: istio-ca-root-cert + rootCAConfigMapName: type: string type: object custom: diff --git a/deploy/src/crd.yaml b/deploy/src/crd.yaml index 408cdc27e8..eb312b25eb 100644 --- a/deploy/src/crd.yaml +++ b/deploy/src/crd.yaml @@ -4921,7 +4921,7 @@ spec: properties: address: type: string - pilotSecretName: + pilotSecretName: type: string rootCAConfigMapName: type: string @@ -9799,9 +9799,9 @@ spec: properties: address: type: string - pilotSecretName: istiod-tls + pilotSecretName: type: string - rootCAConfigMapName: istio-ca-root-cert + rootCAConfigMapName: type: string type: object custom: diff --git a/manifests-maistra/2.3.0/servicemeshcontrolplanes.crd.yaml b/manifests-maistra/2.3.0/servicemeshcontrolplanes.crd.yaml index 2c69b047f2..37d43cc398 100644 --- a/manifests-maistra/2.3.0/servicemeshcontrolplanes.crd.yaml +++ b/manifests-maistra/2.3.0/servicemeshcontrolplanes.crd.yaml @@ -4921,9 +4921,9 @@ spec: properties: address: type: string - pilotSecretName: istiod-tls + pilotSecretName: type: string - rootCAConfigMapName: istio-ca-root-cert + rootCAConfigMapName: type: string type: object custom: @@ -9799,9 +9799,9 @@ spec: properties: address: type: string - pilotSecretName: istiod-tls + pilotSecretName: type: string - rootCAConfigMapName: istio-ca-root-cert + rootCAConfigMapName: type: string type: object custom: diff --git a/manifests-servicemesh/2.2.0/servicemeshcontrolplanes.crd.yaml b/manifests-servicemesh/2.2.0/servicemeshcontrolplanes.crd.yaml index 95d4994da9..43bd900c24 100644 --- a/manifests-servicemesh/2.2.0/servicemeshcontrolplanes.crd.yaml 
+++ b/manifests-servicemesh/2.2.0/servicemeshcontrolplanes.crd.yaml @@ -4919,9 +4919,9 @@ spec: properties: address: type: string - pilotSecretName: istiod-tls + pilotSecretName: type: string - rootCAConfigMapName: istio-ca-root-cert + rootCAConfigMapName: type: string type: object custom: @@ -9797,9 +9797,9 @@ spec: properties: address: type: string - pilotSecretName: istiod-tls + pilotSecretName: type: string - rootCAConfigMapName: istio-ca-root-cert + rootCAConfigMapName: type: string type: object custom: From e0f9c4c0005c7b66cec122542a6e9e4bacde48cd Mon Sep 17 00:00:00 2001 From: mamyers Date: Tue, 21 Mar 2023 12:10:15 -0400 Subject: [PATCH 5/7] Cleaning up spaces --- manifests-maistra/2.3.1/servicemeshcontrolplanes.crd.yaml | 8 ++++---- manifests-maistra/2.4.0/servicemeshcontrolplanes.crd.yaml | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/manifests-maistra/2.3.1/servicemeshcontrolplanes.crd.yaml b/manifests-maistra/2.3.1/servicemeshcontrolplanes.crd.yaml index 215519e48f..298a1dd1ee 100644 --- a/manifests-maistra/2.3.1/servicemeshcontrolplanes.crd.yaml +++ b/manifests-maistra/2.3.1/servicemeshcontrolplanes.crd.yaml @@ -4921,9 +4921,9 @@ spec: properties: address: type: string - pilotSecretName: + pilotSecretName: type: string - rootCAConfigMapName: + rootCAConfigMapName: type: string type: object custom: @@ -9799,9 +9799,9 @@ spec: properties: address: type: string - pilotSecretName: + pilotSecretName: type: string - rootCAConfigMapName: + rootCAConfigMapName: type: string type: object custom: diff --git a/manifests-maistra/2.4.0/servicemeshcontrolplanes.crd.yaml b/manifests-maistra/2.4.0/servicemeshcontrolplanes.crd.yaml index f8e41175d7..b42e1ee044 100644 --- a/manifests-maistra/2.4.0/servicemeshcontrolplanes.crd.yaml +++ b/manifests-maistra/2.4.0/servicemeshcontrolplanes.crd.yaml 
@@ -4921,9 +4921,9 @@ spec: properties: address: type: string - pilotSecretName: + pilotSecretName: type: string - rootCAConfigMapName: + rootCAConfigMapName: type: string type: object custom: @@ -9801,7 +9801,7 @@ spec: type: string pilotSecretName: type: string - rootCAConfigMapName: + rootCAConfigMapName: type: string type: object custom: From a2adaa15432cbfe5b45214521bbde4de83b0f90c Mon Sep 17 00:00:00 2001 From: mamyers Date: Wed, 22 Mar 2023 11:48:08 -0400 Subject: [PATCH 6/7] Made a few changes due to testing errors --- .../maistra/v2/servicemeshcontrolplane_types.go | 15 ++++----------- pkg/controller/versions/strategy_v2_4.go | 8 ++++---- 2 files changed, 8 insertions(+), 15 deletions(-) diff --git a/pkg/apis/maistra/v2/servicemeshcontrolplane_types.go b/pkg/apis/maistra/v2/servicemeshcontrolplane_types.go index e3fd1ecb69..604c62e57f 100644 --- a/pkg/apis/maistra/v2/servicemeshcontrolplane_types.go +++ b/pkg/apis/maistra/v2/servicemeshcontrolplane_types.go 
@@ -204,17 +204,10 @@ func (s ControlPlaneSpec) IsClusterScoped() (bool, error) {
 }
 func (s ControlPlaneSpec) IsPilotSecretNameEnabled() bool {
- return s.Security.CertificateAuthorization.CertManager != nil && s.Security.CertificateAuthorization.CertManager.PilotCertSecretName != ""
- if s.Security.CertificateAuthorization.CertManager.PilotCertSecretName != nil {
- return true
- }
- return false
+ return s.Security.CertificateAuthority.CertManager != nil && s.Security.CertificateAuthority.CertManager.PilotCertSecretName != ""
 }
-func (s ControlPlaneSpec) IsrootCAConfigMapNameEnabled() bool {
- return s.Security.CertificateAuthorization.CertManager != nil && s.Security.CertificateAuthorization.CertManager.rootCAConfigMapName != ""
- if s.Security.CertificateAuthorization.CertManager.rootCAConfigMapName != nil {
- return true
- }
- return false
+func (s ControlPlaneSpec) IsRootCAConfigMapNameEnabled() bool {
+ return s.Security.CertificateAuthority.CertManager != nil && s.Security.CertificateAuthority.CertManager.RootCAConfigMapName != ""
+
 }
\ No newline at end of file
diff --git a/pkg/controller/versions/strategy_v2_4.go b/pkg/controller/versions/strategy_v2_4.go
index 5e3078a5b6..685dfb9a0a 100644
--- a/pkg/controller/versions/strategy_v2_4.go
+++ b/pkg/controller/versions/strategy_v2_4.go
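Review bot: `IsRootCAConfigMapNameEnabled` now carries a stray blank line before its closing brace, and the file still ends without a trailing newline (`\ No newline at end of file`); both would be flagged by a gofmt check in CI, so drop the blank line and terminate the file. Both exported methods still lack the doc comment Go expects on exported names, e.g. `// IsPilotSecretNameEnabled reports whether the deprecated cert-manager pilotSecretName field is set in the spec.` and the matching sentence for `IsRootCAConfigMapNameEnabled`. The rest of `ControlPlaneSpec` and the field declarations these methods read are outside the hunk.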
@@ -274,13 +274,13 @@ func (v *versionStrategyV2_4) ValidateRequest(ctx context.Context, cl client.Cli
 return admission.ValidationResponse(false, "a cluster-scoped SMCP may only be created by users with cluster-admin permissions")
 }
 }
- hasPilotSecretName != ContainsPilotSecretNameField(smcp)
+ hasPilotSecretName := ContainsPilotSecretNameField(smcp)
 if hasPilotSecretName {
- return admission.ValidationResponse(false, "SMCP does not allow this field")
+ return admission.ValidationResponse(false, "SMCP does not allow PilotSecretName field")
 }
- hasRootCAConfigMapName != ContainsRootCAConfigMapNameField(smcp)
+ hasRootCAConfigMapName := ContainsRootCAConfigMapNameField(smcp)
 if hasRootCAConfigMapName {
- return admission.ValidationResponse(false, "SMCP does not allow this field")
+ return admission.ValidationResponse(false, "SMCP does not allow this RootCAConfigMapName field")
 }
 return admission.ValidationResponse(true, "")
 }
From c5b29c9d4a2ef177c359febda57715b2acfa14b0 Mon Sep 17 00:00:00 2001
From: mamyers
Date: Wed, 22 Mar 2023 11:49:06 -0400
Subject: [PATCH 7/7] Made changes
---
 pkg/controller/versions/strategy_v2_4.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/controller/versions/strategy_v2_4.go b/pkg/controller/versions/strategy_v2_4.go
index 685dfb9a0a..72405518a6 100644
--- a/pkg/controller/versions/strategy_v2_4.go
+++ b/pkg/controller/versions/strategy_v2_4.go
@@ -280,7 +280,7 @@ func (v *versionStrategyV2_4) ValidateRequest(ctx context.Context, cl client.Cli
 }
 hasRootCAConfigMapName := ContainsRootCAConfigMapNameField(smcp)
 if hasRootCAConfigMapName {
- return admission.ValidationResponse(false, "SMCP does not allow this RootCAConfigMapName field")
+ return admission.ValidationResponse(false, "SMCP does not allow RootCAConfigMapName field")
 }
 return admission.ValidationResponse(true, "")
 }
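Review bot: The rejection messages in both hunks still do not tell the user where the offending field is: `"SMCP does not allow PilotSecretName field"` gives neither the YAML key nor its path, and `PilotSecretName` differs from both the Go field (`PilotCertSecretName`) and the CRD property (`pilotSecretName`). Name the path as the user wrote it, e.g. `return admission.ValidationResponse(false, "spec.security.certificateAuthority.certManager.pilotSecretName is deprecated and is no longer accepted")` and the same shape for `rootCAConfigMapName` (the path is inferred from the Go accessors and the CRD property names; confirm against the json tags). The `hasPilotSecretName :=` and `hasRootCAConfigMapName :=` temporaries are each read once; `if ContainsPilotSecretNameField(smcp) {` says the same thing in one line. `ValidateRequest` begins outside both hunks.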