feat(certs): create MRC on install (#4747) · openservicemesh/osm@7ddd4d1 (original) (raw)

`@@ -44,9 +44,12 @@ import (

`

44

44

`)

`

45

45

``

46

46

`const (

`

47

``

`-

meshConfigName = "osm-mesh-config"

`

48

``

`-

presetMeshConfigName = "preset-mesh-config"

`

49

``

`-

presetMeshConfigJSONKey = "preset-mesh-config.json"

`

``

47

`+

meshConfigName = "osm-mesh-config"

`

``

48

`+

presetMeshConfigName = "preset-mesh-config"

`

``

49

`+

presetMeshConfigJSONKey = "preset-mesh-config.json"

`

``

50

`+

meshRootCertificateName = "osm-mesh-root-certificate"

`

``

51

`+

presetMeshRootCertificateName = "preset-mesh-root-certificate"

`

``

52

`+

presetMeshRootCertificateJSONKey = "preset-mesh-root-certificate.json"

`

50

53

`)

`

51

54

``

52

55

`var (

`

76

79

`)

`

77

80

``

78

81

`type bootstrap struct {

`

79

``

`-

kubeClient kubernetes.Interface

`

80

``

`-

meshConfigClient configClientset.Interface

`

81

``

`-

namespace string

`

``

82

`+

kubeClient kubernetes.Interface

`

``

83

`+

configClient configClientset.Interface

`

``

84

`+

namespace string

`

82

85

`}

`

83

86

``

84

87

`func init() {

`

`@@ -156,9 +159,9 @@ func main() {

`

156

159

` }

`

157

160

``

158

161

`bootstrap := bootstrap{

`

159

``

`-

kubeClient: kubeClient,

`

160

``

`-

meshConfigClient: configClient,

`

161

``

`-

namespace: osmNamespace,

`

``

162

`+

kubeClient: kubeClient,

`

``

163

`+

configClient: configClient,

`

``

164

`+

namespace: osmNamespace,

`

162

165

` }

`

163

166

``

164

167

`err = bootstrap.ensureMeshConfig()

`

`@@ -167,6 +170,12 @@ func main() {

`

167

170

`return

`

168

171

` }

`

169

172

``

``

173

`+

err = bootstrap.ensureMeshRootCertificate()

`

``

174

`+

if err != nil {

`

``

175

`+

log.Fatal().Err(err).Msgf("Error setting up default MeshRootCertificate %s from ConfigMap %s", meshRootCertificateName, presetMeshRootCertificateName)

`

``

176

`+

return

`

``

177

`+

}

`

``

178

+

170

179

`err = bootstrap.initiatilizeKubernetesEventsRecorder()

`

171

180

`if err != nil {

`

172

181

`log.Fatal().Err(err).Msg("Error initializing Kubernetes events recorder")

`

`@@ -253,7 +262,7 @@ func (b *bootstrap) createDefaultMeshConfig() error {

`

253

262

`if err != nil {

`

254

263

`return err

`

255

264

` }

`

256

``

`-

if _, err := b.meshConfigClient.ConfigV1alpha2().MeshConfigs(b.namespace).Create(context.TODO(), defaultMeshConfig, metav1.CreateOptions{}); err == nil {

`

``

265

`+

if _, err := b.configClient.ConfigV1alpha2().MeshConfigs(b.namespace).Create(context.TODO(), defaultMeshConfig, metav1.CreateOptions{}); err == nil {

`

257

266

`log.Info().Msgf("MeshConfig (%s) created in namespace %s", meshConfigName, b.namespace)

`

258

267

`return nil

`

259

268

` }

`

`@@ -267,7 +276,7 @@ func (b *bootstrap) createDefaultMeshConfig() error {

`

267

276

`}

`

268

277

``

269

278

`func (b *bootstrap) ensureMeshConfig() error {

`

270

``

`-

config, err := b.meshConfigClient.ConfigV1alpha2().MeshConfigs(b.namespace).Get(context.TODO(), meshConfigName, metav1.GetOptions{})

`

``

279

`+

config, err := b.configClient.ConfigV1alpha2().MeshConfigs(b.namespace).Get(context.TODO(), meshConfigName, metav1.GetOptions{})

`

271

280

`if apierrors.IsNotFound(err) {

`

272

281

`// create a default mesh config since it was not found

`

273

282

`return b.createDefaultMeshConfig()

`

`@@ -281,7 +290,7 @@ func (b *bootstrap) ensureMeshConfig() error {

`

281

290

`if err := util.CreateApplyAnnotation(config, unstructured.UnstructuredJSONScheme); err != nil {

`

282

291

`return err

`

283

292

` }

`

284

``

`-

if _, err := b.meshConfigClient.ConfigV1alpha2().MeshConfigs(b.namespace).Update(context.TODO(), config, metav1.UpdateOptions{}); err != nil {

`

``

293

`+

if _, err := b.configClient.ConfigV1alpha2().MeshConfigs(b.namespace).Update(context.TODO(), config, metav1.UpdateOptions{}); err != nil {

`

285

294

`return err

`

286

295

` }

`

287

296

` }

`

`@@ -355,3 +364,68 @@ func buildDefaultMeshConfig(presetMeshConfigMap *corev1.ConfigMap) (*configv1alp

`

355

364

``

356

365

`return config, util.CreateApplyAnnotation(config, unstructured.UnstructuredJSONScheme)

`

357

366

`}

`

``

367

+

``

368

`+

func (b *bootstrap) ensureMeshRootCertificate() error {

`

``

369

`+

meshRootCertificateList, err := b.configClient.ConfigV1alpha2().MeshRootCertificates(b.namespace).List(context.TODO(), metav1.ListOptions{})

`

``

370

`+

if err != nil {

`

``

371

`+

return err

`

``

372

`+

}

`

``

373

+

``

374

`+

if len(meshRootCertificateList.Items) != 0 {

`

``

375

`+

return nil

`

``

376

`+

}

`

``

377

+

``

378

`+

// create a MeshRootCertificate since none were found

`

``

379

`+

return b.createMeshRootCertificate()

`

``

380

`+

}

`

``

381

+

``

382

`+

func (b *bootstrap) createMeshRootCertificate() error {

`

``

383

`+

// find preset config map to build the MeshRootCertificate from

`

``

384

`+

presetMeshRootCertificate, err := b.kubeClient.CoreV1().ConfigMaps(b.namespace).Get(context.TODO(), presetMeshRootCertificateName, metav1.GetOptions{})

`

``

385

`+

if err != nil {

`

``

386

`+

return err

`

``

387

`+

}

`

``

388

+

``

389

`+

// Create a MeshRootCertificate

`

``

390

`+

defaultMeshRootCertificate, err := buildMeshRootCertificate(presetMeshRootCertificate)

`

``

391

`+

if err != nil {

`

``

392

`+

return err

`

``

393

`+

}

`

``

394

`+

_, err = b.configClient.ConfigV1alpha2().MeshRootCertificates(b.namespace).Create(context.TODO(), defaultMeshRootCertificate, metav1.CreateOptions{})

`

``

395

`+

if apierrors.IsAlreadyExists(err) {

`

``

396

`+

log.Info().Msgf("MeshRootCertificate already exists in %s. Skip creating.", b.namespace)

`

``

397

`+

return nil

`

``

398

`+

}

`

``

399

`+

if err != nil {

`

``

400

`+

return err

`

``

401

`+

}

`

``

402

+

``

403

`+

log.Info().Msgf("Successfully created MeshRootCertificate %s in %s.", meshRootCertificateName, b.namespace)

`

``

404

`+

return nil

`

``

405

`+

}

`

``

406

+

``

407

`+

func buildMeshRootCertificate(presetMeshRootCertificateConfigMap *corev1.ConfigMap) (*configv1alpha2.MeshRootCertificate, error) {

`

``

408

`+

presetMeshRootCertificate := presetMeshRootCertificateConfigMap.Data[presetMeshRootCertificateJSONKey]

`

``

409

`+

presetMeshRootCertificateSpec := configv1alpha2.MeshRootCertificateSpec{}

`

``

410

`+

err := json.Unmarshal([]byte(presetMeshRootCertificate), &presetMeshRootCertificateSpec)

`

``

411

`+

if err != nil {

`

``

412

`+

return nil, fmt.Errorf("error converting preset-mesh-root-certificate json string to MeshRootCertificate object: %w", err)

`

``

413

`+

}

`

``

414

+

``

415

`+

mrc := &configv1alpha2.MeshRootCertificate{

`

``

416

`+

TypeMeta: metav1.TypeMeta{

`

``

417

`+

Kind: "MeshRootCertificate",

`

``

418

`+

APIVersion: "config.openservicemesh.io/configv1alpha2",

`

``

419

`+

},

`

``

420

`+

ObjectMeta: metav1.ObjectMeta{

`

``

421

`+

Name: meshRootCertificateName,

`

``

422

`+

},

`

``

423

`+

Spec: presetMeshRootCertificateSpec,

`

``

424

`+

Status: configv1alpha2.MeshRootCertificateStatus{

`

``

425

`+

State: constants.MRCStateComplete,

`

``

426

`+

RotationStage: constants.MRCStageIssuing,

`

``

427

`+

},

`

``

428

`+

}

`

``

429

+

``

430

`+

return mrc, util.CreateApplyAnnotation(mrc, unstructured.UnstructuredJSONScheme)

`

``

431

`+

}

`