Remove cert-manager certificate generation, use self sign instead (#2146

)
odigos-io · Jan 8, 2025 · 82a098e · 82a098e
1 parent 5700724
commit 82a098e
Show file tree

Hide file tree

Showing 8 changed files with 21 additions and 165 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -232,7 +232,7 @@ If the Mutating Webhook is enabled, follow these steps:
    Create a local directory and extract the certificate and key by running the following command:
 
 ```
-mkdir -p serving-certs && kubectl get secret instrumentor-webhook-cert -n odigos-system -o jsonpath='{.data.tls\.crt}' | base64 -d > serving-certs/tls.crt && kubectl get secret instrumentor-webhook-cert -n odigos-system -o jsonpath='{.data.tls\.key}' | base64 -d > serving-certs/tls.key
+mkdir -p serving-certs && kubectl get secret webhook-cert -n odigos-system -o jsonpath='{.data.tls\.crt}' | base64 -d > serving-certs/tls.crt && kubectl get secret webhook-cert -n odigos-system -o jsonpath='{.data.tls\.key}' | base64 -d > serving-certs/tls.key
 ```
 
 2. Apply this service to the cluster, it will replace the existing `odigos-instrumentor` service:

diff --git a/cli/cmd/resources/instrumentor.go b/cli/cmd/resources/instrumentor.go
@@ -10,8 +10,6 @@ import (
 	"github.com/odigos-io/odigos/cli/pkg/kube"
 	"github.com/odigos-io/odigos/common"
 
-	certv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
-	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
 	"github.com/odigos-io/odigos/k8sutils/pkg/consts"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	appsv1 "k8s.io/api/apps/v1"
@@ -35,7 +33,7 @@ const (
 	InstrumentorCertificateName        = InstrumentorDeploymentName
 	InstrumentorMutatingWebhookName    = "mutating-webhook-configuration"
 	InstrumentorContainerName          = "manager"
-	InstrumentorWebhookSecretName      = "instrumentor-webhook-cert"
+	InstrumentorWebhookSecretName      = "webhook-cert"
 	InstrumentorWebhookVolumeName      = "webhook-cert"
 )
 
@@ -219,72 +217,6 @@ func NewInstrumentorClusterRoleBinding(ns string) *rbacv1.ClusterRoleBinding {
 	}
 }
 
-func isCertManagerInstalled(ctx context.Context, c *kube.Client) bool {
-	// Check if CRD is installed
-	_, err := c.ApiExtensions.ApiextensionsV1().CustomResourceDefinitions().Get(ctx, "issuers.cert-manager.io", metav1.GetOptions{})
-	if err != nil {
-		return false
-	}
-
-	return true
-}
-
-func NewInstrumentorIssuer(ns string) *certv1.Issuer {
-	return &certv1.Issuer{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Issuer",
-			APIVersion: "cert-manager.io/v1",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "selfsigned-issuer",
-			Namespace: ns,
-			Labels: map[string]string{
-				"app.kubernetes.io/name":       "issuer",
-				"app.kubernetes.io/instance":   "selfsigned-issuer",
-				"app.kubernetes.io/component":  "certificate",
-				"app.kubernetes.io/created-by": "instrumentor",
-				"app.kubernetes.io/part-of":    "odigos",
-			},
-		},
-		Spec: certv1.IssuerSpec{
-			IssuerConfig: certv1.IssuerConfig{
-				SelfSigned: &certv1.SelfSignedIssuer{},
-			},
-		},
-	}
-}
-
-func NewInstrumentorCertificate(ns string) *certv1.Certificate {
-	return &certv1.Certificate{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Certificate",
-			APIVersion: "cert-manager.io/v1",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "serving-cert",
-			Namespace: ns,
-			Labels: map[string]string{
-				"app.kubernetes.io/name":       "instrumentor-cert",
-				"app.kubernetes.io/instance":   "instrumentor-cert",
-				"app.kubernetes.io/component":  "certificate",
-				"app.kubernetes.io/created-by": "instrumentor",
-				"app.kubernetes.io/part-of":    "odigos",
-			},
-		},
-		Spec: certv1.CertificateSpec{
-			DNSNames: []string{
-				fmt.Sprintf("odigos-instrumentor.%s.svc", ns),
-				fmt.Sprintf("odigos-instrumentor.%s.svc.cluster.local", ns),
-			},
-			IssuerRef: cmmeta.ObjectReference{
-				Kind: "Issuer",
-				Name: "selfsigned-issuer",
-			},
-			SecretName: InstrumentorWebhookSecretName,
-		},
-	}
-}
-
 func NewInstrumentorService(ns string) *corev1.Service {
 	return &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@@ -585,7 +517,6 @@ func NewInstrumentorResourceManager(client *kube.Client, ns string, config *comm
 func (a *instrumentorResourceManager) Name() string { return "Instrumentor" }
 
 func (a *instrumentorResourceManager) InstallFromScratch(ctx context.Context) error {
-	certManagerInstalled := isCertManagerInstalled(ctx, a.client)
 	resources := []kube.Object{
 		NewInstrumentorServiceAccount(a.ns),
 		NewInstrumentorLeaderElectionRoleBinding(a.ns),
@@ -596,33 +527,26 @@ func (a *instrumentorResourceManager) InstallFromScratch(ctx context.Context) er
 		NewInstrumentorDeployment(a.ns, a.odigosVersion, a.config.TelemetryEnabled, a.config.ImagePrefix, a.config.InstrumentorImage),
 		NewInstrumentorService(a.ns),
 	}
-	if certManagerInstalled && a.config.SkipWebhookIssuerCreation != true {
-		resources = append([]kube.Object{NewInstrumentorIssuer(a.ns),
-			NewInstrumentorCertificate(a.ns),
-			NewMutatingWebhookConfiguration(a.ns, nil),
-		},
-			resources...)
-	} else {
-		ca, err := crypto.GenCA(InstrumentorCertificateName, 365)
-		if err != nil {
-			return fmt.Errorf("failed to generate CA: %w", err)
-		}
 
-		altNames := []string{
-			fmt.Sprintf("%s.%s.svc", InstrumentorServiceName, a.ns),
-			fmt.Sprintf("%s.%s.svc.cluster.local", InstrumentorServiceName, a.ns),
-		}
+	ca, err := crypto.GenCA(InstrumentorCertificateName, 365)
+	if err != nil {
+		return fmt.Errorf("failed to generate CA: %w", err)
+	}
 
-		cert, err := crypto.GenerateSignedCertificate("serving-cert", nil, altNames, 365, ca)
-		if err != nil {
-			return fmt.Errorf("failed to generate signed certificate: %w", err)
-		}
+	altNames := []string{
+		fmt.Sprintf("%s.%s.svc", InstrumentorServiceName, a.ns),
+		fmt.Sprintf("%s.%s.svc.cluster.local", InstrumentorServiceName, a.ns),
+	}
 
-		resources = append([]kube.Object{NewInstrumentorTLSSecret(a.ns, &cert),
-			NewMutatingWebhookConfiguration(a.ns, []byte(cert.Cert)),
-		},
-			resources...)
+	cert, err := crypto.GenerateSignedCertificate("serving-cert", nil, altNames, 365, ca)
+	if err != nil {
+		return fmt.Errorf("failed to generate signed certificate: %w", err)
 	}
 
+	resources = append([]kube.Object{NewInstrumentorTLSSecret(a.ns, &cert),
+		NewMutatingWebhookConfiguration(a.ns, []byte(cert.Cert)),
+	},
+		resources...)
+
 	return a.client.ApplyResources(ctx, a.config.ConfigVersion, resources)
 }
diff --git a/cli/go.mod b/cli/go.mod
@@ -3,7 +3,6 @@ module github.com/odigos-io/odigos/cli
 go 1.23.0
 
 require (
-	github.com/cert-manager/cert-manager v1.16.2
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/go-version v1.7.0
 	github.com/odigos-io/odigos/api v0.0.0
@@ -32,7 +31,6 @@ require (
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	sigs.k8s.io/controller-runtime v0.19.0 // indirect
-	sigs.k8s.io/gateway-api v1.1.0 // indirect
 )
 
 require (

diff --git a/cli/go.sum b/cli/go.sum
@@ -1,7 +1,5 @@
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/cert-manager/cert-manager v1.16.2 h1:c9UU2E+8XWGruyvC/mdpc1wuLddtgmNr8foKdP7a8Jg=
-github.com/cert-manager/cert-manager v1.16.2/go.mod h1:MfLVTL45hFZsqmaT1O0+b2ugaNNQQZttSFV9hASHUb0=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -197,8 +195,6 @@ k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6J
 k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q=
 sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
-sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM=
-sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs=
 sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
 sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.2 h1:MdmvkGuXi/8io6ixD5wud3vOLwc1rj0aNqRlpuvjmwA=

diff --git a/helm/odigos/templates/_helpers.tpl b/helm/odigos/templates/_helpers.tpl
diff --git a/helm/odigos/templates/instrumentor/certificates.yaml b/helm/odigos/templates/instrumentor/certificates.yaml
diff --git a/helm/odigos/templates/instrumentor/deployment.yaml b/helm/odigos/templates/instrumentor/deployment.yaml
@@ -72,7 +72,7 @@ spec:
       volumes:
         - name: webhook-cert
           secret:
-            secretName: instrumentor-webhook-cert
+            secretName: webhook-cert
             defaultMode: 420
       terminationGracePeriodSeconds: 10
 {{- if .Values.imagePullSecrets }}

diff --git a/helm/odigos/templates/instrumentor/webhook.yaml b/helm/odigos/templates/instrumentor/webhook.yaml
@@ -1,4 +1,3 @@
-{{- $certManagerApiVersion := include "utils.certManagerApiVersion" . -}}
 {{- $altNames := list (printf "odigos-instrumentor.%s.svc" .Release.Namespace) (printf "odigos-instrumentor.%s.svc.cluster.local" .Release.Namespace) -}}
 {{- $ca := genCA "serving-cert" 365 -}}
 {{- $cert := genSignedCert "serving-cert" nil $altNames 365 $ca -}}
@@ -12,16 +11,10 @@ metadata:
     app.kubernetes.io/component: webhook
     app.kubernetes.io/created-by: instrumentor
     app.kubernetes.io/part-of: odigos
-{{- if $certManagerApiVersion }}
-  annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/serving-cert
-{{- end }}
 webhooks:
   - name: pod-mutating-webhook.odigos.io
     clientConfig:
-{{- if not $certManagerApiVersion }}
       caBundle: {{ $ca.Cert | b64enc }}
-{{- end }}
       service:
         name: odigos-instrumentor
         namespace: {{ .Release.Namespace }}
@@ -44,12 +37,11 @@ webhooks:
     timeoutSeconds: 10
     admissionReviewVersions: ["v1"]
 ---
-{{- if not $certManagerApiVersion }}
 apiVersion: v1
 kind: Secret
 type: kubernetes.io/tls
 metadata:
-  name: instrumentor-webhook-cert
+  name: webhook-cert
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: instrumentor-cert
@@ -62,5 +54,4 @@ metadata:
     "helm.sh/hook-delete-policy": "before-hook-creation"
 data:
   tls.crt: {{ $cert.Cert | b64enc }}
-  tls.key: {{ $cert.Key | b64enc }}
-{{- end }}
+  tls.key: {{ $cert.Key | b64enc }}