Skip to content

Commit

Permalink
Merge pull request #246 from DrummyFloyd/fix-tls
Browse files Browse the repository at this point in the history
fix(ess): missing mtls injection
  • Loading branch information
ytsarev authored Mar 11, 2024
2 parents b96960b + 5f3cdb9 commit 538a260
Show file tree
Hide file tree
Showing 2 changed files with 11 additions and 2 deletions.
10 changes: 10 additions & 0 deletions cmd/provider/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ import (
"path/filepath"
"time"

"github.com/crossplane/crossplane-runtime/pkg/certificates"
"github.com/crossplane/crossplane-runtime/pkg/controller"
"github.com/crossplane/crossplane-runtime/pkg/feature"
"go.uber.org/zap/zapcore"
Expand Down Expand Up @@ -59,6 +60,7 @@ func main() {
namespace = app.Flag("namespace", "Namespace used to set as default scope in default secret store config.").Default("crossplane-system").Envar("POD_NAMESPACE").String()
enableExternalSecretStores = app.Flag("enable-external-secret-stores", "Enable support for ExternalSecretStores.").Default("false").Envar("ENABLE_EXTERNAL_SECRET_STORES").Bool()
enableManagementPolicies = app.Flag("enable-management-policies", "Enable support for Management Policies.").Default("true").Envar("ENABLE_MANAGEMENT_POLICIES").Bool()
essTLSCertsPath = app.Flag("ess-tls-cert-dir", "Path of ESS TLS certificates.").Envar("ESS_TLS_CERTS_DIR").String()
)
kingpin.MustParse(app.Parse(os.Args[1:]))

Expand Down Expand Up @@ -118,6 +120,14 @@ func main() {
if *enableExternalSecretStores {
o.Features.Enable(features.EnableAlphaExternalSecretStores)
log.Info("Alpha feature enabled", "flag", features.EnableAlphaExternalSecretStores)
o.ESSOptions = &controller.ESSOptions{}
if *essTLSCertsPath != "" {
log.Info("ESS TLS certificates path is set. Loading mTLS configuration.")
tCfg, err := certificates.LoadMTLSConfig(filepath.Join(*essTLSCertsPath, "ca.crt"), filepath.Join(*essTLSCertsPath, "tls.crt"), filepath.Join(*essTLSCertsPath, "tls.key"), false)
kingpin.FatalIfError(err, "Cannot load ESS TLS config.")

o.ESSOptions.TLSConfig = tCfg
}

// Ensure default store config exists.
kingpin.FatalIfError(resource.Ignore(kerrors.IsAlreadyExists, mgr.GetClient().Create(context.Background(), &v1beta1.StoreConfig{
Expand Down
3 changes: 1 addition & 2 deletions internal/controller/workspace/workspace.go
Original file line number Diff line number Diff line change
Expand Up @@ -122,7 +122,7 @@ func Setup(mgr ctrl.Manager, o controller.Options, timeout, pollJitter time.Dura

cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
if o.Features.Enabled(features.EnableAlphaExternalSecretStores) {
cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), v1beta1.StoreConfigGroupVersionKind))
cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), v1beta1.StoreConfigGroupVersionKind, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
}

c := &connector{
Expand Down Expand Up @@ -355,7 +355,6 @@ func (c *external) Observe(ctx context.Context, mg resource.Managed) (managed.Ex
}
// Include any non-sensitive outputs in our status
op, err := c.tf.Outputs(ctx)

if err != nil {
return managed.ExternalObservation{}, errors.Wrap(err, errOutputs)
}
Expand Down

0 comments on commit 538a260

Please sign in to comment.