Allow to set ConfigMap name for istio-ca-root-cert

Co-authored-by: Daniel Grimm <[email protected]> Signed-off-by: Yann Liu <[email protected]>
maistra · May 23, 2024 · ff42a6a · ff42a6a
1 parent 0381b91
commit ff42a6a
Show file tree

Hide file tree

Showing 61 changed files with 160 additions and 121 deletions.
diff --git a/manifests/charts/gateways/istio-egress/templates/deployment.yaml b/manifests/charts/gateways/istio-egress/templates/deployment.yaml
@@ -285,7 +285,7 @@ spec:
 {{- if eq .Values.global.pilotCertProvider "istiod" }}
       - name: istiod-ca-cert
         configMap:
-          name: istio-ca-root-cert
+          name: {{ .Values.global.caCertConfigMapName }}
 {{- end }}
       - name: podinfo
         downwardAPI:

diff --git a/manifests/charts/gateways/istio-egress/values.yaml b/manifests/charts/gateways/istio-egress/values.yaml
@@ -214,6 +214,9 @@ global:
   # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
   caAddress: ""
 
+  # The name of the ConfigMap that stores the CA Root Certificate
+  caCertConfigMapName: "istio-ca-root-cert"
+
   # Used to locate istiod.
   istioNamespace: istio-system
 

diff --git a/manifests/charts/gateways/istio-ingress/templates/deployment.yaml b/manifests/charts/gateways/istio-ingress/templates/deployment.yaml
@@ -285,7 +285,7 @@ spec:
 {{- if eq .Values.global.pilotCertProvider "istiod" }}
       - name: istiod-ca-cert
         configMap:
-          name: istio-ca-root-cert
+          name: {{ .Values.global.caCertConfigMapName }}
 {{- end }}
       - name: podinfo
         downwardAPI:

diff --git a/manifests/charts/gateways/istio-ingress/values.yaml b/manifests/charts/gateways/istio-ingress/values.yaml
@@ -231,6 +231,9 @@ global:
   # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
   caAddress: ""
 
+  # The name of the ConfigMap that stores the CA Root Certificate
+  caCertConfigMapName: "istio-ca-root-cert"
+
   # Used to locate istiod.
   istioNamespace: istio-system
 

diff --git a/manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml b/manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml
@@ -231,7 +231,7 @@ spec:
   {{- if eq .Values.global.pilotCertProvider "istiod" }}
   - name: istiod-ca-cert
     configMap:
-      name: istio-ca-root-cert
+      name: {{ .Values.global.caCertConfigMapName }}
   {{- end }}
   {{- if .Values.global.mountMtlsCerts }}
   # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.

diff --git a/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml b/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml
@@ -289,7 +289,7 @@ spec:
   {{- if eq .Values.global.pilotCertProvider "istiod" }}
   - name: istiod-ca-cert
     configMap:
-      name: istio-ca-root-cert
+      name: {{ .Values.global.caCertConfigMapName }}
   {{- end }}
   {{- if .Values.global.mountMtlsCerts }}
   # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.

diff --git a/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml b/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml
@@ -497,7 +497,7 @@ spec:
   {{- if eq .Values.global.pilotCertProvider "istiod" }}
   - name: istiod-ca-cert
     configMap:
-      name: istio-ca-root-cert
+      name: {{ .Values.global.caCertConfigMapName }}
   {{- end }}
   {{- if eq .Values.global.pilotCertProvider "kubernetes" }}
   - name: kube-ca-cert

diff --git a/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml b/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml
@@ -264,7 +264,7 @@ spec:
       {{- if eq .Values.global.pilotCertProvider "istiod" }}
       - name: istiod-ca-cert
         configMap:
-          name: istio-ca-root-cert
+          name: {{ .Values.global.caCertConfigMapName }}
       {{- end }}
       {{- if .Values.global.imagePullSecrets }}
       imagePullSecrets:

diff --git a/manifests/charts/istio-control/istio-discovery/files/waypoint.yaml b/manifests/charts/istio-control/istio-discovery/files/waypoint.yaml
@@ -228,7 +228,7 @@ spec:
               expirationSeconds: 43200
               path: istio-token
       - configMap:
-          name: istio-ca-root-cert
+          name: {{ .Values.global.caCertConfigMapName }}
         name: istiod-ca-cert
       {{- if .Values.global.imagePullSecrets }}
       imagePullSecrets:

diff --git a/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml b/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml
@@ -254,7 +254,7 @@ spec:
           optional: true
       - name: istio-csr-ca-configmap
         configMap:
-          name: istio-ca-root-cert
+          name: {{ .Values.global.caCertConfigMapName }}
           defaultMode: 420
           optional: true
   {{- if .Values.pilot.jwksResolverExtraRootCA }}

diff --git a/manifests/charts/istio-control/istio-discovery/values.yaml b/manifests/charts/istio-control/istio-discovery/values.yaml
@@ -393,6 +393,9 @@ global:
   # If not set explicitly, default to the Istio discovery address.
   caAddress: ""
 
+  # The name of the ConfigMap that stores the CA Root Certificate
+  caCertConfigMapName: "istio-ca-root-cert"
+
   # Configure a remote cluster data plane controlled by an external istiod.
   # When set to true, istiod is not deployed locally and only a subset of the other
   # discovery charts are enabled.

diff --git a/manifests/charts/istiod-remote/files/gateway-injection-template.yaml b/manifests/charts/istiod-remote/files/gateway-injection-template.yaml
@@ -231,7 +231,7 @@ spec:
   {{- if eq .Values.global.pilotCertProvider "istiod" }}
   - name: istiod-ca-cert
     configMap:
-      name: istio-ca-root-cert
+      name: {{ .Values.global.caCertConfigMapName }}
   {{- end }}
   {{- if .Values.global.mountMtlsCerts }}
   # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.

diff --git a/manifests/charts/istiod-remote/files/injection-template.yaml b/manifests/charts/istiod-remote/files/injection-template.yaml
@@ -497,7 +497,7 @@ spec:
   {{- if eq .Values.global.pilotCertProvider "istiod" }}
   - name: istiod-ca-cert
     configMap:
-      name: istio-ca-root-cert
+      name: {{ .Values.global.caCertConfigMapName }}
   {{- end }}
   {{- if eq .Values.global.pilotCertProvider "kubernetes" }}
   - name: kube-ca-cert

diff --git a/manifests/charts/istiod-remote/values.yaml b/manifests/charts/istiod-remote/values.yaml
@@ -332,6 +332,8 @@ global:
   # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
   # If not set explicitly, default to the Istio discovery address.
   caAddress: ""
+  # The name of the ConfigMap that stores the CA Root Certificate
+  caCertConfigMapName: "istio-ca-root-cert"
   # Configure a remote cluster data plane controlled by an external istiod.
   # When set to true, istiod is not deployed locally and only a subset of the other
   # discovery charts are enabled.

diff --git a/manifests/charts/ztunnel/templates/daemonset.yaml b/manifests/charts/ztunnel/templates/daemonset.yaml
@@ -136,7 +136,7 @@ spec:
               audience: istio-ca
       - name: istiod-ca-cert
         configMap:
-          name: istio-ca-root-cert
+          name: {{ .Values.global.caCertConfigMapName }}
       {{- with .Values.volumes }}
         {{- toYaml . | nindent 6}}
       {{- end }}
diff --git a/manifests/charts/ztunnel/values.yaml b/manifests/charts/ztunnel/values.yaml
@@ -56,6 +56,9 @@ multiCluster:
 meshConfig:
   defaultConfig:
     proxyMetadata: {}
+global:
+  # The name of the ConfigMap that stores the CA Root Certificate
+  caCertConfigMapName: "istio-ca-root-cert"
 
 # Ambient redirection mode: "iptables" or "ebpf"
 redirectMode: "iptables"

diff --git a/pilot/pkg/config/kube/gateway/deploymentcontroller_test.go b/pilot/pkg/config/kube/gateway/deploymentcontroller_test.go
@@ -361,10 +361,11 @@ func TestVersionManagement(t *testing.T) {
 }
 
 func testInjectionConfig(t test.Failer) func() inject.WebhookConfig {
-	vc, err := inject.NewValuesConfig(`
+	vc, err := inject.NewValuesConfig(fmt.Sprintf(`
 global:
   hub: test
-  tag: test`)
+  tag: test
+  caCertConfigMapName: %s`, features.CACertConfigMapName))
 	if err != nil {
 		t.Fatal(err)
 	}

diff --git a/pilot/pkg/features/pilot.go b/pilot/pkg/features/pilot.go
@@ -723,6 +723,9 @@ var (
 	EnableGatewayControllerMode = env.Register("PILOT_ENABLE_GATEWAY_CONTROLLER_MODE", false,
 		"If enabled, istiod will watch Gateway API and k8s resources in every namespace, but Istio resources will be limited to "+
 			"namespaces that match the meshConfig.discoverySelectors").Get()
+
+	CACertConfigMapName = env.RegisterStringVar("PILOT_CA_CERT_CONFIG_MAP_NAME", "istio-ca-root-cert",
+		"Name of the ConfigMap that stores the CA Root Certificate.").Get()
 )
 
 // UnsafeFeaturesEnabled returns true if any unsafe features are enabled.

diff --git a/pilot/pkg/serviceregistry/kube/controller/namespacecontroller.go b/pilot/pkg/serviceregistry/kube/controller/namespacecontroller.go
@@ -34,9 +34,6 @@ import (
 )
 
 const (
-	// CACertNamespaceConfigMap is the name of the ConfigMap in each namespace storing the root cert of non-Kube CA.
-	CACertNamespaceConfigMap = "istio-ca-root-cert"
-
 	// maxRetries is the number of times a namespace will be retried before it is dropped out of the queue.
 	// With the current rate-limiter in use (5ms*2^(maxRetries-1)) the following numbers represent the
 	// sequence of delays between successive queuing of a namespace.
@@ -45,6 +42,9 @@ const (
 	maxRetries = 5
 )
 
+// CACertNamespaceConfigMap is the name of the ConfigMap in each namespace storing the root cert of non-Kube CA.
+var CACertNamespaceConfigMap = features.CACertConfigMapName
+
 var configMapLabel = map[string]string{"istio.io/config": "true"}
 
 // NamespaceController manages reconciles a configmap in each namespace with a desired set of data.

diff --git a/pkg/kube/inject/testdata/inputs/custom-template.yaml.40.template.gen.yaml b/pkg/kube/inject/testdata/inputs/custom-template.yaml.40.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/custom-template.yaml.40.values.gen.yaml b/pkg/kube/inject/testdata/inputs/custom-template.yaml.40.values.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/default.template.gen.yaml b/pkg/kube/inject/testdata/inputs/default.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/default.values.gen.yaml b/pkg/kube/inject/testdata/inputs/default.values.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/enable-core-dump.yaml.5.template.gen.yaml b/pkg/kube/inject/testdata/inputs/enable-core-dump.yaml.5.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/enable-core-dump.yaml.5.values.gen.yaml b/pkg/kube/inject/testdata/inputs/enable-core-dump.yaml.5.values.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks-json.yaml.16.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks-json.yaml.16.template.gen.yaml