Eliminate use of naked bool (includeDefaultCAs) in ClusterBundle API

Signed-off-by: Erik Godding Boye <egboye@gmail.com>

Author: erikgb

deploy/crds/trust-manager.io_clusterbundles.yaml

@@ -59,20 +59,32 @@ spec:
           spec:
             description: Desired state of the Bundle resource.
             properties:
+              defaultCAs:
+                description: DefaultCAs configures the use of a default CA bundle
+                  as a trust source.
+                properties:
+                  provider:
+                    description: "Provider identifies the provider of the default
+                      CA bundle.\n\nValid values:\n- System: Uses the default CA package
+                      made available to trust-manager at\n\t\tstartup. This package
+                      is typically provided when trust-manager is installed\n\t\tvia
+                      Helm, or when the controller is started with the\n\t\t\"--default-package-location\"
+                      flag, which enables a package-injecting init\n\t\tcontainer.\n\n\t\tIf
+                      no default CA package was configured at startup, specifying
+                      this source\n\t\twill result in reconciliation failure.\n\n\t\tThe
+                      version of the default CA package used for a Bundle is reported
+                      in\n\t\tstatus.defaultCAPackageVersion.\n- Disabled: No default
+                      CAs are used as sources."
+                    enum:
+                    - System
+                    - Disabled
+                    type: string
+                required:
+                - provider
+                type: object
               inLineCAs:
                 description: InLine is a simple string to append as the source data.
                 type: string
-              includeDefaultCAs:
-                description: |-
-                  IncludeDefaultCAs, when true, requests the default CA bundle to be used as a source.
-                  Default CAs are available if trust-manager was installed via Helm
-                  or was otherwise set up to include a package-injecting init container by using the
-                  "--default-package-location" flag when starting the trust-manager controller.
-                  If default CAs were not configured at start-up, any request to use the default
-                  CAs will fail.
-                  The version of the default CA package which is used for a Bundle is stored in the
-                  defaultCAPackageVersion field of the Bundle's status field.
-                type: boolean
               sources:
                 description: Sources is a set of references to data whose data will
                   sync to the target.

pkg/apis/trust/v1alpha1/conversion.go

@@ -24,6 +24,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	apimachineryconversion "k8s.io/apimachinery/pkg/conversion"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/conversion"
 
 	trustv1alpha2 "github.com/cert-manager/trust-manager/pkg/apis/trustmanager/v1alpha2"
@@ -105,7 +106,11 @@ func Convert_v1alpha1_BundleSource_To_v1alpha2_BundleSource(in *BundleSource, ou
 	}
 	if in.UseDefaultCAs != nil {
 		obj := scope.Meta().Context.(*trustv1alpha2.ClusterBundle)
-		obj.Spec.IncludeDefaultCAs = in.UseDefaultCAs
+		provider := trustv1alpha2.DefaultCAsProviderDisabled
+		if *in.UseDefaultCAs {
+			provider = trustv1alpha2.DefaultCAsProviderSystem
+		}
+		obj.Spec.DefaultCAs = &trustv1alpha2.DefaultCAsSource{Provider: provider}
 	}
 
 	return nil
@@ -221,8 +226,8 @@ func Convert_v1alpha2_BundleSpec_To_v1alpha1_BundleSpec(in *trustv1alpha2.Bundle
 	if in.InLineCAs != nil {
 		out.Sources = append(out.Sources, BundleSource{InLine: in.InLineCAs})
 	}
-	if in.IncludeDefaultCAs != nil {
-		out.Sources = append(out.Sources, BundleSource{UseDefaultCAs: in.IncludeDefaultCAs})
+	if in.DefaultCAs != nil {
+		out.Sources = append(out.Sources, BundleSource{UseDefaultCAs: ptr.To(in.DefaultCAs.Provider == trustv1alpha2.DefaultCAsProviderSystem)})
 	}
 
 	return nil

pkg/apis/trust/v1alpha1/conversion_test.go

@@ -93,6 +93,7 @@ func fuzzFuncs(_ runtimeserializer.CodecFactory) []any {
 		spokeSourceObjectKeySelectorFuzzer,
 		spokeBundleTargetFuzzer,
 		hubBundleSourceFuzzer,
+		hubDefaultCAsFuzzer,
 		hubBundleTargetFuzzer,
 	}
 }
@@ -165,6 +166,14 @@ func hubBundleSourceFuzzer(obj *trustmanagerapi.BundleSource, c randfill.Continu
 	obj.Kind = kindSet[rand.Intn(len(kindSet))] //nolint:gosec
 }
 
+func hubDefaultCAsFuzzer(obj *trustmanagerapi.DefaultCAsSource, c randfill.Continue) {
+	c.FillNoCustom(obj)
+
+	// We only allow known providers, so must normalize the provider
+	providerSet := []string{trustmanagerapi.DefaultCAsProviderDisabled, trustmanagerapi.DefaultCAsProviderSystem}
+	obj.Provider = providerSet[rand.Intn(len(providerSet))] //nolint:gosec
+}
+
 func hubBundleTargetFuzzer(obj *trustmanagerapi.BundleTarget, c randfill.Continue) {
 	c.FillNoCustom(obj)
 

pkg/apis/trust/v1alpha1/zz_generated.conversion.go

@@ -66,16 +66,9 @@ type BundleSpec struct {
 	// +kubebuilder:validation:MaxItems=100
 	Sources []BundleSource `json:"sources,omitempty"`
 
-	// IncludeDefaultCAs, when true, requests the default CA bundle to be used as a source.
-	// Default CAs are available if trust-manager was installed via Helm
-	// or was otherwise set up to include a package-injecting init container by using the
-	// "--default-package-location" flag when starting the trust-manager controller.
-	// If default CAs were not configured at start-up, any request to use the default
-	// CAs will fail.
-	// The version of the default CA package which is used for a Bundle is stored in the
-	// defaultCAPackageVersion field of the Bundle's status field.
+	// DefaultCAs configures the use of a default CA bundle as a trust source.
 	// +optional
-	IncludeDefaultCAs *bool `json:"includeDefaultCAs,omitempty"`
+	DefaultCAs *DefaultCAsSource `json:"defaultCAs,omitempty"`
 
 	// InLine is a simple string to append as the source data.
 	// +optional
@@ -100,6 +93,28 @@ type BundleSource struct {
 	Key string `json:"key"`
 }
 
+// DefaultCAsSource configures the use of a default CA bundle as a trust source.
+type DefaultCAsSource struct {
+	// Provider identifies the provider of the default CA bundle.
+	//
+	// Valid values:
+	// - System: Uses the default CA package made available to trust-manager at
+	//		startup. This package is typically provided when trust-manager is installed
+	//		via Helm, or when the controller is started with the
+	//		"--default-package-location" flag, which enables a package-injecting init
+	//		container.
+	//
+	//		If no default CA package was configured at startup, specifying this source
+	//		will result in reconciliation failure.
+	//
+	//		The version of the default CA package used for a Bundle is reported in
+	//		status.defaultCAPackageVersion.
+	// - Disabled: No default CAs are used as sources.
+	// +required
+	// +kubebuilder:validation:Enum=System;Disabled
+	Provider string `json:"provider"`
+}
+
 // BundleTarget is the target resource that the Bundle will sync all source
 // data to.
 // +kubebuilder:validation:XValidation:rule="[has(self.configMap), has(self.secret)].exists(x,x)", message="any of the following fields must be provided: [configMap, secret]"
@@ -156,6 +171,9 @@ const (
 	ConfigMapKind string = "ConfigMap"
 
 	SecretKind string = "Secret"
+
+	DefaultCAsProviderDisabled string = "Disabled"
+	DefaultCAsProviderSystem   string = "System"
 )
 
 // SourceReference is a reference to a source object.

pkg/apis/trustmanager/v1alpha2/types_cluster_bundle.go

@@ -119,7 +119,7 @@ var _ = Describe("ClusterBundle Migration", func() {
 		clusterBundle.Annotations = map[string]string{
 			trustmanagerapi.BundleMigratedAnnotation: "true",
 		}
-		clusterBundle.Spec.IncludeDefaultCAs = ptr.To(true)
+		clusterBundle.Spec.DefaultCAs = &trustmanagerapi.DefaultCAsSource{Provider: trustmanagerapi.DefaultCAsProviderSystem}
 		Expect(cl.Update(ctx, clusterBundle)).To(Succeed())
 
 		Eventually(func() (string, error) {