Eliminate use of naked bool (includeDefaultCAs) in ClusterBundle API

deploy/crds/trust-manager.io_clusterbundles.yaml

@@ -59,21 +59,33 @@ spec:
           spec:
             description: spec represents the desired state of the ClusterBundle resource.
             properties:
+              defaultCAs:
+                description: defaultCAs configures the use of a default CA bundle
+                  as a trust source.
+                properties:
+                  provider:
+                    description: "provider identifies the provider of the default
+                      CA bundle.\n\nValid values:\n- System: Uses the default CA package
+                      made available to trust-manager at startup.\n     The default
+                      CA bundle is available only if trust-manager was installed with\n\t\tdefault
+                      CA support enabled, either via the Helm chart or by starting
+                      the\n\t\ttrust-manager controller with the \"--default-package-location\"
+                      flag.\n\n\t\tIf no default CA package was configured at startup,
+                      specifying this source\n\t\twill result in reconciliation failure.\n\n\t\tThe
+                      version of the default CA package used for this Bundle is reported
+                      in\n\t\tstatus.defaultCAVersion.\n- Disabled: No default CAs
+                      are used as sources."
+                    enum:
+                    - System
+                    - Disabled
+                    type: string
+                required:
+                - provider
+                type: object
               inLineCAs:
                 description: inLineCAs is a simple string to append as the source
                   data.
                 type: string
-              includeDefaultCAs:
-                description: |-
-                  includeDefaultCAs indicates whether the default CA bundle should be used as a source.
-                  The default CA bundle is available only if trust-manager was installed with
-                  default CA support enabled, either via the Helm chart or by starting the
-                  trust-manager controller with the "--default-package-location" flag.
-                  If default CA support was not enabled at startup, setting this field to true
-                  will result in reconciliation failure.
-                  The version of the default CA package used for this Bundle is reported in
-                  status.defaultCAVersion.
-                type: boolean
               sourceRefs:
                 description: |-
                   sourceRefs is a list of references to resources whose data will be appended and synced into

pkg/apis/trust/v1alpha1/conversion.go

@@ -24,6 +24,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	apimachineryconversion "k8s.io/apimachinery/pkg/conversion"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/conversion"
 
 	trustv1alpha2 "github.com/cert-manager/trust-manager/pkg/apis/trustmanager/v1alpha2"
@@ -125,7 +126,11 @@ func Convert_v1alpha1_BundleSource_To_v1alpha2_BundleSourceRef(in *BundleSource,
 	}
 	if in.UseDefaultCAs != nil {
 		obj := scope.Meta().Context.(*trustv1alpha2.ClusterBundle)
-		obj.Spec.IncludeDefaultCAs = in.UseDefaultCAs
+		provider := trustv1alpha2.DefaultCAsProviderDisabled
+		if *in.UseDefaultCAs {
+			provider = trustv1alpha2.DefaultCAsProviderSystem
+		}
+		obj.Spec.DefaultCAs = &trustv1alpha2.DefaultCAsSource{Provider: provider}
 	}
 
 	return nil
@@ -253,8 +258,8 @@ func Convert_v1alpha2_BundleSpec_To_v1alpha1_BundleSpec(in *trustv1alpha2.Bundle
 	if in.InLineCAs != nil {
 		out.Sources = append(out.Sources, BundleSource{InLine: in.InLineCAs})
 	}
-	if in.IncludeDefaultCAs != nil {
-		out.Sources = append(out.Sources, BundleSource{UseDefaultCAs: in.IncludeDefaultCAs})
+	if in.DefaultCAs != nil {
+		out.Sources = append(out.Sources, BundleSource{UseDefaultCAs: ptr.To(in.DefaultCAs.Provider == trustv1alpha2.DefaultCAsProviderSystem)})
 	}
 
 	return nil

pkg/apis/trust/v1alpha1/conversion_test.go

@@ -93,6 +93,7 @@ func fuzzFuncs(_ runtimeserializer.CodecFactory) []any {
 		spokeSourceObjectKeySelectorFuzzer,
 		spokeBundleTargetFuzzer,
 		hubBundleSourceRefFuzzer,
+		hubDefaultCAsFuzzer,
 		hubBundleTargetFuzzer,
 	}
 }
@@ -165,6 +166,14 @@ func hubBundleSourceRefFuzzer(obj *trustmanagerapi.BundleSourceRef, c randfill.C
 	obj.Kind = kindSet[rand.Intn(len(kindSet))] //nolint:gosec
 }
 
+func hubDefaultCAsFuzzer(obj *trustmanagerapi.DefaultCAsSource, c randfill.Continue) {
+	c.FillNoCustom(obj)
+
+	// We only allow known providers, so must normalize the provider
+	providerSet := []string{trustmanagerapi.DefaultCAsProviderDisabled, trustmanagerapi.DefaultCAsProviderSystem}
+	obj.Provider = providerSet[rand.Intn(len(providerSet))] //nolint:gosec
+}
+
 func hubBundleTargetFuzzer(obj *trustmanagerapi.BundleTarget, c randfill.Continue) {
 	c.FillNoCustom(obj)
 

pkg/apis/trustmanager/v1alpha2/types_cluster_bundle.go

@@ -71,16 +71,9 @@ type BundleSpec struct {
 	// +kubebuilder:validation:MaxItems=100
 	SourceRefs []BundleSourceRef `json:"sourceRefs,omitempty"`
 
-	// includeDefaultCAs indicates whether the default CA bundle should be used as a source.
-	// The default CA bundle is available only if trust-manager was installed with
-	// default CA support enabled, either via the Helm chart or by starting the
-	// trust-manager controller with the "--default-package-location" flag.
-	// If default CA support was not enabled at startup, setting this field to true
-	// will result in reconciliation failure.
-	// The version of the default CA package used for this Bundle is reported in
-	// status.defaultCAVersion.
+	// defaultCAs configures the use of a default CA bundle as a trust source.
 	// +optional
-	IncludeDefaultCAs *bool `json:"includeDefaultCAs,omitempty"`
+	DefaultCAs *DefaultCAsSource `json:"defaultCAs,omitempty"`
 
 	// inLineCAs is a simple string to append as the source data.
 	// +optional
@@ -106,6 +99,27 @@ type BundleSourceRef struct {
 	Key string `json:"key"`
 }
 
+// DefaultCAsSource configures the use of a default CA bundle as a trust source.
+type DefaultCAsSource struct {
+	// provider identifies the provider of the default CA bundle.
+	//
+	// Valid values:
+	// - System: Uses the default CA package made available to trust-manager at startup.
+	//      The default CA bundle is available only if trust-manager was installed with
+	//		default CA support enabled, either via the Helm chart or by starting the
+	//		trust-manager controller with the "--default-package-location" flag.
+	//
+	//		If no default CA package was configured at startup, specifying this source
+	//		will result in reconciliation failure.
+	//
+	//		The version of the default CA package used for this Bundle is reported in
+	//		status.defaultCAVersion.
+	// - Disabled: No default CAs are used as sources.
+	// +required
+	// +kubebuilder:validation:Enum=System;Disabled
+	Provider string `json:"provider"`
+}
+
 // BundleTarget is the target resource that the Bundle will sync all source
 // data to.
 // +kubebuilder:validation:XValidation:rule="[has(self.configMap), has(self.secret)].exists(x,x)", message="any of the following fields must be provided: [configMap, secret]"
@@ -163,6 +177,9 @@ const (
 	ConfigMapKind string = "ConfigMap"
 
 	SecretKind string = "Secret"
+
+	DefaultCAsProviderDisabled string = "Disabled"
+	DefaultCAsProviderSystem   string = "System"
 )
 
 // SourceReference is a reference to a source object.

test/integration/clusterbundle/migration_test.go

@@ -119,7 +119,7 @@ var _ = Describe("ClusterBundle Migration", func() {
 		clusterBundle.Annotations = map[string]string{
 			trustmanagerapi.BundleMigratedAnnotation: "true",
 		}
-		clusterBundle.Spec.IncludeDefaultCAs = ptr.To(true)
+		clusterBundle.Spec.DefaultCAs = &trustmanagerapi.DefaultCAsSource{Provider: trustmanagerapi.DefaultCAsProviderSystem}
 		Expect(cl.Update(ctx, clusterBundle)).To(Succeed())
 
 		Eventually(func() (string, error) {