From a94bdfcb447f9b889cb8a6a58a788a5718369af9 Mon Sep 17 00:00:00 2001
From: Jordan Levin <jordan.levin@sap.com>
Date: Mon, 18 Mar 2024 16:08:55 -0700
Subject: [PATCH] fix: ESS Certs (#3)

* initialize provider

Signed-off-by: Jordan Levin <jordan.levin@sap.com>

* go1.21

Signed-off-by: Jordan Levin <jordan.levin@sap.com>

* init repo

Signed-off-by: Jordan Levin <jordan.levin@sap.com>

* skip golang install in lint step

Signed-off-by: Jordan Levin <jordan.levin@sap.com>

* skip cache

Signed-off-by: Jordan Levin <jordan.levin@sap.com>

* upgrade golangci-linter

Signed-off-by: Jordan Levin <jordan.levin@sap.com>

* fix: ESS Certs (#2)

* initialize provider (#1)

* initialize provider

Signed-off-by: Jordan Levin <jordan.levin@sap.com>

* go1.21

Signed-off-by: Jordan Levin <jordan.levin@sap.com>

* init repo

Signed-off-by: Jordan Levin <jordan.levin@sap.com>

* skip golang install in lint step

Signed-off-by: Jordan Levin <jordan.levin@sap.com>

* skip cache

Signed-off-by: Jordan Levin <jordan.levin@sap.com>

* upgrade golangci-linter

Signed-off-by: Jordan Levin <jordan.levin@sap.com>

---------

Signed-off-by: Jordan Levin <jordan.levin@sap.com>

* fix ess certs

Signed-off-by: Jordan Levin <jordan.levin@sap.com>

---------

Signed-off-by: Jordan Levin <jordan.levin@sap.com>

---------

Signed-off-by: Jordan Levin <jordan.levin@sap.com>
---
 cmd/provider/main.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/cmd/provider/main.go b/cmd/provider/main.go
index 0d5f9c6..8a5579f 100644
--- a/cmd/provider/main.go
+++ b/cmd/provider/main.go
@@ -11,6 +11,7 @@ import (
 	"time"
 
 	xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
+	"github.com/crossplane/crossplane-runtime/pkg/certificates"
 	xpcontroller "github.com/crossplane/crossplane-runtime/pkg/controller"
 	"github.com/crossplane/crossplane-runtime/pkg/feature"
 	"github.com/crossplane/crossplane-runtime/pkg/logging"
@@ -47,6 +48,7 @@ func main() {
 		providerSource   = app.Flag("terraform-provider-source", "Terraform provider source.").Required().Envar("TERRAFORM_PROVIDER_SOURCE").String()
 		providerVersion  = app.Flag("terraform-provider-version", "Terraform provider version.").Required().Envar("TERRAFORM_PROVIDER_VERSION").String()
 
+		essTLSCertsPath            = app.Flag("ess-tls-cert-dir", "Path of ESS TLS certificates.").Envar("ESS_TLS_CERTS_DIR").String()
 		namespace                  = app.Flag("namespace", "Namespace used to set as default scope in default secret store config.").Default("crossplane-system").Envar("POD_NAMESPACE").String()
 		enableExternalSecretStores = app.Flag("enable-external-secret-stores", "Enable support for ExternalSecretStores.").Default("false").Envar("ENABLE_EXTERNAL_SECRET_STORES").Bool()
 		enableManagementPolicies   = app.Flag("enable-management-policies", "Enable support for Management Policies.").Default("true").Envar("ENABLE_MANAGEMENT_POLICIES").Bool()
@@ -79,7 +81,7 @@ func main() {
 		RenewDeadline:              func() *time.Duration { d := 50 * time.Second; return &d }(),
 	})
 	kingpin.FatalIfError(err, "Cannot create controller manager")
-	kingpin.FatalIfError(apis.AddToScheme(mgr.GetScheme()), "Cannot add Upjet-EC APIs to scheme")
+	kingpin.FatalIfError(apis.AddToScheme(mgr.GetScheme()), "Cannot add Elastic Cloud APIs to scheme")
 	o := tjcontroller.Options{
 		Options: xpcontroller.Options{
 			Logger:                  log,
@@ -97,8 +99,17 @@ func main() {
 
 	if *enableExternalSecretStores {
 		o.SecretStoreConfigGVK = &v1alpha1.StoreConfigGroupVersionKind
+		o.ESSOptions = &tjcontroller.ESSOptions{}
 		log.Info("Alpha feature enabled", "flag", features.EnableAlphaExternalSecretStores)
 
+		if *essTLSCertsPath != "" {
+			log.Info("ESS TLS certificates path is set. Loading mTLS configuration.")
+			tCfg, err := certificates.LoadMTLSConfig(filepath.Join(*essTLSCertsPath, "ca.crt"), filepath.Join(*essTLSCertsPath, "tls.crt"), filepath.Join(*essTLSCertsPath, "tls.key"), false)
+			kingpin.FatalIfError(err, "Cannot load ESS TLS config.")
+
+			o.ESSOptions.TLSConfig = tCfg
+		}
+
 		// Ensure default store config exists.
 		kingpin.FatalIfError(resource.Ignore(kerrors.IsAlreadyExists, mgr.GetClient().Create(context.Background(), &v1alpha1.StoreConfig{
 			ObjectMeta: metav1.ObjectMeta{