Add certwatcher for TLS cert and key from controller-runtime

Also adds error for missing either tls-key or tls-cert arguments. Signed-off-by: Tayler Geiger <tayler@redhat.com>
operator-framework · May 9, 2024 · 904d3d7 · 904d3d7
1 parent d34081c
commit 904d3d7
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 28 deletions.
diff --git a/cmd/manager/main.go b/cmd/manager/main.go
@@ -17,7 +17,6 @@ limitations under the License.
 package main
 
 import (
-	"crypto/tls"
 	"flag"
 	"fmt"
 	"net"
@@ -41,6 +40,7 @@ import (
 
 	"github.com/operator-framework/catalogd/api/core/v1alpha1"
 	"github.com/operator-framework/catalogd/internal/garbagecollection"
+	"github.com/operator-framework/catalogd/internal/serverutil"
 	"github.com/operator-framework/catalogd/internal/source"
 	"github.com/operator-framework/catalogd/internal/third_party/server"
 	"github.com/operator-framework/catalogd/internal/version"
@@ -92,8 +92,8 @@ func main() {
 	flag.StringVar(&cacheDir, "cache-dir", "/var/cache/", "The directory in the filesystem that catalogd will use for file based caching")
 	flag.BoolVar(&catalogdVersion, "version", false, "print the catalogd version and exit")
 	flag.DurationVar(&gcInterval, "gc-interval", 12*time.Hour, "interval in which garbage collection should be run against the catalog content cache")
-	flag.StringVar(&certFile, "tls-cert", "", "The certificate file used for serving catalog contents over HTTPS")
-	flag.StringVar(&keyFile, "tls-key", "", "The key file used for serving catalog contents over HTTPS")
+	flag.StringVar(&certFile, "tls-cert", "", "The certificate file used for serving catalog contents over HTTPS. Requires tls-key.")
+	flag.StringVar(&keyFile, "tls-key", "", "The key file used for serving catalog contents over HTTPS. Requires tls-cert.")
 	opts := zap.Options{
 		Development: true,
 	}
@@ -150,29 +150,11 @@ func main() {
 		os.Exit(1)
 	}
 
-	if certFile != "" && keyFile != "" {
-		cert, err := tls.LoadX509KeyPair(certFile, keyFile)
-		if err != nil {
-			setupLog.Error(err, "unable to load certificate key pair")
-			os.Exit(1)
-		}
-		config := &tls.Config{
-			Certificates: []tls.Certificate{cert},
-			MinVersion:   tls.VersionTLS13,
-		}
-		listener, err = tls.Listen("tcp", catalogServerAddr, config)
-		if err != nil {
-			setupLog.Error(err, "unable to create HTTPS server listener")
-			os.Exit(1)
-		}
-		externalAddr = "https://" + externalAddr
-	} else {
-		listener, err = net.Listen("tcp", catalogServerAddr)
-		if err != nil {
-			setupLog.Error(err, "unable to create HTTP server listener")
-			os.Exit(1)
-		}
-		externalAddr = "http://" + externalAddr
+	// create listener here
+	listener, externalAddr, err = serverutil.ConfigureListener(certFile, keyFile, externalAddr, catalogServerAddr, mgr)
+	if err != nil {
+		setupLog.Error(err, "unable to configure server listener")
+		os.Exit(1)
 	}
 
 	baseStorageURL, err := url.Parse(fmt.Sprintf("%s/catalogs/", externalAddr))
@@ -199,7 +181,7 @@ func main() {
 	}
 
 	if err := mgr.Add(&catalogServer); err != nil {
-		setupLog.Error(err, "unable to start catalog server")
+		setupLog.Error(err, "unable to add catalog server to manager")
 		os.Exit(1)
 	}
 
@@ -236,7 +218,7 @@ func main() {
 		Interval:       gcInterval,
 	}
 	if err := mgr.Add(gc); err != nil {
-		setupLog.Error(err, "problem adding garbage collector to manager")
+		setupLog.Error(err, "unable to add garbage collector to manager")
 		os.Exit(1)
 	}
 

diff --git a/internal/serverutil/serverutil.go b/internal/serverutil/serverutil.go
@@ -0,0 +1,43 @@
+package serverutil
+
+import (
+	"crypto/tls"
+	"fmt"
+	"net"
+
+	ctrl "sigs.k8s.io/controller-runtime"
+
+	"sigs.k8s.io/controller-runtime/pkg/certwatcher"
+)
+
+func ConfigureListener(cert string, key string, addr string, catalogAddr string, mgr ctrl.Manager) (net.Listener, string, error) {
+	switch {
+	case cert == "" && key == "":
+		listener, err := net.Listen("tcp", catalogAddr)
+		if err != nil {
+			return nil, "", fmt.Errorf("unable to create HTTP server listener: %w", err)
+		}
+		addr = "http://" + addr
+		return listener, addr, nil
+	case cert != "" && key != "":
+		tlsFileWatcher, err := certwatcher.New(cert, key)
+		if err != nil {
+			return nil, "", err
+		}
+		config := &tls.Config{
+			GetCertificate: tlsFileWatcher.GetCertificate,
+			MinVersion:     tls.VersionTLS13,
+		}
+		listener, err := tls.Listen("tcp", catalogAddr, config)
+		if err != nil {
+			return nil, "", fmt.Errorf("unable to create HTTPS server listener: %w", err)
+		}
+		if err := mgr.Add(tlsFileWatcher); err != nil {
+			return nil, "", fmt.Errorf("unable to add TLS file watcher to manager: %w", err)
+		}
+		addr = "https://" + addr
+		return listener, addr, nil
+	default:
+		return nil, "", fmt.Errorf("unable to configure TLS certificates, tls-cert and tls-key flags must be used together")
+	}
+}