From 8e771af9b5100e374e1ca6b286428bf0ff37f0f3 Mon Sep 17 00:00:00 2001 From: everettraven Date: Wed, 17 Apr 2024 16:49:35 -0400 Subject: [PATCH 1/2] make catalog server serve catalog contents over HTTPS adds cert-manager as a dependency again to create self-signed certs for the catalog server Signed-off-by: everettraven --- .goreleaser.yml | 2 ++ Makefile | 6 +++++- cmd/manager/main.go | 13 ++++++++++--- config/certmanager/certificate.yaml | 19 +++++++++++++++++++ config/certmanager/issuer.yaml | 7 +++++++ config/certmanager/kustomization.yaml | 3 +++ config/default/kustomization.yaml | 2 +- config/manager/catalogserver_service.yaml | 4 ++-- config/manager/manager.yaml | 7 ++++++- internal/third_party/server/server.go | 20 ++++++++++++++++++++ 10 files changed, 75 insertions(+), 8 deletions(-) create mode 100644 config/certmanager/certificate.yaml create mode 100644 config/certmanager/issuer.yaml create mode 100644 config/certmanager/kustomization.yaml diff --git a/.goreleaser.yml b/.goreleaser.yml index ab4f87de..9b74e2e8 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -66,6 +66,8 @@ release: header: | ## Installation ```bash + kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml + kubectl wait --for=condition=Available --namespace=cert-manager deployment/cert-manager-webhook --timeout=60s kubectl apply -f https://github.com/operator-framework/catalogd/releases/download/{{ .Tag }}/catalogd.yaml kubectl wait --for=condition=Available --namespace=catalogd-system deployment/catalogd-controller-manager --timeout=60s ``` diff --git a/Makefile b/Makefile index 40286991..2e42337b 100644 --- a/Makefile +++ b/Makefile 
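Review bot: The release header pins cert-manager as the literal `v1.11.0`, while the Makefile hunk in this same patch installs it from `${CERT_MGR_VERSION}`, so the two copies will drift the first time the variable is bumped. Because the goreleaser header is static text, the safest fix is to generate the line from the same variable, or failing that to leave a comment beside `CERT_MGR_VERSION` in the Makefile saying that `.goreleaser.yml` must be updated in lockstep. The instructions also wait only on `deployment/cert-manager-webhook`; since the manager Pod cannot start until the `catalogd-catalogserver-cert` Secret has been issued, the 60s wait for catalogd may need headroom on slow clusters.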
@@ -152,7 +152,7 @@ kind-load: $(KIND) ## Load the built images onto the local cluster $(KIND) load docker-image $(IMAGE) --name $(KIND_CLUSTER_NAME) .PHONY: install -install: build-container kind-load deploy wait ## Install local catalogd +install: build-container kind-load cert-manager deploy wait ## Install local catalogd .PHONY: deploy deploy: $(KUSTOMIZE) ## Deploy Catalogd to the K8s cluster specified in ~/.kube/config. @@ -166,6 +166,10 @@ undeploy: $(KUSTOMIZE) ## Undeploy Catalogd from the K8s cluster specified in ~/ wait: kubectl wait --for=condition=Available --namespace=$(CATALOGD_NAMESPACE) deployment/catalogd-controller-manager --timeout=60s +.PHONY: cert-manager +cert-manager: + kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/${CERT_MGR_VERSION}/cert-manager.yaml + kubectl wait --for=condition=Available --namespace=cert-manager deployment/cert-manager-webhook --timeout=60s ##@ Release export ENABLE_RELEASE_PIPELINE ?= false diff --git a/cmd/manager/main.go b/cmd/manager/main.go index e4b8b08b..9161bfb1 100644 --- a/cmd/manager/main.go +++ b/cmd/manager/main.go @@ -77,9 +77,11 @@ func main() { catalogdVersion bool systemNamespace string catalogServerAddr string - httpExternalAddr string + httpsExternalAddr string cacheDir string gcInterval time.Duration + certfile string + keyfile string ) flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") 
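Review bot: The new `cert-manager` target expands `${CERT_MGR_VERSION}`, but nothing in this patch defines it; unless it is already set elsewhere in the Makefile the URL collapses to `.../download//cert-manager.yaml` and `kubectl apply` fails with an unhelpful 404. Define it next to the other pinned tool versions, e.g. `CERT_MGR_VERSION ?= v1.11.0`, matching the version hard-coded in `.goreleaser.yml`. The target also waits only on `deployment/cert-manager-webhook`, while the Certificate added under `config/certmanager` is issued by the controller deployment, so `deploy` may race ahead and `wait` can then find the manager Pod stuck on the missing `catalogd-catalogserver-cert` Secret; waiting on all three cert-manager deployments is cheap insurance.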
@@ -89,10 +91,12 @@ func main() { "Enabling this will ensure there is only one active controller manager.") flag.StringVar(&systemNamespace, "system-namespace", "", "The namespace catalogd uses for internal state, configuration, and workloads") flag.StringVar(&catalogServerAddr, "catalogs-server-addr", ":8083", "The address where the unpacked catalogs' content will be accessible") - flag.StringVar(&httpExternalAddr, "http-external-address", "http://catalogd-catalogserver.catalogd-system.svc", "The external address at which the http server is reachable.") + flag.StringVar(&httpsExternalAddr, "https-external-address", "https://catalogd-catalogserver.catalogd-system.svc", "The external address at which the http server is reachable.") flag.StringVar(&cacheDir, "cache-dir", "/var/cache/", "The directory in the filesystem that catalogd will use for file based caching") flag.BoolVar(&catalogdVersion, "version", false, "print the catalogd version and exit") flag.DurationVar(&gcInterval, "gc-interval", 12*time.Hour, "interval in which garbage collection should be run against the catalog content cache") + flag.StringVar(&certfile, "tls-cert", "/var/certs/tls.crt", "The certificate file used for serving catalog contents over HTTPS") + flag.StringVar(&keyfile, "tls-key", "/var/certs/tls.key", "The key file used for serving catalog contents over HTTPS") opts := zap.Options{ Development: true, } @@ -149,7 +153,7 @@ func main() { os.Exit(1) } - baseStorageURL, err := url.Parse(fmt.Sprintf("%s/catalogs/", httpExternalAddr)) + baseStorageURL, err := url.Parse(fmt.Sprintf("%s/catalogs/", httpsExternalAddr)) if err != nil { setupLog.Error(err, "unable to create base storage URL") os.Exit(1) @@ -168,6 +172,9 @@ func main() { WriteTimeout: 5 * time.Minute, }, ShutdownTimeout: &shutdownTimeout, + ServeTLS: true, + CertFile: certfile, + KeyFile: keyfile, } if err := mgr.Add(&catalogServer); err != nil { 
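Review bot: The help text on the renamed flag still says `the http server`, although the flag is now `https-external-address` with an `https://` default; `"The external address at which the HTTPS server is reachable."` would match. Renaming also removes `--http-external-address` outright, so any existing deployment still passing it fails to start with `flag provided but not defined` — a deprecated alias bound to the same variable would make the cutover non-breaking. The `tls-cert`/`tls-key` help strings could further state that the files are always required, since the hunk at `@@ -168,6 +172,9 @@` hard-codes `ServeTLS: true`. `main` begins and ends outside these hunks.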
diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml new file mode 100644 index 00000000..65d60555 --- /dev/null +++ b/config/certmanager/certificate.yaml @@ -0,0 +1,19 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: catalogserver-cert + namespace: system +spec: + secretName: catalogd-catalogserver-cert + duration: 2160h # 90d + renewBefore: 360h # 15d + subject: + organizations: + - operator-framework + isCA: false + dnsNames: + - catalogd-catalogserver.catalogd-system.svc + issuerRef: + name: catalogd-catalogserver-selfsigned-issuer + kind: Issuer + diff --git a/config/certmanager/issuer.yaml b/config/certmanager/issuer.yaml new file mode 100644 index 00000000..11b78ec2 --- /dev/null +++ b/config/certmanager/issuer.yaml @@ -0,0 +1,7 @@ +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: catalogserver-selfsigned-issuer + namespace: system +spec: + selfSigned: {} diff --git a/config/certmanager/kustomization.yaml b/config/certmanager/kustomization.yaml new file mode 100644 index 00000000..b5142199 --- /dev/null +++ b/config/certmanager/kustomization.yaml @@ -0,0 +1,3 @@ +resources: +- issuer.yaml +- certificate.yaml diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index f1c837dd..3415459a 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -14,5 +14,5 @@ kind: Kustomization resources: - ../crd - ../rbac +- ../certmanager - ../manager - diff --git a/config/manager/catalogserver_service.yaml b/config/manager/catalogserver_service.yaml index 872afc15..0e7e4026 100644 --- a/config/manager/catalogserver_service.yaml +++ b/config/manager/catalogserver_service.yaml @@ -10,7 +10,7 @@ spec: selector: control-plane: controller-manager ports: - - name: http + - name: https protocol: TCP - port: 80 + port: 443 targetPort: 8083 diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index f1069f4e..1a3562f8 100644 
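Review bot: `issuerRef.name` is `catalogd-catalogserver-selfsigned-issuer`, but the Issuer in `issuer.yaml` is named `catalogserver-selfsigned-issuer`; this only resolves if `config/default` applies a `catalogd-` namePrefix to the Issuer, and as far as I know kustomize's built-in nameReference list does not rewrite `issuerRef` or `secretName` on cert-manager types, so a missing prefix leaves the Certificate in `IssuerNotFound` and the manager Pod without its Secret. A comment on the field would save the next reader the hunt, e.g. `# namePrefix in config/default turns catalogserver-selfsigned-issuer into this name`. Separately, `dnsNames` hard-codes the `catalogd-system` namespace while `metadata.namespace` is the kustomize-substituted `system`, so deploying into any other namespace yields a certificate whose SAN does not match the Service DNS name.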
--- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -75,12 +75,14 @@ spec: args: - --leader-elect - --metrics-bind-address=127.0.0.1:8080 - - --http-external-address=http://catalogd-catalogserver.catalogd-system.svc + - --https-external-address=https://catalogd-catalogserver.catalogd-system.svc image: controller:latest name: manager volumeMounts: - name: cache mountPath: /var/cache/ + - name: catalogserver-certs + mountPath: /var/certs/ securityContext: allowPrivilegeEscalation: false capabilities: @@ -108,3 +110,6 @@ spec: volumes: - name: cache emptyDir: {} + - name: catalogserver-certs + secret: + secretName: catalogd-catalogserver-cert diff --git a/internal/third_party/server/server.go b/internal/third_party/server/server.go index c8cf442c..3b22fac3 100644 --- a/internal/third_party/server/server.go +++ b/internal/third_party/server/server.go @@ -62,6 +62,18 @@ type Server struct { // ShutdownTimeout is an optional duration that indicates how long to wait for the server to shutdown gracefully. If not set, // the server will wait indefinitely for all connections to close. ShutdownTimeout *time.Duration + + // ServeTLS is an optional bool that indicates that the server should + // serve over HTTPS + ServeTLS bool + + // CertFile is the certificate file to use when serving over HTTPS. + // Only used and required when ServeTLS is "true". + CertFile string + + // KeyFile is the key file to use when serving over HTTPS. + // Only used and required when ServeTLS is "true". + KeyFile string } // Start starts the server. It will block until the server is stopped or an error occurs. @@ -116,7 +128,15 @@ func (s *Server) addr() string { func (s *Server) serve() error { if s.Listener != nil { + if s.ServeTLS { + return s.Server.ServeTLS(s.Listener, s.CertFile, s.KeyFile) + } return s.Server.Serve(s.Listener) } + + if s.ServeTLS { + return s.Server.ListenAndServeTLS(s.CertFile, s.KeyFile) + } + return s.Server.ListenAndServe() } 
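Review bot: The `CertFile`/`KeyFile` comments say the files are required when `ServeTLS` is true, but `net/http.Server.ServeTLS` and `ListenAndServeTLS` accept empty paths when `TLSConfig.Certificates` or `TLSConfig.GetCertificate` is already populated, so the stated contract is narrower than the real one. Suggest `// Required when ServeTLS is true unless Server.TLSConfig already supplies a certificate (Certificates or GetCertificate).` on both fields. The `Server` struct definition starts above the hunk.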
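Review bot: Both new branches in `serve()` hand `s.CertFile`/`s.KeyFile` to `ServeTLS`/`ListenAndServeTLS`, which load the key pair once at startup; the cert-manager `Certificate` in this series renews the mounted Secret every 75 days (`duration: 2160h`, `renewBefore: 360h`), but this server keeps presenting the original certificate until the process restarts and will fail handshakes once it expires at 90 days. Serving through `TLSConfig.GetCertificate`, which re-reads the files, makes rotation effective without a restart; the sketch below folds both listener paths into one TLS branch. Nothing here sets `MinVersion`, so the server also accepts TLS 1.0/1.1 (Go's server-side default when `MinVersion` is zero); pinning `tls.VersionTLS12` is the usual baseline.
```go
func (s *Server) serve() error {
	if s.ServeTLS {
		if s.Server.TLSConfig == nil {
			s.Server.TLSConfig = &tls.Config{}
		}
		if s.Server.TLSConfig.MinVersion == 0 {
			s.Server.TLSConfig.MinVersion = tls.VersionTLS12
		}
		// Re-read the key pair per handshake so a renewed cert-manager Secret
		// is served without a restart; cache on file mtime if this gets hot.
		s.Server.TLSConfig.GetCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
			cert, err := tls.LoadX509KeyPair(s.CertFile, s.KeyFile)
			if err != nil {
				return nil, err
			}
			return &cert, nil
		}
		if s.Listener != nil {
			return s.Server.ServeTLS(s.Listener, "", "")
		}
		return s.Server.ListenAndServeTLS("", "")
	}
	// … unchanged: plain HTTP Serve / ListenAndServe paths …
}
```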
From 495903c3e85b17304df0e008b68b5aac43a6ca3b Mon Sep 17 00:00:00 2001
From: everettraven
Date: Wed, 17 Apr 2024 16:55:33 -0400
Subject: [PATCH 2/2] fix e2e

Signed-off-by: everettraven
---
 test/e2e/unpack_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/e2e/unpack_test.go b/test/e2e/unpack_test.go
index b2a63db4..06c20d23 100644
--- a/test/e2e/unpack_test.go
+++ b/test/e2e/unpack_test.go
@@ -93,7 +93,7 @@ var _ = Describe("Catalog Unpacking", func() {
 // the ProxyGet() call below needs an explicit port value, so if
 // value from url.Port() is empty, we assume port 80.
 if port == "" {
- port = "80"
+ port = "443"
 }
 resp := kubeClient.CoreV1().Services(ns).ProxyGet(url.Scheme, name, port, url.Path, map[string]string{})
 rc, err := resp.Stream(ctx)
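Review bot: The comment two lines above the changed assignment still reads `we assume port 80`, while the fallback is now `"443"`; update it to `// value from url.Port() is empty, we assume port 443.` so the next reader does not take the test for wrong. The `Describe` block enclosing this code starts and ends outside the hunk.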