⚠️ Serve catalog over HTTPS #263
Conversation
adds cert-manager as a dependency again to create self-signed certs for the catalog server Signed-off-by: everettraven <everettraven@gmail.com>
This allows the use of alternate certificate managers. Signed-off-by: Tayler Geiger <tayler@redhat.com>
openshift-ci
bot
added
the
do-not-merge/work-in-progress
trgeiger
force-pushed
the
https-tayler
branch
2 times, most recently
from
30449a5
to
5428233
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #263 +/- ##
=======================================
Coverage 48.84% 48.84%
=======================================
Files 8 8
Lines 434 434
=======================================
Hits 212 212
Misses 201 201
Partials 21 21 ☔ View full report in Codecov by Sentry. |
trgeiger
force-pushed
the
https-tayler
branch
2 times, most recently
from
c20a488
to
d42ad79
Compare
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
Fix a few manifest issues as well. Signed-off-by: Tayler Geiger <tayler@redhat.com>
trgeiger
force-pushed
the
https-tayler
branch
7 times, most recently
from
81314f6
to
02e3232
Compare
| - apiGroups: | ||
| - "" | ||
| resources: | ||
| - pods |
There was a problem hiding this comment.
Out of scope for this PR, but seeing this I don't think we need these permissions on pods anymore. we don't use a pod to unpack the catalog contents anymore and probably forgot to come back and cleanup these permissions. I'll create an issue for this.
trgeiger
force-pushed
the
https-tayler
branch
2 times, most recently
from
904d3d7
to
04cc7c0
Compare
internal/serverutil/serverutil.go
Outdated
| "sigs.k8s.io/controller-runtime/pkg/certwatcher" | ||
| ) | ||
|
|
||
| func ConfigureListener(cert string, key string, addr string, catalogAddr string, mgr ctrl.Manager) (net.Listener, string, error) { |
There was a problem hiding this comment.
As I mentioned in Slack, I didn't realize how complex the signature for this function would be when I suggested it. At this point, it seems like we might as well go one step further and setup the entire server as part of this function.
I think just adding the storeDir would give us all the info we need to do that?
Also some nit suggestions on naming and order of parameters.
- Put the manager parameter first. That aligns with other functions that configure/add stuff to the manager.
- Group
storeDirandexternalAddrtogether, since they are used to build the storage struct. - Use
certFileandkeyFile(instead ofcertandkeyto make it more clear that they are the filenames of the cert and key, not the cert and key themselves) - Group listenAddr, certFile, and keyFile together since they are used to build the listener
Putting all that together, WDYT of this?
func AddCatalogServerToManager(mgr ctrl.Manager, storeDir, externalAddr, listenAddr, certFile, keyFile string) errorThere was a problem hiding this comment.
If we are concerned about the size of the function signature, it can probably be reduced to something like:
type CatalogServerConfig struct {
...
}
func AddCatalogServerToManager(mgr ctrl.Manager, cfg CatalogServerConfig) (net.Listener, string, error) {
...
}
trgeiger
force-pushed
the
https-tayler
branch
2 times, most recently
from
7577dc3
to
fa4bb3c
Compare
- Add error for missing either tls-key or tls-cert arguments. - Move server creation and configuration to serverutil Signed-off-by: Tayler Geiger <tayler@redhat.com>
There was a problem hiding this comment.
LGTM - thanks @trgeiger . I'll hold merging for a bit to allow @joelanford to take another pass
|
Thanks, Bryce. Should we adjust anything in the readme's quickstart instructions or anywhere else in docs? |
Ah, great question (and good catch). We should probably update the quickstart instructions for port-forwarding and the |
|
How should we handle changing the instructions, given that HTTP is still supported if no TLS keys are provided, and the cert-manager is now an overlay. Do we just add that information as caveats to the instructions? Should I detail pulling down the cert and providing it to curl? etc. |
I'm not too familiar with how the overlays work, but IIUC the default deployment (i.e what is released) is going to be including the cert-manager resources and enable TLS (please correct me if I am wrong). If that is the default I would document whatever the default is. I would not document pulling down the cert and providing it to curl and instead document with |
|
I made a couple small edits to README.md and https://github.com/operator-framework/catalogd/blob/main/docs/fetching-catalog-contents.md, let me know what you think |
There was a problem hiding this comment.
A couple nits on the docs edits but I won't hold this PR on those. Great work @trgeiger !
|
Those were quick fixes, just made em so no need to hold off for another issue/pr for those. |
This adds the ability to use HTTPS on the catalog server.
If the TLS cert and key filenames are provided via the relevant flags, then the server will be set to use HTTPS. If neither or only one of those options are provided, the server will use HTTP.
This also changes the http-external-address flag to just external-address, with the user no longer prepending the address with http or https.
This PR also includes an overhaul of the organization of the manifests. Following the example of rukpak, cert-manager is used in the Makefile build targets so HTTPS is enabled in kind, but cert-manager is not a required dependency of catalogd. Instead, it's applied as an overlay which we target in the Makefile.