From 2080e21d59a4b0df3db705619a9c51ee34f07383 Mon Sep 17 00:00:00 2001 From: Tayler Geiger Date: Thu, 6 Jun 2024 13:18:55 -0500 Subject: [PATCH] Reorganize TLS changes --- cmd/manager/main.go | 29 ++++------------ config/base/{default => }/kustomization.yaml | 6 ++-- config/base/manager/manager.yaml | 2 +- config/overlays/tls/kustomization.yaml | 5 +-- .../tls/patches/manager_deployment_cert.yaml | 2 +- internal/httputil/httputil.go | 34 +++++++++++++++++++ 6 files changed, 46 insertions(+), 32 deletions(-) rename config/base/{default => }/kustomization.yaml (99%) create mode 100644 internal/httputil/httputil.go diff --git a/cmd/manager/main.go b/cmd/manager/main.go index 52c566fc1..26db37b61 100644 --- a/cmd/manager/main.go +++ b/cmd/manager/main.go @@ -17,15 +17,11 @@ limitations under the License. package main import ( - "crypto/tls" "crypto/x509" "flag" "fmt" - "log" - "net/http" "net/url" "os" - "time" "github.com/spf13/pflag" "go.uber.org/zap/zapcore" @@ -48,6 +44,7 @@ import ( catalogclient "github.com/operator-framework/operator-controller/internal/catalogmetadata/client" "github.com/operator-framework/operator-controller/internal/controllers" "github.com/operator-framework/operator-controller/internal/handler" + "github.com/operator-framework/operator-controller/internal/httputil" "github.com/operator-framework/operator-controller/internal/labels" "github.com/operator-framework/operator-controller/internal/version" "github.com/operator-framework/operator-controller/pkg/features" 
@@ -82,11 +79,11 @@ func main() { systemNamespace string unpackImage string provisionerStorageDirectory string - tlsCert string + caCert string ) flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") - flag.StringVar(&tlsCert, "tls-cert", "", "The TLS certificate to use for verifying HTTPS connections to the Catalogd web server.") + flag.StringVar(&caCert, "ca-cert", "", "The TLS certificate to use for verifying HTTPS connections to the Catalogd web server.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") @@ -156,23 +153,9 @@ func main() { os.Exit(1) } - httpClient := &http.Client{Timeout: 10 * time.Second} - - if tlsCert != "" { - cert, err := os.ReadFile(tlsCert) - if err != nil { - log.Fatalf("Failed to read certificate file: %v", err) - } - caCertPool := x509.NewCertPool() - caCertPool.AppendCertsFromPEM(cert) - tlsConfig := &tls.Config{ - RootCAs: caCertPool, - MinVersion: tls.VersionTLS12, - } - tlsTransport := &http.Transport{ - TLSClientConfig: tlsConfig, - } - httpClient.Transport = tlsTransport + httpClient, err := httputil.BuildHTTPClient(caCert) + if err != nil { + setupLog.Error(err, "unable to create catalogd http client") } cl := mgr.GetClient() diff --git a/config/base/default/kustomization.yaml b/config/base/kustomization.yaml similarity index 99% rename from config/base/default/kustomization.yaml rename to config/base/kustomization.yaml index 6e2a672dd..1b7e00afe 100644 --- a/config/base/default/kustomization.yaml +++ b/config/base/kustomization.yaml 
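Review bot: The help text for the renamed `--ca-cert` flag still reads "The TLS certificate to use for verifying HTTPS connections", unchanged from `--tls-cert`; since the file is now loaded into a root-CA pool, the description should say what the operator has to provide, e.g. `"Path to a PEM file holding the CA certificate(s) used to verify HTTPS connections to the Catalogd web server."`. The rename also removes `--tls-cert` without keeping it as an alias, so a deployment still passing the old name will presumably be rejected at startup; the in-tree overlay is updated in this patch, but that break is worth a line in the commit message. main's body continues outside the hunk.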
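Review bot: On the new side a failure from `httputil.BuildHTTPClient` is only logged with `setupLog.Error`, and execution continues with a nil `httpClient`, whereas the removed code called `log.Fatalf`; an unreadable `--ca-cert` path now turns into a later nil dereference wherever the client is used (outside this hunk) instead of a clean startup failure. The other error paths in main (the `os.Exit(1)` visible at the top of the hunk) exit after logging, so this one should too: `setupLog.Error(err, "unable to create catalogd http client")` followed by `os.Exit(1)`. main's body continues outside the hunk on both sides.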
@@ -15,9 +15,9 @@ namePrefix: operator-controller- # someName: someValue resources: -- ../crd -- ../rbac -- ../manager +- crd +- rbac +- manager # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml #- ../webhook diff --git a/config/base/manager/manager.yaml b/config/base/manager/manager.yaml index 605218229..022426c33 100644 --- a/config/base/manager/manager.yaml +++ b/config/base/manager/manager.yaml @@ -114,6 +114,6 @@ spec: terminationGracePeriodSeconds: 10 volumes: - name: cache - emptyDir: {} + emptyDir: {} - name: bundle-cache emptyDir: {} \ No newline at end of file diff --git a/config/overlays/tls/kustomization.yaml b/config/overlays/tls/kustomization.yaml index d78038704..82fbc91e2 100644 --- a/config/overlays/tls/kustomization.yaml +++ b/config/overlays/tls/kustomization.yaml @@ -6,15 +6,12 @@ namespace: operator-controller-system # "wordpress" becomes "alices-wordpress". # Note that it should also match with the prefix (text before '-') of the namespace # field above. -namePrefix: operator-controller- # the following config is for teaching kustomize how to do var substitution apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ../../base/crd -- ../../base/rbac -- ../../base/manager +- ../../base patches: - target: diff --git a/config/overlays/tls/patches/manager_deployment_cert.yaml b/config/overlays/tls/patches/manager_deployment_cert.yaml index dd35b5f1b..72615bcd5 100644 --- a/config/overlays/tls/patches/manager_deployment_cert.yaml +++ b/config/overlays/tls/patches/manager_deployment_cert.yaml @@ -6,4 +6,4 @@ value: {"name":"ca-certificate", "readOnly": true, "mountPath":"/var/certs"} - op: add path: /spec/template/spec/containers/0/args/- - value: "--tls-cert=/var/certs/tls.crt" \ No newline at end of file + value: "--ca-cert=/var/certs/tls.crt" \ No newline at end of file 
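Review bot: Removing `namePrefix: operator-controller-` from the tls overlay leaves the comment block just above it (`# "wordpress" becomes "alices-wordpress"` … `# Note that it should also match with the prefix (text before '-') of the namespace # field above.`) describing a setting that no longer exists in this file; either drop those comment lines or replace them with `# namePrefix is inherited from ../../base`. As far as the diff shows the base kustomization still sets the prefix, so rendered resource names are unchanged.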
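Review bot: The new argument `--ca-cert=/var/certs/tls.crt` hands a file named `tls.crt` to the manager as its trust anchor; if the `ca-certificate` volume is a TLS-type secret, `tls.crt` is normally the server's leaf certificate and the issuing CA is in `ca.crt`, so verification would only work while that leaf is self-signed or pinned exactly and would break on the first certificate rotation. The secret definition is not in this diff, so this is worth confirming against it and, if it applies, switching the mounted key and the argument to `ca.crt`.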
diff --git a/internal/httputil/httputil.go b/internal/httputil/httputil.go
new file mode 100644
index 000000000..dde765f0a
--- /dev/null
+++ b/internal/httputil/httputil.go
@@ -0,0 +1,34 @@
+package httputil
+
+import (
+ "crypto/tls"
+ "crypto/x509"
+ "net/http"
+ "os"
+ "time"
+)
+
+func BuildHTTPClient(caCert string) (*http.Client, error) {
+ httpClient := &http.Client{Timeout: 10 * time.Second}
+
+ if caCert != "" {
+ // tlsFileWatcher, err := certwatcher.New(caCert, "")
+
+ cert, err := os.ReadFile(caCert)
+ if err != nil {
+ return nil, err
+ }
+ caCertPool := x509.NewCertPool()
+ caCertPool.AppendCertsFromPEM(cert)
+ tlsConfig := &tls.Config{
+ RootCAs: caCertPool,
+ MinVersion: tls.VersionTLS12,
+ }
+ tlsTransport := &http.Transport{
+ TLSClientConfig: tlsConfig,
+ }
+ httpClient.Transport = tlsTransport
+ }
+
+ return httpClient, nil
+}
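Review bot: `caCertPool.AppendCertsFromPEM(cert)` in `BuildHTTPClient` discards its boolean result, so a file that exists but contains no parseable PEM certificate (wrong secret key mounted, empty file, a private key) produces an empty pool and every catalogd request then fails with an opaque "unknown authority" error instead of a clear error at the point the flag is processed. The `os.ReadFile` error is returned bare, although the caller's message (in main.go) does not include the path, so it should be wrapped with the file name; the exported function also has no doc comment and carries a commented-out `certwatcher.New` line that should either be finished or removed. Building `&http.Transport{TLSClientConfig: ...}` from a zero value drops the defaults of `http.DefaultTransport` (proxy from environment, dial and TLS-handshake timeouts, idle-connection limits); cloning the default transport keeps them, as in the rewrite below, which additionally needs `fmt` in the import block.
```go
// BuildHTTPClient returns an HTTP client with a 10s timeout. When caCert is
// non-empty, the PEM file at that path is loaded as the set of root CAs
// trusted for TLS connections (TLS 1.2 minimum).
func BuildHTTPClient(caCert string) (*http.Client, error) {
	httpClient := &http.Client{Timeout: 10 * time.Second}

	if caCert != "" {
		cert, err := os.ReadFile(caCert)
		if err != nil {
			return nil, fmt.Errorf("reading CA certificate %q: %w", caCert, err)
		}
		caCertPool := x509.NewCertPool()
		// An empty pool would make every request fail later with an opaque
		// "unknown authority" error; fail here, where the path is known.
		if !caCertPool.AppendCertsFromPEM(cert) {
			return nil, fmt.Errorf("no CA certificates found in %q", caCert)
		}
		transport := http.DefaultTransport.(*http.Transport).Clone()
		transport.TLSClientConfig = &tls.Config{
			RootCAs:    caCertPool,
			MinVersion: tls.VersionTLS12,
		}
		httpClient.Transport = transport
	}

	return httpClient, nil
}
```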