Implement TLS overlay for Catalogd TLS

Signed-off-by: Tayler Geiger <tayler@redhat.com>

.gitignore

@@ -39,3 +39,4 @@ install.sh
 site
 
 .tiltbuild/
+.vscode

Makefile

@@ -54,7 +54,7 @@ else
 $(warning Could not find docker or podman in path! This may result in targets requiring a container runtime failing!) 
 endif
 
-KUSTOMIZE_BUILD_DIR := config/default
+KUSTOMIZE_BUILD_DIR := config/overlays/tls
 
 # Disable -j flag for make
 .NOTPARALLEL:
@@ -95,7 +95,7 @@ tidy: #HELP Update dependencies.
 
 .PHONY: manifests
 manifests: $(CONTROLLER_GEN) #EXHELP Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/base/crd/bases
 
 .PHONY: generate
 generate: $(CONTROLLER_GEN) #EXHELP Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
@@ -148,7 +148,7 @@ build-push-e2e-catalog: ## Build the testdata catalog used for e2e tests and pus
 # for example: ARTIFACT_PATH=/tmp/artifacts make test-e2e
 .PHONY: test-e2e
 test-e2e: KIND_CLUSTER_NAME := operator-controller-e2e
-test-e2e: KUSTOMIZE_BUILD_DIR := config/e2e
+test-e2e: KUSTOMIZE_BUILD_DIR := config/base/e2e
 test-e2e: GO_BUILD_FLAGS := -cover
 test-e2e: run image-registry build-push-e2e-catalog kind-load-test-artifacts e2e e2e-coverage kind-clean #HELP Run e2e test suite on local kind cluster
 

Tiltfile

@@ -9,7 +9,7 @@ repos = cfg.get('repos', ['operator-controller', 'catalogd'])
 
 repo = {
     'image': 'quay.io/operator-framework/operator-controller',
-    'yaml': 'config/default',
+    'yaml': 'config/overlays/tls',
     'binaries': {
         'manager': 'operator-controller-controller-manager',
     },

cmd/manager/main.go

@@ -17,9 +17,11 @@ limitations under the License.
 package main
 
 import (
+	"crypto/tls"
 	"crypto/x509"
 	"flag"
 	"fmt"
+	"log"
 	"net/http"
 	"net/url"
 	"os"
@@ -80,9 +82,11 @@ func main() {
 		systemNamespace             string
 		unpackImage                 string
 		provisionerStorageDirectory string
+		tlsCert                     string
 	)
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
+	flag.StringVar(&tlsCert, "tls-cert", "", "The TLS certificate to use for verifying HTTPS connections to the Catalogd web server.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
@@ -152,8 +156,27 @@ func main() {
 		os.Exit(1)
 	}
 
+	httpClient := &http.Client{Timeout: 10 * time.Second}
+
+	if tlsCert != "" {
+		cert, err := os.ReadFile(tlsCert)
+		if err != nil {
+			log.Fatalf("Failed to read certificate file: %v", err)
+		}
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(cert)
+		tlsConfig := &tls.Config{
+			RootCAs:    caCertPool,
+			MinVersion: tls.VersionTLS12,
+		}
+		tlsTransport := &http.Transport{
+			TLSClientConfig: tlsConfig,
+		}
+		httpClient.Transport = tlsTransport
+	}
+
 	cl := mgr.GetClient()
-	catalogClient := catalogclient.New(cl, cache.NewFilesystemCache(cachePath, &http.Client{Timeout: 10 * time.Second}))
+	catalogClient := catalogclient.New(cl, cache.NewFilesystemCache(cachePath, httpClient))
 
 	cfgGetter, err := helmclient.NewActionConfigGetter(mgr.GetConfig(), mgr.GetRESTMapper(), helmclient.StorageNamespaceMapper(func(o client.Object) (string, error) {
 		return systemNamespace, nil

config/crd/kustomization.yaml → config/base/crd/kustomization.yaml

@@ -3,7 +3,6 @@
 # It should be run by config/default
 resources:
 - bases/olm.operatorframework.io_clusterextensions.yaml
-- bases/olm.operatorframework.io_extensions.yaml
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 configurations:

config/e2e/kustomization.yaml → config/base/e2e/kustomization.yaml

@@ -1,7 +1,7 @@
 namespace: operator-controller-system
 
 resources:
-- ../default
+- ../../overlays/tls
 - manager_e2e_coverage_pvc.yaml
 - manager_e2e_coverage_copy_pod.yaml
 

config/manager/manager.yaml → config/base/manager/manager.yaml

@@ -114,6 +114,6 @@ spec:
       terminationGracePeriodSeconds: 10
       volumes:
         - name: cache
-          emptyDir: {}
+          emptyDir: {} 
         - name: bundle-cache
-          emptyDir: {}
+          emptyDir: {}

config/rbac/role.yaml → config/base/rbac/role.yaml

@@ -20,7 +20,7 @@ rules:
 - apiGroups:
   - catalogd.operatorframework.io
   resources:
-  - catalogs
+  - clustercatalogs
   verbs:
   - list
   - watch