✨ Update to catalogd v0.17.0 to share a common certificate issuer (#970)

* Reorganize config to support reusable components

Update to catalogd v0.17.0 to share a common certificate issuer

Signed-off-by: Todd Short <tshort@redhat.com>

* fixup! Reorganize config to support reusable components

Signed-off-by: Todd Short <tshort@redhat.com>

---------

Signed-off-by: Todd Short <tshort@redhat.com>

Makefile

@@ -54,7 +54,7 @@ else
 $(warning Could not find docker or podman in path! This may result in targets requiring a container runtime failing!)
 endif
 
-KUSTOMIZE_BUILD_DIR := config/overlays/tls
+KUSTOMIZE_BUILD_DIR := config/overlays/cert-manager
 
 # Disable -j flag for make
 .NOTPARALLEL:
@@ -155,6 +155,7 @@ test-e2e: GO_BUILD_FLAGS := -cover
 test-e2e: run image-registry build-push-e2e-catalog registry-load-bundles e2e e2e-coverage kind-clean #HELP Run e2e test suite on local kind cluster
 
 .PHONY: extension-developer-e2e
+extension-developer-e2e: KUSTOMIZE_BUILD_DIR := config/overlays/cert-manager
 extension-developer-e2e: KIND_CLUSTER_NAME := operator-controller-ext-dev-e2e  #EXHELP Run extension-developer e2e on local kind cluster
 extension-developer-e2e: run image-registry test-ext-dev-e2e kind-clean
 

Tiltfile

@@ -1,23 +1,21 @@
 if not os.path.exists('../tilt-support'):
     fail('Please clone https://github.com/operator-framework/tilt-support to ../tilt-support')
 
-load('../tilt-support/Tiltfile', 'deploy_repo', 'process_yaml')
+load('../tilt-support/Tiltfile', 'deploy_repo')
 
 config.define_string_list('repos', args=True)
 cfg = config.parse()
 repos = cfg.get('repos', ['operator-controller', 'catalogd'])
 
 repo = {
     'image': 'quay.io/operator-framework/operator-controller',
-    'yaml': 'config/overlays/tls',
+    'yaml': 'config/overlays/cert-manager',
     'binaries': {
         'manager': 'operator-controller-controller-manager',
     },
     'starting_debug_port': 30000,
 }
 
-process_yaml("testdata/certs/issuers.yaml")
-
 for r in repos:
     if r == 'operator-controller':
         deploy_repo('operator-controller', repo)

config/README.md

@@ -0,0 +1,52 @@
+# OPERATOR-CONTROLLER CONFIG
+
+## config/base
+
+This provides an insecure (i.e. no TLS) basic configuration of operator-controller.
+
+This configuration specifies a namespace of `olmv1-system`.
+
+## config/overlays/cert-manager
+
+This includes support for a secure (i.e. with TLS) configuration of operator-controller. This configuration uses:
+* config/base
+* config/components/tls
+* config/components/ca
+
+This configuration requires cert-manager.
+
+## config/overlays/e2e
+
+This provides additional configuration support for end-to-end testing, including code coverage. This configuration uses:
+* config/base
+* config/components/tls
+* config/components/ca
+* config/components/coverage
+
+This configuration requires cert-manager.
+
+## Components
+
+Each of the `kustomization.yaml` files specify a `Component`, rather than an overlay.
+
+### config/components/tls
+
+This provides a basic configuration of operator-controller with TLS support for catalogd.
+
+This component specifies the `olmv1-system` namespace.
+
+This component requires cert-manager.
+
+### config/components/coverage
+
+Provides configuration for code coverage.
+
+This component specifies the `olmv1-system` namespace.
+
+### config/components/ca
+
+Procides a CA for operator-controller operation.
+
+This component _does not_ specify a namespace, and must be included last.
+
+This component requires cert-manager.

config/components/ca/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+# No namespace is specified here, otherwise, it will overwrite _all_ the other namespaces!
+resources:
+- issuers.yaml

config/components/coverage/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+namespace: olmv1-system
+resources:
+- manager_e2e_coverage_pvc.yaml
+- manager_e2e_coverage_copy_pod.yaml
+patches:
+- path: manager_e2e_coverage_patch.yaml

config/components/tls/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+namespace: olmv1-system
+resources:
+- resources/manager_cert.yaml
+patches:
+- target:
+    kind: Deployment
+    name: controller-manager
+  path: patches/manager_deployment_cert.yaml

config/components/tls/patches/manager_deployment_cert.yaml

@@ -0,0 +1,9 @@
+- op: add
+  path: /spec/template/spec/volumes/-
+  value: {"name":"olmv1-certificate", "secret":{"secretName":"olmv1-cert", "optional": false, "items": [{"key": "ca.crt", "path": "olm-ca.crt"}]}}
+- op: add
+  path: /spec/template/spec/containers/0/volumeMounts/-
+  value: {"name":"olmv1-certificate", "readOnly": true, "mountPath":"/var/certs/olm-ca.crt", "subPath":"olm-ca.crt"}
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: "--ca-certs-dir=/var/certs"

config/overlays/cert-manager/kustomization.yaml

@@ -0,0 +1,10 @@
+# kustomization file for secure operator-controller
+# DO NOT ADD A NAMESPACE HERE
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+components:
+- ../../components/tls
+# ca must be last or tls will overwrite the namespaces
+- ../../components/ca

config/overlays/e2e/kustomization.yaml

@@ -1,9 +1,11 @@
-namespace: olmv1-system
-
+# kustomization file for all the e2e's
+# DO NOT ADD A NAMESPACE HERE
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
 resources:
-- ../../overlays/tls
-- manager_e2e_coverage_pvc.yaml
-- manager_e2e_coverage_copy_pod.yaml
-
-patches:
-- path: manager_e2e_coverage_patch.yaml
+- ../../base
+components:
+- ../../components/tls
+- ../../components/coverage
+# ca must be last or (tls|coverage) will overwrite the namespaces
+- ../../components/ca

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/go-logr/logr v1.4.2
 	github.com/google/go-cmp v0.6.0
 	github.com/operator-framework/api v0.26.0
-	github.com/operator-framework/catalogd v0.16.0
+	github.com/operator-framework/catalogd v0.17.0
 	github.com/operator-framework/helm-operator-plugins v0.2.2-0.20240520180534-f463c36fedf9
 	github.com/operator-framework/operator-registry v1.44.0
 	github.com/operator-framework/rukpak v0.24.0

go.sum

@@ -606,8 +606,8 @@ github.com/openshift/crd-schema-checker v0.0.0-20240404194209-35a9033b1d11 h1:eT
 github.com/openshift/crd-schema-checker v0.0.0-20240404194209-35a9033b1d11/go.mod h1:EmVJt97N+pfWFsli/ipXTBZqSG5F5KGQhm3c3IsGq1o=
 github.com/operator-framework/api v0.26.0 h1:YVntU2NkVl5zSLLwK5kFcH6P3oSvN9QDgTsY9mb4yUM=
 github.com/operator-framework/api v0.26.0/go.mod h1:3IxOwzVUeGxYlzfwKCcfCyS+q3EEhWA/4kv7UehbeyM=
-github.com/operator-framework/catalogd v0.16.0 h1:9J3Kg5ey5NptXReZ7J0ZAarXEz6RsWanfeWhurDtVh0=
-github.com/operator-framework/catalogd v0.16.0/go.mod h1:7zVv39zlmvJvRePtRzdMRqn8s/WRH4ALXMJCKNQMKmc=
+github.com/operator-framework/catalogd v0.17.0 h1:Vsl32qKf2nKbAnKNfJ6eREOkirx5+oxpUuSwMxGS/dc=
+github.com/operator-framework/catalogd v0.17.0/go.mod h1:7zVv39zlmvJvRePtRzdMRqn8s/WRH4ALXMJCKNQMKmc=
 github.com/operator-framework/helm-operator-plugins v0.2.2-0.20240520180534-f463c36fedf9 h1:f7/TMBpuIZEQ3JbD9UyP1L1ZCSLLWdR2aPN+A+dOHFY=
 github.com/operator-framework/helm-operator-plugins v0.2.2-0.20240520180534-f463c36fedf9/go.mod h1:ly6Bd9rSzmt37Wy6WtZHmA+IY9zG958MryJFLcVpCXw=
 github.com/operator-framework/operator-lib v0.14.0 h1:er+BgZymZD1im2wytLJiPLZpGALAX6N0gXaHx3PKbO4=

scripts/install.tpl.sh

@@ -35,42 +35,6 @@ function kubectl_wait() {
 kubectl apply -f "https://github.com/cert-manager/cert-manager/releases/download/${cert_mgr_version}/cert-manager.yaml"
 kubectl_wait "cert-manager" "deployment/cert-manager-webhook" "60s"
 
-# Create a self-signed ClusterIssuer
-kubectl apply -f - <<EOF
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: self-sign-issuer
-  namespace: cert-manager
-spec:
-  selfSigned: {}
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: olmv1-ca
-  namespace: cert-manager
-spec:
-  isCA: true
-  commonName: olmv1-ca
-  secretName: olmv1-ca
-  privateKey:
-    algorithm: ECDSA
-    size: 256
-  issuerRef:
-    name: self-sign-issuer
-    kind: Issuer
-    group: cert-manager.io
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: olmv1-ca
-spec:
-  ca:
-    secretName: olmv1-ca
-EOF
-
 kubectl apply -f "https://github.com/operator-framework/catalogd/releases/download/${catalogd_version}/catalogd.yaml"
 kubectl_wait "olmv1-system" "deployment/catalogd-controller-manager" "60s"