⚠ add TLS overlay for Catalogd v0.13.0 web server TLS #888

trgeiger · 2024-05-23T19:41:10Z

Description

Updates the Catalogd dependency to v0.14.0 which uses TLS for the web server and olmv1-system for the namespace

shifts manifests structure to use an overlay, similar to catalogd and rukpak
installs Catalogd to the operator-controller-system namespace so operator-controller can access its tls.crt
adds a flag to the manager specifying the ca cert to use for TLS authentication
change default namespace to olmv1-system

Reviewer Checklist

API Go Documentation
Tests: Unit Tests (and E2E Tests, if appropriate)
Comprehensive Commit Messages
Links to related GitHub Issue(s)

netlify · 2024-05-23T19:41:26Z

✅ Deploy Preview for olmv1 ready!

Name	Link
🔨 Latest commit	`3755d66`
🔍 Latest deploy log	https://app.netlify.com/sites/olmv1/deploys/666b26139aa753000800389e
😎 Deploy Preview	https://deploy-preview-888--olmv1.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

cmd/manager/main.go

joelanford · 2024-06-05T20:12:20Z

cmd/manager/main.go

+		cert, err := os.ReadFile(tlsCert)
+		if err != nil {
+			log.Fatalf("Failed to read certificate file: %v", err)
+		}


We probably need to anticipate rotation of this cert as well.

I've been trying to figure out a solution for this, but I'm hitting a wall. It looks like this is an issue others have encountered before and there's not a native mechanism for reloading rootCAs in go: golang/go#35887 (comment)

Oh that looks like a minefield. I suppose for now we can punt on handling CA rotation, and revisit if it becomes a practical issue. Maybe just make a separate issue for this?

That sounds good to me, might be a good contribution to make to Go at some point

cmd/manager/main.go

config/base/manager/manager.yaml

config/base/default/kustomization.yaml

config/overlays/tls/kustomization.yaml

config/overlays/tls/patches/manager_namespace_label.yaml

config/overlays/tls/patches/manager_deployment_cert.yaml

config/base/e2e/kustomization.yaml

trgeiger · 2024-06-10T14:18:34Z

Barring any other feedback, the only remaining issue is deciding how we want to handle installing Catalogd to the operator-controller namespace for the purposes of Tilt. We could add some custom logic to one of the tiltfiles, but we could also change Catalogd's default namespace to just be operator-controller-system if we don't have any compelling reasons to keep it in its own namespace. @everettraven would appreciate your thoughts when you're back in the office.

m1kola · 2024-06-11T10:26:40Z

cmd/manager/main.go

 	)
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
+	flag.StringVar(&caCert, "ca-cert", "", "The TLS certificate to use for verifying HTTPS connections to the Catalogd web server.")


Wondering if we should make it more generic: not only about catalogd. E.g. what if we want to pull bundles from a registry with a self-signed certs?

See #905 (comment) for example.

cc @varshaprasad96

I think that is reasonable, but I'd probably recommend doing it in a follow up. Looking at the comment thread you shared, it seems like that is more tailored specifically to the direct image registry client image unpacker hitting a cert issue. It would definitely be nice to generalize the ca certificate loading and behavior but I think it makes the most sense to keep this PR scoped to the catalogd use case and then in a follow up issue look into how we can expand it to support other use cases.

everettraven · 2024-06-11T14:53:34Z

scripts/install.tpl.sh

@@ -35,8 +35,8 @@ function kubectl_wait() {
 kubectl apply -f "https://github.com/cert-manager/cert-manager/releases/download/${cert_mgr_version}/cert-manager.yaml"
 kubectl_wait "cert-manager" "deployment/cert-manager-webhook" "60s"

-kubectl apply -f "https://github.com/operator-framework/catalogd/releases/download/${catalogd_version}/catalogd.yaml"
-kubectl_wait "catalogd-system" "deployment/catalogd-controller-manager" "60s"
+curl -L https://github.com/operator-framework/catalogd/releases/download/${catalogd_version}/catalogd.yaml | sed s/catalogd-system/operator-controller-system/g | kubectl apply -f -


I think this is fine temporarily, but if we are going to use a common namespace I'd like to see if there is a way we could use something like kustomize to have a more declarative and consistent override than using sed.

I wonder if we could make use of the remote targets functionality in Kustomize to help us achieve this and it be a bit more robust (I think we could make sure it only changes the namespace): https://github.com/kubernetes-sigs/kustomize/blob/master/examples/remoteBuild.md

Good point. However, if we do decide to make all OLMv1 components just install into the same namespace by default, then we wouldn't need to do this anymore.

codecov · 2024-06-11T20:17:00Z

Codecov Report

Attention: Patch coverage is 84.61538% with 4 lines in your changes missing coverage. Please review.

Project coverage is 79.34%. Comparing base (8041cc4) to head (3755d66).

Files	Patch %	Lines
cmd/manager/main.go	66.66%	1 Missing and 1 partial ⚠️
internal/httputil/httputil.go	86.66%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #888      +/-   ##
==========================================
+ Coverage   79.15%   79.34%   +0.19%     
==========================================
  Files          15       16       +1     
  Lines        1084     1104      +20     
==========================================
+ Hits          858      876      +18     
- Misses        157      158       +1     
- Partials       69       70       +1

Flag	Coverage Δ
e2e	`58.15% <84.61%> (+0.95%)`	⬆️
unit	`53.71% <7.69%> (-1.00%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Fix references to Catalog and CatalogSpec

Signed-off-by: Tayler Geiger <tayler@redhat.com>

Use v0.14.0 of Catalogd which also uses olmv1-system namespace

trgeiger requested a review from a team as a code owner May 23, 2024 19:41

trgeiger force-pushed the https-catalogd branch 3 times, most recently from a30b4d6 to 8da32c6 Compare May 23, 2024 20:00

trgeiger marked this pull request as draft May 23, 2024 20:08

openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 23, 2024

openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 31, 2024

trgeiger force-pushed the https-catalogd branch from 8da32c6 to fcac7e4 Compare June 4, 2024 20:12

trgeiger changed the title ~~⚠ add trust-manager overlay for Catalogd v0.13.0 web server TLS~~ ⚠ add TLS overlay for Catalogd v0.13.0 web server TLS Jun 4, 2024

trgeiger force-pushed the https-catalogd branch from fcac7e4 to b8fbfdb Compare June 4, 2024 20:32

openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 4, 2024

trgeiger force-pushed the https-catalogd branch 3 times, most recently from e7c719c to d330542 Compare June 4, 2024 21:28

openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 5, 2024

trgeiger force-pushed the https-catalogd branch from d330542 to 940cc15 Compare June 5, 2024 19:56

trgeiger marked this pull request as ready for review June 5, 2024 20:01

openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 5, 2024

trgeiger force-pushed the https-catalogd branch from 940cc15 to 8d56a38 Compare June 5, 2024 20:05