-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
✨ Certificate support for image registry #960
Conversation
✅ Deploy Preview for olmv1 ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Remove the InsecureSkipTLSVerify annotations. * Create a ClusterIssuer CA (via openssl) that is used by OLMv1 e2e * Update the operator controller to specify a cert directory, rather than a single file. * Use this directory for catalogd and image-registries * Update the deployment to reference CAs appropriately Signed-off-by: Todd Short <tshort@redhat.com>
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #960 +/- ##
==========================================
- Coverage 80.14% 79.28% -0.86%
==========================================
Files 16 16
Lines 1103 1120 +17
==========================================
+ Hits 884 888 +4
- Misses 152 159 +7
- Partials 67 73 +6
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
To consolidate |
Signed-off-by: Todd Short <tshort@redhat.com>
Signed-off-by: Todd Short <tshort@redhat.com>
I can't get kustomize to use a different directory, so I'm applying the yaml for the certificates directly from a file, which also means I can apply them for Tilt from the same source. |
internal/httputil/httputil.go
Outdated
RootCAs: caCertPool, | ||
MinVersion: tls.VersionTLS12, | ||
if info.IsDir() { | ||
return nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the intention to recurse through all subdirectories? I'm tempted to suggest that we stick to finding files in a single named directory without recursing, but I'm curious if you have a specific reason.
To avoid recursing, we can return filepath.SkipDir
here.
return nil | |
return filepath.SkipDir |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, it's intended to skip directories. I didn't see this in any examples.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This appears to skip "."
as a directory, meaning, it skips the current directory... so the e2es fail.
(Or something equally nefarious.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, found one example, and the example has a comparison with a directory name, so we'd need to do that to properly use filepathSkipDir
; not sure it's worth it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe switch over to os.ReadDir()
, which makes the intent more clear anyways?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
will look
|
||
if caCert != "" { | ||
// tlsFileWatcher, err := certwatcher.New(caCert, "") | ||
func LoadCerts(caDir string) (string, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems like it would be a nicer abstraction if this was:
func LoadCerts(caDir string) (string, error) { | |
func AddCertificatesFromDirectory(certPool *x509.CertPool, caDir string) error { ... } |
In which case, we could add each file's content, collect errors reading/adding each file, and then tell callers which specific files failed for which reasons.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not compatible with the current rukpak API, which expects a string of PEM. Maybe when rukpak is fully integrated into operator-controller? I agree that this would be better for a larger directory. There does not appear to be a way to extract certificates/PEM from a CertPool, so it can't be done with this signature, yet.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh I was just looking at LoadCerts
being called in BuildHTTPClient
, which turns around and consumes the certs
string by immediately adding to the caCertPool
.
And that made me think we could pass the caCertPool
into this function and call AppendCertsFromPEM
for each file's contents. Then, when my suggested function signature returns, you end up with caCertPool
having everything in caDir
added to it.
Seems like I'm missing something though?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's also used when creating a BundleDeployment for a rukpak API.
bd := r.generateBundleDeploymentForUnpack(bundle.Image, ext) |
So, we need to change the rukpak API to accept a caPool first, then we can do as you suggest.
scripts/install.tpl.sh
Outdated
kubectl apply -f testdata/certs/issuers.yaml | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This won't work when we publish this install script in our release.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tried numerous ways to get the secret for the ClusterIssuser
into the cert-manager
namespace, but despite trying various transformations:
, I couldn't get kustomize to do it (it wanted to put stuff into the olmv1-system
directory. Using a separate file at least avoids duplication among the two e2e tests. But I can always do it via a HEREDOC.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i.e. if you can figure out how to make kustomize work the way we want, I'd much prefer to do it that way!
Signed-off-by: Todd Short <tshort@redhat.com>
- path: patches/manager_cert_patch.yaml |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
manager_deployment_cert.yaml
and manager_cert_patch.yaml
seem to patch the same deployment and same fields but in different ways. I think it would be good to standardise.
issuerRef: | ||
name: olmv1-ca | ||
kind: ClusterIssuer | ||
group: cert-manager.io |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This introduces a dependency on ClusterIssuer
which is only being created In install.tpl.sh
/in Tilt.
This means it is no longer possible to do this to install:
kubectl apply -f https://github.com/operator-framework/catalogd/releases/download/$CATALOGD_VERSION/catalogd.yaml
kubectl apply -f https://github.com/operator-framework/operator-controller/releases/download/$VERSION/operator-controller.yaml
You have to checkout the repo run the install script.
Are we ok with that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also about related changes in scripts/install.tpl.sh
where we create CA, etc.
As far as I understand - we need to create CA and patch deployment of the manger only for E2E setups. If it is the case - can we put this in config/overlays/e2e/
?
I would like to avoid having to create all this on every cluster just because our E2E setup requires it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need cert-manager regardless, AFAICT, as catalogd now creates certificates. So, the method listed above no longer works (or at least it shouldn't).
I tried to put this into the e2e overlay, but could not get the namespace to work as expected. Please see #960 (comment); I have been unable to figure out how to apply resources into the cert-manager
namespace. i.e. kustomize
seems to be locking me into a single namespace...
TL;DR: The challenge I've run into w/ adding the certificates is being able to put them into the cert-manager namespace for the |
A number of my comments in this PR were based on the understanding that this is only about making our E2E setup work with TLS. After chatting with @joelanford and @tmshort I got more context. The primary objective of the PR to get rid of Explanation from @joelanford:
|
Three follow-ons to this PR:
|
Follow ups should be captured by this epic: #967 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The changes themselves look fine to me, but I noticed the e2es are failing. Any insights as to why?
I made a change that passed due to caching issues... I had to fix it up and it should be ok now. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't love that this is duplicated here and in the HEREDOC, but I also recognize that this setup is temporary. Can we just make sure that our follow-ups include a callout to remove this duplication?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See #967 (comment)
d510ad1
Fixes: #921
Remove the InsecureSkipTLSVerify annotations.
Description
Reviewer Checklist