⚠ add TLS overlay for Catalogd v0.13.0 web server TLS (#888)

* Update catalogd dep to v0.13.0

Fix references to Catalog and CatalogSpec

* Implement TLS overlay for Catalogd TLS

Signed-off-by: Tayler Geiger <[email protected]>

* Reorganize TLS changes

* Move e2e to its own overlay

* Change default namespace to olmv1-system

Use v0.14.0 of Catalogd which also uses olmv1-system namespace

---------

Signed-off-by: Tayler Geiger <[email protected]>

Author: trgeiger

.gitignore

@@ -39,3 +39,4 @@ install.sh
 site
 
 .tiltbuild/
+.vscode

Makefile

@@ -54,7 +54,7 @@ else
 $(warning Could not find docker or podman in path! This may result in targets requiring a container runtime failing!) 
 endif
 
-KUSTOMIZE_BUILD_DIR := config/default
+KUSTOMIZE_BUILD_DIR := config/overlays/tls
 
 # Disable -j flag for make
 .NOTPARALLEL:
@@ -95,7 +95,7 @@ tidy: #HELP Update dependencies.
 
 .PHONY: manifests
 manifests: $(CONTROLLER_GEN) #EXHELP Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/base/crd/bases
 
 .PHONY: generate
 generate: $(CONTROLLER_GEN) #EXHELP Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
@@ -150,7 +150,7 @@ build-push-e2e-catalog: ## Build the testdata catalog used for e2e tests and pus
 # for example: ARTIFACT_PATH=/tmp/artifacts make test-e2e
 .PHONY: test-e2e
 test-e2e: KIND_CLUSTER_NAME := operator-controller-e2e
-test-e2e: KUSTOMIZE_BUILD_DIR := config/e2e
+test-e2e: KUSTOMIZE_BUILD_DIR := config/overlays/e2e
 test-e2e: GO_BUILD_FLAGS := -cover
 test-e2e: run image-registry build-push-e2e-catalog registry-load-bundles e2e e2e-coverage kind-clean #HELP Run e2e test suite on local kind cluster
 

Tiltfile

@@ -9,7 +9,7 @@ repos = cfg.get('repos', ['operator-controller', 'catalogd'])
 
 repo = {
     'image': 'quay.io/operator-framework/operator-controller',
-    'yaml': 'config/default',
+    'yaml': 'config/overlays/tls',
     'binaries': {
         'manager': 'operator-controller-controller-manager',
     },

cmd/manager/main.go

@@ -20,11 +20,9 @@ import (
 	"crypto/x509"
 	"flag"
 	"fmt"
-	"net/http"
 	"net/url"
 	"os"
 	"path/filepath"
-	"time"
 
 	"github.com/spf13/pflag"
 	"go.uber.org/zap/zapcore"
@@ -50,6 +48,7 @@ import (
 	"github.com/operator-framework/operator-controller/internal/catalogmetadata/cache"
 	catalogclient "github.com/operator-framework/operator-controller/internal/catalogmetadata/client"
 	"github.com/operator-framework/operator-controller/internal/controllers"
+	"github.com/operator-framework/operator-controller/internal/httputil"
 	"github.com/operator-framework/operator-controller/internal/labels"
 	"github.com/operator-framework/operator-controller/internal/version"
 	"github.com/operator-framework/operator-controller/pkg/features"
@@ -58,7 +57,7 @@ import (
 
 var (
 	setupLog               = ctrl.Log.WithName("setup")
-	defaultSystemNamespace = "operator-controller-system"
+	defaultSystemNamespace = "olmv1-system"
 )
 
 // podNamespace checks whether the controller is running in a Pod vs.
@@ -82,9 +81,11 @@ func main() {
 		operatorControllerVersion   bool
 		systemNamespace             string
 		provisionerStorageDirectory string
+		caCert                      string
 	)
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
+	flag.StringVar(&caCert, "ca-cert", "", "The TLS certificate to use for verifying HTTPS connections to the Catalogd web server.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
@@ -153,8 +154,13 @@ func main() {
 		os.Exit(1)
 	}
 
+	httpClient, err := httputil.BuildHTTPClient(caCert)
+	if err != nil {
+		setupLog.Error(err, "unable to create catalogd http client")
+	}
+
 	cl := mgr.GetClient()
-	catalogClient := catalogclient.New(cl, cache.NewFilesystemCache(cachePath, &http.Client{Timeout: 10 * time.Second}))
+	catalogClient := catalogclient.New(cl, cache.NewFilesystemCache(cachePath, httpClient))
 
 	cfgGetter, err := helmclient.NewActionConfigGetter(mgr.GetConfig(), mgr.GetRESTMapper(), helmclient.StorageNamespaceMapper(func(o client.Object) (string, error) {
 		return systemNamespace, nil

config/crd/bases/olm.operatorframework.io_clusterextensions.yaml renamed to config/base/crd/bases/olm.operatorframework.io_clusterextensions.yaml

@@ -1,5 +1,5 @@
 # Adds namespace to all resources.
-namespace: operator-controller-system
+namespace: olmv1-system
 
 # Value of this field is prepended to the
 # names of all resources, e.g. a deployment named
@@ -15,9 +15,9 @@ namePrefix: operator-controller-
 #    someName: someValue
 
 resources:
-- ../crd
-- ../rbac
-- ../manager
+- crd
+- rbac
+- manager
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
 #- ../webhook

config/crd/kustomization.yaml renamed to config/base/crd/kustomization.yaml

@@ -114,4 +114,4 @@ spec:
         - name: cache
           emptyDir: {}
         - name: bundle-cache
-          emptyDir: {}
+          emptyDir: {}

config/crd/kustomizeconfig.yaml renamed to config/base/crd/kustomizeconfig.yaml

@@ -20,7 +20,7 @@ rules:
 - apiGroups:
   - catalogd.operatorframework.io
   resources:
-  - catalogs
+  - clustercatalogs
   verbs:
   - list
   - watch

config/default/kustomization.yaml renamed to config/base/kustomization.yaml

@@ -1,7 +1,7 @@
-namespace: operator-controller-system
+namespace: olmv1-system
 
 resources:
-- ../default
+- ../../overlays/tls
 - manager_e2e_coverage_pvc.yaml
 - manager_e2e_coverage_copy_pod.yaml
 

config/manager/kustomization.yaml renamed to config/base/manager/kustomization.yaml

@@ -0,0 +1,20 @@
+# Adds namespace to all resources.
+namespace: olmv1-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+
+# the following config is for teaching kustomize how to do var substitution
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+- target:
+    kind: Deployment
+    name: controller-manager
+  path: patches/manager_deployment_cert.yaml

config/manager/manager.yaml renamed to config/base/manager/manager.yaml

@@ -0,0 +1,9 @@
+- op: add
+  path: /spec/template/spec/volumes/-
+  value: {"name":"ca-certificate", "secret":{"secretName":"catalogd-catalogserver-cert", "optional": false, "items": [{"key": "tls.crt", "path": "tls.crt"}]}}
+- op: add
+  path: /spec/template/spec/containers/0/volumeMounts/-
+  value: {"name":"ca-certificate", "readOnly": true, "mountPath":"/var/certs"}
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: "--ca-cert=/var/certs/tls.crt"

config/prometheus/kustomization.yaml renamed to config/base/prometheus/kustomization.yaml

@@ -1,5 +1,5 @@
 apiVersion: catalogd.operatorframework.io/v1alpha1
-kind: Catalog
+kind: ClusterCatalog
 metadata:
   name: operatorhubio
 spec:

config/prometheus/monitor.yaml renamed to config/base/prometheus/monitor.yaml

@@ -10,7 +10,7 @@ require (
 	github.com/go-logr/logr v1.4.2
 	github.com/google/go-cmp v0.6.0
 	github.com/operator-framework/api v0.25.0
-	github.com/operator-framework/catalogd v0.12.0
+	github.com/operator-framework/catalogd v0.14.0
 	github.com/operator-framework/helm-operator-plugins v0.2.2-0.20240520180534-f463c36fedf9
 	github.com/operator-framework/operator-registry v1.43.1
 	github.com/operator-framework/rukpak v0.23.1

config/rbac/auth_proxy_client_clusterrole.yaml renamed to config/base/rbac/auth_proxy_client_clusterrole.yaml

@@ -475,8 +475,8 @@ github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE
 github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/operator-framework/api v0.25.0 h1:pSQwFSoPmZaTIERadawxtCwicehLkC7i9n3w3+70SVI=
 github.com/operator-framework/api v0.25.0/go.mod h1:PvyCQb0x53ytIqdTECH5e+iqv+am3uZ0qGsZWmL35gQ=
-github.com/operator-framework/catalogd v0.12.0 h1:Cww+CyowkfTFugB9ZjUDpKvumh2vPe/TjCUpMHDmVBM=
-github.com/operator-framework/catalogd v0.12.0/go.mod h1:4lryGtBTVOdqlKR0MaVYnlsSOc7HiagVRVo3J4uIo7E=
+github.com/operator-framework/catalogd v0.14.0 h1:M/kDqhH1hBB9amUk7/dAV4WZuJIa5ARboeY6GMjhx0E=
+github.com/operator-framework/catalogd v0.14.0/go.mod h1:84M4gm0JPrwOLVbEOoCns/xjlg4ljenVMPYUO/Cs+Wc=
 github.com/operator-framework/helm-operator-plugins v0.2.2-0.20240520180534-f463c36fedf9 h1:f7/TMBpuIZEQ3JbD9UyP1L1ZCSLLWdR2aPN+A+dOHFY=
 github.com/operator-framework/helm-operator-plugins v0.2.2-0.20240520180534-f463c36fedf9/go.mod h1:ly6Bd9rSzmt37Wy6WtZHmA+IY9zG958MryJFLcVpCXw=
 github.com/operator-framework/operator-lib v0.14.0 h1:er+BgZymZD1im2wytLJiPLZpGALAX6N0gXaHx3PKbO4=

config/rbac/auth_proxy_role.yaml renamed to config/base/rbac/auth_proxy_role.yaml

@@ -4,7 +4,7 @@ set -euo pipefail
 
 COVERAGE_OUTPUT="${COVERAGE_OUTPUT:-e2e-cover.out}"
 
-OPERATOR_CONTROLLER_NAMESPACE="operator-controller-system"
+OPERATOR_CONTROLLER_NAMESPACE="olmv1-system"
 OPERATOR_CONTROLLER_MANAGER_DEPLOYMENT_NAME="operator-controller-controller-manager"
 COPY_POD_NAME="e2e-coverage-copy-pod"
 

config/rbac/auth_proxy_role_binding.yaml renamed to config/base/rbac/auth_proxy_role_binding.yaml

@@ -66,7 +66,7 @@ type filesystemCache struct {
 // resources that have been successfully reconciled, unpacked, and are being served.
 // These requirements help ensure that we can rely on status conditions to determine
 // when to issue a request to update the cached Catalog contents.
-func (fsc *filesystemCache) FetchCatalogContents(ctx context.Context, catalog *catalogd.Catalog) (io.ReadCloser, error) {
+func (fsc *filesystemCache) FetchCatalogContents(ctx context.Context, catalog *catalogd.ClusterCatalog) (io.ReadCloser, error) {
 	if catalog == nil {
 		return nil, fmt.Errorf("error: provided catalog must be non-nil")
 	}

config/rbac/auth_proxy_service.yaml renamed to config/base/rbac/auth_proxy_service.yaml

@@ -54,7 +54,7 @@ func TestCache(t *testing.T) {
 	t.Run("FetchCatalogContents", func(t *testing.T) {
 		type test struct {
 			name           string
-			catalog        *catalogd.Catalog
+			catalog        *catalogd.ClusterCatalog
 			contents       []byte
 			wantErr        bool
 			tripper        *MockTripper
@@ -64,11 +64,11 @@ func TestCache(t *testing.T) {
 		for _, tt := range []test{
 			{
 				name: "valid non-cached fetch",
-				catalog: &catalogd.Catalog{
+				catalog: &catalogd.ClusterCatalog{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-catalog",
 					},
-					Status: catalogd.CatalogStatus{
+					Status: catalogd.ClusterCatalogStatus{
 						ResolvedSource: &catalogd.ResolvedCatalogSource{
 							Type: catalogd.SourceTypeImage,
 							Image: &catalogd.ResolvedImageSource{
@@ -82,11 +82,11 @@ func TestCache(t *testing.T) {
 			},
 			{
 				name: "valid cached fetch",
-				catalog: &catalogd.Catalog{
+				catalog: &catalogd.ClusterCatalog{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-catalog",
 					},
-					Status: catalogd.CatalogStatus{
+					Status: catalogd.ClusterCatalogStatus{
 						ResolvedSource: &catalogd.ResolvedCatalogSource{
 							Type: catalogd.SourceTypeImage,
 							Image: &catalogd.ResolvedImageSource{
@@ -102,11 +102,11 @@ func TestCache(t *testing.T) {
 			},
 			{
 				name: "cached update fetch with changes",
-				catalog: &catalogd.Catalog{
+				catalog: &catalogd.ClusterCatalog{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-catalog",
 					},
-					Status: catalogd.CatalogStatus{
+					Status: catalogd.ClusterCatalogStatus{
 						ResolvedSource: &catalogd.ResolvedCatalogSource{
 							Type: catalogd.SourceTypeImage,
 							Image: &catalogd.ResolvedImageSource{
@@ -122,11 +122,11 @@ func TestCache(t *testing.T) {
 			},
 			{
 				name: "fetch error",
-				catalog: &catalogd.Catalog{
+				catalog: &catalogd.ClusterCatalog{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-catalog",
 					},
-					Status: catalogd.CatalogStatus{
+					Status: catalogd.ClusterCatalogStatus{
 						ResolvedSource: &catalogd.ResolvedCatalogSource{
 							Type: catalogd.SourceTypeImage,
 							Image: &catalogd.ResolvedImageSource{
@@ -141,11 +141,11 @@ func TestCache(t *testing.T) {
 			},
 			{
 				name: "fetch internal server error response",
-				catalog: &catalogd.Catalog{
+				catalog: &catalogd.ClusterCatalog{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-catalog",
 					},
-					Status: catalogd.CatalogStatus{
+					Status: catalogd.ClusterCatalogStatus{
 						ResolvedSource: &catalogd.ResolvedCatalogSource{
 							Type: catalogd.SourceTypeImage,
 							Image: &catalogd.ResolvedImageSource{
@@ -167,11 +167,11 @@ func TestCache(t *testing.T) {
 			},
 			{
 				name: "nil catalog.status.resolvedSource",
-				catalog: &catalogd.Catalog{
+				catalog: &catalogd.ClusterCatalog{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-catalog",
 					},
-					Status: catalogd.CatalogStatus{
+					Status: catalogd.ClusterCatalogStatus{
 						ResolvedSource: nil,
 					},
 				},
@@ -181,11 +181,11 @@ func TestCache(t *testing.T) {
 			},
 			{
 				name: "nil catalog.status.resolvedSource.image",
-				catalog: &catalogd.Catalog{
+				catalog: &catalogd.ClusterCatalog{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test-catalog",
 					},
-					Status: catalogd.CatalogStatus{
+					Status: catalogd.ClusterCatalogStatus{
 						ResolvedSource: &catalogd.ResolvedCatalogSource{
 							Image: nil,
 						},

config/rbac/clusterextension_editor_role.yaml renamed to config/base/rbac/clusterextension_editor_role.yaml

@@ -23,7 +23,7 @@ type Fetcher interface {
 	// server for the catalog provided. It returns an io.ReadCloser
 	// containing the FBC contents that the caller is expected to close.
 	// returns an error if any occur.
-	FetchCatalogContents(ctx context.Context, catalog *catalogd.Catalog) (io.ReadCloser, error)
+	FetchCatalogContents(ctx context.Context, catalog *catalogd.ClusterCatalog) (io.ReadCloser, error)
 }
 
 func New(cl client.Client, fetcher Fetcher) *Client {
@@ -46,7 +46,7 @@ type Client struct {
 func (c *Client) Bundles(ctx context.Context) ([]*catalogmetadata.Bundle, error) {
 	var allBundles []*catalogmetadata.Bundle
 
-	var catalogList catalogd.CatalogList
+	var catalogList catalogd.ClusterCatalogList
 	if err := c.cl.List(ctx, &catalogList); err != nil {
 		return nil, err
 	}