Implement TLS overlay for Catalogd TLS

Signed-off-by: Tayler Geiger <[email protected]>

Author: trgeiger

.gitignore

@@ -39,3 +39,4 @@ install.sh
 site
 
 .tiltbuild/
+.vscode

.vscode/launch.json

@@ -54,7 +54,7 @@ else
 $(warning Could not find docker or podman in path! This may result in targets requiring a container runtime failing!) 
 endif
 
-KUSTOMIZE_BUILD_DIR := config/default
+KUSTOMIZE_BUILD_DIR := config/overlays/tls
 
 # Disable -j flag for make
 .NOTPARALLEL:
@@ -148,7 +148,7 @@ build-push-e2e-catalog: ## Build the testdata catalog used for e2e tests and pus
 # for example: ARTIFACT_PATH=/tmp/artifacts make test-e2e
 .PHONY: test-e2e
 test-e2e: KIND_CLUSTER_NAME := operator-controller-e2e
-test-e2e: KUSTOMIZE_BUILD_DIR := config/e2e
+test-e2e: KUSTOMIZE_BUILD_DIR := config/base/e2e
 test-e2e: GO_BUILD_FLAGS := -cover
 test-e2e: run image-registry build-push-e2e-catalog kind-load-test-artifacts e2e e2e-coverage kind-clean #HELP Run e2e test suite on local kind cluster
 

Makefile

@@ -9,7 +9,7 @@ repos = cfg.get('repos', ['operator-controller', 'catalogd'])
 
 repo = {
     'image': 'quay.io/operator-framework/operator-controller',
-    'yaml': 'config/default',
+    'yaml': 'config/overlays/tls',
     'binaries': {
         'manager': 'operator-controller-controller-manager',
     },

Tiltfile

@@ -17,9 +17,11 @@ limitations under the License.
 package main
 
 import (
+	"crypto/tls"
 	"crypto/x509"
 	"flag"
 	"fmt"
+	"log"
 	"net/http"
 	"net/url"
 	"os"
@@ -80,9 +82,11 @@ func main() {
 		systemNamespace             string
 		unpackImage                 string
 		provisionerStorageDirectory string
+		tlsCert                     string
 	)
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
+	flag.StringVar(&tlsCert, "tls-cert", "", "The TLS certificate to use for verifying HTTPS connections to the Catalogd web server.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
@@ -152,8 +156,27 @@ func main() {
 		os.Exit(1)
 	}
 
+	httpClient := &http.Client{Timeout: 10 * time.Second}
+
+	if tlsCert != "" {
+		cert, err := os.ReadFile(tlsCert)
+		if err != nil {
+			log.Fatalf("Failed to read certificate file: %v", err)
+		}
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(cert)
+		tlsConfig := &tls.Config{
+			RootCAs:    caCertPool,
+			MinVersion: tls.VersionTLS12,
+		}
+		tlsTransport := &http.Transport{
+			TLSClientConfig: tlsConfig,
+		}
+		httpClient.Transport = tlsTransport
+	}
+
 	cl := mgr.GetClient()
-	catalogClient := catalogclient.New(cl, cache.NewFilesystemCache(cachePath, &http.Client{Timeout: 10 * time.Second}))
+	catalogClient := catalogclient.New(cl, cache.NewFilesystemCache(cachePath, httpClient))
 
 	cfgGetter, err := helmclient.NewActionConfigGetter(mgr.GetConfig(), mgr.GetRESTMapper(), helmclient.StorageNamespaceMapper(func(o client.Object) (string, error) {
 		return systemNamespace, nil

cmd/manager/main.go

@@ -114,6 +114,6 @@ spec:
       terminationGracePeriodSeconds: 10
       volumes:
         - name: cache
-          emptyDir: {}
+          emptyDir: {} 
         - name: bundle-cache
-          emptyDir: {}
+          emptyDir: {}

config/crd/bases/olm.operatorframework.io_clusterextensions.yaml renamed to config/base/crd/bases/olm.operatorframework.io_clusterextensions.yaml

@@ -20,7 +20,7 @@ rules:
 - apiGroups:
   - catalogd.operatorframework.io
   resources:
-  - catalogs
+  - clustercatalogs
   verbs:
   - list
   - watch

config/crd/bases/olm.operatorframework.io_extensions.yaml renamed to config/base/crd/bases/olm.operatorframework.io_extensions.yaml

@@ -0,0 +1,27 @@
+# Adds namespace to all resources.
+namespace: operator-controller-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: operator-controller-
+
+# the following config is for teaching kustomize how to do var substitution
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base/crd
+- ../../base/rbac
+- ../../base/manager
+
+patches:
+- target:
+    kind: Deployment
+    name: controller-manager
+  path: patches/manager_deployment_cert.yaml
+- target:
+    kind: Namespace
+    name: system
+  path: patches/manager_namespace_label.yaml

config/crd/kustomization.yaml renamed to config/base/crd/kustomization.yaml

@@ -0,0 +1,9 @@
+- op: add
+  path: /spec/template/spec/volumes/-
+  value: {"name":"ca-certificate", "secret":{"secretName":"catalogd-catalogserver-cert", "optional": false, "items": [{"key": "tls.crt", "path": "tls.crt"}]}}
+- op: add
+  path: /spec/template/spec/containers/0/volumeMounts/-
+  value: {"name":"ca-certificate", "readOnly": true, "mountPath":"/var/certs"}
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: "--tls-cert=/var/certs/tls.crt"

config/crd/kustomizeconfig.yaml renamed to config/base/crd/kustomizeconfig.yaml

@@ -0,0 +1,3 @@
+- op: add
+  path: /metadata/labels/trust
+  value: "enabled"

config/default/kustomization.yaml renamed to config/base/default/kustomization.yaml

@@ -1,5 +1,5 @@
 apiVersion: catalogd.operatorframework.io/v1alpha1
-kind: Catalog
+kind: ClusterCatalog
 metadata:
   name: operatorhubio
 spec:

config/e2e/kustomization.yaml renamed to config/base/e2e/kustomization.yaml

@@ -108,7 +108,7 @@ type InstalledBundleGetter interface {
 //+kubebuilder:rbac:groups=core,resources=pods/log,verbs=get
 //+kubebuilder:rbac:groups=*,resources=*,verbs=*
 
-//+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=catalogs,verbs=list;watch
+//+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=clustercatalogs,verbs=list;watch
 //+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=catalogmetadata,verbs=list;watch
 
 // The operator controller needs to watch all the bundle objects and reconcile accordingly. Though not ideal, but these permissions are required.

config/e2e/manager_e2e_coverage_copy_pod.yaml renamed to config/base/e2e/manager_e2e_coverage_copy_pod.yaml

@@ -35,8 +35,8 @@ function kubectl_wait() {
 kubectl apply -f "https://github.com/cert-manager/cert-manager/releases/download/${cert_mgr_version}/cert-manager.yaml"
 kubectl_wait "cert-manager" "deployment/cert-manager-webhook" "60s"
 
-kubectl apply -f "https://github.com/operator-framework/catalogd/releases/download/${catalogd_version}/catalogd.yaml"
-kubectl_wait "catalogd-system" "deployment/catalogd-controller-manager" "60s"
+curl -L https://github.com/operator-framework/catalogd/releases/download/${catalogd_version}/catalogd.yaml | sed s/catalogd-system/operator-controller-system/g | kubectl apply -f -
+kubectl_wait "operator-controller-system" "deployment/catalogd-controller-manager" "60s"
 
 kubectl apply -f "${operator_controller_manifest}"
 kubectl_wait "operator-controller-system" "deployment/operator-controller-controller-manager" "60s"