From b128ce3e0724d788b26ec4113554eaa9bf29f4ba Mon Sep 17 00:00:00 2001 From: Todd Short Date: Mon, 17 Jun 2024 11:43:03 -0400 Subject: [PATCH 1/7] Certificate support for image registry Remove the InsecureSkipTLSVerify annotations. * Create a ClusterIssuer CA (via openssl) that is used by OLMv1 e2e * Update the operator controller to specify a cert directory, rather than a single file. * Use this directory for catalogd and image-registries * Update the deployment to reference CAs appropriately Signed-off-by: Todd Short --- Makefile | 1 + cmd/manager/main.go | 7 ++- config/overlays/certs/kustomization.yaml | 8 +++ config/overlays/certs/manager_cert.yaml | 16 +++++ config/overlays/certs/manager_cert_patch.yaml | 23 +++++++ config/overlays/e2e/kustomization.yaml | 2 +- .../tls/patches/manager_deployment_cert.yaml | 6 +- .../clusterextension_controller.go | 28 ++++----- internal/httputil/httputil.go | 60 ++++++++++++++----- scripts/install.tpl.sh | 36 +++++++++++ test/e2e/cluster_extension_install_test.go | 3 - .../extension_developer_test.go | 3 - test/tools/image-registry.sh | 12 +--- 13 files changed, 149 insertions(+), 56 deletions(-) create mode 100644 config/overlays/certs/kustomization.yaml create mode 100644 config/overlays/certs/manager_cert.yaml create mode 100644 config/overlays/certs/manager_cert_patch.yaml diff --git a/Makefile b/Makefile index e46cc379a..c437e7e7a 100644 --- a/Makefile +++ b/Makefile @@ -155,6 +155,7 @@ test-e2e: GO_BUILD_FLAGS := -cover test-e2e: run image-registry build-push-e2e-catalog registry-load-bundles e2e e2e-coverage kind-clean #HELP Run e2e test suite on local kind cluster .PHONY: extension-developer-e2e +extension-developer-e2e: KUSTOMIZE_BUILD_DIR := config/overlays/certs extension-developer-e2e: KIND_CLUSTER_NAME := operator-controller-ext-dev-e2e #EXHELP Run extension-developer e2e on local kind cluster extension-developer-e2e: run image-registry test-ext-dev-e2e kind-clean 
diff --git a/cmd/manager/main.go b/cmd/manager/main.go index a91a51b86..27c03372d 100644 --- a/cmd/manager/main.go +++ b/cmd/manager/main.go @@ -79,11 +79,11 @@ func main() { cachePath string operatorControllerVersion bool systemNamespace string - caCert string + caCertDir string ) flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") - flag.StringVar(&caCert, "ca-cert", "", "The TLS certificate to use for verifying HTTPS connections to the Catalogd web server.") + flag.StringVar(&caCertDir, "ca-cert", "", "The directory of TLS certificate to use for verifying HTTPS connections to the Catalogd and docker-registry web servers.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") @@ -151,7 +151,7 @@ func main() { os.Exit(1) } - httpClient, err := httputil.BuildHTTPClient(caCert) + httpClient, err := httputil.BuildHTTPClient(caCertDir) if err != nil { setupLog.Error(err, "unable to create catalogd http client") } @@ -217,6 +217,7 @@ func main() { InstalledBundleGetter: &controllers.DefaultInstalledBundleGetter{ActionClientGetter: acg}, Handler: registryv1handler.HandlerFunc(registry.HandleBundleDeployment), Finalizers: clusterExtensionFinalizers, + CaCertDir: caCertDir, }).SetupWithManager(mgr); err != nil { setupLog.Error(err, "unable to create controller", "controller", "ClusterExtension") os.Exit(1) diff --git a/config/overlays/certs/kustomization.yaml b/config/overlays/certs/kustomization.yaml new file mode 100644 index 000000000..697e26ebb --- /dev/null +++ b/config/overlays/certs/kustomization.yaml @@ -0,0 +1,8 @@ +namespace: olmv1-system + +resources: +- ../../overlays/tls +- manager_cert.yaml + +patches: +- path: manager_cert_patch.yaml 
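Review bot: After `httpClient, err := httputil.BuildHTTPClient(caCertDir)` the error is only logged, so a failure to read the CA directory (or the system pool, which BuildHTTPClient now consults) leaves httpClient nil and main continues into controller setup, whereas the other setup failures visible in this function call `os.Exit(1)`. Suggest `setupLog.Error(err, "unable to create catalogd http client")` followed by `os.Exit(1)` in that branch. The `--ca-cert` help string "The directory of TLS certificate to use ..." reads oddly; `"Directory of PEM CA certificates used to verify HTTPS connections to the catalogd and image-registry servers."` would be clearer (the flag itself is later renamed to `--ca-certs-dir` in patch 6). main's body continues outside the hunk.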
diff --git a/config/overlays/certs/manager_cert.yaml b/config/overlays/certs/manager_cert.yaml new file mode 100644 index 000000000..a7a19f4dd --- /dev/null +++ b/config/overlays/certs/manager_cert.yaml @@ -0,0 +1,16 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: olmv1-cert +spec: + secretName: olmv1-cert + dnsNames: + - operator-controller.olmv1-system.svc + - operator-controller.olmv1-system.svc.cluster.local + privateKey: + algorithm: ECDSA + size: 256 + issuerRef: + name: olmv1-ca + kind: ClusterIssuer + group: cert-manager.io diff --git a/config/overlays/certs/manager_cert_patch.yaml b/config/overlays/certs/manager_cert_patch.yaml new file mode 100644 index 000000000..959d53a9a --- /dev/null +++ b/config/overlays/certs/manager_cert_patch.yaml @@ -0,0 +1,23 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: kube-rbac-proxy + - name: manager + volumeMounts: + - name: e2e-cert + mountPath: /var/certs/olm-ca.crt + subPath: olm-ca.crt + readOnly: true + volumes: + - name: e2e-cert + secret: + secretName: olmv1-cert + items: + - key: ca.crt + path: olm-ca.crt diff --git a/config/overlays/e2e/kustomization.yaml b/config/overlays/e2e/kustomization.yaml index e9a19438f..9bc1bd43b 100644 --- a/config/overlays/e2e/kustomization.yaml +++ b/config/overlays/e2e/kustomization.yaml @@ -1,7 +1,7 @@ namespace: olmv1-system resources: -- ../../overlays/tls +- ../../overlays/certs - manager_e2e_coverage_pvc.yaml - manager_e2e_coverage_copy_pod.yaml diff --git a/config/overlays/tls/patches/manager_deployment_cert.yaml b/config/overlays/tls/patches/manager_deployment_cert.yaml index 72615bcd5..18e465164 100644 --- a/config/overlays/tls/patches/manager_deployment_cert.yaml +++ b/config/overlays/tls/patches/manager_deployment_cert.yaml 
@@ -1,9 +1,9 @@ - op: add path: /spec/template/spec/volumes/- - value: {"name":"ca-certificate", "secret":{"secretName":"catalogd-catalogserver-cert", "optional": false, "items": [{"key": "tls.crt", "path": "tls.crt"}]}} + value: {"name":"catalogd-certificate", "secret":{"secretName":"catalogd-catalogserver-cert", "optional": false, "items": [{"key": "ca.crt", "path": "catalogd.crt"}]}} - op: add path: /spec/template/spec/containers/0/volumeMounts/- - value: {"name":"ca-certificate", "readOnly": true, "mountPath":"/var/certs"} + value: {"name":"catalogd-certificate", "readOnly": true, "mountPath":"/var/certs/catalogd.crt", "subPath":"catalogd.crt"} - op: add path: /spec/template/spec/containers/0/args/- - value: "--ca-cert=/var/certs/tls.crt" \ No newline at end of file + value: "--ca-cert=/var/certs" diff --git a/internal/controllers/clusterextension_controller.go b/internal/controllers/clusterextension_controller.go index b7572fe89..72a43ae8c 100644 --- a/internal/controllers/clusterextension_controller.go +++ b/internal/controllers/clusterextension_controller.go @@ -73,6 +73,7 @@ import ( catalogfilter "github.com/operator-framework/operator-controller/internal/catalogmetadata/filter" catalogsort "github.com/operator-framework/operator-controller/internal/catalogmetadata/sort" "github.com/operator-framework/operator-controller/internal/conditionsets" + "github.com/operator-framework/operator-controller/internal/httputil" "github.com/operator-framework/operator-controller/internal/labels" ) 
@@ -90,16 +91,13 @@ type ClusterExtensionReconciler struct { cache cache.Cache InstalledBundleGetter InstalledBundleGetter Finalizers crfinalizer.Finalizers + CaCertDir string } type InstalledBundleGetter interface { GetInstalledBundle(ctx context.Context, ext *ocv1alpha1.ClusterExtension) (*ocv1alpha1.BundleMetadata, error) } -const ( - bundleConnectionAnnotation string = "bundle.connection.config/insecureSkipTLSVerify" -) - //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensions,verbs=get;list;watch //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensions/status,verbs=update;patch //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensions/finalizers,verbs=update @@ -249,7 +247,7 @@ func (r *ClusterExtensionReconciler) reconcile(ctx context.Context, ext *ocv1alp // Generate a BundleDeployment from the ClusterExtension to Unpack. // Note: The BundleDeployment here is not a k8s API, its a simple Go struct which // necessary embedded values. - bd := r.generateBundleDeploymentForUnpack(bundle.Image, ext) + bd := r.generateBundleDeploymentForUnpack(ctx, bundle.Image, ext) unpackResult, err := r.Unpacker.Unpack(ctx, bd) if err != nil { setStatusUnpackFailed(ext, err.Error()) 
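Review bot: The new exported field `CaCertDir` on `ClusterExtensionReconciler` does not follow the Go initialism convention (`CACertDir`) and carries no doc comment; since main.go sets it by name, a rename touches that call site as well. Suggest `// CACertDir is a directory of PEM-encoded CA certificates whose contents are passed to the unpacker for image-registry TLS verification; empty means no extra CA data is passed.` The struct and the surrounding reconcile function both extend beyond this hunk.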
@@ -533,7 +531,11 @@ func SetDeprecationStatus(ext *ocv1alpha1.ClusterExtension, bundle *catalogmetad } } -func (r *ClusterExtensionReconciler) generateBundleDeploymentForUnpack(bundlePath string, ce *ocv1alpha1.ClusterExtension) *rukpakv1alpha2.BundleDeployment { +func (r *ClusterExtensionReconciler) generateBundleDeploymentForUnpack(ctx context.Context, bundlePath string, ce *ocv1alpha1.ClusterExtension) *rukpakv1alpha2.BundleDeployment { + certData, err := httputil.LoadCerts(r.CaCertDir) + if err != nil { + log.FromContext(ctx).WithName("operator-controller").WithValues("cluster-extension", ce.GetName()).Error(err, "unable to get TLS certificate") + } return &rukpakv1alpha2.BundleDeployment{ TypeMeta: metav1.TypeMeta{ Kind: ce.Kind, @@ -549,24 +551,14 @@ func (r *ClusterExtensionReconciler) generateBundleDeploymentForUnpack(bundlePat Type: rukpakv1alpha2.SourceTypeImage, Image: &rukpakv1alpha2.ImageSource{ Ref: bundlePath, - InsecureSkipTLSVerify: isInsecureSkipTLSVerifySet(ce), + InsecureSkipTLSVerify: false, + CertificateData: certData, }, }, }, } } -func isInsecureSkipTLSVerifySet(ce *ocv1alpha1.ClusterExtension) bool { - if ce == nil { - return false - } - value, ok := ce.Annotations[bundleConnectionAnnotation] - if !ok { - return false - } - return value == "true" -} - // SetupWithManager sets up the controller with the Manager. func (r *ClusterExtensionReconciler) SetupWithManager(mgr ctrl.Manager) error { controller, err := ctrl.NewControllerManagedBy(mgr). diff --git a/internal/httputil/httputil.go b/internal/httputil/httputil.go index dde765f0a..b8b7ab958 100644 --- a/internal/httputil/httputil.go +++ b/internal/httputil/httputil.go 
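Review bot: `generateBundleDeploymentForUnpack` now reads every file under `r.CaCertDir` from disk on each reconcile and, when `httputil.LoadCerts` fails, logs and proceeds with an empty `CertificateData`, so an unreadable or misconfigured CA directory surfaces only later as an opaque image-pull TLS failure instead of as a reconcile error. Because the directory content is fixed for the process lifetime, load it once (in `SetupWithManager` or in main) and store the PEM string on the reconciler, or return the error to `reconcile` so it can set a failed status and retry. Whether an empty `CertificateData` with `InsecureSkipTLSVerify: false` falls back to system roots or fails the pull depends on the unpacker, which is outside this diff. Both functions in this hunk continue outside it.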
@@ -5,30 +5,60 @@ import ( "crypto/x509" "net/http" "os" + "path/filepath" + "strings" "time" ) -func BuildHTTPClient(caCert string) (*http.Client, error) { - httpClient := &http.Client{Timeout: 10 * time.Second} - - if caCert != "" { - // tlsFileWatcher, err := certwatcher.New(caCert, "") +func LoadCerts(caDir string) (string, error) { + if caDir == "" { + return "", nil + } - cert, err := os.ReadFile(caCert) + var certs []string + err := filepath.Walk(caDir, func(path string, info os.FileInfo, err error) error { if err != nil { - return nil, err + return err } - caCertPool := x509.NewCertPool() - caCertPool.AppendCertsFromPEM(cert) - tlsConfig := &tls.Config{ - RootCAs: caCertPool, - MinVersion: tls.VersionTLS12, + if info.IsDir() { + return nil } - tlsTransport := &http.Transport{ - TLSClientConfig: tlsConfig, + data, err := os.ReadFile(path) + if err != nil { + return err } - httpClient.Transport = tlsTransport + certs = append(certs, string(data)) + return nil + }) + if err != nil { + return "", err + } + return strings.Join(certs, "\n"), nil +} + +func BuildHTTPClient(caDir string) (*http.Client, error) { + httpClient := &http.Client{Timeout: 10 * time.Second} + + // use the SystemCertPool as a default + caCertPool, err := x509.SystemCertPool() + if err != nil { + return nil, err + } + + certs, err := LoadCerts(caDir) + if err != nil { + return nil, err + } + + caCertPool.AppendCertsFromPEM([]byte(certs)) + tlsConfig := &tls.Config{ + RootCAs: caCertPool, + MinVersion: tls.VersionTLS12, + } + tlsTransport := &http.Transport{ + TLSClientConfig: tlsConfig, } + httpClient.Transport = tlsTransport return httpClient, nil } diff --git a/scripts/install.tpl.sh b/scripts/install.tpl.sh index 1b44ac630..1adfa96ed 100644 --- a/scripts/install.tpl.sh +++ b/scripts/install.tpl.sh 
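Review bot: `caCertPool.AppendCertsFromPEM([]byte(certs))` in BuildHTTPClient discards its boolean, so a directory whose files contain no parseable certificate silently yields a pool holding only system roots and the misconfiguration only shows up later as a handshake failure; check it, e.g. `if !caCertPool.AppendCertsFromPEM([]byte(certs)) && certs != "" { return nil, errors.New("no CA certificates parsed from " + caDir) }` (the import block in this hunk has neither `errors` nor `fmt`, so one must be added). Separately, the bare `&http.Transport{TLSClientConfig: tlsConfig}` is now installed even when `caDir` is empty, whereas before an empty CA path kept `http.DefaultTransport`; that drops `ProxyFromEnvironment` and the default dial, TLS-handshake and idle-connection timeouts. `tlsTransport := http.DefaultTransport.(*http.Transport).Clone()` followed by `tlsTransport.TLSClientConfig = tlsConfig` keeps those defaults while still pinning the pool and `MinVersion`.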
@@ -35,6 +35,42 @@ function kubectl_wait() { kubectl apply -f "https://github.com/cert-manager/cert-manager/releases/download/${cert_mgr_version}/cert-manager.yaml" kubectl_wait "cert-manager" "deployment/cert-manager-webhook" "60s" +# Create the self-signed certificate for the ClusterIssuer and the ClusterIssuer +kubectl apply -f - < Date: Fri, 21 Jun 2024 13:15:01 -0400 Subject: [PATCH 2/7] fixup! Certificate support for image registry Signed-off-by: Todd Short --- Makefile | 1 - cmd/manager/main.go | 2 +- config/overlays/certs/kustomization.yaml | 8 -------- config/overlays/e2e/kustomization.yaml | 2 +- config/overlays/tls/kustomization.yaml | 4 +++- .../{certs => tls/patches}/manager_cert_patch.yaml | 0 config/overlays/tls/patches/manager_deployment_cert.yaml | 2 +- .../overlays/{certs => tls/resources}/manager_cert.yaml | 0 internal/controllers/clusterextension_controller.go | 5 ++--- 9 files changed, 8 insertions(+), 16 deletions(-) delete mode 100644 config/overlays/certs/kustomization.yaml rename config/overlays/{certs => tls/patches}/manager_cert_patch.yaml (100%) rename config/overlays/{certs => tls/resources}/manager_cert.yaml (100%) diff --git a/Makefile b/Makefile index c437e7e7a..e46cc379a 100644 --- a/Makefile +++ b/Makefile @@ -155,7 +155,6 @@ test-e2e: GO_BUILD_FLAGS := -cover test-e2e: run image-registry build-push-e2e-catalog registry-load-bundles e2e e2e-coverage kind-clean #HELP Run e2e test suite on local kind cluster .PHONY: extension-developer-e2e -extension-developer-e2e: KUSTOMIZE_BUILD_DIR := config/overlays/certs extension-developer-e2e: KIND_CLUSTER_NAME := operator-controller-ext-dev-e2e #EXHELP Run extension-developer e2e on local kind cluster extension-developer-e2e: run image-registry test-ext-dev-e2e kind-clean diff --git a/cmd/manager/main.go b/cmd/manager/main.go index 27c03372d..de138d522 100644 --- a/cmd/manager/main.go +++ b/cmd/manager/main.go 
@@ -83,7 +83,7 @@ func main() { ) flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") - flag.StringVar(&caCertDir, "ca-cert", "", "The directory of TLS certificate to use for verifying HTTPS connections to the Catalogd and docker-registry web servers.") + flag.StringVar(&caCertDir, "ca-cert-dir", "", "The directory of TLS certificate to use for verifying HTTPS connections to the Catalogd and docker-registry web servers.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") diff --git a/config/overlays/certs/kustomization.yaml b/config/overlays/certs/kustomization.yaml deleted file mode 100644 index 697e26ebb..000000000 --- a/config/overlays/certs/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ -namespace: olmv1-system - -resources: -- ../../overlays/tls -- manager_cert.yaml - -patches: -- path: manager_cert_patch.yaml diff --git a/config/overlays/e2e/kustomization.yaml b/config/overlays/e2e/kustomization.yaml index 9bc1bd43b..e9a19438f 100644 --- a/config/overlays/e2e/kustomization.yaml +++ b/config/overlays/e2e/kustomization.yaml @@ -1,7 +1,7 @@ namespace: olmv1-system resources: -- ../../overlays/certs +- ../../overlays/tls - manager_e2e_coverage_pvc.yaml - manager_e2e_coverage_copy_pod.yaml diff --git a/config/overlays/tls/kustomization.yaml b/config/overlays/tls/kustomization.yaml index 9d8517a68..e7c746a95 100644 --- a/config/overlays/tls/kustomization.yaml +++ b/config/overlays/tls/kustomization.yaml 
@@ -12,9 +12,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base +- resources/manager_cert.yaml patches: - target: kind: Deployment name: controller-manager - path: patches/manager_deployment_cert.yaml \ No newline at end of file + path: patches/manager_deployment_cert.yaml +- path: patches/manager_cert_patch.yaml diff --git a/config/overlays/certs/manager_cert_patch.yaml b/config/overlays/tls/patches/manager_cert_patch.yaml similarity index 100% rename from config/overlays/certs/manager_cert_patch.yaml rename to config/overlays/tls/patches/manager_cert_patch.yaml diff --git a/config/overlays/tls/patches/manager_deployment_cert.yaml b/config/overlays/tls/patches/manager_deployment_cert.yaml index 18e465164..e5f8eac56 100644 --- a/config/overlays/tls/patches/manager_deployment_cert.yaml +++ b/config/overlays/tls/patches/manager_deployment_cert.yaml @@ -6,4 +6,4 @@ value: {"name":"catalogd-certificate", "readOnly": true, "mountPath":"/var/certs/catalogd.crt", "subPath":"catalogd.crt"} - op: add path: /spec/template/spec/containers/0/args/- - value: "--ca-cert=/var/certs" + value: "--ca-cert-dir=/var/certs" diff --git a/config/overlays/certs/manager_cert.yaml b/config/overlays/tls/resources/manager_cert.yaml similarity index 100% rename from config/overlays/certs/manager_cert.yaml rename to config/overlays/tls/resources/manager_cert.yaml diff --git a/internal/controllers/clusterextension_controller.go b/internal/controllers/clusterextension_controller.go index 72a43ae8c..4051dde71 100644 --- a/internal/controllers/clusterextension_controller.go +++ b/internal/controllers/clusterextension_controller.go 
@@ -550,9 +550,8 @@ func (r *ClusterExtensionReconciler) generateBundleDeploymentForUnpack(ctx conte Source: rukpakv1alpha2.BundleSource{ Type: rukpakv1alpha2.SourceTypeImage, Image: &rukpakv1alpha2.ImageSource{ - Ref: bundlePath, - InsecureSkipTLSVerify: false, - CertificateData: certData, + Ref: bundlePath, + CertificateData: certData, }, }, }, From 6155df5a892de0dbfd366e7ed19c7035089c29cb Mon Sep 17 00:00:00 2001 From: Todd Short Date: Fri, 21 Jun 2024 19:04:37 -0400 Subject: [PATCH 3/7] fixup! Certificate support for image registry Signed-off-by: Todd Short --- Tiltfile | 4 +++- scripts/install.tpl.sh | 36 +----------------------------------- testdata/certs/issuers.yaml | 32 ++++++++++++++++++++++++++++++++ 3 files changed, 36 insertions(+), 36 deletions(-) create mode 100644 testdata/certs/issuers.yaml diff --git a/Tiltfile b/Tiltfile index ef12a3042..a2c9b47c0 100644 --- a/Tiltfile +++ b/Tiltfile @@ -1,7 +1,7 @@ if not os.path.exists('../tilt-support'): fail('Please clone https://github.com/operator-framework/tilt-support to ../tilt-support') -load('../tilt-support/Tiltfile', 'deploy_repo') +load('../tilt-support/Tiltfile', 'deploy_repo', 'process_yaml') config.define_string_list('repos', args=True) cfg = config.parse() @@ -16,6 +16,8 @@ repo = { 'starting_debug_port': 30000, } +process_yaml("testdata/certs/issuers.yaml") + for r in repos: if r == 'operator-controller': deploy_repo('operator-controller', repo) diff --git a/scripts/install.tpl.sh b/scripts/install.tpl.sh index 1adfa96ed..56f47a8b7 100644 --- a/scripts/install.tpl.sh +++ b/scripts/install.tpl.sh 
@@ -35,41 +35,7 @@ function kubectl_wait() { kubectl apply -f "https://github.com/cert-manager/cert-manager/releases/download/${cert_mgr_version}/cert-manager.yaml" kubectl_wait "cert-manager" "deployment/cert-manager-webhook" "60s" -# Create the self-signed certificate for the ClusterIssuer and the ClusterIssuer -kubectl apply -f - < Date: Sat, 22 Jun 2024 13:25:54 -0400 Subject: [PATCH 4/7] fixup! Certificate support for image registry Signed-off-by: Todd Short --- internal/httputil/httputil.go | 2 +- scripts/install.tpl.sh | 36 ++++++++++++++++++++++++++++++++++- 2 files changed, 36 insertions(+), 2 deletions(-) diff --git a/internal/httputil/httputil.go b/internal/httputil/httputil.go index b8b7ab958..8a0de53f1 100644 --- a/internal/httputil/httputil.go +++ b/internal/httputil/httputil.go @@ -21,7 +21,7 @@ func LoadCerts(caDir string) (string, error) { return err } if info.IsDir() { - return nil + return filepath.SkipDir } data, err := os.ReadFile(path) if err != nil { diff --git a/scripts/install.tpl.sh b/scripts/install.tpl.sh index 56f47a8b7..9af36c32c 100644 --- a/scripts/install.tpl.sh +++ b/scripts/install.tpl.sh @@ -35,7 +35,41 @@ function kubectl_wait() { kubectl apply -f "https://github.com/cert-manager/cert-manager/releases/download/${cert_mgr_version}/cert-manager.yaml" kubectl_wait "cert-manager" "deployment/cert-manager-webhook" "60s" -kubectl apply -f testdata/certs/issuers.yaml +# Create a self-signed ClusterIssuer +kubectl apply -f - < Date: Sun, 23 Jun 2024 16:22:32 -0400 Subject: [PATCH 5/7] fixup! Certificate support for image registry --- internal/httputil/httputil.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/httputil/httputil.go b/internal/httputil/httputil.go index 8a0de53f1..b8b7ab958 100644 --- a/internal/httputil/httputil.go +++ b/internal/httputil/httputil.go 
@@ -21,7 +21,7 @@ func LoadCerts(caDir string) (string, error) { return err } if info.IsDir() { - return filepath.SkipDir + return nil } data, err := os.ReadFile(path) if err != nil { From 421d281db45e3fc3f130da3ba9525ee48ea17fe5 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Mon, 24 Jun 2024 12:45:35 -0400 Subject: [PATCH 6/7] fixup! Certificate support for image registry --- cmd/manager/main.go | 2 +- .../tls/patches/manager_deployment_cert.yaml | 2 +- internal/httputil/httputil.go | 22 ++++++++----------- 3 files changed, 11 insertions(+), 15 deletions(-) diff --git a/cmd/manager/main.go b/cmd/manager/main.go index de138d522..c6e7d3353 100644 --- a/cmd/manager/main.go +++ b/cmd/manager/main.go @@ -83,7 +83,7 @@ func main() { ) flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") - flag.StringVar(&caCertDir, "ca-cert-dir", "", "The directory of TLS certificate to use for verifying HTTPS connections to the Catalogd and docker-registry web servers.") + flag.StringVar(&caCertDir, "ca-certs-dir", "", "The directory of TLS certificate to use for verifying HTTPS connections to the Catalogd and docker-registry web servers.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") diff --git a/config/overlays/tls/patches/manager_deployment_cert.yaml b/config/overlays/tls/patches/manager_deployment_cert.yaml index e5f8eac56..94df488c6 100644 --- a/config/overlays/tls/patches/manager_deployment_cert.yaml +++ b/config/overlays/tls/patches/manager_deployment_cert.yaml 
@@ -6,4 +6,4 @@ value: {"name":"catalogd-certificate", "readOnly": true, "mountPath":"/var/certs/catalogd.crt", "subPath":"catalogd.crt"} - op: add path: /spec/template/spec/containers/0/args/- - value: "--ca-cert-dir=/var/certs" + value: "--ca-certs-dir=/var/certs" diff --git a/internal/httputil/httputil.go b/internal/httputil/httputil.go index b8b7ab958..e99815d88 100644 --- a/internal/httputil/httputil.go +++ b/internal/httputil/httputil.go @@ -5,7 +5,6 @@ import ( "crypto/x509" "net/http" "os" - "path/filepath" "strings" "time" ) @@ -16,22 +15,19 @@ func LoadCerts(caDir string) (string, error) { } var certs []string - err := filepath.Walk(caDir, func(path string, info os.FileInfo, err error) error { - if err != nil { - return err - } - if info.IsDir() { - return nil + dirEntries, err := os.ReadDir(caDir) + if err != nil { + return "", err + } + for _, e := range dirEntries { + if e.IsDir() { + continue } - data, err := os.ReadFile(path) + data, err := os.ReadFile(e.Name()) if err != nil { - return err + return "", err } certs = append(certs, string(data)) - return nil - }) - if err != nil { - return "", err } return strings.Join(certs, "\n"), nil } From 3ca71ba867f727fd33e6f2ade490af902ca95664 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Mon, 24 Jun 2024 13:32:11 -0400 Subject: [PATCH 7/7] fixup! Certificate support for image registry --- internal/httputil/httputil.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/internal/httputil/httputil.go b/internal/httputil/httputil.go index e99815d88..8ee0cb852 100644 --- a/internal/httputil/httputil.go +++ b/internal/httputil/httputil.go @@ -5,6 +5,7 @@ import ( "crypto/x509" "net/http" "os" + "path/filepath" "strings" "time" ) @@ -14,7 +15,7 @@ func LoadCerts(caDir string) (string, error) { return "", nil } - var certs []string + certs := []string{} dirEntries, err := os.ReadDir(caDir) if err != nil { return "", err 
@@ -23,7 +24,7 @@ func LoadCerts(caDir string) (string, error) {
 if e.IsDir() {
 continue
 }
- data, err := os.ReadFile(e.Name())
+ data, err := os.ReadFile(filepath.Join(caDir, e.Name()))
 if err != nil {
 return "", err
 }
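Review bot: With the path now joined correctly, LoadCerts still concatenates the raw bytes of every non-directory entry in `caDir` into the string that becomes `CertificateData`, so a stray file placed there (a private key, a non-PEM file, or a symlink that `e.IsDir()` does not classify as a directory and `os.ReadFile` then rejects) is either forwarded verbatim to the unpacker or aborts loading. Restricting the loop to regular files and to `CERTIFICATE` PEM blocks keeps the function's contract to what its name promises and makes bad input fail at load time; this needs `encoding/pem` in the import block. LoadCerts starts and ends outside this hunk.
```go
	for _, e := range dirEntries {
		path := filepath.Join(caDir, e.Name())
		// os.Stat follows symlinks; skip directories and anything else that is not a regular file.
		info, err := os.Stat(path)
		if err != nil {
			return "", err
		}
		if !info.Mode().IsRegular() {
			continue
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return "", err
		}
		// Keep only CERTIFICATE blocks so a key or non-PEM file in the directory is never forwarded.
		for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
			if block.Type == "CERTIFICATE" {
				certs = append(certs, string(pem.EncodeToMemory(block)))
			}
		}
	}
	// … unchanged: strings.Join and return …
```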