Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

⚠ add TLS overlay for Catalogd v0.13.0 web server TLS #888

Merged
merged 5 commits into from
Jun 13, 2024

Conversation

trgeiger
Copy link
Contributor

@trgeiger trgeiger commented May 23, 2024

Description

Updates the Catalogd dependency to v0.14.0 which uses TLS for the web server and olmv1-system for the namespace

  • shifts manifests structure to use an overlay, similar to catalogd and rukpak
  • installs Catalogd to the operator-controller-system namespace so operator-controller can access its tls.crt
  • adds a flag to the manager specifying the ca cert to use for TLS authentication
  • change default namespace to olmv1-system

Reviewer Checklist

  • API Go Documentation
  • Tests: Unit Tests (and E2E Tests, if appropriate)
  • Comprehensive Commit Messages
  • Links to related GitHub Issue(s)

@trgeiger trgeiger requested a review from a team as a code owner May 23, 2024 19:41
Copy link

netlify bot commented May 23, 2024

Deploy Preview for olmv1 ready!

Name Link
🔨 Latest commit 3755d66
🔍 Latest deploy log https://app.netlify.com/sites/olmv1/deploys/666b26139aa753000800389e
😎 Deploy Preview https://deploy-preview-888--olmv1.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@trgeiger trgeiger force-pushed the https-catalogd branch 3 times, most recently from a30b4d6 to 8da32c6 Compare May 23, 2024 20:00
@trgeiger trgeiger marked this pull request as draft May 23, 2024 20:08
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 23, 2024
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 31, 2024
@trgeiger trgeiger changed the title ⚠ add trust-manager overlay for Catalogd v0.13.0 web server TLS ⚠ add TLS overlay for Catalogd v0.13.0 web server TLS Jun 4, 2024
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 4, 2024
@trgeiger trgeiger force-pushed the https-catalogd branch 3 times, most recently from e7c719c to d330542 Compare June 4, 2024 21:28
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 5, 2024
@trgeiger trgeiger marked this pull request as ready for review June 5, 2024 20:01
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 5, 2024
cmd/manager/main.go Outdated Show resolved Hide resolved
Comment on lines 162 to 165
cert, err := os.ReadFile(tlsCert)
if err != nil {
log.Fatalf("Failed to read certificate file: %v", err)
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We probably need to anticipate rotation of this cert as well.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've been trying to figure out a solution for this, but I'm hitting a wall. It looks like this is an issue others have encountered before and there's not a native mechanism for reloading rootCAs in go: golang/go#35887 (comment)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh that looks like a minefield. I suppose for now we can punt on handling CA rotation, and revisit if it becomes a practical issue. Maybe just make a separate issue for this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That sounds good to me, might be a good contribution to make to Go at some point

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cmd/manager/main.go Outdated Show resolved Hide resolved
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 6, 2024
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 7, 2024
@trgeiger
Copy link
Contributor Author

Barring any other feedback, the only remaining issue is deciding how we want to handle installing Catalogd to the operator-controller namespace for the purposes of Tilt. We could add some custom logic to one of the tiltfiles, but we could also change Catalogd's default namespace to just be operator-controller-system if we don't have any compelling reasons to keep it in its own namespace. @everettraven would appreciate your thoughts when you're back in the office.

)
flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
flag.StringVar(&caCert, "ca-cert", "", "The TLS certificate to use for verifying HTTPS connections to the Catalogd web server.")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wondering if we should make it more generic: not only about catalogd. E.g. what if we want to pull bundles from a registry with a self-signed certs?

See #905 (comment) for example.

cc @varshaprasad96

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that is reasonable, but I'd probably recommend doing it in a follow up. Looking at the comment thread you shared, it seems like that is more tailored specifically to the direct image registry client image unpacker hitting a cert issue. It would definitely be nice to generalize the ca certificate loading and behavior but I think it makes the most sense to keep this PR scoped to the catalogd use case and then in a follow up issue look into how we can expand it to support other use cases.

@m1kola m1kola mentioned this pull request Jun 11, 2024
4 tasks
@@ -35,8 +35,8 @@ function kubectl_wait() {
kubectl apply -f "https://github.com/cert-manager/cert-manager/releases/download/${cert_mgr_version}/cert-manager.yaml"
kubectl_wait "cert-manager" "deployment/cert-manager-webhook" "60s"

kubectl apply -f "https://github.com/operator-framework/catalogd/releases/download/${catalogd_version}/catalogd.yaml"
kubectl_wait "catalogd-system" "deployment/catalogd-controller-manager" "60s"
curl -L https://github.com/operator-framework/catalogd/releases/download/${catalogd_version}/catalogd.yaml | sed s/catalogd-system/operator-controller-system/g | kubectl apply -f -
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is fine temporarily, but if we are going to use a common namespace I'd like to see if there is a way we could use something like kustomize to have a more declarative and consistent override than using sed.

I wonder if we could make use of the remote targets functionality in Kustomize to help us achieve this and it be a bit more robust (I think we could make sure it only changes the namespace): https://github.com/kubernetes-sigs/kustomize/blob/master/examples/remoteBuild.md

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. However, if we do decide to make all OLMv1 components just install into the same namespace by default, then we wouldn't need to do this anymore.

Copy link

codecov bot commented Jun 11, 2024

Codecov Report

Attention: Patch coverage is 84.61538% with 4 lines in your changes missing coverage. Please review.

Project coverage is 79.34%. Comparing base (8041cc4) to head (3755d66).

Files Patch % Lines
cmd/manager/main.go 66.66% 1 Missing and 1 partial ⚠️
internal/httputil/httputil.go 86.66% 1 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #888      +/-   ##
==========================================
+ Coverage   79.15%   79.34%   +0.19%     
==========================================
  Files          15       16       +1     
  Lines        1084     1104      +20     
==========================================
+ Hits          858      876      +18     
- Misses        157      158       +1     
- Partials       69       70       +1     
Flag Coverage Δ
e2e 58.15% <84.61%> (+0.95%) ⬆️
unit 53.71% <7.69%> (-1.00%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

everettraven
everettraven previously approved these changes Jun 13, 2024
Fix references to Catalog and CatalogSpec
Use v0.14.0 of Catalogd which also uses olmv1-system namespace
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants