OCPBUGS-24700: Add support for Custom Certificate Authorities for custom signature stores

Signed-off-by: Lalatendu Mohanty <[email protected]>

Author: LalatenduMohanty

pkg/customsignaturestore/customsignaturestore.go

@@ -5,47 +5,46 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net/http"
 	"net/url"
 	"strings"
 	"sync"
 
+	configv1 "github.com/openshift/api/config/v1"
 	configv1listers "github.com/openshift/client-go/config/listers/config/v1"
 	"github.com/openshift/library-go/pkg/verify/store"
 	"github.com/openshift/library-go/pkg/verify/store/parallel"
 	"github.com/openshift/library-go/pkg/verify/store/sigstore"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/klog/v2"
 )
 
 type Store struct {
 	// Name is the name of the ClusterVersion object that configures this store.
 	Name string
 
-	// Lister allows the store to fetch the current ClusterVersion configuration.
-	Lister configv1listers.ClusterVersionLister
+	// ClusterVersionLister allows the store to fetch the current ClusterVersion configuration.
+	ClusterVersionLister configv1listers.ClusterVersionLister
 
-	// HTTPClient is called once for each Signatures call to ensure
-	// requests are made with the currently-recommended parameters.
-	HTTPClient sigstore.HTTPClient
+	// HTTPClient construct which respects the customstore CA certs and cluster proxy configuration
+	HTTPClient func(string) (*http.Client, error)
 
 	// lock allows the store to be locked while mutating or accessing internal state.
 	lock sync.Mutex
 
-	// customURIs tracks the most-recently retrieved ClusterVersion configuration.
-	customURIs []*url.URL
+	// customStores tracks the most-recently retrieved ClusterVersion configuration.
+	customStores []configv1.SignatureStore
 }
 
 // Signatures fetches signatures for the provided digest.
 func (s *Store) Signatures(ctx context.Context, name string, digest string, fn store.Callback) error {
-	uris, err := s.refreshConfiguration(ctx)
+	customStores, err := s.refreshConfiguration()
 	if err != nil {
 		return err
-	}
-
-	if uris == nil {
+	} else if customStores == nil {
 		return nil
-	}
-
-	if len(uris) == 0 {
-		return errors.New("ClusterVersion spec.signatureStores is an empty array.  Unset signatureStores entirely if you want to to enable the default signature stores.")
+	} else if len(customStores) == 0 {
+		return errors.New("ClusterVersion spec.signatureStores is an empty array. Unset signatureStores entirely if you want to enable the default signature stores")
 	}
 
 	allDone := false
@@ -58,44 +57,66 @@ func (s *Store) Signatures(ctx context.Context, name string, digest string, fn s
 		return done, err
 	}
 
-	stores := make([]store.Store, 0, len(uris))
-	for i := range uris {
-		uri := *uris[i]
+	var errs []error
+	stores := make([]store.Store, 0, len(customStores))
+	for _, customStore := range customStores {
+		uri, err := url.Parse(customStore.URL)
+		if err != nil {
+			errs = append(errs, fmt.Errorf("failed to parse the ClusterVersion spec.signatureStores %w", err))
+			continue
+		}
+		newHttpClient, err := s.HTTPClient(customStore.CA.Name)
+		if err != nil {
+			errs = append(errs, fmt.Errorf("failed to process the ClusterVersion spec.signatureStores %w", err))
+			continue
+		}
+
 		stores = append(stores, &sigstore.Store{
-			URI:        &uri,
-			HTTPClient: s.HTTPClient,
-		})
+			URI:        uri,
+			HTTPClient: func() (*http.Client, error) { return newHttpClient, nil }})
+	}
+
+	if len(stores) == 0 {
+		return utilerrors.NewAggregate(errs)
 	}
 	store := &parallel.Store{Stores: stores}
-	if err := store.Signatures(ctx, name, digest, wrapper); err != nil || allDone {
-		return err
+	if err := store.Signatures(ctx, name, digest, wrapper); allDone {
+		if len(errs) > 0 {
+			klog.V(2).Infof("%s", utilerrors.NewAggregate(errs))
+		}
+		return nil
+	} else if err != nil {
+		errs = append(errs, err)
+		return utilerrors.NewAggregate(errs)
 	}
-	return errors.New("ClusterVersion spec.signatureStores exhausted without finding a valid signature.")
+
+	errs = append(errs, errors.New("ClusterVersion spec.signatureStores exhausted without finding a valid signature"))
+	return utilerrors.NewAggregate(errs)
 }
 
-func (s *Store) refreshConfiguration(ctx context.Context) ([]*url.URL, error) {
-	config, err := s.Lister.Get(s.Name)
+// refreshConfiguration retrieves the latest configuration from the ClusterVersionLister
+// and updates the customStores with the URL and CA information from the retrieved configuration.
+// It returns the updated customStores slice and any error encountered during the retrieval process.
+func (s *Store) refreshConfiguration() ([]configv1.SignatureStore, error) {
+
+	config, err := s.ClusterVersionLister.Get(s.Name)
 	if err != nil {
 		return nil, err
 	}
 
-	var uris []*url.URL
+	var customStores = make([]configv1.SignatureStore, 0, len(config.Spec.SignatureStores))
 	if config.Spec.SignatureStores != nil {
-		uris = make([]*url.URL, 0, len(config.Spec.SignatureStores))
 		for _, store := range config.Spec.SignatureStores {
-			uri, err := url.Parse(store.URL)
-			if err != nil {
-				return uris, err
-			}
-
-			uris = append(uris, uri)
+			url := store.URL
+			caCert := store.CA
+			customStores = append(customStores, configv1.SignatureStore{URL: url, CA: caCert})
 		}
 	}
 
 	s.lock.Lock()
 	defer s.lock.Unlock()
-	s.customURIs = uris
-	return uris, nil
+	s.customStores = customStores
+	return customStores, nil
 }
 
 // String returns a description of where this store finds
@@ -104,14 +125,14 @@ func (s *Store) String() string {
 	s.lock.Lock()
 	defer s.lock.Unlock()
 
-	if s.customURIs == nil {
-		return "ClusterVersion signatureStores unset, falling back to default stores"
-	} else if len(s.customURIs) == 0 {
+	if s.customStores == nil {
+		return "ClusterVersion signatureStores not set, falling back to default stores"
+	} else if len(s.customStores) == 0 {
 		return "0 ClusterVersion signatureStores"
 	}
-	uris := make([]string, 0, len(s.customURIs))
-	for _, uri := range s.customURIs {
-		uris = append(uris, uri.String())
+	customStores := make([]string, 0, len(s.customStores))
+	for _, customStore := range s.customStores {
+		customStores = append(customStores, customStore.URL)
 	}
-	return fmt.Sprintf("ClusterVersion signatureStores: %s", strings.Join(uris, ", "))
+	return fmt.Sprintf("ClusterVersion signatureStores: %s", strings.Join(customStores, ", "))
 }

pkg/cvo/availableupdates.go

@@ -93,7 +93,7 @@ func (optr *Operator) syncAvailableUpdates(ctx context.Context, config *configv1
 	}
 
 	if needFreshFetch {
-		transport, err := optr.getTransport()
+		transport, err := optr.getTransport("")
 		if err != nil {
 			return err
 		}

pkg/cvo/cvo.go

@@ -294,16 +294,16 @@ func (optr *Operator) LoadInitialPayload(ctx context.Context, startingRequiredFe
 	if err != nil {
 		return nil, fmt.Errorf("the local release contents are invalid - no current version can be determined from disk: %v", err)
 	}
-	httpClientConstructor := sigstore.NewCachedHTTPClientConstructor(optr.HTTPClient, nil)
+	httpClientConstructor := sigstore.NewCachedHTTPClientConstructor(func() (*http.Client, error) { return optr.HTTPClient("") }, nil)
 	configClient, err := coreclientsetv1.NewForConfig(restConfig)
 	if err != nil {
 		return nil, fmt.Errorf("unable to create a configuration client: %v", err)
 	}
 
 	customSignatureStore := &customsignaturestore.Store{
-		Lister:     optr.cvLister,
-		Name:       optr.name,
-		HTTPClient: httpClientConstructor.HTTPClient,
+		Name:                 optr.name,
+		ClusterVersionLister: optr.cvLister,
+		HTTPClient:           optr.HTTPClient,
 	}
 
 	// attempt to load a verifier as defined in the payload
@@ -980,8 +980,8 @@ func (optr *Operator) defaultPreconditionChecks() precondition.List {
 
 // HTTPClient provides a method for generating an HTTP client
 // with the proxy and trust settings, if set in the cluster.
-func (optr *Operator) HTTPClient() (*http.Client, error) {
-	transportOption, err := optr.getTransport()
+func (optr *Operator) HTTPClient(caConfigMap string) (*http.Client, error) {
+	transportOption, err := optr.getTransport(caConfigMap)
 	if err != nil {
 		return nil, err
 	}

pkg/cvo/egress.go

@@ -11,7 +11,9 @@ import (
 	"golang.org/x/net/http/httpproxy"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 
+	"github.com/openshift/cluster-version-operator/pkg/internal"
 	"github.com/openshift/cluster-version-operator/pkg/version"
+	corev1 "k8s.io/api/core/v1"
 )
 
 // Returns a User-Agent to be used for outgoing HTTP requests.
@@ -25,7 +27,7 @@ func (optr *Operator) getUserAgent() string {
 
 // getTransport constructs an HTTP transport configuration, including
 // any custom proxy configuration.
-func (optr *Operator) getTransport() (*http.Transport, error) {
+func (optr *Operator) getTransport(caConfigMap string) (*http.Transport, error) {
 	transport := &http.Transport{}
 
 	proxyConfig, err := optr.getProxyConfig()
@@ -41,7 +43,7 @@ func (optr *Operator) getTransport() (*http.Transport, error) {
 		}
 	}
 
-	tlsConfig, err := optr.getTLSConfig()
+	tlsConfig, err := optr.getTLSConfig(caConfigMap)
 	if err != nil {
 		return transport, err
 	} else if tlsConfig != nil {
@@ -70,8 +72,20 @@ func (optr *Operator) getProxyConfig() (*httpproxy.Config, error) {
 	}, nil
 }
 
-func (optr *Operator) getTLSConfig() (*tls.Config, error) {
-	cm, err := optr.cmConfigManagedLister.Get("trusted-ca-bundle")
+func (optr *Operator) getTLSConfig(caConfigMap string) (*tls.Config, error) {
+	var namespace, key string
+	var cm *corev1.ConfigMap
+	var err error
+	if caConfigMap == "" {
+		namespace = internal.ConfigManagedNamespace
+		caConfigMap = "trusted-ca-bundle"
+		key = "ca-bundle.crt"
+		cm, err = optr.cmConfigManagedLister.Get(caConfigMap)
+	} else {
+		namespace = internal.ConfigNamespace
+		key = "ca.crt"
+		cm, err = optr.cmConfigLister.Get(caConfigMap)
+	}
 	if apierrors.IsNotFound(err) {
 		return nil, nil
 	}
@@ -81,9 +95,9 @@ func (optr *Operator) getTLSConfig() (*tls.Config, error) {
 
 	certPool := x509.NewCertPool()
 
-	if cm.Data["ca-bundle.crt"] != "" {
-		if ok := certPool.AppendCertsFromPEM([]byte(cm.Data["ca-bundle.crt"])); !ok {
-			return nil, fmt.Errorf("unable to add ca-bundle.crt certificates")
+	if cm.Data[key] != "" {
+		if ok := certPool.AppendCertsFromPEM([]byte(cm.Data[key])); !ok {
+			return nil, fmt.Errorf("unable to add %s certificates from the %s ConfigMap in the %s namespace", key, caConfigMap, namespace)
 		}
 	} else {
 		return nil, nil