Merge pull request #226 from jcpowermac/CORS-1162

Add certificate option to cincinnati client

Author: openshift-merge-robot

Gopkg.lock

@@ -1,6 +1,7 @@
 package cincinnati
 
 import (
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -20,13 +21,14 @@ const (
 // Client is a Cincinnati client which can be used to fetch update graphs from
 // an upstream Cincinnati stack.
 type Client struct {
-	id       uuid.UUID
-	proxyURL *url.URL
+	id        uuid.UUID
+	proxyURL  *url.URL
+	tlsConfig *tls.Config
 }
 
 // NewClient creates a new Cincinnati client with the given client identifier.
-func NewClient(id uuid.UUID, proxyURL *url.URL) Client {
-	return Client{id: id, proxyURL: proxyURL}
+func NewClient(id uuid.UUID, proxyURL *url.URL, tlsConfig *tls.Config) Client {
+	return Client{id: id, proxyURL: proxyURL, tlsConfig: tlsConfig}
 }
 
 // Update is a single node from the update graph.
@@ -58,6 +60,9 @@ func (c Client) GetUpdates(upstream string, channel string, version semver.Versi
 		return nil, err
 	}
 	req.Header.Add("Accept", GraphMediaType)
+	if c.tlsConfig != nil {
+		transport.TLSClientConfig = c.tlsConfig
+	}
 
 	if c.proxyURL != nil {
 		transport.Proxy = http.ProxyURL(c.proxyURL)

pkg/cincinnati/cincinnati.go

@@ -1,6 +1,7 @@
 package cincinnati
 
 import (
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -121,8 +122,9 @@ func TestGetUpdates(t *testing.T) {
 			ts := httptest.NewServer(http.HandlerFunc(handler))
 			defer ts.Close()
 			var proxyURL *url.URL
+			var tlsConfig *tls.Config
 
-			c := NewClient(clientID, proxyURL)
+			c := NewClient(clientID, proxyURL, tlsConfig)
 
 			updates, err := c.GetUpdates(ts.URL, channelName, semver.MustParse(test.version))
 			if test.err == "" {

pkg/cincinnati/cincinnati_test.go

@@ -1,21 +1,20 @@
 package cvo
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
-	"time"
-
 	"net/url"
+	"time"
 
 	"github.com/blang/semver"
 	"github.com/google/uuid"
-	"k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/klog"
-
 	"k8s.io/apimachinery/pkg/api/equality"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/klog"
 
 	configv1 "github.com/openshift/api/config/v1"
-
 	"github.com/openshift/cluster-version-operator/lib/resourcemerge"
 	"github.com/openshift/cluster-version-operator/pkg/cincinnati"
 )
@@ -24,6 +23,7 @@ import (
 // object. It will set the RetrievedUpdates condition. Updates are only checked if it has been more than
 // the minimumUpdateCheckInterval since the last check.
 func (optr *Operator) syncAvailableUpdates(config *configv1.ClusterVersion) error {
+	var tlsConfig *tls.Config
 	usedDefaultUpstream := false
 	upstream := string(config.Spec.Upstream)
 	if len(upstream) == 0 {
@@ -39,12 +39,18 @@ func (optr *Operator) syncAvailableUpdates(config *configv1.ClusterVersion) erro
 		return nil
 	}
 
-	proxyURL, err := optr.getHTTPSProxyURL()
+	proxyURL, cmNameRef, err := optr.getHTTPSProxyURL()
 	if err != nil {
 		return err
 	}
+	if cmNameRef != "" {
+		tlsConfig, err = optr.getTLSConfig(cmNameRef)
+		if err != nil {
+			return err
+		}
+	}
 
-	updates, condition := calculateAvailableUpdatesStatus(string(config.Spec.ClusterID), proxyURL, upstream, channel, optr.releaseVersion)
+	updates, condition := calculateAvailableUpdatesStatus(string(config.Spec.ClusterID), proxyURL, tlsConfig, upstream, channel, optr.releaseVersion)
 
 	if usedDefaultUpstream {
 		upstream = ""
@@ -111,7 +117,7 @@ func (optr *Operator) getAvailableUpdates() *availableUpdates {
 	return optr.availableUpdates
 }
 
-func calculateAvailableUpdatesStatus(clusterID string, proxyURL *url.URL, upstream, channel, version string) ([]configv1.Update, configv1.ClusterOperatorStatusCondition) {
+func calculateAvailableUpdatesStatus(clusterID string, proxyURL *url.URL, tlsConfig *tls.Config, upstream, channel, version string) ([]configv1.Update, configv1.ClusterOperatorStatusCondition) {
 	if len(upstream) == 0 {
 		return nil, configv1.ClusterOperatorStatusCondition{
 			Type: configv1.RetrievedUpdates, Status: configv1.ConditionFalse, Reason: "NoUpstream",
@@ -142,7 +148,7 @@ func calculateAvailableUpdatesStatus(clusterID string, proxyURL *url.URL, upstre
 		}
 	}
 
-	updates, err := checkForUpdate(clusterID, proxyURL, upstream, channel, currentVersion)
+	updates, err := checkForUpdate(clusterID, proxyURL, tlsConfig, upstream, channel, currentVersion)
 	if err != nil {
 		klog.V(2).Infof("Upstream server %s could not return available updates: %v", upstream, err)
 		return nil, configv1.ClusterOperatorStatusCondition{
@@ -167,7 +173,7 @@ func calculateAvailableUpdatesStatus(clusterID string, proxyURL *url.URL, upstre
 	}
 }
 
-func checkForUpdate(clusterID string, proxyURL *url.URL, upstream, channel string, currentVersion semver.Version) ([]cincinnati.Update, error) {
+func checkForUpdate(clusterID string, proxyURL *url.URL, tlsConfig *tls.Config, upstream, channel string, currentVersion semver.Version) ([]cincinnati.Update, error) {
 	uuid, err := uuid.Parse(string(clusterID))
 	if err != nil {
 		return nil, err
@@ -176,29 +182,56 @@ func checkForUpdate(clusterID string, proxyURL *url.URL, upstream, channel strin
 	if len(upstream) == 0 {
 		return nil, fmt.Errorf("no upstream URL set for cluster version")
 	}
-	return cincinnati.NewClient(uuid, proxyURL).GetUpdates(upstream, channel, currentVersion)
+	return cincinnati.NewClient(uuid, proxyURL, tlsConfig).GetUpdates(upstream, channel, currentVersion)
 }
 
 // getHTTPSProxyURL returns a url.URL object for the configured
 // https proxy only. It can be nil if does not exist or there is an error.
-func (optr *Operator) getHTTPSProxyURL() (*url.URL, error) {
+func (optr *Operator) getHTTPSProxyURL() (*url.URL, string, error) {
 	proxy, err := optr.proxyLister.Get("cluster")
 
 	if errors.IsNotFound(err) {
-		return nil, nil
+		return nil, "", nil
 	}
 	if err != nil {
-		return nil, err
+		return nil, "", err
 	}
 
 	if &proxy.Spec != nil {
 		if proxy.Spec.HTTPSProxy != "" {
 			proxyURL, err := url.Parse(proxy.Spec.HTTPSProxy)
 			if err != nil {
-				return nil, err
+				return nil, "", err
 			}
-			return proxyURL, nil
+			return proxyURL, proxy.Spec.TrustedCA.Name, nil
+		}
+	}
+	return nil, "", nil
+}
+
+func (optr *Operator) getTLSConfig(cmNameRef string) (*tls.Config, error) {
+	cm, err := optr.cmManagedLister.Get(cmNameRef)
+
+	if err != nil {
+		return nil, err
+	}
+
+	certPool, _ := x509.SystemCertPool()
+	if certPool == nil {
+		certPool = x509.NewCertPool()
+	}
+
+	if cm.Data["ca-bundle.crt"] != "" {
+		if ok := certPool.AppendCertsFromPEM([]byte(cm.Data["ca-bundle.crt"])); !ok {
+			return nil, fmt.Errorf("unable to add ca-bundle.crt certificates")
 		}
+	} else {
+		return nil, nil
 	}
-	return nil, nil
+
+	config := &tls.Config{
+		RootCAs: certPool,
+	}
+
+	return config, nil
 }

pkg/cvo/availableupdates.go

@@ -7,12 +7,8 @@ import (
 	"sync"
 	"time"
 
-	"github.com/openshift/cluster-version-operator/pkg/verify"
-
 	"github.com/blang/semver"
 	"github.com/google/uuid"
-	"k8s.io/klog"
-
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -27,12 +23,12 @@ import (
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/client-go/util/workqueue"
+	"k8s.io/klog"
 
 	configv1 "github.com/openshift/api/config/v1"
 	clientset "github.com/openshift/client-go/config/clientset/versioned"
 	configinformersv1 "github.com/openshift/client-go/config/informers/externalversions/config/v1"
 	configlistersv1 "github.com/openshift/client-go/config/listers/config/v1"
-
 	"github.com/openshift/cluster-version-operator/lib"
 	"github.com/openshift/cluster-version-operator/lib/resourceapply"
 	"github.com/openshift/cluster-version-operator/lib/resourcebuilder"
@@ -41,6 +37,7 @@ import (
 	"github.com/openshift/cluster-version-operator/pkg/cvo/internal/dynamicclient"
 	"github.com/openshift/cluster-version-operator/pkg/internal"
 	"github.com/openshift/cluster-version-operator/pkg/payload"
+	"github.com/openshift/cluster-version-operator/pkg/verify"
 )
 
 const (
@@ -102,11 +99,12 @@ type Operator struct {
 	// syncBackoff allows the tests to use a quicker backoff
 	syncBackoff wait.Backoff
 
-	cvLister    configlistersv1.ClusterVersionLister
-	coLister    configlistersv1.ClusterOperatorLister
-	cmLister    listerscorev1.ConfigMapNamespaceLister
-	proxyLister configlistersv1.ProxyLister
-	cacheSynced []cache.InformerSynced
+	cvLister        configlistersv1.ClusterVersionLister
+	coLister        configlistersv1.ClusterOperatorLister
+	cmConfigLister  listerscorev1.ConfigMapNamespaceLister
+	cmManagedLister listerscorev1.ConfigMapNamespaceLister
+	proxyLister     configlistersv1.ProxyLister
+	cacheSynced     []cache.InformerSynced
 
 	// queue tracks applying updates to a cluster.
 	queue workqueue.RateLimitingInterface
@@ -140,7 +138,8 @@ func New(
 	minimumInterval time.Duration,
 	cvInformer configinformersv1.ClusterVersionInformer,
 	coInformer configinformersv1.ClusterOperatorInformer,
-	cmInformer informerscorev1.ConfigMapInformer,
+	cmConfigInformer informerscorev1.ConfigMapInformer,
+	cmManagedInformer informerscorev1.ConfigMapInformer,
 	proxyInformer configinformersv1.ProxyInformer,
 	client clientset.Interface,
 	kubeClient kubernetes.Interface,
@@ -180,7 +179,8 @@ func New(
 	optr.cvLister = cvInformer.Lister()
 	optr.cacheSynced = append(optr.cacheSynced, cvInformer.Informer().HasSynced)
 
-	optr.cmLister = cmInformer.Lister().ConfigMaps(internal.ConfigNamespace)
+	optr.cmConfigLister = cmConfigInformer.Lister().ConfigMaps(internal.ConfigNamespace)
+	optr.cmManagedLister = cmManagedInformer.Lister().ConfigMaps(internal.ConfigManagedNamespace)
 
 	if enableMetrics {
 		if err := optr.registerMetrics(coInformer.Informer()); err != nil {

pkg/cvo/cvo.go

@@ -32,7 +32,6 @@ import (
 	configv1 "github.com/openshift/api/config/v1"
 	clientset "github.com/openshift/client-go/config/clientset/versioned"
 	"github.com/openshift/client-go/config/clientset/versioned/fake"
-
 	"github.com/openshift/cluster-version-operator/pkg/payload"
 )
 
@@ -153,16 +152,16 @@ func (r *coLister) Get(name string) (*configv1.ClusterOperator, error) {
 	return nil, errors.NewNotFound(schema.GroupResource{}, name)
 }
 
-type cmLister struct {
+type cmConfigLister struct {
 	Err   error
 	Items []*corev1.ConfigMap
 }
 
-func (l *cmLister) List(selector labels.Selector) ([]*corev1.ConfigMap, error) {
+func (l *cmConfigLister) List(selector labels.Selector) ([]*corev1.ConfigMap, error) {
 	return l.Items, l.Err
 }
 
-func (l *cmLister) Get(name string) (*corev1.ConfigMap, error) {
+func (l *cmConfigLister) Get(name string) (*corev1.ConfigMap, error) {
 	if l.Err != nil {
 		return nil, l.Err
 	}

pkg/cvo/cvo_test.go

@@ -5,14 +5,11 @@ import (
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/util/sets"
-
 	"github.com/prometheus/client_golang/prometheus"
-
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
 
 	configv1 "github.com/openshift/api/config/v1"
-
 	"github.com/openshift/cluster-version-operator/lib/resourcemerge"
 	"github.com/openshift/cluster-version-operator/pkg/internal"
 )
@@ -278,7 +275,7 @@ func (m *operatorMetrics) Collect(ch chan<- prometheus.Metric) {
 		ch <- g
 	}
 
-	installer, err := m.optr.cmLister.Get(internal.InstallerConfigMap)
+	installer, err := m.optr.cmConfigLister.Get(internal.InstallerConfigMap)
 	if err == nil {
 		version := "<missing>"
 		invoker := "<missing>"