diff --git a/cmd/package-server-manager/main.go b/cmd/package-server-manager/main.go
index c46ebc3704..99e8ec88cd 100644
--- a/cmd/package-server-manager/main.go
+++ b/cmd/package-server-manager/main.go
@@ -4,9 +4,11 @@ import (
 "fmt"
 "os"
+ "github.com/sirupsen/logrus"
 "github.com/spf13/cobra"
 olmv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
+ "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/server"
 "k8s.io/apimachinery/pkg/fields"
 _ "k8s.io/client-go/plugin/pkg/client/auth"
@@ -17,7 +19,6 @@ import (
 ctrl "sigs.k8s.io/controller-runtime"
 "sigs.k8s.io/controller-runtime/pkg/cache"
 "sigs.k8s.io/controller-runtime/pkg/client"
- "sigs.k8s.io/controller-runtime/pkg/healthz"
 "sigs.k8s.io/controller-runtime/pkg/log/zap"
 "sigs.k8s.io/controller-runtime/pkg/manager"
 metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
@@ -30,8 +31,8 @@ import (
 const (
 defaultName = "packageserver"
 defaultNamespace = "openshift-operator-lifecycle-manager"
- defaultMetricsPort = "0"
- defaultHealthCheckPort = ":8080"
+ defaultMetricsPort = "0" // Disable controller-runtime metrics (using pkg/lib/server instead)
+ defaultHealthCheckPort = "" // Disable controller-runtime health (using pkg/lib/server instead)
 defaultPprofPort = ":6060"
 defaultInterval = ""
 leaderElectionConfigmapName = "packageserver-controller-lock"
@@ -75,11 +76,43 @@ func run(cmd *cobra.Command, args []string) error {
 if err != nil {
 return err
 }
+ tlsCertPath, err := cmd.Flags().GetString("tls-cert")
+ if err != nil {
+ return err
+ }
+ tlsKeyPath, err := cmd.Flags().GetString("tls-key")
+ if err != nil {
+ return err
+ }
+ clientCAPath, err := cmd.Flags().GetString("client-ca")
+ if err != nil {
+ return err
+ }
 ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
 setupLog := ctrl.Log.WithName("setup")
 restConfig := ctrl.GetConfigOrDie()
+
+ // Create logrus logger for the server library
+ logger := logrus.New()
+
+ // Start HTTPS server with metrics/health endpoints
+ listenAndServe, err := server.GetListenAndServeFunc(
+ server.WithLogger(logger),
+ server.WithTLS(&tlsCertPath, &tlsKeyPath, &clientCAPath),
+ server.WithKubeConfig(restConfig),
+ )
+ if err != nil {
+ setupLog.Error(err, "failed to setup health/metric/pprof service")
+ return err
+ }
+
+ go func() {
+ if err := listenAndServe(); err != nil {
+ setupLog.Error(err, "server error")
+ }
+ }()
 le := leaderelection.GetLeaderElectionConfig(setupLog, restConfig, !disableLeaderElection)
 packageserverCSVFields := fields.Set{"metadata.name": name}
@@ -136,14 +169,7 @@ func run(cmd *cobra.Command, args []string) error {
 return err
 }
- if err := mgr.AddReadyzCheck("ping", healthz.Ping); err != nil {
- setupLog.Error(err, "failed to establish a readyz check")
- return err
- }
- if err := mgr.AddHealthzCheck("ping", healthz.Ping); err != nil {
- setupLog.Error(err, "failed to establish a healthz check")
- return err
- }
+ // Health checks are now handled by pkg/lib/server (not controller-runtime)
 // +kubebuilder:scaffold:builder
 setupLog.Info("starting manager")
 if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
diff --git a/cmd/package-server-manager/start.go b/cmd/package-server-manager/start.go
index 6c6fd238a7..d94c1fbc45 100644
--- a/cmd/package-server-manager/start.go
+++ b/cmd/package-server-manager/start.go
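Review bot: The goroutine at the end of the first hunk only logs a failure of `listenAndServe()` and lets `run` carry on, so a wrong certificate path, a key that does not match the certificate or a port already in use leaves the manager running with no /healthz or /metrics listener; the kubelet probes now target that port, so the pod is restarted only after the probe delay and the single log line is the only sign of why. Propagating the error so that `run` returns (for example sending it on a channel that is selected alongside `mgr.Start`, or at minimum `os.Exit(1)` after the log call) makes the failure immediate and visible. The three paths are also handed to `server.WithTLS` unchanged when the flags keep their empty defaults, and whether the server then refuses to start or falls back to plaintext is decided in pkg/lib/server, which is not part of this diff; a check in `run`, `if (tlsCertPath == "") != (tlsKeyPath == "") { return fmt.Errorf("--tls-cert and --tls-key must be set together") }`, would pin that down here. `run` begins and ends outside the hunk.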
@@ -19,6 +19,9 @@ func newStartCmd() *cobra.Command {
 cmd.Flags().String("interval", defaultInterval, "configures the wakeup interval for the packageserver csc resource")
 cmd.Flags().String("metrics", defaultMetricsPort, "configures the metrics port that the process exposes")
 cmd.Flags().Bool("disable-leader-election", false, "configures whether leader election will be disabled")
+ cmd.Flags().String("tls-cert", "", "path to use for certificate key (requires tls-key)")
+ cmd.Flags().String("tls-key", "", "path to use for private key (requires tls-cert)")
+ cmd.Flags().String("client-ca", "", "path to watch for client ca bundle")
 return cmd
 }
diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
index 32f9efd261..4126023b51 100644
--- a/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
+++ b/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
@@ -31,33 +31,6 @@ spec:
 serviceAccountName: olm-operator-serviceaccount
 priorityClassName: "system-cluster-critical"
 containers:
- - args:
- - --secure-listen-address=0.0.0.0:8443
- - --upstream=http://127.0.0.1:9090/
- - --tls-cert-file=/etc/tls/private/tls.crt
- - --tls-private-key-file=/etc/tls/private/tls.key
- - --logtostderr=true
- image: quay.io/openshift/origin-kube-rbac-proxy:latest
- imagePullPolicy: IfNotPresent
- name: kube-rbac-proxy
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- capabilities:
- drop: ["ALL"]
- ports:
- - containerPort: 8443
- name: metrics
- protocol: TCP
- resources:
- requests:
- memory: 20Mi
- cpu: 10m
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: FallbackToLogsOnError
- volumeMounts:
- - mountPath: /etc/tls/private
- name: package-server-manager-serving-cert
 - name: package-server-manager
 securityContext:
 allowPrivilegeEscalation: false
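Review bot: The help text on the first added line describes the wrong file ("path to use for certificate key" for `tls-cert`), and the "requires tls-key"/"requires tls-cert" relationship both strings state is not enforced anywhere in this diff. Cobra can express it directly with `cmd.MarkFlagsRequiredTogether("tls-cert", "tls-key")` after the three `String` calls, with the descriptions reworded to `"path to the TLS serving certificate (requires --tls-key)"`, `"path to the TLS private key (requires --tls-cert)"` and `"path to the CA bundle used to verify client certificates; the file is watched for changes"`. The `--metrics` flag two lines above keeps its help text although the manifests no longer pass it and its default now disables the controller-runtime listener, so a sentence there saying that setting it re-enables a second, separately configured metrics endpoint would stop operators from turning it on by accident. `newStartCmd` starts outside the hunk.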
@@ -72,7 +45,12 @@ spec:
 - $(PACKAGESERVER_NAME)
 - --namespace
 - $(PACKAGESERVER_NAMESPACE)
- - "--metrics=:9090"
+ - --tls-cert
+ - /srv-cert/tls.crt
+ - --tls-key
+ - /srv-cert/tls.key
+ - --client-ca
+ - /profile-collector-cert/tls.crt
 image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
 imagePullPolicy: IfNotPresent
 env:
@@ -92,17 +70,30 @@ spec:
 requests:
 cpu: 10m
 memory: 10Mi
+ ports:
+ - containerPort: 8443
+ name: metrics
+ protocol: TCP
 livenessProbe:
 httpGet:
 path: /healthz
- port: 8080
+ port: 8443
+ scheme: HTTPS
 initialDelaySeconds: 30
 readinessProbe:
 httpGet:
 path: /healthz
- port: 8080
+ port: 8443
+ scheme: HTTPS
 initialDelaySeconds: 30
 terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ - name: srv-cert
+ mountPath: "/srv-cert"
+ readOnly: true
+ - name: profile-collector-cert
+ mountPath: "/profile-collector-cert"
+ readOnly: true
 nodeSelector:
 kubernetes.io/os: linux
 tolerations:
@@ -118,6 +109,9 @@ spec:
 operator: Exists
 tolerationSeconds: 120
 volumes:
- - name: package-server-manager-serving-cert
+ - name: srv-cert
+ secret:
+ secretName: package-server-manager-serving-cert
+ - name: profile-collector-cert
 secret:
 secretName: package-server-manager-serving-cert
diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.yaml
index 32bcf18b6d..16da0cfd56 100644
--- a/manifests/0000_50_olm_06-psm-operator.deployment.yaml
+++ b/manifests/0000_50_olm_06-psm-operator.deployment.yaml
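Review bot: `--client-ca` is pointed at `/profile-collector-cert/tls.crt`, but the `profile-collector-cert` volume added in the volumes hunk further down is backed by the same `package-server-manager-serving-cert` secret as `srv-cert`, so the file the server is given as its client CA bundle is its own serving certificate rather than the CA that signs the scraper's client certificate; unless this is a deliberate placeholder, it should come from a separate secret or configmap, and until then only a holder of the serving key pair could pass client-certificate verification. This also replaces the removed kube-rbac-proxy sidecar, which by default authenticated and authorized scrapes against the API server, so access control on /metrics now rests entirely on what pkg/lib/server does with that CA; it is worth confirming that it requires and verifies a client certificate on /metrics while still answering the kubelet's /healthz probes, which present no certificate (the probes only set `scheme: HTTPS`). The same arguments and volumes appear in the hunks for 0000_50_olm_06-psm-operator.deployment.yaml, both microshift-manifests copies and the heredoc in scripts/generate_crds_manifests.sh.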
@@ -31,33 +31,6 @@ spec:
 serviceAccountName: olm-operator-serviceaccount
 priorityClassName: "system-cluster-critical"
 containers:
- - args:
- - --secure-listen-address=0.0.0.0:8443
- - --upstream=http://127.0.0.1:9090/
- - --tls-cert-file=/etc/tls/private/tls.crt
- - --tls-private-key-file=/etc/tls/private/tls.key
- - --logtostderr=true
- image: quay.io/openshift/origin-kube-rbac-proxy:latest
- imagePullPolicy: IfNotPresent
- name: kube-rbac-proxy
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- capabilities:
- drop: ["ALL"]
- ports:
- - containerPort: 8443
- name: metrics
- protocol: TCP
- resources:
- requests:
- memory: 20Mi
- cpu: 10m
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: FallbackToLogsOnError
- volumeMounts:
- - mountPath: /etc/tls/private
- name: package-server-manager-serving-cert
 - name: package-server-manager
 securityContext:
 allowPrivilegeEscalation: false
@@ -72,7 +45,12 @@ spec:
 - $(PACKAGESERVER_NAME)
 - --namespace
 - $(PACKAGESERVER_NAMESPACE)
- - "--metrics=:9090"
+ - --tls-cert
+ - /srv-cert/tls.crt
+ - --tls-key
+ - /srv-cert/tls.key
+ - --client-ca
+ - /profile-collector-cert/tls.crt
 image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
 imagePullPolicy: IfNotPresent
 env:
@@ -92,17 +70,30 @@ spec:
 requests:
 cpu: 10m
 memory: 10Mi
+ ports:
+ - containerPort: 8443
+ name: metrics
+ protocol: TCP
 livenessProbe:
 httpGet:
 path: /healthz
- port: 8080
+ port: 8443
+ scheme: HTTPS
 initialDelaySeconds: 30
 readinessProbe:
 httpGet:
 path: /healthz
- port: 8080
+ port: 8443
+ scheme: HTTPS
 initialDelaySeconds: 30
 terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ - name: srv-cert
+ mountPath: "/srv-cert"
+ readOnly: true
+ - name: profile-collector-cert
+ mountPath: "/profile-collector-cert"
+ readOnly: true
 nodeSelector:
 kubernetes.io/os: linux
 node-role.kubernetes.io/master: ""
@@ -119,6 +110,9 @@ spec:
 operator: Exists
 tolerationSeconds: 120
 volumes:
- - name: package-server-manager-serving-cert
+ - name: srv-cert
+ secret:
+ secretName: package-server-manager-serving-cert
+ - name: profile-collector-cert
 secret:
 secretName: package-server-manager-serving-cert
diff --git a/microshift-manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml b/microshift-manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
index 32f9efd261..4126023b51 100644
--- a/microshift-manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
+++ b/microshift-manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
@@ -31,33 +31,6 @@ spec:
 serviceAccountName: olm-operator-serviceaccount
 priorityClassName: "system-cluster-critical"
 containers:
- - args:
- - --secure-listen-address=0.0.0.0:8443
- - --upstream=http://127.0.0.1:9090/
- - --tls-cert-file=/etc/tls/private/tls.crt
- - --tls-private-key-file=/etc/tls/private/tls.key
- - --logtostderr=true
- image: quay.io/openshift/origin-kube-rbac-proxy:latest
- imagePullPolicy: IfNotPresent
- name: kube-rbac-proxy
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- capabilities:
- drop: ["ALL"]
- ports:
- - containerPort: 8443
- name: metrics
- protocol: TCP
- resources:
- requests:
- memory: 20Mi
- cpu: 10m
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: FallbackToLogsOnError
- volumeMounts:
- - mountPath: /etc/tls/private
- name: package-server-manager-serving-cert
 - name: package-server-manager
 securityContext:
 allowPrivilegeEscalation: false
@@ -72,7 +45,12 @@ spec:
 - $(PACKAGESERVER_NAME)
 - --namespace
 - $(PACKAGESERVER_NAMESPACE)
- - "--metrics=:9090"
+ - --tls-cert
+ - /srv-cert/tls.crt
+ - --tls-key
+ - /srv-cert/tls.key
+ - --client-ca
+ - /profile-collector-cert/tls.crt
 image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
 imagePullPolicy: IfNotPresent
 env:
@@ -92,17 +70,30 @@ spec:
 requests:
 cpu: 10m
 memory: 10Mi
+ ports:
+ - containerPort: 8443
+ name: metrics
+ protocol: TCP
 livenessProbe:
 httpGet:
 path: /healthz
- port: 8080
+ port: 8443
+ scheme: HTTPS
 initialDelaySeconds: 30
 readinessProbe:
 httpGet:
 path: /healthz
- port: 8080
+ port: 8443
+ scheme: HTTPS
 initialDelaySeconds: 30
 terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ - name: srv-cert
+ mountPath: "/srv-cert"
+ readOnly: true
+ - name: profile-collector-cert
+ mountPath: "/profile-collector-cert"
+ readOnly: true
 nodeSelector:
 kubernetes.io/os: linux
 tolerations:
@@ -118,6 +109,9 @@ spec:
 operator: Exists
 tolerationSeconds: 120
 volumes:
- - name: package-server-manager-serving-cert
+ - name: srv-cert
+ secret:
+ secretName: package-server-manager-serving-cert
+ - name: profile-collector-cert
 secret:
 secretName: package-server-manager-serving-cert
diff --git a/microshift-manifests/0000_50_olm_06-psm-operator.deployment.yaml b/microshift-manifests/0000_50_olm_06-psm-operator.deployment.yaml
index 32bcf18b6d..16da0cfd56 100644
--- a/microshift-manifests/0000_50_olm_06-psm-operator.deployment.yaml
+++ b/microshift-manifests/0000_50_olm_06-psm-operator.deployment.yaml
@@ -31,33 +31,6 @@ spec:
 serviceAccountName: olm-operator-serviceaccount
 priorityClassName: "system-cluster-critical"
 containers:
- - args:
- - --secure-listen-address=0.0.0.0:8443
- - --upstream=http://127.0.0.1:9090/
- - --tls-cert-file=/etc/tls/private/tls.crt
- - --tls-private-key-file=/etc/tls/private/tls.key
- - --logtostderr=true
- image: quay.io/openshift/origin-kube-rbac-proxy:latest
- imagePullPolicy: IfNotPresent
- name: kube-rbac-proxy
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- capabilities:
- drop: ["ALL"]
- ports:
- - containerPort: 8443
- name: metrics
- protocol: TCP
- resources:
- requests:
- memory: 20Mi
- cpu: 10m
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: FallbackToLogsOnError
- volumeMounts:
- - mountPath: /etc/tls/private
- name: package-server-manager-serving-cert
 - name: package-server-manager
 securityContext:
 allowPrivilegeEscalation: false
@@ -72,7 +45,12 @@ spec:
 - $(PACKAGESERVER_NAME)
 - --namespace
 - $(PACKAGESERVER_NAMESPACE)
- - "--metrics=:9090"
+ - --tls-cert
+ - /srv-cert/tls.crt
+ - --tls-key
+ - /srv-cert/tls.key
+ - --client-ca
+ - /profile-collector-cert/tls.crt
 image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
 imagePullPolicy: IfNotPresent
 env:
@@ -92,17 +70,30 @@ spec:
 requests:
 cpu: 10m
 memory: 10Mi
+ ports:
+ - containerPort: 8443
+ name: metrics
+ protocol: TCP
 livenessProbe:
 httpGet:
 path: /healthz
- port: 8080
+ port: 8443
+ scheme: HTTPS
 initialDelaySeconds: 30
 readinessProbe:
 httpGet:
 path: /healthz
- port: 8080
+ port: 8443
+ scheme: HTTPS
 initialDelaySeconds: 30
 terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ - name: srv-cert
+ mountPath: "/srv-cert"
+ readOnly: true
+ - name: profile-collector-cert
+ mountPath: "/profile-collector-cert"
+ readOnly: true
 nodeSelector:
 kubernetes.io/os: linux
 node-role.kubernetes.io/master: ""
@@ -119,6 +110,9 @@ spec:
 operator: Exists
 tolerationSeconds: 120
 volumes:
- - name: package-server-manager-serving-cert
+ - name: srv-cert
+ secret:
+ secretName: package-server-manager-serving-cert
+ - name: profile-collector-cert
 secret:
 secretName: package-server-manager-serving-cert
diff --git a/scripts/generate_crds_manifests.sh b/scripts/generate_crds_manifests.sh
index 4020d60dc3..27a53e1015 100755
--- a/scripts/generate_crds_manifests.sh
+++ b/scripts/generate_crds_manifests.sh
@@ -192,33 +192,6 @@ spec:
 serviceAccountName: olm-operator-serviceaccount
 priorityClassName: "system-cluster-critical"
 containers:
- - args:
- - --secure-listen-address=0.0.0.0:8443
- - --upstream=http://127.0.0.1:9090/
- - --tls-cert-file=/etc/tls/private/tls.crt
- - --tls-private-key-file=/etc/tls/private/tls.key
- - --logtostderr=true
- image: quay.io/openshift/origin-kube-rbac-proxy:latest
- imagePullPolicy: IfNotPresent
- name: kube-rbac-proxy
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- capabilities:
- drop: ["ALL"]
- ports:
- - containerPort: 8443
- name: metrics
- protocol: TCP
- resources:
- requests:
- memory: 20Mi
- cpu: 10m
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: FallbackToLogsOnError
- volumeMounts:
- - mountPath: /etc/tls/private
- name: package-server-manager-serving-cert
 - name: package-server-manager
 securityContext:
 allowPrivilegeEscalation: false
@@ -233,7 +206,12 @@ spec:
 - \$(PACKAGESERVER_NAME)
 - --namespace
 - \$(PACKAGESERVER_NAMESPACE)
- - "--metrics=:9090"
+ - --tls-cert
+ - /srv-cert/tls.crt
+ - --tls-key
+ - /srv-cert/tls.key
+ - --client-ca
+ - /profile-collector-cert/tls.crt
 image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
 imagePullPolicy: IfNotPresent
 env:
@@ -253,17 +231,30 @@ spec:
 requests:
 cpu: 10m
 memory: 10Mi
+ ports:
+ - containerPort: 8443
+ name: metrics
+ protocol: TCP
 livenessProbe:
 httpGet:
 path: /healthz
- port: 8080
+ port: 8443
+ scheme: HTTPS
 initialDelaySeconds: 30
 readinessProbe:
 httpGet:
 path: /healthz
- port: 8080
+ port: 8443
+ scheme: HTTPS
 initialDelaySeconds: 30
 terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ - name: srv-cert
+ mountPath: "/srv-cert"
+ readOnly: true
+ - name: profile-collector-cert
+ mountPath: "/profile-collector-cert"
+ readOnly: true
 nodeSelector:
 kubernetes.io/os: linux
 node-role.kubernetes.io/master: ""
@@ -280,7 +271,10 @@ spec:
 operator: Exists
 tolerationSeconds: 120
 volumes:
- - name: package-server-manager-serving-cert
+ - name: srv-cert
+ secret:
+ secretName: package-server-manager-serving-cert
+ - name: profile-collector-cert
 secret:
 secretName: package-server-manager-serving-cert
 EOF