⚠ add TLS overlay for Catalogd v0.13.0 web server TLS (#888)

* Update catalogd dep to v0.13.0

Fix references to Catalog and CatalogSpec

* Implement TLS overlay for Catalogd TLS

Signed-off-by: Tayler Geiger <[email protected]>

* Reorganize TLS changes

* Move e2e to its own overlay

* Change default namespace to olmv1-system

Use v0.14.0 of Catalogd which also uses olmv1-system namespace

---------

Signed-off-by: Tayler Geiger <[email protected]>

Author: trgeiger

.gitignore

@@ -39,3 +39,4 @@ install.sh
 site
 
 .tiltbuild/
+.vscode

Makefile

@@ -54,7 +54,7 @@ else
 $(warning Could not find docker or podman in path! This may result in targets requiring a container runtime failing!) 
 endif
 
-KUSTOMIZE_BUILD_DIR := config/default
+KUSTOMIZE_BUILD_DIR := config/overlays/tls
 
 # Disable -j flag for make
 .NOTPARALLEL:
@@ -95,7 +95,7 @@ tidy: #HELP Update dependencies.
 
 .PHONY: manifests
 manifests: $(CONTROLLER_GEN) #EXHELP Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/base/crd/bases
 
 .PHONY: generate
 generate: $(CONTROLLER_GEN) #EXHELP Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
@@ -150,7 +150,7 @@ build-push-e2e-catalog: ## Build the testdata catalog used for e2e tests and pus
 # for example: ARTIFACT_PATH=/tmp/artifacts make test-e2e
 .PHONY: test-e2e
 test-e2e: KIND_CLUSTER_NAME := operator-controller-e2e
-test-e2e: KUSTOMIZE_BUILD_DIR := config/e2e
+test-e2e: KUSTOMIZE_BUILD_DIR := config/overlays/e2e
 test-e2e: GO_BUILD_FLAGS := -cover
 test-e2e: run image-registry build-push-e2e-catalog registry-load-bundles e2e e2e-coverage kind-clean #HELP Run e2e test suite on local kind cluster
 

Tiltfile

@@ -9,7 +9,7 @@ repos = cfg.get('repos', ['operator-controller', 'catalogd'])
 
 repo = {
     'image': 'quay.io/operator-framework/operator-controller',
-    'yaml': 'config/default',
+    'yaml': 'config/overlays/tls',
     'binaries': {
         'manager': 'operator-controller-controller-manager',
     },

cmd/manager/main.go

@@ -20,11 +20,9 @@ import (
 	"crypto/x509"
 	"flag"
 	"fmt"
-	"net/http"
 	"net/url"
 	"os"
 	"path/filepath"
-	"time"
 
 	"github.com/spf13/pflag"
 	"go.uber.org/zap/zapcore"
@@ -50,6 +48,7 @@ import (
 	"github.com/operator-framework/operator-controller/internal/catalogmetadata/cache"
 	catalogclient "github.com/operator-framework/operator-controller/internal/catalogmetadata/client"
 	"github.com/operator-framework/operator-controller/internal/controllers"
+	"github.com/operator-framework/operator-controller/internal/httputil"
 	"github.com/operator-framework/operator-controller/internal/labels"
 	"github.com/operator-framework/operator-controller/internal/version"
 	"github.com/operator-framework/operator-controller/pkg/features"
@@ -58,7 +57,7 @@ import (
 
 var (
 	setupLog               = ctrl.Log.WithName("setup")
-	defaultSystemNamespace = "operator-controller-system"
+	defaultSystemNamespace = "olmv1-system"
 )
 
 // podNamespace checks whether the controller is running in a Pod vs.
@@ -82,9 +81,11 @@ func main() {
 		operatorControllerVersion   bool
 		systemNamespace             string
 		provisionerStorageDirectory string
+		caCert                      string
 	)
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
+	flag.StringVar(&caCert, "ca-cert", "", "The TLS certificate to use for verifying HTTPS connections to the Catalogd web server.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
@@ -153,8 +154,13 @@ func main() {
 		os.Exit(1)
 	}
 
+	httpClient, err := httputil.BuildHTTPClient(caCert)
+	if err != nil {
+		setupLog.Error(err, "unable to create catalogd http client")
+	}
+
 	cl := mgr.GetClient()
-	catalogClient := catalogclient.New(cl, cache.NewFilesystemCache(cachePath, &http.Client{Timeout: 10 * time.Second}))
+	catalogClient := catalogclient.New(cl, cache.NewFilesystemCache(cachePath, httpClient))
 
 	cfgGetter, err := helmclient.NewActionConfigGetter(mgr.GetConfig(), mgr.GetRESTMapper(), helmclient.StorageNamespaceMapper(func(o client.Object) (string, error) {
 		return systemNamespace, nil

config/crd/bases/olm.operatorframework.io_clusterextensions.yaml renamed to config/base/crd/bases/olm.operatorframework.io_clusterextensions.yaml

@@ -1,5 +1,5 @@
 # Adds namespace to all resources.
-namespace: operator-controller-system
+namespace: olmv1-system
 
 # Value of this field is prepended to the
 # names of all resources, e.g. a deployment named
@@ -15,9 +15,9 @@ namePrefix: operator-controller-
 #    someName: someValue
 
 resources:
-- ../crd
-- ../rbac
-- ../manager
+- crd
+- rbac
+- manager
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
 #- ../webhook

config/crd/kustomization.yaml renamed to config/base/crd/kustomization.yaml

@@ -114,4 +114,4 @@ spec:
         - name: cache
           emptyDir: {}
         - name: bundle-cache
-          emptyDir: {}
+          emptyDir: {}