Separate CA configuration for pulls vs catalogd services

tmshort · tmshort · commit ced10541a996 · 2025-01-30T14:30:40.000-05:00
Rename the flags that provide CAs to image pulling to indicate the use.
Keep the old flag around (for backward compatibility), but prefer the
new flag(s).

Signed-off-by: Todd Short &lt;tshort@redhat.com&gt;
diff --git a/catalogd/cmd/catalogd/main.go b/catalogd/cmd/catalogd/main.go
@@ -98,6 +98,7 @@ func main() {
 		keyFile              string
 		webhookPort          int
 		caCertDir            string
+		pullCertDir          string
 		globalPullSecret     string
 	)
 	flag.StringVar(&metricsAddr, "metrics-bind-address", "", "The address for the metrics endpoint. Requires tls-cert and tls-key. (Default: ':7443')")
@@ -115,7 +116,8 @@ func main() {
 	flag.StringVar(&certFile, "tls-cert", "", "The certificate file used for serving catalog and metrics. Required to enable the metrics server. Requires tls-key.")
 	flag.StringVar(&keyFile, "tls-key", "", "The key file used for serving catalog contents and metrics. Required to enable the metrics server. Requires tls-cert.")
 	flag.IntVar(&webhookPort, "webhook-server-port", 9443, "The port that the mutating webhook server serves at.")
-	flag.StringVar(&caCertDir, "ca-certs-dir", "", "The directory of CA certificate to use for verifying HTTPS connections to image registries.")
+	flag.StringVar(&caCertDir, "ca-certs-dir", "", "The directory of CA certificates to use for verifying HTTPS connections to image registries (deprecated).")
+	flag.StringVar(&pullCertDir, "pull-certs-dir", "", "The directory of CA certificates to use for verifying HTTPS connections to image registries.")
 	flag.StringVar(&globalPullSecret, "global-pull-secret", "", "The <namespace>/<name> of the global pull secret that is going to be used to pull bundle images.")
 
 	klog.InitFlags(flag.CommandLine)
@@ -132,6 +134,17 @@ func main() {
 
 	ctrl.SetLogger(textlogger.NewLogger(textlogger.NewConfig()))
 
+	// if the old flag is specified, but not the new flag
+	// use the old flag
+	if caCertDir != "" {
+		if pullCertDir == "" {
+			pullCertDir = caCertDir
+			setupLog.Info("using deprecated --ca-certs-dir flag as --pull-certs-dir flag is not specified")
+		} else {
+			setupLog.Info("deprecated --ca-certs-dir flag ignored due to use of --pull-certs-dir flag")
+		}
+	}
+
 	authFilePath := filepath.Join(os.TempDir(), fmt.Sprintf("%s-%s.json", authFilePrefix, apimachineryrand.String(8)))
 	var globalPullSecretKey *k8stypes.NamespacedName
 	if globalPullSecret != "" {
@@ -271,8 +284,8 @@ func main() {
 		BaseCachePath: unpackCacheBasePath,
 		SourceContextFunc: func(logger logr.Logger) (*types.SystemContext, error) {
 			srcContext := &types.SystemContext{
-				DockerCertPath: caCertDir,
-				OCICertPath:    caCertDir,
+				DockerCertPath: pullCertDir,
+				OCICertPath:    pullCertDir,
 			}
 			if _, err := os.Stat(authFilePath); err == nil && globalPullSecretKey != nil {
 				logger.Info("using available authentication information for pulling image")
diff --git a/catalogd/config/components/ca/patches/manager_deployment_cacerts.yaml b/catalogd/config/components/ca/patches/manager_deployment_cacerts.yaml
@@ -6,4 +6,4 @@
   value: {"name":"olmv1-certificate", "readOnly": true, "mountPath":"/var/ca-certs/"}
 - op: add
   path: /spec/template/spec/containers/0/args/-
-  value: "--ca-certs-dir=/var/ca-certs"
+  value: "--pull-certs-dir=/var/ca-certs"
diff --git a/cmd/operator-controller/main.go b/cmd/operator-controller/main.go
@@ -102,11 +102,15 @@ func main() {
 		operatorControllerVersion bool
 		systemNamespace           string
 		caCertDir                 string
+		catalogdCertDir           string
+		pullCertDir               string
 		globalPullSecret          string
 	)
 	flag.StringVar(&metricsAddr, "metrics-bind-address", "", "The address for the metrics endpoint. Requires tls-cert and tls-key. (Default: ':8443')")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
-	flag.StringVar(&caCertDir, "ca-certs-dir", "", "The directory of TLS certificate to use for verifying HTTPS connections to the Catalogd and docker-registry web servers.")
+	flag.StringVar(&caCertDir, "ca-certs-dir", "", "The directory of TLS certificates to use for verifying HTTPS connections to the Catalogd and docker-registry web servers (deprecated).")
+	flag.StringVar(&catalogdCertDir, "catalogd-certs-dir", "", "The directory of TLS certificates to use for verifying HTTPS connections to the Catalogd web service.")
+	flag.StringVar(&pullCertDir, "pull-certs-dir", "", "The directory of TLS certificates to use for verifying HTTPS connections to image registries.")
 	flag.StringVar(&certFile, "tls-cert", "", "The certificate file used for the metrics server. Required to enable the metrics server. Requires tls-key.")
 	flag.StringVar(&keyFile, "tls-key", "", "The key file used for the metrics server. Required to enable the metrics server. Requires tls-cert")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
@@ -128,6 +132,19 @@ func main() {
 		os.Exit(0)
 	}
 
+	// if the old flag is specified, but neither of the new flags
+	// use the old flag
+	if caCertDir != "" {
+		if catalogdCertDir == "" && pullCertDir == "" {
+			catalogdCertDir = caCertDir
+			pullCertDir = caCertDir
+			setupLog.Info("using deprecated --ca-certs-dir flag as --catalogd-certs-dir or --pull-certs-dir flags are not specified")
+		} else {
+			setupLog.Info("deprecated --ca-certs-dir flag ignored due to use of --catalogd-certs-dir or --pull-certs-dir flags")
+		}
+
+	}
+
 	if (certFile != "" && keyFile == "") || (certFile == "" && keyFile != "") {
 		setupLog.Error(nil, "unable to configure TLS certificates: tls-cert and tls-key flags must be used together")
 		os.Exit(1)
@@ -283,7 +300,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	certPoolWatcher, err := httputil.NewCertPoolWatcher(caCertDir, ctrl.Log.WithName("cert-pool"))
+	certPoolWatcher, err := httputil.NewCertPoolWatcher(catalogdCertDir, ctrl.Log.WithName("cert-pool"))
 	if err != nil {
 		setupLog.Error(err, "unable to create CA certificate pool")
 		os.Exit(1)
@@ -301,8 +318,8 @@ func main() {
 		BaseCachePath: filepath.Join(cachePath, "unpack"),
 		SourceContextFunc: func(logger logr.Logger) (*types.SystemContext, error) {
 			srcContext := &types.SystemContext{
-				DockerCertPath: caCertDir,
-				OCICertPath:    caCertDir,
+				DockerCertPath: pullCertDir,
+				OCICertPath:    pullCertDir,
 			}
 			if _, err := os.Stat(authFilePath); err == nil && globalPullSecretKey != nil {
 				logger.Info("using available authentication information for pulling image")
diff --git a/config/components/tls/patches/manager_deployment_cert.yaml b/config/components/tls/patches/manager_deployment_cert.yaml
@@ -6,7 +6,10 @@
   value: {"name":"olmv1-certificate", "readOnly": true, "mountPath":"/var/certs/"}
 - op: add
   path: /spec/template/spec/containers/0/args/-
-  value: "--ca-certs-dir=/var/certs"
+  value: "--catalogd-certs-dir=/var/certs"
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: "--pull-certs-dir=/var/certs"
 - op: add
   path: /spec/template/spec/containers/0/args/-
   value: "--tls-cert=/var/certs/tls.cert"
