Separate CA configuration for pulls vs catalogd services
Rename the options that supply CA certificates for image pulling so that their names indicate that use.

Signed-off-by: Todd Short <tshort@redhat.com>
tmshort committed Jan 30, 2025
1 parent 10e2754 commit 2db703d
Showing 4 changed files with 16 additions and 11 deletions.
8 changes: 4 additions & 4 deletions catalogd/cmd/catalogd/main.go
@@ -97,7 +97,7 @@ func main() {
certFile string
keyFile string
webhookPort int
caCertDir string
pullCertDir string
globalPullSecret string
)
flag.StringVar(&metricsAddr, "metrics-bind-address", "", "The address for the metrics endpoint. Requires tls-cert and tls-key. (Default: ':7443')")
@@ -115,7 +115,7 @@ func main() {
flag.StringVar(&certFile, "tls-cert", "", "The certificate file used for serving catalog and metrics. Required to enable the metrics server. Requires tls-key.")
flag.StringVar(&keyFile, "tls-key", "", "The key file used for serving catalog contents and metrics. Required to enable the metrics server. Requires tls-cert.")
flag.IntVar(&webhookPort, "webhook-server-port", 9443, "The port that the mutating webhook server serves at.")
flag.StringVar(&caCertDir, "ca-certs-dir", "", "The directory of CA certificate to use for verifying HTTPS connections to image registries.")
flag.StringVar(&pullCertDir, "pull-certs-dir", "", "The directory of CA certificate to use for verifying HTTPS connections to image registries.")
flag.StringVar(&globalPullSecret, "global-pull-secret", "", "The <namespace>/<name> of the global pull secret that is going to be used to pull bundle images.")

klog.InitFlags(flag.CommandLine)
@@ -271,8 +271,8 @@ func main() {
BaseCachePath: unpackCacheBasePath,
SourceContextFunc: func(logger logr.Logger) (*types.SystemContext, error) {
srcContext := &types.SystemContext{
DockerCertPath: caCertDir,
OCICertPath: caCertDir,
DockerCertPath: pullCertDir,
OCICertPath: pullCertDir,
}
if _, err := os.Stat(authFilePath); err == nil && globalPullSecretKey != nil {
logger.Info("using available authentication information for pulling image")
@@ -6,4 +6,4 @@
value: {"name":"olmv1-certificate", "readOnly": true, "mountPath":"/var/ca-certs/"}
- op: add
path: /spec/template/spec/containers/0/args/-
value: "--ca-certs-dir=/var/ca-certs"
value: "--pull-certs-dir=/var/ca-certs"
12 changes: 7 additions & 5 deletions cmd/operator-controller/main.go
@@ -101,12 +101,14 @@ func main() {
cachePath string
operatorControllerVersion bool
systemNamespace string
caCertDir string
catalogdCertDir string
pullCertDir string
globalPullSecret string
)
flag.StringVar(&metricsAddr, "metrics-bind-address", "", "The address for the metrics endpoint. Requires tls-cert and tls-key. (Default: ':8443')")
flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
flag.StringVar(&caCertDir, "ca-certs-dir", "", "The directory of TLS certificate to use for verifying HTTPS connections to the Catalogd and docker-registry web servers.")
flag.StringVar(&catalogdCertDir, "catalogd-certs-dir", "", "The directory of TLS certificate to use for verifying HTTPS connections to the Catalogd web service.")
flag.StringVar(&pullCertDir, "pull-certs-dir", "", "The directory of TLS certificates to use for verifying HTTPS connections to image registries.")
flag.StringVar(&certFile, "tls-cert", "", "The certificate file used for the metrics server. Required to enable the metrics server. Requires tls-key.")
flag.StringVar(&keyFile, "tls-key", "", "The key file used for the metrics server. Required to enable the metrics server. Requires tls-cert")
flag.BoolVar(&enableLeaderElection, "leader-elect", false,
@@ -283,7 +285,7 @@ func main() {
os.Exit(1)
}

certPoolWatcher, err := httputil.NewCertPoolWatcher(caCertDir, ctrl.Log.WithName("cert-pool"))
certPoolWatcher, err := httputil.NewCertPoolWatcher(catalogdCertDir, ctrl.Log.WithName("cert-pool"))
if err != nil {
setupLog.Error(err, "unable to create CA certificate pool")
os.Exit(1)
@@ -301,8 +303,8 @@ func main() {
BaseCachePath: filepath.Join(cachePath, "unpack"),
SourceContextFunc: func(logger logr.Logger) (*types.SystemContext, error) {
srcContext := &types.SystemContext{
DockerCertPath: caCertDir,
OCICertPath: caCertDir,
DockerCertPath: pullCertDir,
OCICertPath: pullCertDir,
}
if _, err := os.Stat(authFilePath); err == nil && globalPullSecretKey != nil {
logger.Info("using available authentication information for pulling image")
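Review bot: `pullCertDir` reaches the image-pull `SystemContext` (`DockerCertPath: pullCertDir` / `OCICertPath: pullCertDir`) without any startup validation, while the catalogd side fails fast through `httputil.NewCertPoolWatcher(catalogdCertDir, ...)`; a typo in `--pull-certs-dir` therefore surfaces only at the first bundle pull, and if the pull library tolerates a missing directory (common for docker-style cert dirs — confirm), it would silently fall back to the default trust store instead of the intended registry CA. A stat after the watcher setup keeps both paths symmetric and makes the misconfiguration loud. The help texts on the two new flags also disagree ("TLS certificate" vs "TLS certificates"); `--catalogd-certs-dir` could additionally say the directory is presumably watched for rotation via the cert-pool watcher, whereas the pull directory is read by the pull library itself. `main` starts and ends outside this hunk.
```go
certPoolWatcher, err := httputil.NewCertPoolWatcher(catalogdCertDir, ctrl.Log.WithName("cert-pool"))
// … unchanged: watcher error handling …
// Fail at startup, not on the first bundle pull, if the registry CA dir is unusable.
if pullCertDir != "" {
	if _, err := os.Stat(pullCertDir); err != nil {
		setupLog.Error(err, "unable to access pull certs directory", "dir", pullCertDir)
		os.Exit(1)
	}
}
```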
5 changes: 4 additions & 1 deletion config/components/tls/patches/manager_deployment_cert.yaml
@@ -6,7 +6,10 @@
value: {"name":"olmv1-certificate", "readOnly": true, "mountPath":"/var/certs/"}
- op: add
path: /spec/template/spec/containers/0/args/-
value: "--ca-certs-dir=/var/certs"
value: "--catalogd-certs-dir=/var/certs"
- op: add
path: /spec/template/spec/containers/0/args/-
value: "--pull-certs-dir=/var/certs"
- op: add
path: /spec/template/spec/containers/0/args/-
value: "--tls-cert=/var/certs/tls.cert"
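Review bot: The new `--pull-certs-dir=/var/certs` points the registry trust directory at the same `olmv1-certificate` mount that holds the controller's own serving material (`--tls-cert=/var/certs/tls.cert`, and presumably the matching key), so the split this commit introduces is not exercised by the default TLS overlay and, if the pull library follows the docker `certs.d` convention of loading `*.cert`/`*.key` pairs as client credentials (not visible here — confirm), the serving certificate would be presented to every registry as a client cert. Consider mounting a dedicated registry-CA volume for `--pull-certs-dir`, or at least adding a comment above the add op such as `# Registry CA dir; deliberately shares the catalogd bundle by default — point at a separate volume to trust a distinct registry CA without exposing the serving cert.`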
