Separate CA configuration for pulls vs catalogd services

Rename the flags that provide CAs to image pulling to indicate the use. Keep the old flag around (for backward compatibility), but prefer the new flag(s). Signed-off-by: Todd Short <[email protected]>
operator-framework · Jan 30, 2025 · ced1054 · ced1054
1 parent 10e2754
commit ced1054
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 9 deletions.
diff --git a/catalogd/cmd/catalogd/main.go b/catalogd/cmd/catalogd/main.go
@@ -98,6 +98,7 @@ func main() {
 		keyFile              string
 		webhookPort          int
 		caCertDir            string
+		pullCertDir          string
 		globalPullSecret     string
 	)
 	flag.StringVar(&metricsAddr, "metrics-bind-address", "", "The address for the metrics endpoint. Requires tls-cert and tls-key. (Default: ':7443')")
@@ -115,7 +116,8 @@ func main() {
 	flag.StringVar(&certFile, "tls-cert", "", "The certificate file used for serving catalog and metrics. Required to enable the metrics server. Requires tls-key.")
 	flag.StringVar(&keyFile, "tls-key", "", "The key file used for serving catalog contents and metrics. Required to enable the metrics server. Requires tls-cert.")
 	flag.IntVar(&webhookPort, "webhook-server-port", 9443, "The port that the mutating webhook server serves at.")
-	flag.StringVar(&caCertDir, "ca-certs-dir", "", "The directory of CA certificate to use for verifying HTTPS connections to image registries.")
+	flag.StringVar(&caCertDir, "ca-certs-dir", "", "The directory of CA certificates to use for verifying HTTPS connections to image registries (deprecated).")
+	flag.StringVar(&pullCertDir, "pull-certs-dir", "", "The directory of CA certificates to use for verifying HTTPS connections to image registries.")
 	flag.StringVar(&globalPullSecret, "global-pull-secret", "", "The <namespace>/<name> of the global pull secret that is going to be used to pull bundle images.")
 
 	klog.InitFlags(flag.CommandLine)
@@ -132,6 +134,17 @@ func main() {
 
 	ctrl.SetLogger(textlogger.NewLogger(textlogger.NewConfig()))
 
+	// if the old flag is specified, but not the new flag
+	// use the old flag
+	if caCertDir != "" {
+		if pullCertDir == "" {
+			pullCertDir = caCertDir
+			setupLog.Info("using deprecated --ca-certs-dir flag as --pull-certs-dir flag is not specified")
+		} else {
+			setupLog.Info("deprecated --ca-certs-dir flag ignored due to use of --pull-certs-dir flag")
+		}
+	}
+
 	authFilePath := filepath.Join(os.TempDir(), fmt.Sprintf("%s-%s.json", authFilePrefix, apimachineryrand.String(8)))
 	var globalPullSecretKey *k8stypes.NamespacedName
 	if globalPullSecret != "" {
@@ -271,8 +284,8 @@ func main() {
 		BaseCachePath: unpackCacheBasePath,
 		SourceContextFunc: func(logger logr.Logger) (*types.SystemContext, error) {
 			srcContext := &types.SystemContext{
-				DockerCertPath: caCertDir,
-				OCICertPath:    caCertDir,
+				DockerCertPath: pullCertDir,
+				OCICertPath:    pullCertDir,
 			}
 			if _, err := os.Stat(authFilePath); err == nil && globalPullSecretKey != nil {
 				logger.Info("using available authentication information for pulling image")

diff --git a/catalogd/config/components/ca/patches/manager_deployment_cacerts.yaml b/catalogd/config/components/ca/patches/manager_deployment_cacerts.yaml
@@ -6,4 +6,4 @@
   value: {"name":"olmv1-certificate", "readOnly": true, "mountPath":"/var/ca-certs/"}
 - op: add
   path: /spec/template/spec/containers/0/args/-
-  value: "--ca-certs-dir=/var/ca-certs"
+  value: "--pull-certs-dir=/var/ca-certs"
diff --git a/cmd/operator-controller/main.go b/cmd/operator-controller/main.go
@@ -102,11 +102,15 @@ func main() {
 		operatorControllerVersion bool
 		systemNamespace           string
 		caCertDir                 string
+		catalogdCertDir           string
+		pullCertDir               string
 		globalPullSecret          string
 	)
 	flag.StringVar(&metricsAddr, "metrics-bind-address", "", "The address for the metrics endpoint. Requires tls-cert and tls-key. (Default: ':8443')")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
-	flag.StringVar(&caCertDir, "ca-certs-dir", "", "The directory of TLS certificate to use for verifying HTTPS connections to the Catalogd and docker-registry web servers.")
+	flag.StringVar(&caCertDir, "ca-certs-dir", "", "The directory of TLS certificates to use for verifying HTTPS connections to the Catalogd and docker-registry web servers (deprecated).")
+	flag.StringVar(&catalogdCertDir, "catalogd-certs-dir", "", "The directory of TLS certificates to use for verifying HTTPS connections to the Catalogd web service.")
+	flag.StringVar(&pullCertDir, "pull-certs-dir", "", "The directory of TLS certificates to use for verifying HTTPS connections to image registries.")
 	flag.StringVar(&certFile, "tls-cert", "", "The certificate file used for the metrics server. Required to enable the metrics server. Requires tls-key.")
 	flag.StringVar(&keyFile, "tls-key", "", "The key file used for the metrics server. Required to enable the metrics server. Requires tls-cert")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
@@ -128,6 +132,19 @@ func main() {
 		os.Exit(0)
 	}
 
+	// if the old flag is specified, but neither of the new flags
+	// use the old flag
+	if caCertDir != "" {
+		if catalogdCertDir == "" && pullCertDir == "" {
+			catalogdCertDir = caCertDir
+			pullCertDir = caCertDir
+			setupLog.Info("using deprecated --ca-certs-dir flag as --catalogd-certs-dir or --pull-certs-dir flags are not specified")
+		} else {
+			setupLog.Info("deprecated --ca-certs-dir flag ignored due to use of --catalogd-certs-dir or --pull-certs-dir flags")
+		}
+
+	}
+
 	if (certFile != "" && keyFile == "") || (certFile == "" && keyFile != "") {
 		setupLog.Error(nil, "unable to configure TLS certificates: tls-cert and tls-key flags must be used together")
 		os.Exit(1)
@@ -283,7 +300,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	certPoolWatcher, err := httputil.NewCertPoolWatcher(caCertDir, ctrl.Log.WithName("cert-pool"))
+	certPoolWatcher, err := httputil.NewCertPoolWatcher(catalogdCertDir, ctrl.Log.WithName("cert-pool"))
 	if err != nil {
 		setupLog.Error(err, "unable to create CA certificate pool")
 		os.Exit(1)
@@ -301,8 +318,8 @@ func main() {
 		BaseCachePath: filepath.Join(cachePath, "unpack"),
 		SourceContextFunc: func(logger logr.Logger) (*types.SystemContext, error) {
 			srcContext := &types.SystemContext{
-				DockerCertPath: caCertDir,
-				OCICertPath:    caCertDir,
+				DockerCertPath: pullCertDir,
+				OCICertPath:    pullCertDir,
 			}
 			if _, err := os.Stat(authFilePath); err == nil && globalPullSecretKey != nil {
 				logger.Info("using available authentication information for pulling image")

diff --git a/config/components/tls/patches/manager_deployment_cert.yaml b/config/components/tls/patches/manager_deployment_cert.yaml
@@ -6,7 +6,10 @@
   value: {"name":"olmv1-certificate", "readOnly": true, "mountPath":"/var/certs/"}
 - op: add
   path: /spec/template/spec/containers/0/args/-
-  value: "--ca-certs-dir=/var/certs"
+  value: "--catalogd-certs-dir=/var/certs"
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: "--pull-certs-dir=/var/certs"
 - op: add
   path: /spec/template/spec/containers/0/args/-
   value: "--tls-cert=/var/certs/tls.cert"