diff --git a/catalogd/cmd/catalogd/main.go b/catalogd/cmd/catalogd/main.go
index 35854aeae..aa92e5358 100644
--- a/catalogd/cmd/catalogd/main.go
+++ b/catalogd/cmd/catalogd/main.go
@@ -98,6 +98,7 @@ func main() {
 keyFile string
 webhookPort int
 caCertDir string
+ pullCertDir string
 globalPullSecret string
 )
 flag.StringVar(&metricsAddr, "metrics-bind-address", "", "The address for the metrics endpoint. Requires tls-cert and tls-key. (Default: ':7443')")
@@ -115,7 +116,8 @@ func main() {
 flag.StringVar(&certFile, "tls-cert", "", "The certificate file used for serving catalog and metrics. Required to enable the metrics server. Requires tls-key.")
 flag.StringVar(&keyFile, "tls-key", "", "The key file used for serving catalog contents and metrics. Required to enable the metrics server. Requires tls-cert.")
 flag.IntVar(&webhookPort, "webhook-server-port", 9443, "The port that the mutating webhook server serves at.")
- flag.StringVar(&caCertDir, "ca-certs-dir", "", "The directory of CA certificate to use for verifying HTTPS connections to image registries.")
+ flag.StringVar(&caCertDir, "ca-certs-dir", "", "The directory of CA certificates to use for verifying HTTPS connections to image registries (deprecated).")
+ flag.StringVar(&pullCertDir, "pull-certs-dir", "", "The directory of CA certificates to use for verifying HTTPS connections to image registries.")
 flag.StringVar(&globalPullSecret, "global-pull-secret", "", "The / of the global pull secret that is going to be used to pull bundle images.")
 klog.InitFlags(flag.CommandLine)
 
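Review bot: The new help text for `--ca-certs-dir` marks the flag "(deprecated)" but does not say what replaces it, and since the standard `flag` package has no deprecation mechanism this usage string is the only place an operator will learn the successor; the line in the `@@ -115,7 +116,8 @@` hunk would read better as `flag.StringVar(&caCertDir, "ca-certs-dir", "", "The directory of CA certificates to use for verifying HTTPS connections to image registries. Deprecated: use --pull-certs-dir instead.")`. The same applies to the operator-controller `--ca-certs-dir` in the `@@ -102,11 +102,15 @@` hunk, where the successors are `--catalogd-certs-dir` and `--pull-certs-dir`. It would also help to state in the usage text that the deprecated value is ignored when a successor flag is set, since that is the behaviour the new code implements. main continues outside both hunks.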
@@ -132,6 +134,17 @@ func main() {
 ctrl.SetLogger(textlogger.NewLogger(textlogger.NewConfig()))
+ // if the old flag is specified, but not the new flag
+ // use the old flag
+ if caCertDir != "" {
+ if pullCertDir == "" {
+ pullCertDir = caCertDir
+ setupLog.Info("using deprecated --ca-certs-dir flag as --pull-certs-dir flag is not specified")
+ } else {
+ setupLog.Info("deprecated --ca-certs-dir flag ignored due to use of --pull-certs-dir flag")
+ }
+ }
+
 authFilePath := filepath.Join(os.TempDir(), fmt.Sprintf("%s-%s.json", authFilePrefix, apimachineryrand.String(8)))
 var globalPullSecretKey *k8stypes.NamespacedName
 if globalPullSecret != "" {
@@ -271,8 +284,8 @@ func main() {
 BaseCachePath: unpackCacheBasePath,
 SourceContextFunc: func(logger logr.Logger) (*types.SystemContext, error) {
 srcContext := &types.SystemContext{
- DockerCertPath: caCertDir,
- OCICertPath: caCertDir,
+ DockerCertPath: pullCertDir,
+ OCICertPath: pullCertDir,
 }
 if _, err := os.Stat(authFilePath); err == nil && globalPullSecretKey != nil {
 logger.Info("using available authentication information for pulling image")
diff --git a/catalogd/config/components/ca/patches/manager_deployment_cacerts.yaml b/catalogd/config/components/ca/patches/manager_deployment_cacerts.yaml
index b5b03633e..cd92530ec 100644
--- a/catalogd/config/components/ca/patches/manager_deployment_cacerts.yaml
+++ b/catalogd/config/components/ca/patches/manager_deployment_cacerts.yaml
@@ -6,4 +6,4 @@
 value: {"name":"olmv1-certificate", "readOnly": true, "mountPath":"/var/ca-certs/"}
 - op: add
 path: /spec/template/spec/containers/0/args/-
- value: "--ca-certs-dir=/var/ca-certs"
+ value: "--pull-certs-dir=/var/ca-certs"
diff --git a/cmd/operator-controller/main.go b/cmd/operator-controller/main.go
index 6ce04026c..d2c8a3f83 100644
--- a/cmd/operator-controller/main.go
+++ b/cmd/operator-controller/main.go
@@ -102,11 +102,15 @@ func main() {
 operatorControllerVersion bool
 systemNamespace string
 caCertDir string
+ catalogdCertDir string
+ pullCertDir string
 globalPullSecret string
 )
 flag.StringVar(&metricsAddr, "metrics-bind-address", "", "The address for the metrics endpoint. Requires tls-cert and tls-key. (Default: ':8443')")
 flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
- flag.StringVar(&caCertDir, "ca-certs-dir", "", "The directory of TLS certificate to use for verifying HTTPS connections to the Catalogd and docker-registry web servers.")
+ flag.StringVar(&caCertDir, "ca-certs-dir", "", "The directory of TLS certificates to use for verifying HTTPS connections to the Catalogd and docker-registry web servers (deprecated).")
+ flag.StringVar(&catalogdCertDir, "catalogd-certs-dir", "", "The directory of TLS certificates to use for verifying HTTPS connections to the Catalogd web service.")
+ flag.StringVar(&pullCertDir, "pull-certs-dir", "", "The directory of TLS certificates to use for verifying HTTPS connections to image registries.")
 flag.StringVar(&certFile, "tls-cert", "", "The certificate file used for the metrics server. Required to enable the metrics server. Requires tls-key.")
 flag.StringVar(&keyFile, "tls-key", "", "The key file used for the metrics server. Required to enable the metrics server. Requires tls-cert")
 flag.BoolVar(&enableLeaderElection, "leader-elect", false,
@@ -128,6 +132,19 @@ func main() {
 os.Exit(0)
 }
+ // if the old flag is specified, but neither of the new flags
+ // use the old flag
+ if caCertDir != "" {
+ if catalogdCertDir == "" && pullCertDir == "" {
+ catalogdCertDir = caCertDir
+ pullCertDir = caCertDir
+ setupLog.Info("using deprecated --ca-certs-dir flag as --catalogd-certs-dir or --pull-certs-dir flags are not specified")
+ } else {
+ setupLog.Info("deprecated --ca-certs-dir flag ignored due to use of --catalogd-certs-dir or --pull-certs-dir flags")
+ }
+
+ }
+
 if (certFile != "" && keyFile == "") || (certFile == "" && keyFile != "") {
 setupLog.Error(nil, "unable to configure TLS certificates: tls-cert and tls-key flags must be used together")
 os.Exit(1)
@@ -283,7 +300,7 @@ func main() {
 os.Exit(1)
 }
- certPoolWatcher, err := httputil.NewCertPoolWatcher(caCertDir, ctrl.Log.WithName("cert-pool"))
+ certPoolWatcher, err := httputil.NewCertPoolWatcher(catalogdCertDir, ctrl.Log.WithName("cert-pool"))
 if err != nil {
 setupLog.Error(err, "unable to create CA certificate pool")
 os.Exit(1)
@@ -301,8 +318,8 @@ func main() {
 BaseCachePath: filepath.Join(cachePath, "unpack"),
 SourceContextFunc: func(logger logr.Logger) (*types.SystemContext, error) {
 srcContext := &types.SystemContext{
- DockerCertPath: caCertDir,
- OCICertPath: caCertDir,
+ DockerCertPath: pullCertDir,
+ OCICertPath: pullCertDir,
 }
 if _, err := os.Stat(authFilePath); err == nil && globalPullSecretKey != nil {
 logger.Info("using available authentication information for pulling image")
diff --git a/config/components/tls/patches/manager_deployment_cert.yaml b/config/components/tls/patches/manager_deployment_cert.yaml
index 18afac59d..762852701 100644
--- a/config/components/tls/patches/manager_deployment_cert.yaml
+++ b/config/components/tls/patches/manager_deployment_cert.yaml
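Review bot: The fallback in the `@@ -128,6 +132,19 @@` hunk is all-or-nothing, so a deployment that has migrated only one flag (say `--pull-certs-dir` set, catalogd still relying on `--ca-certs-dir`) ends up with `catalogdCertDir == ""`, and the `NewCertPoolWatcher(catalogdCertDir, ...)` call in the `@@ -283,7 +300,7 @@` hunk then receives no CA directory at all for the catalogd connection; the commit's comment says this is intentional, but it silently removes a trust anchor that the old configuration supplied, and what the watcher does with an empty path is not visible here. Falling back per connection keeps partially migrated configurations verifying with the CA they had before, and still logs clearly when the deprecated value is unused. Separately, the blank line before the outer closing brace (`+ }` preceded by `+`) is a stray gofmt-tolerated gap worth dropping. main starts and ends outside this hunk.
```go
// Fall back to the deprecated --ca-certs-dir independently for each
// connection that has no dedicated certificate directory configured.
if caCertDir != "" {
	used := false
	if catalogdCertDir == "" {
		catalogdCertDir = caCertDir
		used = true
		setupLog.Info("using deprecated --ca-certs-dir flag for catalogd connections as --catalogd-certs-dir is not specified")
	}
	if pullCertDir == "" {
		pullCertDir = caCertDir
		used = true
		setupLog.Info("using deprecated --ca-certs-dir flag for image registry connections as --pull-certs-dir is not specified")
	}
	if !used {
		setupLog.Info("deprecated --ca-certs-dir flag ignored due to use of --catalogd-certs-dir and --pull-certs-dir flags")
	}
}
// … unchanged: tls-cert/tls-key consistency check …
```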
@@ -6,7 +6,10 @@
 value: {"name":"olmv1-certificate", "readOnly": true, "mountPath":"/var/certs/"}
 - op: add
 path: /spec/template/spec/containers/0/args/-
- value: "--ca-certs-dir=/var/certs"
+ value: "--catalogd-certs-dir=/var/certs"
+- op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: "--pull-certs-dir=/var/certs"
 - op: add
 path: /spec/template/spec/containers/0/args/-
 value: "--tls-cert=/var/certs/tls.cert"
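Review bot: The new `--pull-certs-dir=/var/certs` argument points the image-pull certificate directory at the same mount that holds the serving certificate (`--tls-cert=/var/certs/tls.cert` on the last context line). That directory is consumed as `DockerCertPath` in the `@@ -301,8 +318,8 @@` hunk, and the documented convention for that field is that `*.crt` files are CAs while a `*.cert` file with a matching `*.key` is loaded as a client certificate, so if `tls.key` is mounted alongside `tls.cert` (not visible here, but implied by the `--tls-key` flag) the controller's serving keypair would be presented as a client certificate to every image registry it pulls from. This predates the commit, since `--ca-certs-dir` pointed at the same path, but splitting the flags is the natural moment to fix it: give `--pull-certs-dir` a CA-only directory, the way catalogd's patch uses a dedicated `/var/ca-certs` mount, e.g. `value: "--pull-certs-dir=/var/ca-certs"` together with a matching volume mount for the CA bundle alone. Whether `--catalogd-certs-dir` has the same exposure depends on what `NewCertPoolWatcher` reads from the directory, which this diff does not show.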