diff --git a/catalogd/cmd/catalogd/main.go b/catalogd/cmd/catalogd/main.go index 91d82bedd..35854aeae 100644 --- a/catalogd/cmd/catalogd/main.go +++ b/catalogd/cmd/catalogd/main.go @@ -63,7 +63,6 @@ import ( "github.com/operator-framework/operator-controller/catalogd/internal/storage" "github.com/operator-framework/operator-controller/catalogd/internal/version" "github.com/operator-framework/operator-controller/catalogd/internal/webhook" - "github.com/operator-framework/operator-controller/internal/util" ) var ( @@ -98,7 +97,7 @@ func main() { certFile string keyFile string webhookPort int - pullCasDir string + caCertDir string globalPullSecret string ) flag.StringVar(&metricsAddr, "metrics-bind-address", "", "The address for the metrics endpoint. Requires tls-cert and tls-key. (Default: ':7443')") @@ -116,7 +115,7 @@ func main() { flag.StringVar(&certFile, "tls-cert", "", "The certificate file used for serving catalog and metrics. Required to enable the metrics server. Requires tls-key.") flag.StringVar(&keyFile, "tls-key", "", "The key file used for serving catalog contents and metrics. Required to enable the metrics server. Requires tls-cert.") flag.IntVar(&webhookPort, "webhook-server-port", 9443, "The port that the mutating webhook server serves at.") - flag.StringVar(&pullCasDir, "pull-cas-dir", "", "The directory of TLS certificate authoritiess to use for verifying HTTPS connections to image registries.") + flag.StringVar(&caCertDir, "ca-certs-dir", "", "The directory of CA certificate to use for verifying HTTPS connections to image registries.") flag.StringVar(&globalPullSecret, "global-pull-secret", "", "The / of the global pull secret that is going to be used to pull bundle images.") klog.InitFlags(flag.CommandLine) 
@@ -258,8 +257,8 @@ func main() { systemNamespace = podNamespace() } - if err := util.EnsureEmptyDirectory(cacheDir, 0700); err != nil { - setupLog.Error(err, "unable to ensure empty cache directory") + if err := os.MkdirAll(cacheDir, 0700); err != nil { + setupLog.Error(err, "unable to create cache directory") os.Exit(1) } @@ -272,8 +271,8 @@ func main() { BaseCachePath: unpackCacheBasePath, SourceContextFunc: func(logger logr.Logger) (*types.SystemContext, error) { srcContext := &types.SystemContext{ - DockerCertPath: pullCasDir, - OCICertPath: pullCasDir, + DockerCertPath: caCertDir, + OCICertPath: caCertDir, } if _, err := os.Stat(authFilePath); err == nil && globalPullSecretKey != nil { logger.Info("using available authentication information for pulling image") diff --git a/catalogd/config/components/ca/patches/manager_deployment_cacerts.yaml b/catalogd/config/components/ca/patches/manager_deployment_cacerts.yaml index 6b0816706..b5b03633e 100644 --- a/catalogd/config/components/ca/patches/manager_deployment_cacerts.yaml +++ b/catalogd/config/components/ca/patches/manager_deployment_cacerts.yaml @@ -6,4 +6,4 @@ value: {"name":"olmv1-certificate", "readOnly": true, "mountPath":"/var/ca-certs/"} - op: add path: /spec/template/spec/containers/0/args/- - value: "--pull-cas-dir=/var/ca-certs" + value: "--ca-certs-dir=/var/ca-certs" diff --git a/catalogd/internal/source/containers_image.go b/catalogd/internal/source/containers_image.go index d67221efc..c00db5c0f 100644 --- a/catalogd/internal/source/containers_image.go +++ b/catalogd/internal/source/containers_image.go @@ -29,8 +29,6 @@ import ( "sigs.k8s.io/controller-runtime/pkg/reconcile" catalogdv1 "github.com/operator-framework/operator-controller/catalogd/api/v1" - "github.com/operator-framework/operator-controller/internal/rukpak/source" - "github.com/operator-framework/operator-controller/internal/util" ) const ConfigDirLabel = "operators.operatorframework.io.index.configs.v1" 
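Review bot: Replacing `util.EnsureEmptyDirectory(cacheDir, 0700)` with `os.MkdirAll` means catalogd no longer discards whatever the previous process left in the cache directory, so an unpack directory abandoned mid-write by a crash (OOM kill, SIGKILL) survives a restart and is later reported as `image already unpacked` by the stat check that now gates `Unpack`. If persisting the cache across restarts is intended, the code needs its own completeness signal — e.g. unpack into a temporary sibling and `os.Rename` it into `unpackPath` only after `setReadOnlyRecursive` succeeds — rather than treating directory existence as proof of a complete unpack. `MkdirAll` also applies `0700` only when it creates the directory; a pre-existing directory with wider permissions is accepted unchanged, which an explicit `os.Chmod(cacheDir, 0700)` after the `MkdirAll` would close. `main` starts and ends outside the hunk.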
@@ -72,11 +70,12 @@ func (i *ContainersImageRegistry) Unpack(ctx context.Context, catalog *catalogdv // ////////////////////////////////////////////////////// unpackPath := i.unpackPath(catalog.Name, canonicalRef.Digest()) - if isUnpacked, unpackTime, err := source.IsImageUnpacked(unpackPath); isUnpacked && err == nil { + if unpackStat, err := os.Stat(unpackPath); err == nil { + if !unpackStat.IsDir() { + panic(fmt.Sprintf("unexpected file at unpack path %q: expected a directory", unpackPath)) + } l.Info("image already unpacked", "ref", imgRef.String(), "digest", canonicalRef.Digest().String()) - return successResult(unpackPath, canonicalRef, unpackTime), nil - } else if err != nil { - return nil, fmt.Errorf("error checking image already unpacked: %w", err) + return successResult(unpackPath, canonicalRef, unpackStat.ModTime()), nil } ////////////////////////////////////////////////////// @@ -149,7 +148,7 @@ func (i *ContainersImageRegistry) Unpack(ctx context.Context, catalog *catalogdv // ////////////////////////////////////////////////////// if err := i.unpackImage(ctx, unpackPath, layoutRef, specIsCanonical, srcCtx); err != nil { - if cleanupErr := source.DeleteReadOnlyRecursive(unpackPath); cleanupErr != nil { + if cleanupErr := deleteRecursive(unpackPath); cleanupErr != nil { err = errors.Join(err, cleanupErr) } return nil, fmt.Errorf("error unpacking image: %w", err) @@ -190,7 +189,7 @@ func successResult(unpackPath string, canonicalRef reference.Canonical, lastUnpa } func (i *ContainersImageRegistry) Cleanup(_ context.Context, catalog *catalogdv1.ClusterCatalog) error { - if err := source.DeleteReadOnlyRecursive(i.catalogPath(catalog.Name)); err != nil { + if err := deleteRecursive(i.catalogPath(catalog.Name)); err != nil { return fmt.Errorf("error deleting catalog cache: %w", err) } return nil 
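Review bot: The new short-circuit at the top of the hunk treats any existing directory at `unpackPath` as a complete unpack, but nothing distinguishes a finished unpack from one interrupted while `unpackImage` was still applying layers (the error path cleans up with `deleteRecursive`; a crash does not). Since `setReadOnlyRecursive` runs only after every layer has been applied and its `WalkDir` visits the root first, a root mode of `0500` is a usable completeness marker: `if unpackStat.Mode().Perm() != 0500 { /* incomplete: deleteRecursive(unpackPath) and fall through to re-unpack */ }` before returning the cached result. The `panic` on a non-directory also drops the self-healing that `IsImageUnpacked` provided (it removed the stray file): a regular file at `unpackPath` now panics on every reconcile of that catalog until someone fixes the filesystem by hand, so returning a wrapped error (and removing or renaming the file) seems preferable in a controller. `Unpack` continues outside the hunk.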
@@ -289,8 +288,8 @@ func (i *ContainersImageRegistry) unpackImage(ctx context.Context, unpackPath st return wrapTerminal(fmt.Errorf("catalog image is missing the required label %q", ConfigDirLabel), specIsCanonical) } - if err := util.EnsureEmptyDirectory(unpackPath, 0700); err != nil { - return fmt.Errorf("error ensuring empty unpack directory: %w", err) + if err := os.MkdirAll(unpackPath, 0700); err != nil { + return fmt.Errorf("error creating unpack directory: %w", err) } l := log.FromContext(ctx) l.Info("unpacking image", "path", unpackPath) @@ -308,10 +307,10 @@ func (i *ContainersImageRegistry) unpackImage(ctx context.Context, unpackPath st l.Info("applied layer", "layer", i) return nil }(); err != nil { - return errors.Join(err, source.DeleteReadOnlyRecursive(unpackPath)) + return errors.Join(err, deleteRecursive(unpackPath)) } } - if err := source.SetReadOnlyRecursive(unpackPath); err != nil { + if err := setReadOnlyRecursive(unpackPath); err != nil { return fmt.Errorf("error making unpack directory read-only: %w", err) } return nil 
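Review bot: `os.MkdirAll(unpackPath, 0700)` silently accepts a pre-populated directory and the layers are then applied on top of whatever is already there, which is only safe because the caller now returns early whenever `unpackPath` exists; that coupling is invisible here and deserves a comment, e.g. `// unpackPath must not exist yet: Unpack short-circuits on an existing directory, so a fresh image is never merged into stale content`. If the early return in `Unpack` is ever relaxed (for example to re-unpack a partial directory), this line must go back to emptying the directory first. `unpackImage` starts before and ends after the hunk.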
@@ -355,13 +354,69 @@ func (i *ContainersImageRegistry) deleteOtherImages(catalogName string, digestTo continue } imgDirPath := filepath.Join(catalogPath, imgDir.Name()) - if err := source.DeleteReadOnlyRecursive(imgDirPath); err != nil { + if err := deleteRecursive(imgDirPath); err != nil { return fmt.Errorf("error removing image directory: %w", err) } } return nil } +func setReadOnlyRecursive(root string) error { + if err := filepath.WalkDir(root, func(path string, d os.DirEntry, err error) error { + if err != nil { + return err + } + + fi, err := d.Info() + if err != nil { + return err + } + + if err := func() error { + switch typ := fi.Mode().Type(); typ { + case os.ModeSymlink: + // do not follow symlinks + // 1. if they resolve to other locations in the root, we'll find them anyway + // 2. if they resolve to other locations outside the root, we don't want to change their permissions + return nil + case os.ModeDir: + return os.Chmod(path, 0500) + case 0: // regular file + return os.Chmod(path, 0400) + default: + return fmt.Errorf("refusing to change ownership of file %q with type %v", path, typ.String()) + } + }(); err != nil { + return err + } + return nil + }); err != nil { + return fmt.Errorf("error making catalog cache read-only: %w", err) + } + return nil +} + +func deleteRecursive(root string) error { + if err := filepath.WalkDir(root, func(path string, d os.DirEntry, err error) error { + if os.IsNotExist(err) { + return nil + } + if err != nil { + return err + } + if !d.IsDir() { + return nil + } + if err := os.Chmod(path, 0700); err != nil { + return err + } + return nil + }); err != nil { + return fmt.Errorf("error making catalog cache writable for deletion: %w", err) + } + return os.RemoveAll(root) +} + func wrapTerminal(err error, isTerminal bool) error { if !isTerminal { return err diff --git a/cmd/operator-controller/main.go b/cmd/operator-controller/main.go index a1f1bc68d..b7b8551a4 100644 --- a/cmd/operator-controller/main.go 
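Review bot: `setReadOnlyRecursive` and `deleteRecursive` are byte-for-byte copies of the helpers this commit deletes from `internal/rukpak/source/util.go` and re-adds, again identically, in `internal/rukpak/source/containers_image.go`; the only difference is the "catalog cache"/"bundle cache" wording in the wrapping error. Two private copies of permission-manipulating filesystem code tend to drift — a future fix to the symlink handling in one will not reach the other — so keeping a single shared helper that takes the error prefix as a parameter would be safer. Minor: the `default` branch says `refusing to change ownership` while the function only ever calls `os.Chmod`, so `refusing to change permissions of file %q with type %v` describes what is actually refused; and `fi, err := d.Info()` costs an extra `lstat` per entry when `d.Type()` already yields the same type bits.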
+++ b/cmd/operator-controller/main.go @@ -68,7 +68,6 @@ import ( "github.com/operator-framework/operator-controller/internal/rukpak/preflights/crdupgradesafety" "github.com/operator-framework/operator-controller/internal/rukpak/source" "github.com/operator-framework/operator-controller/internal/scheme" - "github.com/operator-framework/operator-controller/internal/util" "github.com/operator-framework/operator-controller/internal/version" ) @@ -102,14 +101,12 @@ func main() { cachePath string operatorControllerVersion bool systemNamespace string - catalogdCasDir string - pullCasDir string + caCertDir string globalPullSecret string ) flag.StringVar(&metricsAddr, "metrics-bind-address", "", "The address for the metrics endpoint. Requires tls-cert and tls-key. (Default: ':8443')") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") - flag.StringVar(&catalogdCasDir, "catalogd-cas-dir", "", "The directory of TLS certificate authorities to use for verifying HTTPS connections to the Catalogd web service.") - flag.StringVar(&pullCasDir, "pull-cas-dir", "", "The directory of TLS certificate authorities to use for verifying HTTPS connections to image registries.") + flag.StringVar(&caCertDir, "ca-certs-dir", "", "The directory of TLS certificate to use for verifying HTTPS connections to the Catalogd and docker-registry web servers.") flag.StringVar(&certFile, "tls-cert", "", "The certificate file used for the metrics server. Required to enable the metrics server. Requires tls-key.") flag.StringVar(&keyFile, "tls-key", "", "The key file used for the metrics server. Required to enable the metrics server. Requires tls-cert") flag.BoolVar(&enableLeaderElection, "leader-elect", false, 
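Review bot: Dropping the `catalogd-cas-dir` and `pull-cas-dir` flags without an alias makes any existing operator-controller invocation that still passes them fail at `flag.Parse` (the standard `flag` package rejects unknown flags), which turns manifest drift into a crash-looping pod. If that is acceptable it belongs in the release notes; otherwise binding the old names to the same variable with a deprecation notice keeps old manifests working: `flag.StringVar(&caCertDir, "catalogd-cas-dir", "", "Deprecated: use --ca-certs-dir.")` and likewise for `pull-cas-dir`. The help text for the new flag reads `The directory of TLS certificate to use`; it should say `CA certificates`, and since the one directory now serves both as the trust store for the catalogd client and as containers/image's `DockerCertPath`/`OCICertPath`, the text should say so explicitly. `main` starts before and ends after the hunk.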
@@ -286,7 +283,7 @@ func main() { os.Exit(1) } - certPoolWatcher, err := httputil.NewCertPoolWatcher(catalogdCasDir, ctrl.Log.WithName("cert-pool")) + certPoolWatcher, err := httputil.NewCertPoolWatcher(caCertDir, ctrl.Log.WithName("cert-pool")) if err != nil { setupLog.Error(err, "unable to create CA certificate pool") os.Exit(1) @@ -300,17 +297,12 @@ func main() { } } - if err := util.EnsureEmptyDirectory(cachePath, 0700); err != nil { - setupLog.Error(err, "unable to ensure empty cache directory") - os.Exit(1) - } - unpacker := &source.ContainersImageRegistry{ BaseCachePath: filepath.Join(cachePath, "unpack"), SourceContextFunc: func(logger logr.Logger) (*types.SystemContext, error) { srcContext := &types.SystemContext{ - DockerCertPath: pullCasDir, - OCICertPath: pullCasDir, + DockerCertPath: caCertDir, + OCICertPath: caCertDir, } if _, err := os.Stat(authFilePath); err == nil && globalPullSecretKey != nil { logger.Info("using available authentication information for pulling image") @@ -369,7 +361,7 @@ func main() { crdupgradesafety.NewPreflight(aeClient.CustomResourceDefinitions()), } - helmApplier := &applier.Helm{ + applier := &applier.Helm{ ActionClientGetter: acg, Preflights: preflights, } @@ -389,7 +381,7 @@ func main() { Client: cl, Resolver: resolver, Unpacker: unpacker, - Applier: helmApplier, + Applier: applier, InstalledBundleGetter: &controllers.DefaultInstalledBundleGetter{ActionClientGetter: acg}, Finalizers: clusterExtensionFinalizers, Manager: cm, diff --git a/config/components/tls/patches/manager_deployment_cert.yaml b/config/components/tls/patches/manager_deployment_cert.yaml index 8fbdb5592..18afac59d 100644 --- a/config/components/tls/patches/manager_deployment_cert.yaml +++ b/config/components/tls/patches/manager_deployment_cert.yaml 
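Review bot: `applier := &applier.Helm{` compiles (the package identifier on the right-hand side is resolved before the new variable enters scope) but it shadows the imported `applier` package for the rest of `main`, so any later `applier.Something` in this function silently binds to the `*applier.Helm` value instead of the package, and it reverts what looks like a deliberate earlier rename. Keeping the distinct name avoids the trap: `helmApplier := &applier.Helm{` and `Applier: helmApplier,`. Separately, `NewCertPoolWatcher(caCertDir, …)` is now reached with `caCertDir == ""` when `--ca-certs-dir` is omitted, and the `certpoolwatcher.go` hunk below no longer filters empty paths before `watcher.Add`, so it is worth confirming what fsnotify does with an empty path (it may well watch the working directory rather than fail) and either defaulting the flag or erroring out early. `main` starts before and ends after the hunk.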
@@ -6,10 +6,7 @@ value: {"name":"olmv1-certificate", "readOnly": true, "mountPath":"/var/certs/"} - op: add path: /spec/template/spec/containers/0/args/- - value: "--catalogd-cas-dir=/var/certs" -- op: add - path: /spec/template/spec/containers/0/args/- - value: "--pull-cas-dir=/var/certs" + value: "--ca-certs-dir=/var/certs" - op: add path: /spec/template/spec/containers/0/args/- value: "--tls-cert=/var/certs/tls.cert" diff --git a/internal/httputil/certpoolwatcher.go b/internal/httputil/certpoolwatcher.go index 0cce70312..2a250d069 100644 --- a/internal/httputil/certpoolwatcher.go +++ b/internal/httputil/certpoolwatcher.go @@ -4,8 +4,6 @@ import ( "crypto/x509" "fmt" "os" - "slices" - "strings" "sync" "time" @@ -46,26 +44,8 @@ func NewCertPoolWatcher(caDir string, log logr.Logger) (*CertPoolWatcher, error) if err != nil { return nil, err } - - // If the SSL_CERT_DIR or SSL_CERT_FILE environment variables are - // specified, this means that we have some control over the system root - // location, thus they may change, thus we should watch those locations. - watchPaths := strings.Split(os.Getenv("SSL_CERT_DIR"), ":") - watchPaths = append(watchPaths, caDir, os.Getenv("SSL_CERT_FILE")) - watchPaths = slices.DeleteFunc(watchPaths, func(p string) bool { - if p == "" { - return true - } - if _, err := os.Stat(p); err != nil { - return true - } - return false - }) - - for _, p := range watchPaths { - if err := watcher.Add(p); err != nil { - return nil, err - } + if err = watcher.Add(caDir); err != nil { + return nil, err } cpw := &CertPoolWatcher{ diff --git a/internal/httputil/certpoolwatcher_test.go b/internal/httputil/certpoolwatcher_test.go index 2ea3f862a..bfebebd28 100644 --- a/internal/httputil/certpoolwatcher_test.go +++ b/internal/httputil/certpoolwatcher_test.go 
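Review bot: In the tls patch, `--ca-certs-dir=/var/certs` points containers/image's `DockerCertPath`/`OCICertPath` at the same mount that holds the serving `tls.cert` and `tls.key` (see the `--tls-cert=/var/certs/tls.cert` argument that follows). If containers/image's `tlsclientconfig.SetupCertificates` still behaves as I recall, it loads `*.crt` files in that directory as extra roots but treats a `<name>.cert`/`<name>.key` pair as a client certificate and presents it to any registry that requests client auth — so the metrics/catalog serving key doubles as a registry client credential, and a `.key` without its `.cert` twin is a hard error. The old `--pull-cas-dir=/var/certs` had the same problem, but the rename is the moment to point the flag at a dedicated, CA-only mount and keep the serving key out of the registry TLS configuration. The same directory also feeds `httputil.NewCertPoolWatcher`, which after the change below calls `watcher.Add(caDir)` unconditionally, so an unset flag reaches fsnotify as `""`.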
@@ -72,10 +72,6 @@ func TestCertPoolWatcher(t *testing.T) { t.Logf("Create cert file at %q\n", certName) createCert(t, certName) - // Update environment variables for the watcher - some of these should not exist - os.Setenv("SSL_CERT_DIR", tmpDir+":/tmp/does-not-exist.dir") - os.Setenv("SSL_CERT_FILE", "/tmp/does-not-exist.file") - // Create the cert pool watcher cpw, err := httputil.NewCertPoolWatcher(tmpDir, log.FromContext(context.Background())) require.NoError(t, err) diff --git a/internal/rukpak/source/containers_image.go b/internal/rukpak/source/containers_image.go index 12a822a2b..22f072da2 100644 --- a/internal/rukpak/source/containers_image.go +++ b/internal/rukpak/source/containers_image.go @@ -23,8 +23,6 @@ import ( "github.com/opencontainers/go-digest" "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/reconcile" - - "github.com/operator-framework/operator-controller/internal/util" ) type ContainersImageRegistry struct { @@ -64,11 +62,12 @@ func (i *ContainersImageRegistry) Unpack(ctx context.Context, bundle *BundleSour // ////////////////////////////////////////////////////// unpackPath := i.unpackPath(bundle.Name, canonicalRef.Digest()) - if isUnpacked, _, err := IsImageUnpacked(unpackPath); isUnpacked && err == nil { + if unpackStat, err := os.Stat(unpackPath); err == nil { + if !unpackStat.IsDir() { + panic(fmt.Sprintf("unexpected file at unpack path %q: expected a directory", unpackPath)) + } l.Info("image already unpacked", "ref", imgRef.String(), "digest", canonicalRef.Digest().String()) return successResult(bundle.Name, unpackPath, canonicalRef), nil - } else if err != nil { - return nil, fmt.Errorf("error checking bundle already unpacked: %w", err) } ////////////////////////////////////////////////////// 
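Review bot: Same concern as the catalogd copy of this check: `os.Stat(unpackPath) == nil` is now the entire "already unpacked" test, so a directory left half-written by a process crash inside `unpackImage` (which `deleteRecursive` cleans up only on an error return) is served as the bundle from then on, and the startup purge of the cache that used to catch this is removed in the same commit. Because `setReadOnlyRecursive` sets the root to `0500` only after every layer has been applied, a cheap guard is `if unpackStat.Mode().Perm() != 0500 { /* stale partial unpack: deleteRecursive and re-unpack */ }`. The `panic` on a non-directory replaces the old self-healing `os.Remove` and, inside a reconciler, means every reconcile of that bundle panics until the file is removed by hand; returning a wrapped error keeps the controller up and the condition visible in status. `Unpack` starts and ends outside the hunk.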
@@ -141,7 +140,7 @@ func (i *ContainersImageRegistry) Unpack(ctx context.Context, bundle *BundleSour // ////////////////////////////////////////////////////// if err := i.unpackImage(ctx, unpackPath, layoutRef, srcCtx); err != nil { - if cleanupErr := DeleteReadOnlyRecursive(unpackPath); cleanupErr != nil { + if cleanupErr := deleteRecursive(unpackPath); cleanupErr != nil { err = errors.Join(err, cleanupErr) } return nil, fmt.Errorf("error unpacking image: %w", err) @@ -169,7 +168,7 @@ func successResult(bundleName, unpackPath string, canonicalRef reference.Canonic } func (i *ContainersImageRegistry) Cleanup(_ context.Context, bundle *BundleSource) error { - return DeleteReadOnlyRecursive(i.bundlePath(bundle.Name)) + return deleteRecursive(i.bundlePath(bundle.Name)) } func (i *ContainersImageRegistry) bundlePath(bundleName string) string { @@ -252,8 +251,8 @@ func (i *ContainersImageRegistry) unpackImage(ctx context.Context, unpackPath st return fmt.Errorf("error creating image source: %w", err) } - if err := util.EnsureEmptyDirectory(unpackPath, 0700); err != nil { - return fmt.Errorf("error ensuring empty unpack directory: %w", err) + if err := os.MkdirAll(unpackPath, 0700); err != nil { + return fmt.Errorf("error creating unpack directory: %w", err) } l := log.FromContext(ctx) l.Info("unpacking image", "path", unpackPath) @@ -271,10 +270,10 @@ func (i *ContainersImageRegistry) unpackImage(ctx context.Context, unpackPath st l.Info("applied layer", "layer", i) return nil }(); err != nil { - return errors.Join(err, DeleteReadOnlyRecursive(unpackPath)) + return errors.Join(err, deleteRecursive(unpackPath)) } } - if err := SetReadOnlyRecursive(unpackPath); err != nil { + if err := setReadOnlyRecursive(unpackPath); err != nil { return fmt.Errorf("error making unpack directory read-only: %w", err) } return nil 
@@ -311,9 +310,65 @@ func (i *ContainersImageRegistry) deleteOtherImages(bundleName string, digestToK continue } imgDirPath := filepath.Join(bundlePath, imgDir.Name()) - if err := DeleteReadOnlyRecursive(imgDirPath); err != nil { + if err := deleteRecursive(imgDirPath); err != nil { return fmt.Errorf("error removing image directory: %w", err) } } return nil } + +func setReadOnlyRecursive(root string) error { + if err := filepath.WalkDir(root, func(path string, d os.DirEntry, err error) error { + if err != nil { + return err + } + + fi, err := d.Info() + if err != nil { + return err + } + + if err := func() error { + switch typ := fi.Mode().Type(); typ { + case os.ModeSymlink: + // do not follow symlinks + // 1. if they resolve to other locations in the root, we'll find them anyway + // 2. if they resolve to other locations outside the root, we don't want to change their permissions + return nil + case os.ModeDir: + return os.Chmod(path, 0500) + case 0: // regular file + return os.Chmod(path, 0400) + default: + return fmt.Errorf("refusing to change ownership of file %q with type %v", path, typ.String()) + } + }(); err != nil { + return err + } + return nil + }); err != nil { + return fmt.Errorf("error making bundle cache read-only: %w", err) + } + return nil +} + +func deleteRecursive(root string) error { + if err := filepath.WalkDir(root, func(path string, d os.DirEntry, err error) error { + if os.IsNotExist(err) { + return nil + } + if err != nil { + return err + } + if !d.IsDir() { + return nil + } + if err := os.Chmod(path, 0700); err != nil { + return err + } + return nil + }); err != nil { + return fmt.Errorf("error making bundle cache writable for deletion: %w", err) + } + return os.RemoveAll(root) +} diff --git a/internal/rukpak/source/containers_image_test.go b/internal/rukpak/source/containers_image_test.go index 29f2788c6..ea7a69832 100644 --- a/internal/rukpak/source/containers_image_test.go +++ b/internal/rukpak/source/containers_image_test.go 
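Review bot: Both new helpers are undocumented although their correctness depends on a symlink property that is easy to break on edit: `filepath.WalkDir` reports a symlink as a non-directory entry and `os.RemoveAll` removes the link rather than its target, which is why neither `deleteRecursive` nor the `os.ModeDir` branch of `setReadOnlyRecursive` can escape `root`. I would state that above each function, e.g. `// deleteRecursive makes every directory under root writable again (the unpack tree is left at 0500/0400 by setReadOnlyRecursive) and then removes root; symlinks are never followed, so entries pointing outside root are only unlinked, never chmod'd or deleted.` and `// setReadOnlyRecursive chmods directories to 0500 and regular files to 0400; symlinks are skipped and any other file type is an error.` Minor: `os.IsNotExist(err)` does not unwrap, so `errors.Is(err, fs.ErrNotExist)` is the idiomatic form, and the `default` message should say "permissions" rather than "ownership" since only `os.Chmod` is called.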
@@ -277,16 +277,7 @@ func TestUnpackUnexpectedFile(t *testing.T) { require.NoError(t, os.WriteFile(unpackPath, []byte{}, 0600)) // Attempt to pull and unpack the image - _, err := unpacker.Unpack(context.Background(), bundleSource) - require.NoError(t, err) - - // Ensure unpack path is now a directory - stat, err := os.Stat(unpackPath) - require.NoError(t, err) - require.True(t, stat.IsDir()) - - // Unset read-only to allow cleanup - require.NoError(t, source.UnsetReadOnlyRecursive(unpackPath)) + assert.Panics(t, func() { _, _ = unpacker.Unpack(context.Background(), bundleSource) }) } func TestUnpackCopySucceedsMountFails(t *testing.T) { diff --git a/internal/rukpak/source/util.go b/internal/rukpak/source/util.go deleted file mode 100644 index ca9aa9c2b..000000000 --- a/internal/rukpak/source/util.go +++ /dev/null 
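Review bot: `assert.Panics` accepts any panic, so the test no longer distinguishes the intended "unexpected file at unpack path" guard from, say, a nil-pointer panic elsewhere in `Unpack`, and it leaves the stray file in place. Pinning the message keeps the test meaningful: `assert.PanicsWithValue(t, fmt.Sprintf("unexpected file at unpack path %q: expected a directory", unpackPath), func() { _, _ = unpacker.Unpack(context.Background(), bundleSource) })`. If the guard is later changed to return an error instead of panicking (which I would recommend for a reconciler), this test should assert the error rather than the panic.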
@@ -1,86 +0,0 @@ -package source - -import ( - "errors" - "fmt" - "os" - "path/filepath" - "time" -) - -// SetReadOnlyRecursive sets directory with path given by `root` as read-only -func SetReadOnlyRecursive(root string) error { - return filepath.WalkDir(root, func(path string, d os.DirEntry, err error) error { - if err != nil { - return err - } - - fi, err := d.Info() - if err != nil { - return err - } - - if err := func() error { - switch typ := fi.Mode().Type(); typ { - case os.ModeSymlink: - // do not follow symlinks - // 1. if they resolve to other locations in the root, we'll find them anyway - // 2. if they resolve to other locations outside the root, we don't want to change their permissions - return nil - case os.ModeDir: - return os.Chmod(path, 0500) - case 0: // regular file - return os.Chmod(path, 0400) - default: - return fmt.Errorf("refusing to change ownership of file %q with type %v", path, typ.String()) - } - }(); err != nil { - return err - } - return nil - }) -} - -// UnsetReadOnlyRecursive unsets directory with path given by `root` as read-only -func UnsetReadOnlyRecursive(root string) error { - return filepath.WalkDir(root, func(path string, d os.DirEntry, err error) error { - if os.IsNotExist(err) { - return nil - } - if err != nil { - return err - } - if !d.IsDir() { - return nil - } - if err := os.Chmod(path, 0700); err != nil { - return err - } - return nil - }) -} - -// DeleteReadOnlyRecursive deletes read-only directory with path given by `root` -func DeleteReadOnlyRecursive(root string) error { - if err := UnsetReadOnlyRecursive(root); err != nil { - return fmt.Errorf("error making directory writable for deletion: %w", err) - } - return os.RemoveAll(root) -} - -// IsImageUnpacked checks whether an image has been unpacked in `unpackPath`. -// If true, time of unpack will also be returned. If false unpack time is gibberish (zero/epoch time). -// If `unpackPath` is a file, it will be deleted and false will be returned without an error. 
-func IsImageUnpacked(unpackPath string) (bool, time.Time, error) { - unpackStat, err := os.Stat(unpackPath) - if err != nil { - if errors.Is(err, os.ErrNotExist) { - return false, time.Time{}, nil - } - return false, time.Time{}, err - } - if !unpackStat.IsDir() { - return false, time.Time{}, os.Remove(unpackPath) - } - return true, unpackStat.ModTime(), nil -} diff --git a/internal/util/fs.go b/internal/util/fs.go deleted file mode 100644 index 137b0735d..000000000 --- a/internal/util/fs.go +++ /dev/null @@ -1,23 +0,0 @@ -package util - -import ( - "io/fs" - "os" - "path/filepath" -) - -// EnsureEmptyDirectory ensures the directory given by `path` is empty. -// If the directory does not exist, it will be created with permission bits -// given by `perm`. -func EnsureEmptyDirectory(path string, perm fs.FileMode) error { - entries, err := os.ReadDir(path) - if err != nil && !os.IsNotExist(err) { - return err - } - for _, entry := range entries { - if err := os.RemoveAll(filepath.Join(path, entry.Name())); err != nil { - return err - } - } - return os.MkdirAll(path, perm) -} diff --git a/openshift/catalogd/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml b/openshift/catalogd/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml index 540e545a8..2a8207da6 100644 --- a/openshift/catalogd/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml +++ b/openshift/catalogd/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml 
@@ -3,13 +3,19 @@ value: {"name":"catalogserver-certs", "secret":{"optional":false,"secretName":"catalogserver-cert"}} - op: add path: /spec/template/spec/volumes/- - value: {"name":"ca-certs", "projected": {"sources":[{"configMap":{"optional":false,"name":"trusted-ca-bundle", "items":[{"key":"ca-bundle.crt","path":"ca-bundle.crt"}]}},{"configMap":{"optional":false,"name":"openshift-service-ca.crt", "items":[{"key":"service-ca.crt","path":"service-ca.crt"}]}}]}} + value: {"name":"trusted-ca-bundle", "configMap":{"optional":false,"name":"trusted-ca-bundle", "items":[{"key":"ca-bundle.crt","path":"ca-bundle.crt"}]}} +- op: add + path: /spec/template/spec/volumes/- + value: {"name":"service-ca", "configMap":{"optional":false,"name":"openshift-service-ca.crt", "items":[{"key":"service-ca.crt","path":"service-ca.crt"}]}} - op: add path: /spec/template/spec/containers/0/volumeMounts/- value: {"name":"catalogserver-certs", "mountPath":"/var/certs"} - op: add path: /spec/template/spec/containers/0/volumeMounts/- - value: {"name":"ca-certs", "mountPath":"/var/ca-certs", "readOnly": true} + value: {"name":"trusted-ca-bundle", "mountPath":"/var/trusted-cas/ca-bundle.crt", "subPath":"ca-bundle.crt"} +- op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: {"name":"service-ca", "mountPath":"/var/trusted-cas/service-ca.crt", "subPath":"service-ca.crt"} - op: add path: /spec/template/spec/containers/0/args/- value: "--tls-cert=/var/certs/tls.crt" @@ -17,5 +23,5 @@ path: /spec/template/spec/containers/0/args/- value: "--tls-key=/var/certs/tls.key" - op: add - path: /spec/template/spec/containers/0/env - value: [{"name":"SSL_CERT_DIR", "value":"/var/ca-certs"}] + path: /spec/template/spec/containers/0/args/- + value: "--ca-certs-dir=/var/trusted-cas" 
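Review bot: Converting the two CA ConfigMaps from a projected volume to `subPath` mounts (`/var/trusted-cas/ca-bundle.crt`, `/var/trusted-cas/service-ca.crt`) disables live updates: Kubernetes documents that a container using a ConfigMap as a subPath volume mount does not receive ConfigMap updates, so both files are frozen at pod start. A rotation of the cluster proxy trust bundle or of the service CA therefore only takes effect on pod restart, with registry/catalogd TLS failures until then, even though containers/image builds its TLS config from `--ca-certs-dir` on each pull and would otherwise have picked the new roots up. A projected volume with both sources mounted at `/var/trusted-cas` (as before, only renamed) keeps the files in one directory and keeps kubelet's atomic symlink-swap updates. The new mounts also lost the `readOnly: true` the previous mount carried; ConfigMap volumes are read-only in practice, but the explicit flag documents intent.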
diff --git a/openshift/catalogd/manifests/14-deployment-openshift-catalogd-catalogd-controller-manager.yml b/openshift/catalogd/manifests/14-deployment-openshift-catalogd-catalogd-controller-manager.yml index 6d22a31a7..f2297bc3c 100644 --- a/openshift/catalogd/manifests/14-deployment-openshift-catalogd-catalogd-controller-manager.yml +++ b/openshift/catalogd/manifests/14-deployment-openshift-catalogd-catalogd-controller-manager.yml @@ -46,13 +46,11 @@ spec: - --external-address=catalogd-service.openshift-catalogd.svc - --tls-cert=/var/certs/tls.crt - --tls-key=/var/certs/tls.key + - --ca-certs-dir=/var/trusted-cas - --v=${LOG_VERBOSITY} - --global-pull-secret=openshift-config/pull-secret command: - ./catalogd - env: - - name: SSL_CERT_DIR - value: /var/ca-certs image: ${CATALOGD_IMAGE} imagePullPolicy: IfNotPresent livenessProbe: @@ -83,9 +81,12 @@ spec: name: cache - mountPath: /var/certs name: catalogserver-certs - - mountPath: /var/ca-certs - name: ca-certs - readOnly: true + - mountPath: /var/trusted-cas/ca-bundle.crt + name: trusted-ca-bundle + subPath: ca-bundle.crt + - mountPath: /var/trusted-cas/service-ca.crt + name: service-ca + subPath: service-ca.crt - mountPath: /etc/containers name: etc-containers readOnly: true @@ -120,21 +121,20 @@ spec: secret: optional: false secretName: catalogserver-cert - - name: ca-certs - projected: - sources: - - configMap: - items: - - key: ca-bundle.crt - path: ca-bundle.crt - name: catalogd-trusted-ca-bundle - optional: false - - configMap: - items: - - key: service-ca.crt - path: service-ca.crt - name: openshift-service-ca.crt - optional: false + - configMap: + items: + - key: ca-bundle.crt + path: ca-bundle.crt + name: catalogd-trusted-ca-bundle + optional: false + name: trusted-ca-bundle + - configMap: + items: + - key: service-ca.crt + path: service-ca.crt + name: openshift-service-ca.crt + optional: false + name: service-ca - hostPath: path: /etc/containers type: Directory 
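Review bot: The deployment drops `readOnly: true` from the CA mounts while converting them to `subPath` mounts, and `subPath` ConfigMap mounts are never refreshed by kubelet, so `/var/trusted-cas/ca-bundle.crt` and `service-ca.crt` keep their pod-start contents for the life of the pod even though `--ca-certs-dir=/var/trusted-cas` is now passed as if the directory were live. If this manifest is generated from the kustomize overlay, the fix belongs there (a projected volume mounted at `/var/trusted-cas` with `readOnly: true`); if it is hand-maintained, the same change applies here.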
diff --git a/openshift/operator-controller/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml b/openshift/operator-controller/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml index 874a496a6..4100ff569 100644 --- a/openshift/operator-controller/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml +++ b/openshift/operator-controller/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml @@ -3,13 +3,19 @@ value: {"name":"operator-controller-certs", "secret":{"optional":false,"secretName":"operator-controller-cert"}} - op: add path: /spec/template/spec/volumes/- - value: {"name":"ca-certs", "projected": {"sources":[{"configMap":{"optional":false,"name":"trusted-ca-bundle", "items":[{"key":"ca-bundle.crt","path":"ca-bundle.crt"}]}},{"configMap":{"optional":false,"name":"openshift-service-ca.crt", "items":[{"key":"service-ca.crt","path":"service-ca.crt"}]}}]}} + value: {"name":"trusted-ca-bundle", "configMap":{"optional":false,"name":"trusted-ca-bundle", "items":[{"key":"ca-bundle.crt","path":"ca-bundle.crt"}]}} +- op: add + path: /spec/template/spec/volumes/- + value: {"name":"service-ca", "configMap":{"optional":false,"name":"openshift-service-ca.crt", "items":[{"key":"service-ca.crt","path":"service-ca.crt"}]}} - op: add path: /spec/template/spec/containers/0/volumeMounts/- value: {"name":"operator-controller-certs", "mountPath":"/var/certs"} - op: add path: /spec/template/spec/containers/0/volumeMounts/- - value: {"name":"ca-certs", "mountPath":"/var/ca-certs", "readOnly": true} + value: {"name":"trusted-ca-bundle", "mountPath":"/var/trusted-cas/ca-bundle.crt", "subPath":"ca-bundle.crt" } +- op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: {"name":"service-ca", "mountPath":"/var/trusted-cas/service-ca.crt", "subPath":"service-ca.crt" } - op: add path: /spec/template/spec/containers/0/args/- value: "--tls-cert=/var/certs/tls.crt" 
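Review bot: For operator-controller the `subPath` mounts are worse than for catalogd, because this is the component whose `httputil.NewCertPoolWatcher` fsnotify-watches `--ca-certs-dir` precisely to pick up CA changes: a subPath ConfigMap mount is never updated by kubelet, so the watcher on `/var/trusted-cas` will never fire and the pool built at startup is used until the pod restarts, while the code reads as if rotation were handled. Restoring a projected volume mounted as a directory at `/var/trusted-cas` (with `readOnly: true`, which these mounts also lost) gives fsnotify the atomic symlink swap kubelet performs on updates and keeps both files in the one directory the flag expects.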
@@ -17,5 +23,5 @@ path: /spec/template/spec/containers/0/args/- value: "--tls-key=/var/certs/tls.key" - op: add - path: /spec/template/spec/containers/0/env - value: [{"name":"SSL_CERT_DIR", "value":"/var/ca-certs"}] + path: /spec/template/spec/containers/0/args/- + value: "--ca-certs-dir=/var/trusted-cas" diff --git a/openshift/operator-controller/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml b/openshift/operator-controller/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml index 1f407b2f9..3cb5f9ad0 100644 --- a/openshift/operator-controller/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml +++ b/openshift/operator-controller/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml @@ -45,13 +45,11 @@ spec: - --leader-elect - --tls-cert=/var/certs/tls.crt - --tls-key=/var/certs/tls.key + - --ca-certs-dir=/var/trusted-cas - --v=${LOG_VERBOSITY} - --global-pull-secret=openshift-config/pull-secret command: - /operator-controller - env: - - name: SSL_CERT_DIR - value: /var/ca-certs image: ${OPERATOR_CONTROLLER_IMAGE} imagePullPolicy: IfNotPresent livenessProbe: @@ -82,9 +80,12 @@ spec: name: cache - mountPath: /var/certs name: operator-controller-certs - - mountPath: /var/ca-certs - name: ca-certs - readOnly: true + - mountPath: /var/trusted-cas/ca-bundle.crt + name: trusted-ca-bundle + subPath: ca-bundle.crt + - mountPath: /var/trusted-cas/service-ca.crt + name: service-ca + subPath: service-ca.crt - mountPath: /etc/containers name: etc-containers readOnly: true 
@@ -119,21 +120,20 @@ spec: secret: optional: false secretName: operator-controller-cert - - name: ca-certs - projected: - sources: - - configMap: - items: - - key: ca-bundle.crt - path: ca-bundle.crt - name: operator-controller-trusted-ca-bundle - optional: false - - configMap: - items: - - key: service-ca.crt - path: service-ca.crt - name: openshift-service-ca.crt - optional: false + - configMap: + items: + - key: ca-bundle.crt + path: ca-bundle.crt + name: operator-controller-trusted-ca-bundle + optional: false + name: trusted-ca-bundle + - configMap: + items: + - key: service-ca.crt + path: service-ca.crt + name: openshift-service-ca.crt + optional: false + name: service-ca - hostPath: path: /etc/containers type: Directory