-
Notifications
You must be signed in to change notification settings - Fork 34
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
⚠️ Serve catalog over HTTPS #263
Conversation
adds cert-manager as a dependency again to create self-signed certs for the catalog server Signed-off-by: everettraven <[email protected]>
Signed-off-by: everettraven <[email protected]>
This allows the use of alternate certificate managers. Signed-off-by: Tayler Geiger <[email protected]>
30449a5
to
5428233
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main operator-framework/catalogd#263 +/- ##
=======================================
Coverage 48.84% 48.84%
=======================================
Files 8 8
Lines 434 434
=======================================
Hits 212 212
Misses 201 201
Partials 21 21 ☔ View full report in Codecov by Sentry. |
c20a488
to
d42ad79
Compare
Fix a few manifest issues as well. Signed-off-by: Tayler Geiger <[email protected]>
81314f6
to
02e3232
Compare
- apiGroups: | ||
- "" | ||
resources: | ||
- pods |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Out of scope for this PR, but seeing this I don't think we need these permissions on pods anymore. we don't use a pod to unpack the catalog contents anymore and probably forgot to come back and cleanup these permissions. I'll create an issue for this.
904d3d7
to
04cc7c0
Compare
internal/serverutil/serverutil.go
Outdated
"sigs.k8s.io/controller-runtime/pkg/certwatcher" | ||
) | ||
|
||
func ConfigureListener(cert string, key string, addr string, catalogAddr string, mgr ctrl.Manager) (net.Listener, string, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As I mentioned in Slack, I didn't realize how complex the signature for this function would be when I suggested it. At this point, it seems like we might as well go one step further and setup the entire server as part of this function.
I think just adding the storeDir
would give us all the info we need to do that?
Also some nit suggestions on naming and order of parameters.
- Put the manager parameter first. That aligns with other functions that configure/add stuff to the manager.
- Group
storeDir
andexternalAddr
together, since they are used to build the storage struct. - Use
certFile
andkeyFile
(instead ofcert
andkey
to make it more clear that they are the filenames of the cert and key, not the cert and key themselves) - Group listenAddr, certFile, and keyFile together since they are used to build the listener
Putting all that together, WDYT of this?
func AddCatalogServerToManager(mgr ctrl.Manager, storeDir, externalAddr, listenAddr, certFile, keyFile string) error
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we are concerned about the size of the function signature, it can probably be reduced to something like:
type CatalogServerConfig struct {
...
}
func AddCatalogServerToManager(mgr ctrl.Manager, cfg CatalogServerConfig) (net.Listener, string, error) {
...
}
7577dc3
to
fa4bb3c
Compare
- Add error for missing either tls-key or tls-cert arguments. - Move server creation and configuration to serverutil Signed-off-by: Tayler Geiger <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM - thanks @trgeiger . I'll hold merging for a bit to allow @joelanford to take another pass
Thanks, Bryce. Should we adjust anything in the readme's quickstart instructions or anywhere else in docs? |
Ah, great question (and good catch). We should probably update the quickstart instructions for port-forwarding and the |
How should we handle changing the instructions, given that HTTP is still supported if no TLS keys are provided, and the cert-manager is now an overlay. Do we just add that information as caveats to the instructions? Should I detail pulling down the cert and providing it to curl? etc. |
I'm not too familiar with how the overlays work, but IIUC the default deployment (i.e what is released) is going to be including the cert-manager resources and enable TLS (please correct me if I am wrong). If that is the default I would document whatever the default is. I would not document pulling down the cert and providing it to curl and instead document with |
I made a couple small edits to README.md and https://github.com/operator-framework/catalogd/blob/main/docs/fetching-catalog-contents.md, let me know what you think |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A couple nits on the docs edits but I won't hold this PR on those. Great work @trgeiger !
Those were quick fixes, just made em so no need to hold off for another issue/pr for those. |
This adds the ability to use HTTPS on the catalog server.
If the TLS cert and key filenames are provided via the relevant flags, then the server will be set to use HTTPS. If neither or only one of those options are provided, the server will use HTTP.
This also changes the http-external-address flag to just external-address, with the user no longer prepending the address with http or https.
This PR also includes an overhaul of the organization of the manifests. Following the example of rukpak, cert-manager is used in the Makefile build targets so HTTPS is enabled in kind, but cert-manager is not a required dependency of catalogd. Instead, it's applied as an overlay which we target in the Makefile.