Reorganize TLS changes

Author: trgeiger

cmd/manager/main.go

@@ -17,15 +17,11 @@ limitations under the License.
 package main
 
 import (
-	"crypto/tls"
 	"crypto/x509"
 	"flag"
 	"fmt"
-	"log"
-	"net/http"
 	"net/url"
 	"os"
-	"time"
 
 	"github.com/spf13/pflag"
 	"go.uber.org/zap/zapcore"
@@ -48,6 +44,7 @@ import (
 	catalogclient "github.com/operator-framework/operator-controller/internal/catalogmetadata/client"
 	"github.com/operator-framework/operator-controller/internal/controllers"
 	"github.com/operator-framework/operator-controller/internal/handler"
+	"github.com/operator-framework/operator-controller/internal/httputil"
 	"github.com/operator-framework/operator-controller/internal/labels"
 	"github.com/operator-framework/operator-controller/internal/version"
 	"github.com/operator-framework/operator-controller/pkg/features"
@@ -82,11 +79,11 @@ func main() {
 		systemNamespace             string
 		unpackImage                 string
 		provisionerStorageDirectory string
-		tlsCert                     string
+		caCert                      string
 	)
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
-	flag.StringVar(&tlsCert, "tls-cert", "", "The TLS certificate to use for verifying HTTPS connections to the Catalogd web server.")
+	flag.StringVar(&caCert, "ca-cert", "", "The TLS certificate to use for verifying HTTPS connections to the Catalogd web server.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
@@ -156,23 +153,9 @@ func main() {
 		os.Exit(1)
 	}
 
-	httpClient := &http.Client{Timeout: 10 * time.Second}
-
-	if tlsCert != "" {
-		cert, err := os.ReadFile(tlsCert)
-		if err != nil {
-			log.Fatalf("Failed to read certificate file: %v", err)
-		}
-		caCertPool := x509.NewCertPool()
-		caCertPool.AppendCertsFromPEM(cert)
-		tlsConfig := &tls.Config{
-			RootCAs:    caCertPool,
-			MinVersion: tls.VersionTLS12,
-		}
-		tlsTransport := &http.Transport{
-			TLSClientConfig: tlsConfig,
-		}
-		httpClient.Transport = tlsTransport
+	httpClient, err := httputil.BuildHTTPClient(caCert)
+	if err != nil {
+		setupLog.Error(err, "unable to create catalogd http client")
 	}
 
 	cl := mgr.GetClient()

config/base/default/kustomization.yaml config/base/kustomization.yamlconfig/base/default/kustomization.yaml renamed to config/base/kustomization.yaml

@@ -15,9 +15,9 @@ namePrefix: operator-controller-
 #    someName: someValue
 
 resources:
-- ../crd
-- ../rbac
-- ../manager
+- crd
+- rbac
+- manager
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
 #- ../webhook

config/base/manager/manager.yaml

@@ -114,6 +114,6 @@ spec:
       terminationGracePeriodSeconds: 10
       volumes:
         - name: cache
-          emptyDir: {} 
+          emptyDir: {}
         - name: bundle-cache
           emptyDir: {}

config/overlays/tls/kustomization.yaml

@@ -6,15 +6,12 @@ namespace: operator-controller-system
 # "wordpress" becomes "alices-wordpress".
 # Note that it should also match with the prefix (text before '-') of the namespace
 # field above.
-namePrefix: operator-controller-
 
 # the following config is for teaching kustomize how to do var substitution
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../base/crd
-- ../../base/rbac
-- ../../base/manager
+- ../../base
 
 patches:
 - target:

config/overlays/tls/patches/manager_deployment_cert.yaml

@@ -6,4 +6,4 @@
   value: {"name":"ca-certificate", "readOnly": true, "mountPath":"/var/certs"}
 - op: add
   path: /spec/template/spec/containers/0/args/-
-  value: "--tls-cert=/var/certs/tls.crt"
+  value: "--ca-cert=/var/certs/tls.crt"

internal/httputil/httputil.go

@@ -0,0 +1,34 @@
+package httputil
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"net/http"
+	"os"
+	"time"
+)
+
+func BuildHTTPClient(caCert string) (*http.Client, error) {
+	httpClient := &http.Client{Timeout: 10 * time.Second}
+
+	if caCert != "" {
+		// tlsFileWatcher, err := certwatcher.New(caCert, "")
+
+		cert, err := os.ReadFile(caCert)
+		if err != nil {
+			return nil, err
+		}
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(cert)
+		tlsConfig := &tls.Config{
+			RootCAs:    caCertPool,
+			MinVersion: tls.VersionTLS12,
+		}
+		tlsTransport := &http.Transport{
+			TLSClientConfig: tlsConfig,
+		}
+		httpClient.Transport = tlsTransport
+	}
+
+	return httpClient, nil
+}