Bug 1765044: Adds proxy support to ingress operator

cmd/ingress-operator/start.go

@@ -1,12 +1,15 @@
 package main
 
 import (
+	"bytes"
 	"context"
 	"fmt"
+	"io/ioutil"
 	"os"
 
 	"github.com/ghodss/yaml"
 	"github.com/spf13/cobra"
+	"gopkg.in/fsnotify.v1"
 
 	"github.com/openshift/cluster-ingress-operator/pkg/dns"
 	awsdns "github.com/openshift/cluster-ingress-operator/pkg/dns/aws"
@@ -35,6 +38,9 @@ const (
 	// operator's namespace that will hold the credentials that the operator
 	// will use to authenticate with the cloud API.
 	cloudCredentialsSecretName = "cloud-credentials"
+	// defaultTrustedCABundle is the fully qualified path of the trusted CA bundle
+	// that is mounted from configmap openshift-ingress-operator/trusted-ca.
+	defaultTrustedCABundle = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
 )
 
 func NewStartCommand() *cobra.Command {
@@ -118,12 +124,67 @@ func start() error {
 		os.Exit(1)
 	}
 
+	// Set up the channels for the watcher and operator.
+	stop := make(chan struct{})
+	signal := signals.SetupSignalHandler()
+
+	// Set up and start the file watcher.
+	watcher, err := fsnotify.NewWatcher()
+	if err != nil {
+		log.Error(err, "failed to create watcher")
+		os.Exit(1)
+	}
+	defer watcher.Close()
+	if err := watcher.Add(defaultTrustedCABundle); err != nil {
+		log.Error(err, "failed to add file to watcher", "filename", defaultTrustedCABundle)
+		os.Exit(1)
+	}
+	log.Info("watching file", "filename", defaultTrustedCABundle)
+	orig, err := ioutil.ReadFile(defaultTrustedCABundle)
+	if err != nil {
+		log.Error(err, "failed to read watched file", "filename", defaultTrustedCABundle)
+		os.Exit(1)
+	}
+	go func() {
+		for {
+			select {
+			case <-signal:
+				close(stop)
+				return
+			case _, ok := <-watcher.Events:
+				if !ok {
+					log.Info("file watch events channel closed")
+					close(stop)
+					return
+				}
+				latest, err := ioutil.ReadFile(defaultTrustedCABundle)
+				if err != nil {
+					log.Error(err, "failed to read watched file", "filename", defaultTrustedCABundle)
+					close(stop)
+					return
+				}
+				if !bytes.Equal(orig, latest) {
+					log.Info("watched file changed, stopping operator", "filename", defaultTrustedCABundle)
+					close(stop)
+					return
+				}
+			case err, ok := <-watcher.Errors:
+				if !ok {
+					log.Info("file watch error channel closed")
+					close(stop)
+					return
+				}
+				log.Error(err, "file watch error")
+			}
+		}
+	}()
+
 	// Set up and start the operator.
 	op, err := operator.New(operatorConfig, dnsProvider, kubeConfig)
 	if err != nil {
 		return fmt.Errorf("failed to create operator: %v", err)
 	}
-	return op.Start(signals.SetupSignalHandler())
+	return op.Start(stop)
 }
 
 // createDNSManager creates a DNS manager compatible with the given cluster

manifests/01-trusted-ca-configmap.yaml

@@ -0,0 +1,11 @@
+# The network operator is responsible for injecting
+# the trusted ca bundle into this configmap.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  annotations:
+    release.openshift.io/create-only: "true"
+  labels:
+    config.openshift.io/inject-trusted-cabundle: "true"
+  name: trusted-ca
+  namespace: openshift-ingress-operator

manifests/02-deployment.yaml

@@ -3,6 +3,8 @@ kind: Deployment
 metadata:
   name: ingress-operator
   namespace: openshift-ingress-operator
+  annotations:
+    config.openshift.io/inject-proxy: ingress-operator
 spec:
   replicas: 1
   strategy:
@@ -52,6 +54,10 @@ spec:
           resources:
             requests:
               cpu: 10m
+          volumeMounts:
+          - name: trusted-ca
+            mountPath: /etc/pki/ca-trust/extracted/pem
+            readOnly: true
         - name: kube-rbac-proxy
           image: quay.io/openshift/origin-kube-rbac-proxy:latest
           args:
@@ -76,3 +82,9 @@ spec:
       - name: metrics-tls
         secret:
           secretName: metrics-tls
+      - name: trusted-ca
+        configMap:
+          name: trusted-ca
+          items:
+            - key: ca-bundle.crt
+              path: tls-ca-bundle.pem