diff --git a/manifests/0000_50_olm_00-pprof-config.yaml b/manifests/0000_50_olm_00-pprof-config.yaml index b7313efce9..8e45534f0d 100644 --- a/manifests/0000_50_olm_00-pprof-config.yaml +++ b/manifests/0000_50_olm_00-pprof-config.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/hypershift: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/create-only: "true" + release.openshift.io/delete: "true" capability.openshift.io/name: "OperatorLifecycleManager" name: collect-profiles-config namespace: openshift-operator-lifecycle-manager diff --git a/manifests/0000_50_olm_00-pprof-rbac.yaml b/manifests/0000_50_olm_00-pprof-rbac.yaml index d874c74a25..84f99db4b3 100644 --- a/manifests/0000_50_olm_00-pprof-rbac.yaml +++ b/manifests/0000_50_olm_00-pprof-rbac.yaml @@ -5,6 +5,7 @@ metadata: include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/hypershift: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/delete: "true" capability.openshift.io/name: "OperatorLifecycleManager" name: collect-profiles namespace: openshift-operator-lifecycle-manager @@ -23,6 +24,7 @@ metadata: include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/hypershift: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/delete: "true" capability.openshift.io/name: "OperatorLifecycleManager" name: collect-profiles namespace: openshift-operator-lifecycle-manager @@ -42,6 +44,7 @@ metadata: include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/hypershift: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/delete: "true" capability.openshift.io/name: "OperatorLifecycleManager" name: collect-profiles namespace: openshift-operator-lifecycle-manager 
diff --git a/manifests/0000_50_olm_00-pprof-secret.yaml b/manifests/0000_50_olm_00-pprof-secret.yaml index 5035a25523..f7f98d8614 100644 --- a/manifests/0000_50_olm_00-pprof-secret.yaml +++ b/manifests/0000_50_olm_00-pprof-secret.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/hypershift: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/create-only: "true" + release.openshift.io/delete: "true" openshift.io/owning-component: "Operator Framework / operator-lifecycle-manager" capability.openshift.io/name: "OperatorLifecycleManager" name: pprof-cert diff --git a/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml b/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml index eb878c4786..c6c2fae7eb 100644 --- a/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml +++ b/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml @@ -5,6 +5,7 @@ metadata: include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/hypershift: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/delete: "true" capability.openshift.io/name: "OperatorLifecycleManager" name: collect-profiles namespace: openshift-operator-lifecycle-manager diff --git a/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml index a9ee8f4a51..b8edc86dd2 100644 --- a/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml +++ b/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml @@ -33,9 +33,6 @@ spec: - name: srv-cert secret: secretName: olm-operator-serving-cert - - name: profile-collector-cert - secret: - secretName: pprof-cert containers: - name: olm-operator securityContext: 
@@ -46,9 +43,6 @@ spec: - name: srv-cert mountPath: "/srv-cert" readOnly: true - - name: profile-collector-cert - mountPath: "/profile-collector-cert" - readOnly: true command: - /bin/olm args: @@ -62,8 +56,6 @@ spec: - /srv-cert/tls.crt - --tls-key - /srv-cert/tls.key - - --client-ca - - /profile-collector-cert/tls.crt - --protectedCopiedCSVNamespaces - openshift image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607 diff --git a/manifests/0000_50_olm_07-olm-operator.deployment.yaml b/manifests/0000_50_olm_07-olm-operator.deployment.yaml index 05bd24878d..6954e5965f 100644 --- a/manifests/0000_50_olm_07-olm-operator.deployment.yaml +++ b/manifests/0000_50_olm_07-olm-operator.deployment.yaml @@ -32,9 +32,6 @@ spec: - name: srv-cert secret: secretName: olm-operator-serving-cert - - name: profile-collector-cert - secret: - secretName: pprof-cert containers: - name: olm-operator securityContext: @@ -45,9 +42,6 @@ spec: - name: srv-cert mountPath: "/srv-cert" readOnly: true - - name: profile-collector-cert - mountPath: "/profile-collector-cert" - readOnly: true command: - /bin/olm args: @@ -61,8 +55,6 @@ spec: - /srv-cert/tls.crt - --tls-key - /srv-cert/tls.key - - --client-ca - - /profile-collector-cert/tls.crt - --protectedCopiedCSVNamespaces - openshift image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607 diff --git a/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml index e646ea96cb..83dea02aae 100644 --- a/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml +++ b/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml 
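Review bot: Removing `--client-ca` (and the `pprof-cert` mount) leaves olm-operator's :8443 listener with server-side TLS only, so whatever is still registered on that port — the collector used to scrape `https://olm-operator-metrics:8443/debug/pprof/heap` — is now served to any workload that can reach the Service, with no client identity for a handler to check. The hunk does not show whether the `/debug/pprof` handlers are still wired up in the binary; if they are, either drop them together with the collector or add a NetworkPolicy restricting ingress to :8443 to the monitoring namespace. A comment on the args would help the next reader, e.g. `# client-ca dropped: the profile collector is gone, so :8443 no longer expects client certificates`. The container spec continues outside the hunk.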
@@ -33,9 +33,6 @@ spec: - name: srv-cert secret: secretName: catalog-operator-serving-cert - - name: profile-collector-cert - secret: - secretName: pprof-cert containers: - name: catalog-operator securityContext: @@ -46,9 +43,6 @@ spec: - name: srv-cert mountPath: "/srv-cert" readOnly: true - - name: profile-collector-cert - mountPath: "/profile-collector-cert" - readOnly: true command: - /bin/catalog args: @@ -64,8 +58,6 @@ spec: - /srv-cert/tls.crt - --tls-key - /srv-cert/tls.key - - --client-ca - - /profile-collector-cert/tls.crt - --set-workload-user-id=false image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607 imagePullPolicy: IfNotPresent diff --git a/manifests/0000_50_olm_08-catalog-operator.deployment.yaml b/manifests/0000_50_olm_08-catalog-operator.deployment.yaml index e923733d8a..b5c6abb05c 100644 --- a/manifests/0000_50_olm_08-catalog-operator.deployment.yaml +++ b/manifests/0000_50_olm_08-catalog-operator.deployment.yaml @@ -32,9 +32,6 @@ spec: - name: srv-cert secret: secretName: catalog-operator-serving-cert - - name: profile-collector-cert - secret: - secretName: pprof-cert containers: - name: catalog-operator securityContext: @@ -45,9 +42,6 @@ spec: - name: srv-cert mountPath: "/srv-cert" readOnly: true - - name: profile-collector-cert - mountPath: "/profile-collector-cert" - readOnly: true command: - /bin/catalog args: @@ -63,8 +57,6 @@ spec: - /srv-cert/tls.crt - --tls-key - /srv-cert/tls.key - - --client-ca - - /profile-collector-cert/tls.crt - --set-workload-user-id=false image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607 imagePullPolicy: IfNotPresent diff --git a/microshift-manifests/0000_50_olm_00-pprof-config.yaml b/microshift-manifests/0000_50_olm_00-pprof-config.yaml deleted file mode 100644 index b7313efce9..0000000000 --- a/microshift-manifests/0000_50_olm_00-pprof-config.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - annotations: - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/hypershift: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/create-only: "true" - capability.openshift.io/name: "OperatorLifecycleManager" - name: collect-profiles-config - namespace: openshift-operator-lifecycle-manager -data: - pprof-config.yaml: | - disabled: False diff --git a/microshift-manifests/0000_50_olm_00-pprof-rbac.yaml b/microshift-manifests/0000_50_olm_00-pprof-rbac.yaml deleted file mode 100644 index d874c74a25..0000000000 --- a/microshift-manifests/0000_50_olm_00-pprof-rbac.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/hypershift: "true" - include.release.openshift.io/self-managed-high-availability: "true" - capability.openshift.io/name: "OperatorLifecycleManager" - name: collect-profiles - namespace: openshift-operator-lifecycle-manager -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "list", "create", "delete"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "update"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - annotations: - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/hypershift: "true" - include.release.openshift.io/self-managed-high-availability: "true" - capability.openshift.io/name: "OperatorLifecycleManager" - name: collect-profiles - namespace: openshift-operator-lifecycle-manager -subjects: - - kind: ServiceAccount - name: collect-profiles - namespace: openshift-operator-lifecycle-manager -roleRef: - kind: Role - name: collect-profiles - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/hypershift: "true" - include.release.openshift.io/self-managed-high-availability: "true" - capability.openshift.io/name: "OperatorLifecycleManager" - name: collect-profiles - namespace: openshift-operator-lifecycle-manager diff --git a/microshift-manifests/0000_50_olm_00-pprof-secret.yaml b/microshift-manifests/0000_50_olm_00-pprof-secret.yaml deleted file mode 100644 index 5035a25523..0000000000 --- a/microshift-manifests/0000_50_olm_00-pprof-secret.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - annotations: - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/hypershift: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/create-only: "true" - openshift.io/owning-component: "Operator Framework / operator-lifecycle-manager" - capability.openshift.io/name: "OperatorLifecycleManager" - name: pprof-cert - namespace: openshift-operator-lifecycle-manager -type: kubernetes.io/tls -data: - tls.crt: "" - tls.key: "" diff --git a/microshift-manifests/0000_50_olm_07-collect-profiles.cronjob.yaml b/microshift-manifests/0000_50_olm_07-collect-profiles.cronjob.yaml deleted file mode 100644 index eb878c4786..0000000000 --- a/microshift-manifests/0000_50_olm_07-collect-profiles.cronjob.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ -apiVersion: batch/v1 -kind: CronJob -metadata: - annotations: - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/hypershift: "true" - include.release.openshift.io/self-managed-high-availability: "true" - capability.openshift.io/name: "OperatorLifecycleManager" - name: collect-profiles - namespace: openshift-operator-lifecycle-manager -spec: - schedule: "*/15 * * * *" - concurrencyPolicy: "Replace" - jobTemplate: - spec: - template: - metadata: - annotations: - target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' - openshift.io/required-scc: restricted-v2 - spec: - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - serviceAccountName: collect-profiles - priorityClassName: openshift-user-critical - containers: - - name: collect-profiles - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607 - imagePullPolicy: IfNotPresent - command: - - bin/collect-profiles - args: - - -n - - openshift-operator-lifecycle-manager - - --config-mount-path - - /etc/config - - --cert-mount-path - - /var/run/secrets/serving-cert - - olm-operator-heap-:https://olm-operator-metrics:8443/debug/pprof/heap - - catalog-operator-heap-:https://catalog-operator-metrics:8443/debug/pprof/heap - volumeMounts: - - mountPath: /etc/config - name: config-volume - - mountPath: /var/run/secrets/serving-cert - name: secret-volume - resources: - requests: - cpu: 10m - memory: 80Mi - terminationMessagePolicy: FallbackToLogsOnError - volumes: - - name: config-volume - configMap: - name: collect-profiles-config - - name: secret-volume - secret: - secretName: pprof-cert - restartPolicy: Never 
diff --git a/microshift-manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml b/microshift-manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml index a9ee8f4a51..b8edc86dd2 100644 --- a/microshift-manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml +++ b/microshift-manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml @@ -33,9 +33,6 @@ spec: - name: srv-cert secret: secretName: olm-operator-serving-cert - - name: profile-collector-cert - secret: - secretName: pprof-cert containers: - name: olm-operator securityContext: @@ -46,9 +43,6 @@ spec: - name: srv-cert mountPath: "/srv-cert" readOnly: true - - name: profile-collector-cert - mountPath: "/profile-collector-cert" - readOnly: true command: - /bin/olm args: @@ -62,8 +56,6 @@ spec: - /srv-cert/tls.crt - --tls-key - /srv-cert/tls.key - - --client-ca - - /profile-collector-cert/tls.crt - --protectedCopiedCSVNamespaces - openshift image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607 diff --git a/microshift-manifests/0000_50_olm_07-olm-operator.deployment.yaml b/microshift-manifests/0000_50_olm_07-olm-operator.deployment.yaml index 2e9c360d9d..be21908d93 100644 --- a/microshift-manifests/0000_50_olm_07-olm-operator.deployment.yaml +++ b/microshift-manifests/0000_50_olm_07-olm-operator.deployment.yaml @@ -32,9 +32,6 @@ spec: - name: srv-cert secret: secretName: olm-operator-serving-cert - - name: profile-collector-cert - secret: - secretName: pprof-cert containers: - name: olm-operator securityContext: @@ -45,9 +42,6 @@ spec: - name: srv-cert mountPath: "/srv-cert" readOnly: true - - name: profile-collector-cert - mountPath: "/profile-collector-cert" - readOnly: true command: - /bin/olm args: 
@@ -57,8 +51,6 @@ spec: - /srv-cert/tls.crt - --tls-key - /srv-cert/tls.key - - --client-ca - - /profile-collector-cert/tls.crt - --protectedCopiedCSVNamespaces - openshift image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607 diff --git a/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml b/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml index e646ea96cb..83dea02aae 100644 --- a/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml +++ b/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml @@ -33,9 +33,6 @@ spec: - name: srv-cert secret: secretName: catalog-operator-serving-cert - - name: profile-collector-cert - secret: - secretName: pprof-cert containers: - name: catalog-operator securityContext: @@ -46,9 +43,6 @@ spec: - name: srv-cert mountPath: "/srv-cert" readOnly: true - - name: profile-collector-cert - mountPath: "/profile-collector-cert" - readOnly: true command: - /bin/catalog args: @@ -64,8 +58,6 @@ spec: - /srv-cert/tls.crt - --tls-key - /srv-cert/tls.key - - --client-ca - - /profile-collector-cert/tls.crt - --set-workload-user-id=false image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607 imagePullPolicy: IfNotPresent diff --git a/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.yaml b/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.yaml index e923733d8a..b5c6abb05c 100644 --- a/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.yaml +++ b/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.yaml @@ -32,9 +32,6 @@ spec: - name: srv-cert secret: secretName: catalog-operator-serving-cert - - name: profile-collector-cert - secret: - secretName: pprof-cert containers: - name: catalog-operator securityContext: 
@@ -45,9 +42,6 @@ spec: - name: srv-cert mountPath: "/srv-cert" readOnly: true - - name: profile-collector-cert - mountPath: "/profile-collector-cert" - readOnly: true command: - /bin/catalog args: @@ -63,8 +57,6 @@ spec: - /srv-cert/tls.crt - --tls-key - /srv-cert/tls.key - - --client-ca - - /profile-collector-cert/tls.crt - --set-workload-user-id=false image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607 imagePullPolicy: IfNotPresent diff --git a/scripts/generate_crds_manifests.sh b/scripts/generate_crds_manifests.sh index 4daffba68e..31339c5886 100755 --- a/scripts/generate_crds_manifests.sh +++ b/scripts/generate_crds_manifests.sh @@ -289,6 +289,7 @@ metadata: include.release.openshift.io/hypershift: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/create-only: "true" + release.openshift.io/delete: "true" name: collect-profiles-config namespace: openshift-operator-lifecycle-manager data: @@ -304,6 +305,7 @@ metadata: include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/hypershift: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/delete: "true" name: collect-profiles namespace: openshift-operator-lifecycle-manager rules: @@ -321,6 +323,7 @@ metadata: include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/hypershift: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/delete: "true" name: collect-profiles namespace: openshift-operator-lifecycle-manager subjects: @@ -339,6 +342,7 @@ metadata: include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/hypershift: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/delete: "true" name: collect-profiles namespace: openshift-operator-lifecycle-manager EOF 
@@ -352,6 +356,7 @@ metadata: include.release.openshift.io/hypershift: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/create-only: "true" + release.openshift.io/delete: "true" openshift.io/owning-component: "Operator Framework / operator-lifecycle-manager" name: pprof-cert namespace: openshift-operator-lifecycle-manager @@ -369,6 +374,7 @@ metadata: include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/hypershift: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/delete: "true" name: collect-profiles namespace: openshift-operator-lifecycle-manager spec: @@ -560,3 +566,11 @@ ${SED} -i '/- --writeStatusName/,+3d' ${ROOT_DIR}/microshift-manifests/0000_50_o # Replace the namespace openshift, as it doesn't exist on microshift, in the rbac file ${SED} -i 's/ namespace: openshift/ namespace: openshift-operator-lifecycle-manager/g' ${ROOT_DIR}/microshift-manifests/0000_50_olm_15-csv-viewer.rbac.yaml + +# Deleting manifests from CVO takes multiple releases. an annotation was added in 4.22 development to remove the collect-profiles +# resources from the CVO payload. For microshift, since there is no CVO payload and no in process upgrade, let's delete these now. +# In 4.23 development, the CVO manifests should be deleted and this step should be removed. +rm -f "${ROOT_DIR}/microshift-manifests/0000_50_olm_07-collect-profiles.cronjob.yaml" +rm -f "${ROOT_DIR}/microshift-manifests/0000_50_olm_00-pprof-config.yaml" +rm -f "${ROOT_DIR}/microshift-manifests/0000_50_olm_00-pprof-rbac.yaml" +rm -f "${ROOT_DIR}/microshift-manifests/0000_50_olm_00-pprof-secret.yaml" diff --git a/staging/operator-lifecycle-manager/pkg/lib/server/server.go b/staging/operator-lifecycle-manager/pkg/lib/server/server.go index 3d79a192e0..65f46fee2c 100644 --- a/staging/operator-lifecycle-manager/pkg/lib/server/server.go 
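Review bot: The four `rm -f` calls at the end of the script succeed silently when a file was never generated, so if the source manifests are renamed before the planned 4.23 cleanup this block becomes a no-op and the stale step goes unnoticed. Since the comment itself describes the block as temporary, a plain `rm` that fails on a missing path (assuming the script regenerates the microshift directory on each run, which the surrounding steps suggest) would surface that drift: `rm "${ROOT_DIR}/microshift-manifests/0000_50_olm_07-collect-profiles.cronjob.yaml"`. It would also be worth stating in the comment why outright removal is safe here — the microshift deployments earlier in this diff no longer mount `pprof-cert` or pass `--client-ca`, so nothing in that payload references these objects.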
+++ b/staging/operator-lifecycle-manager/pkg/lib/server/server.go @@ -3,6 +3,7 @@ package server import ( "context" "crypto/tls" + "crypto/x509" "fmt" "net/http" "path/filepath" @@ -13,6 +14,11 @@ import ( "github.com/sirupsen/logrus" ) +// certPoolGetter is an interface for getting a certificate pool +type certPoolGetter interface { + GetCertPool() *x509.CertPool +} + // Option applies a configuration option to the given config. type Option func(s *serverConfig) @@ -83,6 +89,10 @@ func (sc *serverConfig) getAddress(tlsEnabled bool) string { return ":8080" } +func (sc *serverConfig) clientCAEnabled() bool { + return sc.clientCAPath != nil && *sc.clientCAPath != "" +} + func (sc serverConfig) getListenAndServeFunc() (func() error, error) { tlsEnabled, err := sc.tlsEnabled() if err != nil { 
@@ -116,15 +126,23 @@ func (sc serverConfig) getListenAndServeFunc() (func() error, error) { return nil, fmt.Errorf("error creating cert file watcher: %v", err) } csw.Run(context.Background()) - certPoolStore, err := filemonitor.NewCertPoolStore(*sc.clientCAPath) - if err != nil { - return nil, fmt.Errorf("certificate monitoring for client-ca failed: %v", err) - } - cpsw, err := filemonitor.NewWatch(sc.logger, []string{filepath.Dir(*sc.clientCAPath)}, certPoolStore.HandleCABundleUpdate) - if err != nil { - return nil, fmt.Errorf("error creating cert file watcher: %v", err) + + // Only setup client CA monitoring if clientCAPath is provided + var certPoolStore certPoolGetter + if sc.clientCAEnabled() { + cps, err := filemonitor.NewCertPoolStore(*sc.clientCAPath) + if err != nil { + return nil, fmt.Errorf("certificate monitoring for client-ca failed: %v", err) + } + cpsw, err := filemonitor.NewWatch(sc.logger, []string{filepath.Dir(*sc.clientCAPath)}, cps.HandleCABundleUpdate) + if err != nil { + return nil, fmt.Errorf("error creating cert file watcher: %v", err) + } + cpsw.Run(context.Background()) + certPoolStore = cps + } else { + sc.logger.Info("No client CA provided, client certificate verification disabled") } - cpsw.Run(context.Background()) s.TLSConfig = &tls.Config{ GetCertificate: func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) { @@ -135,11 +153,15 @@ func (sc serverConfig) getListenAndServeFunc() (func() error, error) { if cert := certStore.GetCertificate(); cert != nil { certs = append(certs, *cert) } - return &tls.Config{ + tlsCfg := &tls.Config{ Certificates: certs, - ClientCAs: certPoolStore.GetCertPool(), - ClientAuth: tls.VerifyClientCertIfGiven, - }, nil + } + // Only configure client CA verification if certPoolStore is available + if certPoolStore != nil { + tlsCfg.ClientCAs = certPoolStore.GetCertPool() + tlsCfg.ClientAuth = tls.VerifyClientCertIfGiven + } + return tlsCfg, nil }, } return func() error { 
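Review bot: When `clientCAEnabled()` is false the `tls.Config` built in the second hunk leaves `ClientAuth` at its zero value (`tls.NoClientCert`), so no peer certificate is ever verified; any handler that gates `/debug/pprof` on `r.TLS.PeerCertificates` will now reject everyone, while pprof routes registered unconditionally would be served to any client that can reach the port with no client identity — which of the two applies is not visible in this hunk, and the safer shape is to register the pprof handlers only when `sc.clientCAEnabled()` is true. The new branch also assumes the `--client-ca` flag's default is an empty string (the flag definition is not in this diff); if the default were a path, `filemonitor.NewCertPoolStore` would fail on the now-absent mount and the server would not start, so a test that `getListenAndServeFunc` succeeds with `clientCAPath` nil and with `""` would pin the intended behaviour. The `// Only setup client CA monitoring …` comment could say what the consequence is, e.g. `// Without a client CA no peer certificate can be verified, so callers must not rely on client identity on this listener`. `getListenAndServeFunc` begins before and ends after this hunk.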
diff --git a/values.yaml b/values.yaml index 0887f0d680..854025ec5a 100644 --- a/values.yaml +++ b/values.yaml @@ -21,7 +21,6 @@ olm: service: internalPort: 8443 externalPort: 8443 - clientCASecret: pprof-cert nodeSelector: kubernetes.io/os: linux node-role.kubernetes.io/master: "" @@ -52,7 +51,6 @@ catalog: service: internalPort: 8443 externalPort: 8443 - clientCASecret: pprof-cert tlsSecret: catalog-operator-serving-cert nodeSelector: kubernetes.io/os: linux diff --git a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/lib/server/server.go b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/lib/server/server.go index 3d79a192e0..65f46fee2c 100644 --- a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/lib/server/server.go +++ b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/lib/server/server.go @@ -3,6 +3,7 @@ package server import ( "context" "crypto/tls" + "crypto/x509" "fmt" "net/http" "path/filepath" @@ -13,6 +14,11 @@ import ( "github.com/sirupsen/logrus" ) +// certPoolGetter is an interface for getting a certificate pool +type certPoolGetter interface { + GetCertPool() *x509.CertPool +} + // Option applies a configuration option to the given config. type Option func(s *serverConfig) @@ -83,6 +89,10 @@ func (sc *serverConfig) getAddress(tlsEnabled bool) string { return ":8080" } +func (sc *serverConfig) clientCAEnabled() bool { + return sc.clientCAPath != nil && *sc.clientCAPath != "" +} + func (sc serverConfig) getListenAndServeFunc() (func() error, error) { tlsEnabled, err := sc.tlsEnabled() if err != nil { 
@@ -116,15 +126,23 @@ func (sc serverConfig) getListenAndServeFunc() (func() error, error) { return nil, fmt.Errorf("error creating cert file watcher: %v", err) } csw.Run(context.Background()) - certPoolStore, err := filemonitor.NewCertPoolStore(*sc.clientCAPath) - if err != nil { - return nil, fmt.Errorf("certificate monitoring for client-ca failed: %v", err) - } - cpsw, err := filemonitor.NewWatch(sc.logger, []string{filepath.Dir(*sc.clientCAPath)}, certPoolStore.HandleCABundleUpdate) - if err != nil { - return nil, fmt.Errorf("error creating cert file watcher: %v", err) + + // Only setup client CA monitoring if clientCAPath is provided + var certPoolStore certPoolGetter + if sc.clientCAEnabled() { + cps, err := filemonitor.NewCertPoolStore(*sc.clientCAPath) + if err != nil { + return nil, fmt.Errorf("certificate monitoring for client-ca failed: %v", err) + } + cpsw, err := filemonitor.NewWatch(sc.logger, []string{filepath.Dir(*sc.clientCAPath)}, cps.HandleCABundleUpdate) + if err != nil { + return nil, fmt.Errorf("error creating cert file watcher: %v", err) + } + cpsw.Run(context.Background()) + certPoolStore = cps + } else { + sc.logger.Info("No client CA provided, client certificate verification disabled") } - cpsw.Run(context.Background()) s.TLSConfig = &tls.Config{ GetCertificate: func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) { @@ -135,11 +153,15 @@ func (sc serverConfig) getListenAndServeFunc() (func() error, error) { if cert := certStore.GetCertificate(); cert != nil { certs = append(certs, *cert) } - return &tls.Config{ + tlsCfg := &tls.Config{ Certificates: certs, - ClientCAs: certPoolStore.GetCertPool(), - ClientAuth: tls.VerifyClientCertIfGiven, - }, nil + } + // Only configure client CA verification if certPoolStore is available + if certPoolStore != nil { + tlsCfg.ClientCAs = certPoolStore.GetCertPool() + tlsCfg.ClientAuth = tls.VerifyClientCertIfGiven + } + return tlsCfg, nil }, } return func() error {