[CA] Use Certificate Authority bundle

deploy/configmap.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    # This label ensures that the OpenShift Certificate Authority bundle
+    # is added to the ConfigMap.
+    config.openshift.io/inject-trusted-cabundle: "true"
+  name: marketplace-trusted-ca
+  namespace: openshift-marketplace

deploy/operator.yaml

@@ -67,3 +67,14 @@ spec:
             - name: "RELEASE_VERSION"
               # The string "0.0.1-snapshot" is substituted by the CVO with the version of the payload
               value: "0.0.1-snapshot"
+          volumeMounts:
+            - name: marketplace-trusted-ca
+              mountPath: /etc/pki/ca-trust/extracted/pem/
+      volumes:
+        - name: marketplace-trusted-ca
+          configMap:
+            name: marketplace-trusted-ca
+            items:
+            # Require that this data is present in the ConfigMap before the operator is deployed.
+            - key: ca-bundle.crt
+              path: tls-ca-bundle.pem

deploy/role.yaml

@@ -3,6 +3,14 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: marketplace-operator
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - config.openshift.io
   resources:

manifests/05_role.yaml

@@ -3,6 +3,14 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: marketplace-operator
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - config.openshift.io
   resources:

manifests/07_configmap.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    # This label ensures that the OpenShift Certificate Authority bundle
+    # is added to the ConfigMap.
+    config.openshift.io/inject-trusted-cabundle: "true"
+  name: marketplace-trusted-ca
+  namespace: openshift-marketplace

manifests/07_operator.yaml → manifests/08_operator.yaml

@@ -67,3 +67,14 @@ spec:
             - name: "RELEASE_VERSION"
               # The string "0.0.1-snapshot" is substituted by the CVO with the version of the payload
               value: "0.0.1-snapshot"
+          volumeMounts:
+            - name: marketplace-trusted-ca
+              mountPath: /etc/pki/ca-trust/extracted/pem/
+      volumes:
+        - name: marketplace-trusted-ca
+          configMap:
+            name: marketplace-trusted-ca
+            items:
+            # Require that this data is present in the ConfigMap before the operator is deployed.
+            - key: ca-bundle.crt
+              path: tls-ca-bundle.pem

pkg/certificateauthority/mount.go

@@ -0,0 +1,52 @@
+package certificateauthority
+
+import (
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+)
+
+const (
+	// TrustedCaConfigMapName is the name of the Marketplace ConfigMap that store Certificate Authority information.
+	TrustedCaConfigMapName = "marketplace-trusted-ca"
+
+	// TrustedCaMountPath is the path to the directory where the Certificate Authority should be mounted.
+	TrustedCaMountPath = "/etc/pki/ca-trust/extracted/pem/"
+
+	// The key value that stores Certificate Authorities.
+	caBundleKey = "ca-bundle.crt"
+
+	// The path where we will mount the Certificate Authorities.
+	caBundlePath = "tls-ca-bundle.pem"
+)
+
+// MountConfigMap creates a Volume and VolumeMount for a ConfigMap of the same name and
+// adds it to a deployment.
+func MountConfigMap(name, mountPath string, deployment *appsv1.Deployment) {
+	// Create and add the Volume to the deployment.
+	deployment.Spec.Template.Spec.Volumes = []corev1.Volume{
+		corev1.Volume{
+			Name: name,
+			VolumeSource: corev1.VolumeSource{
+				ConfigMap: &corev1.ConfigMapVolumeSource{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: name,
+					},
+					Items: []corev1.KeyToPath{
+						corev1.KeyToPath{
+							Key:  caBundleKey,
+							Path: caBundlePath,
+						},
+					},
+				},
+			},
+		},
+	}
+
+	// Create and add the VolumeMount to the first container in a deployment.
+	deployment.Spec.Template.Spec.Containers[0].VolumeMounts = []corev1.VolumeMount{
+		corev1.VolumeMount{
+			Name:      name,
+			MountPath: mountPath,
+		},
+	}
+}

pkg/controller/add_configmap.go

@@ -0,0 +1,10 @@
+package controller
+
+import (
+	"github.com/operator-framework/operator-marketplace/pkg/controller/configmap"
+)
+
+func init() {
+	// AddToManagerFuncs is a list of functions to create controllers and add them to a manager.
+	AddToManagerFuncs = append(AddToManagerFuncs, configmap.Add)
+}

pkg/controller/configmap/configmap_controller.go

@@ -0,0 +1,98 @@
+package configmap
+
+import (
+	"os"
+
+	mktconfig "github.com/operator-framework/operator-marketplace/pkg/apis/config/v1"
+	"github.com/operator-framework/operator-marketplace/pkg/apis/operators/shared"
+	ca "github.com/operator-framework/operator-marketplace/pkg/certificateauthority"
+	log "github.com/sirupsen/logrus"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
+)
+
+// Add creates a new ConfigMap Controller and adds it to the Manager. The Manager will set fields on the Controller
+// and Start it when the Manager is Started.
+func Add(mgr manager.Manager) error {
+	return add(mgr, newReconciler(mgr))
+}
+
+// newReconciler returns a new ReconcileConfigMap.
+func newReconciler(mgr manager.Manager) *ReconcileConfigMap {
+	return &ReconcileConfigMap{}
+}
+
+// add adds a new Controller to mgr with r as the ReconcileConfigMap.
+func add(mgr manager.Manager, r *ReconcileConfigMap) error {
+	if !mktconfig.IsAPIAvailable() {
+		return nil
+	}
+
+	// Create a new controller
+	c, err := controller.New("configmap-controller", mgr, controller.Options{Reconciler: r})
+	if err != nil {
+		return err
+	}
+
+	// Watch for changes to primary resource ConfigMap.
+	err = c.Watch(&source.Kind{Type: &corev1.ConfigMap{}}, &handler.EnqueueRequestForObject{}, getPredicateFunctions())
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// getPredicateFunctions returns the predicate functions used to identify the configmap
+// that contains Certificate Authority information.
+// True should only be returned when the ConfigMap is updated by the cert-injector-controller.
+func getPredicateFunctions() predicate.Funcs {
+	return predicate.Funcs{
+		CreateFunc: func(e event.CreateEvent) bool {
+			return false
+		},
+		UpdateFunc: func(e event.UpdateEvent) bool {
+			// If the ConfigMap is ever changed we should kick off an event.
+			if e.MetaOld.GetName() == ca.TrustedCaConfigMapName {
+				return true
+			}
+			return false
+		},
+		DeleteFunc: func(e event.DeleteEvent) bool {
+			return false
+		},
+		GenericFunc: func(e event.GenericEvent) bool {
+			return false
+		},
+	}
+}
+
+var _ reconcile.Reconciler = &ReconcileConfigMap{}
+
+// ReconcileConfigMap reconciles a ConfigMap object.
+type ReconcileConfigMap struct {
+}
+
+// Reconcile will restart the marketplace operator.
+func (r *ReconcileConfigMap) Reconcile(request reconcile.Request) (reconcile.Result, error) {
+	// Check if the CA ConfigMap is in the same namespace that Marketplace is deployed in.
+	objectInOtherNamespace, err := shared.IsObjectInOtherNamespace(request.Namespace)
+	if err != nil {
+		return reconcile.Result{}, err
+	}
+
+	// If the CA ConfigMap is in the same namespace we should restart marketplace.
+	if !objectInOtherNamespace {
+		log.Infof("Certificate Authorization ConfigMap %s/%s has been updated, restarting marketplace.", request.Namespace, request.Name)
+		os.Exit(0)
+	}
+
+	// Otherwise ignore the event.
+	return reconcile.Result{}, nil
+}

pkg/registry/registry.go

@@ -6,9 +6,11 @@ import (
 	"strconv"
 	"time"
 
+	configv1 "github.com/operator-framework/operator-marketplace/pkg/apis/config/v1"
 	"github.com/operator-framework/operator-marketplace/pkg/apis/operators/v1"
 	"github.com/operator-framework/operator-marketplace/pkg/apis/operators/v2"
 	"github.com/operator-framework/operator-marketplace/pkg/builders"
+	ca "github.com/operator-framework/operator-marketplace/pkg/certificateauthority"
 	wrapper "github.com/operator-framework/operator-marketplace/pkg/client"
 	"github.com/operator-framework/operator-marketplace/pkg/datastore"
 	"github.com/operator-framework/operator-marketplace/pkg/proxy"
@@ -141,6 +143,12 @@ func (r *registry) ensureDeployment(appRegistries []string, needServiceAccount b
 			// Update proxy environment variables to match those in the operator.
 			deployment.Spec.Template.Spec.Containers[0].Env = proxy.GetProxyEnvVars()
 		}
+
+		// Mount the Certificate Authority into the deployment.
+		if configv1.IsAPIAvailable() {
+			ca.MountConfigMap(ca.TrustedCaConfigMapName, ca.TrustedCaMountPath, deployment)
+		}
+
 		// Set or update the annotation to force an update. This is required so that we get updates
 		// from Quay during the sync cycle when packages have not been added or removed from the spec.
 		meta.SetMetaDataAnnotation(&deployment.Spec.Template.ObjectMeta, deploymentUpdateAnnotation,