OCPBUGS-54877: Add catalogd-cas-dir option to op-con

[tmshort]

This forces us to explicitly watch the /var/ca-certs dir, and properly reload the certs when the x509.SystemCertPool() may not.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tmshort

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• DOWNSTREAM_OWNERS [tmshort]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[grokspawn]

Kinda feel like we should take this out of the manifests since we're providing a nearly-equivalent (but better) option as part of this PR.
If SSL_CERT_FILE is being used for container/images, then does it need to also be updated to be able to read updates to those paths successfully?
Because of https://github.com/golang/go/blob/master/src/crypto/x509/cert_pool.go?name=release#L116 ?

[tmshort]

I'm reluctant to, since it's still being used as a base for the SystemCertPool, and thus used by container/images.

[tmshort]

And setting the --pull-cas-dir completely changes the behavior (we lose additionalTrustedCA support)
And I just realized, the SSL_CERTS_DIR is needed for running our upstream e2e testing using a local repo that is a local service

[joelanford]

I feel like we should copy some of this out-of-codebase, out-of-mind knowledge into this file as comments to explain to our future selves:

1. What the heck all this is for
2. Any gotchas that we know about, so that we avoid tripping over them in the future

If folks agree with that, it'd be maybe better in a follow-up once we've got it all figured out and we're not in fire drill mode.

[tmshort]

There's already something documented in Google Docs.

[joelanford]

My main thing is having a breadcrumb here that helps us make sense if what's here. Can we link the google doc here?

[tmshort]

Yes... but followup?

[openshift-ci-robot]

@tmshort: This pull request explicitly references no jira issue.

In response to this:

This forces us to explicitly watch the /var/ca-certs dir, and properly reload the certs when the x509.SystemCertPool() may not.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tmshort]

/payload-aggregate periodic-ci-openshift-multiarch-master-nightly-4.19-ocp-e2e-azure-ovn-multi-x-ax 10

[openshift-ci]

@tmshort: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-multiarch-master-nightly-4.19-ocp-e2e-azure-ovn-multi-x-ax

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/1b33d920-1a1a-11f0-8c5f-ee739d333a54-0

[tmshort]

/payload-aggregate periodic-ci-openshift-release-master-nightly-4.19-e2e-vsphere-ovn 10

[openshift-ci]

@tmshort: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-master-nightly-4.19-e2e-vsphere-ovn

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/1fb394e0-1a1a-11f0-8220-72a13906a7d1-0

[anik120]

/retitle OCPBUGS-54877: Add catalogd-cas-dir option to op-con

[openshift-ci-robot]

@tmshort: This pull request references Jira Issue OCPBUGS-54877, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.19.0) matches configured target version for branch (4.19.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @Xia-Zhao-rh

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This forces us to explicitly watch the /var/ca-certs dir, and properly reload the certs when the x509.SystemCertPool() may not.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[anik120]

the e2e-aws-techpreview job failed but I don't see the "x509" error, which was reliably there in the previous failures. Retesting after a while since both e2e-aws and e2e-techpreview failed with:

install should succeed: infrastructure 
-- | --
{  openshift cluster install failed with infrastructure setup}

which looks like aws cluster provisioning issue

[tmshort]

/retest-required
It's been an hour

[tmshort]

/test openshift-e2e-aws-techpreview

[oceanc80]

/test openshift-e2e-aws

[tmshort]

/payload-aggregate-with-prs periodic-ci-openshift-multiarch-master-nightly-4.19-ocp-e2e-azure-ovn-multi-x-ax 5 #316

[openshift-ci]

@tmshort: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-multiarch-master-nightly-4.19-ocp-e2e-azure-ovn-multi-x-ax

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/a34b5390-1a3f-11f0-9ec5-1d03e7a8039c-0

[openshift-ci]

@tmshort: This PR was included in a payload test run from #316
trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-multiarch-master-nightly-4.19-ocp-e2e-azure-ovn-multi-x-ax

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/a34b5390-1a3f-11f0-9ec5-1d03e7a8039c-0

[tmshort]

/payload-aggregate periodic-ci-openshift-release-master-nightly-4.19-e2e-vsphere-ovn 10

[openshift-ci]

@tmshort: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-master-nightly-4.19-e2e-vsphere-ovn

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/af65c6b0-1a3f-11f0-9286-4615665673f7-0

[joelanford]

/retest-required

[jianzhangbjz]

Trigger a test via the cluster-bot:

workflow-launch cucushift-agent-vsphere-install-ha #316
a cluster is being created - I'll send you the credentials when the cluster is ready.

[oceanc80]

/test openshift-e2e-aws-techpreview

[tmshort]

The periodic-ci-openshift-multiarch-master-nightly-4.19-ocp-e2e-azure-ovn-multi-x-ax tests do not seem to be running with this PR316. The --catalogd-cas-dir setting is not on the operator-controller deployment.
The periodic-ci-openshift-release-master-nightly-4.19-e2e-vsphere-ovn tests do seem to be running with this PR316, however, they seem to be based on 4.19.0-0.nightly-2025-04-10-031621 and not on something more recent...

[jianzhangbjz]

Test pass, see: https://issues.redhat.com/browse/OCPBUGS-54877
/label qe-approved
/lgtm

[openshift-ci-robot]

@tmshort: This pull request references Jira Issue OCPBUGS-54877, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.19.0) matches configured target version for branch (4.19.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (jiazha@redhat.com), skipping review request.

In response to this:

This forces us to explicitly watch the /var/ca-certs dir, and properly reload the certs when the x509.SystemCertPool() may not.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 209ff44 and 2 for PR HEAD ae69917 in total

[openshift-ci]

@tmshort: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-aws-ovn	ae69917	link	false	/test okd-scos-e2e-aws-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@tmshort: Jira Issue OCPBUGS-54877: Some pull requests linked via external trackers have merged:

• openshift/cluster-olm-operator#114

The following pull requests linked via external trackers have not merged:

• openshift/operator-framework-operator-controller#311 is open

These pull request must merge or be unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-54877 has not been moved to the MODIFIED state.

In response to this:

This forces us to explicitly watch the /var/ca-certs dir, and properly reload the certs when the x509.SystemCertPool() may not.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: ose-olm-catalogd
This PR has been included in build ose-olm-catalogd-container-v4.19.0-202504161306.p0.gad55882.assembly.stream.el9.
All builds following this will include this PR.

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: ose-olm-operator-controller
This PR has been included in build ose-olm-operator-controller-container-v4.19.0-202504161306.p0.gad55882.assembly.stream.el9.
All builds following this will include this PR.

[tmshort]

/cherry-pick release-4.18

[openshift-cherrypick-robot]

@tmshort: #316 failed to apply on top of branch "release-4.18":

Applying: UPSTREAM: <carry>: Add caalogd-cas-dir option to op-con
Using index info to reconstruct a base tree...
A	openshift/operator-controller/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml
A	openshift/operator-controller/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml
Falling back to patching base and 3-way merge...
Auto-merging openshift/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml
CONFLICT (content): Merge conflict in openshift/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml
Auto-merging openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml
CONFLICT (content): Merge conflict in openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0001 UPSTREAM: <carry>: Add caalogd-cas-dir option to op-con

In response to this:

/cherry-pick release-4.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[tmshort]

Will have to cherry-pick manually.