HOSTEDCP-1000: Add user CA(s) to ocm-trusted-ca-bundle ConfigMap

https://issues.redhat.com/browse/HOSTEDCP-1000 Adds the CA certificates for mirror registries specified by the user to the ocm-trusted-ca-bundle injected in openshift#2437 so that these certificates may be used to pull images from these mirror registries.
CrystalChun · Jul 13, 2023 · 2711b2f · 2711b2f
1 parent 34029b7
commit 2711b2f
Showing 1 changed file with 130 additions and 4 deletions.
diff --git a/hypershift-operator/main.go b/hypershift-operator/main.go
@@ -15,8 +15,10 @@ limitations under the License.
 package main
 
 import (
+	"bytes"
 	"context"
 	"fmt"
+	"io/ioutil"
 	"os"
 	"strings"
 	"time"
@@ -28,10 +30,12 @@ import (
 
 	"github.com/aws/aws-sdk-go/service/s3"
 	"github.com/go-logr/logr"
+	configapi "github.com/openshift/api/config/v1"
 	operatorv1 "github.com/openshift/api/operator/v1"
 	hyperapi "github.com/openshift/hypershift/api"
 	hyperv1 "github.com/openshift/hypershift/api/v1beta1"
 	awsutil "github.com/openshift/hypershift/cmd/infra/aws/util"
+	"github.com/openshift/hypershift/cmd/util"
 	"github.com/openshift/hypershift/hypershift-operator/controllers/hostedcluster"
 	"github.com/openshift/hypershift/hypershift-operator/controllers/nodepool"
 	"github.com/openshift/hypershift/hypershift-operator/controllers/platform/aws"
@@ -61,6 +65,10 @@ import (
 )
 
 func main() {
+	ctrl.SetLogger(zap.New(zap.UseDevMode(true), zap.JSONEncoder(func(o *zapcore.EncoderConfig) {
+		o.EncodeTime = zapcore.RFC3339TimeEncoder
+	})))
+
 	cmd := &cobra.Command{
 		Use: "hypershift-operator",
 		Run: func(cmd *cobra.Command, args []string) {
@@ -72,6 +80,7 @@ func main() {
 	cmd.Version = version.String()
 
 	cmd.AddCommand(NewStartCommand())
+	cmd.AddCommand(NewInitCommand())
 
 	if err := cmd.Execute(); err != nil {
 		fmt.Fprintf(os.Stderr, "%v\n", err)
@@ -97,10 +106,6 @@ type StartOptions struct {
 }
 
 func NewStartCommand() *cobra.Command {
-	ctrl.SetLogger(zap.New(zap.UseDevMode(true), zap.JSONEncoder(func(o *zapcore.EncoderConfig) {
-		o.EncodeTime = zapcore.RFC3339TimeEncoder
-	})))
-
 	cmd := &cobra.Command{
 		Use:   "run",
 		Short: "Runs the Hypershift operator",
@@ -438,3 +443,124 @@ func run(ctx context.Context, opts *StartOptions, log logr.Logger) error {
 	log.Info("starting manager")
 	return mgr.Start(ctx)
 }
+
+func NewInitCommand() *cobra.Command {
+	ctrl.SetLogger(zap.New(zap.UseDevMode(true), zap.JSONEncoder(func(o *zapcore.EncoderConfig) {
+		o.EncodeTime = zapcore.RFC3339TimeEncoder
+	})))
+
+	cmd := &cobra.Command{
+		Use:   "init",
+		Short: "Initializes the environment for the Hypershift Operator",
+	}
+
+	cmd.Run = func(cmd *cobra.Command, args []string) {
+		ctx, cancel := context.WithCancel(ctrl.SetupSignalHandler())
+		defer cancel()
+
+		if err := runInit(ctx, ctrl.Log.WithName("init")); err != nil {
+			fmt.Println(err)
+			os.Exit(1)
+		}
+	}
+
+	return cmd
+}
+
+func runInit(ctx context.Context, log logr.Logger) error {
+	log.Info("Initializing environment for Hypershift Operator")
+	client, err := util.GetClient()
+	if err != nil {
+		return err
+	}
+	config, err := ctrl.GetConfig()
+	if err != nil {
+		return err
+	}
+	discoveryClient, err := discovery.NewDiscoveryClientForConfig(config)
+	if err != nil {
+		return fmt.Errorf("unable to get discovery client: %w", err)
+	}
+	mgmtClusterCaps, err := capabilities.DetectManagementClusterCapabilities(discoveryClient)
+	if err != nil {
+		return fmt.Errorf("unable to detect management cluster capabilities: %w", err)
+	}
+
+	if !(mgmtClusterCaps.Has(capabilities.CapabilityImage) && mgmtClusterCaps.Has(capabilities.CapabilityProxy)) {
+		return nil
+	}
+
+	imageRegistryCABundle, err := getImageRegistryCABundle(ctx, client)
+	if err != nil {
+		return err
+	}
+	trustedCABundle := new(bytes.Buffer)
+	ocmTrustedCABundle, err := ioutil.ReadFile("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem")
+	if err != nil {
+		log.Info("error reading tls-ca-bundle.pem")
+		return err
+	}
+	trustedCABundle.Write(ocmTrustedCABundle)
+	if imageRegistryCABundle != nil {
+		trustedCABundle.Write(imageRegistryCABundle.Bytes())
+	}
+	ioutil.WriteFile("/trust-bundle/tls-ca-bundle.pem", trustedCABundle.Bytes(), 0644)
+
+	log.Info("Finished initializing environment for Hypershift Operator")
+	return nil
+}
+
+func apply(ctx context.Context, client crclient.Client, object crclient.Object) error {
+	var objectBytes bytes.Buffer
+	if err := hyperapi.YamlSerializer.Encode(object, &objectBytes); err != nil {
+		return err
+	}
+
+	if err := client.Patch(ctx, object, crclient.RawPatch(types.ApplyPatchType, objectBytes.Bytes()), crclient.ForceOwnership, crclient.FieldOwner("hypershift")); err != nil {
+		return err
+	}
+	fmt.Printf("applied %s %s/%s\n", object.GetObjectKind().GroupVersionKind().Kind, object.GetNamespace(), object.GetName())
+	return nil
+}
+
+// getMgmtClusterCapabilities initializes the ManagementClusterCabilities object
+// to determine if the management cluster has the listed capabilities
+func getMgmtClusterCapabilities() (*capabilities.ManagementClusterCapabilities, error) {
+	config, err := util.GetConfig()
+	if err != nil {
+		return nil, fmt.Errorf("unable to get kubernetes config: %w", err)
+	}
+	discoveryClient, err := discovery.NewDiscoveryClientForConfig(config)
+	if err != nil {
+		return nil, fmt.Errorf("unable to get discovery client: %w", err)
+	}
+	return capabilities.DetectManagementClusterCapabilities(discoveryClient)
+}
+
+// getImageRegistryCABundle retrieves the image registry CAs listed under image.config.openshift.io
+// and merges them into one CA bundle
+func getImageRegistryCABundle(ctx context.Context, client crclient.Client) (*bytes.Buffer, error) {
+	img := &configapi.Image{}
+	if err := client.Get(ctx, types.NamespacedName{Name: "cluster"}, img); err != nil {
+		return nil, err
+	}
+	if img == nil || img.Spec.AdditionalTrustedCA.Name == "" {
+		return nil, nil
+	}
+	configmap := &corev1.ConfigMap{}
+	if err := client.Get(ctx, types.NamespacedName{Name: img.Spec.AdditionalTrustedCA.Name, Namespace: "openshift-config"}, configmap); err != nil {
+		return nil, err
+	}
+	if configmap.Data != nil {
+		// Merge all registry CA certificates together into one bundle
+		var buf bytes.Buffer
+		for _, crt := range configmap.Data {
+			buf.WriteString(crt)
+		}
+		if buf.Len() > 0 {
+			return &buf, nil
+		}
+	}
+
+	return nil, nil
+}