Update coroot operator with new TLS Support configs

[vishnukumarkvs]

Adding TLS configurations to coroot operator which we already support now for coroot components in latest releases

[vishnukumarkvs]

Bumped controller-gen to 0.20.1 (latest) in Makefile as 0.16.1 version is not compatible with go 1.25 version

make generate
Downloading sigs.k8s.io/controller-tools/cmd/controller-gen@v0.16.1
# golang.org/x/tools/internal/tokeninternal
../../../../go/pkg/mod/golang.org/x/tools@v0.24.0/internal/tokeninternal/tokeninternal.go:64:9: invalid array length -delta * delta (constant -256 of type int64)
make: *** [/Users/kvsvishnukumar/VishnuKvs/Workspace/myrepos/coroot-operator/bin/controller-gen] Error 1 

Not facing above issue with latest version

[vishnukumarkvs]

I ran k3s in ubuntu vm. I have used openssl and created certs and keys. Used this custom resource and deployed coroot to start in TLS mode

I ran make run to test this operator code

[vishnukumarkvs]

[vishnukumarkvs]

cc: @def

[vishnukumarkvs]

Hi @def ,

I have tested these changes and it looks good. Pls review this MR.

Also, I need your input for below things.

1. When deploying via operator, I used 8443 as default port for https. We have two env vars. HTTPS_LISTEN and HTTP_DISABLED. In coroot CR, if we just pass httpDisabled: true, it will use 8443 (cr.Spec.Service.HTTPSPort = 8443) and will set env var HTTPS_LISTEN to ":8443". Is this ok?

2. When in HTTP_DISABLED mode, the below entry in coroot k8s service is useless

  ports:
  - name: http
    port: 8080
    protocol: TCP
    targetPort: http

So, should I add code to remove this or shall we keep it for fallback?

[def]

I feels like we need to configure CASecret in NodeAgentSpec only. I was a wrong decision to configure TLSSkipVerify right here (let's keep it here for back compatibility)

[vishnukumarkvs]

updated here: 7d7589b

[def]

let's set it to cr.Spec.AgentsOnly.TLSSkipVerify or cr.Spec.NodeAgent.TLS.TLSSkipVerify (if TLS != nil)

[def]

this should be set only from cr.Spec.NodeAgent.TLS

[vishnukumarkvs]

I think using NodeAgent TLS config inside ClusterAgent would be confusing. This will remove the redundancy and we can just add one CA Secret in NodeAgent Spec but wont it confuse?

[def]

Surely we need to keep both: one for NodeAgent, another for ClusterAgent. I meant AgentsOnly should contain only the Coroot URL. Other agent configuration (such as resource requests/limits) should come from NodeAgent and ClusterAgent, so it would be good to have TLS configs in those sections as well.

[vishnukumarkvs]

yes, updated in this commit: 7d7589b

[def]

i'm not sure that using resource.ParseQuantity is necessary

[vishnukumarkvs]

Used strconv, here: dd340c8

[def]

the same as for ClusterAgent

[def]

Let's add this only if !cr.Spec.HTTPDisabled ?

[vishnukumarkvs]

Added in b9ad4a0 with other related ingress changes

[vishnukumarkvs]

Hi @def , let me know if any other changes are required.

[def]

@vishnukumarkvs thank you, and apologies for the delay on my end