MGMT-16508: Add API to AgentServiceConfig CRD to allow pass of CA cer…

…tificates for image pull.

This PR introduces a new field to the AgentServiceConfig CRD `imagePullCAConfigMap` which is a LocalObjectReference to a config map containing CA certificates
These certificates are to be used by the image service for the purpose of verifying the CA of HTTPS connections used for pulling images.

If `imagePullCAConfigMap` has an influence over a volume definition for "additional-ca-bundle" in the StatefulSet for assisted-image-service.
Any certificates defined within the data section of the map are to be stored in "/additional-ca-bundle"

This code sets up the Volume for this and maps to either an empty directory or maps the content of the ConfigMap.

This will ensure that the CA's will be available for use by the image service.

api/v1beta1/agentserviceconfig_types.go

@@ -109,6 +109,12 @@ type AgentServiceConfigSpec struct {
 	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="List of container registries without authentication"
 	// +optional
 	UnauthenticatedRegistries []string `json:"unauthenticatedRegistries,omitempty"`
+	// ImagePullCAConfigMapRef is a reference to a config map containing a certificate authority certificate
+	// this is an optional certificate to allow a customer to add a certificate authority for a HTTPS source of images
+	// this certificate will be used by the assisted-image-service when pulling OS images.
+	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Image pull CA config map reference"
+	// +optional
+	ImagePullCAConfigMapRef *corev1.LocalObjectReference `json:"imagePullCAConfigMapRef,omitempty"`
 }
 
 // ConditionType related to our reconcile loop in addition to all the reasons

config/crd/bases/agent-install.openshift.io_agentserviceconfigs.yaml

@@ -379,6 +379,18 @@ spec:
                 - enabled
                 - disabled
                 type: string
+              imagePullCAConfigMapRef:
+                description: ImagePullCAConfigMapRef is a reference to a config map
+                  containing a certificate authority certificate this is an optional
+                  certificate to allow a customer to add a certificate authority for
+                  a HTTPS source of images this certificate will be used by the assisted-image-service
+                  when pulling OS images.
+                properties:
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      TODO: Add other useful fields. apiVersion, kind, uid?'
+                    type: string
+                type: object
               imageStorage:
                 description: ImageStorage defines the spec of the PersistentVolumeClaim
                   to be created for each replica of the image service. If a PersistentVolumeClaim

config/crd/bases/agent-install.openshift.io_hypershiftagentserviceconfigs.yaml

@@ -382,6 +382,18 @@ spec:
                 - enabled
                 - disabled
                 type: string
+              imagePullCAConfigMapRef:
+                description: ImagePullCAConfigMapRef is a reference to a config map
+                  containing a certificate authority certificate this is an optional
+                  certificate to allow a customer to add a certificate authority for
+                  a HTTPS source of images this certificate will be used by the assisted-image-service
+                  when pulling OS images.
+                properties:
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      TODO: Add other useful fields. apiVersion, kind, uid?'
+                    type: string
+                type: object
               imageStorage:
                 description: ImageStorage defines the spec of the PersistentVolumeClaim
                   to be created for each replica of the image service. If a PersistentVolumeClaim

config/crd/resources.yaml

@@ -1476,6 +1476,18 @@ spec:
                 - enabled
                 - disabled
                 type: string
+              imagePullCAConfigMapRef:
+                description: ImagePullCAConfigMapRef is a reference to a config map
+                  containing a certificate authority certificate this is an optional
+                  certificate to allow a customer to add a certificate authority for
+                  a HTTPS source of images this certificate will be used by the assisted-image-service
+                  when pulling OS images.
+                properties:
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      TODO: Add other useful fields. apiVersion, kind, uid?'
+                    type: string
+                type: object
               imageStorage:
                 description: ImageStorage defines the spec of the PersistentVolumeClaim
                   to be created for each replica of the image service. If a PersistentVolumeClaim
@@ -2147,6 +2159,18 @@ spec:
                 - enabled
                 - disabled
                 type: string
+              imagePullCAConfigMapRef:
+                description: ImagePullCAConfigMapRef is a reference to a config map
+                  containing a certificate authority certificate this is an optional
+                  certificate to allow a customer to add a certificate authority for
+                  a HTTPS source of images this certificate will be used by the assisted-image-service
+                  when pulling OS images.
+                properties:
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      TODO: Add other useful fields. apiVersion, kind, uid?'
+                    type: string
+                type: object
               imageStorage:
                 description: ImageStorage defines the spec of the PersistentVolumeClaim
                   to be created for each replica of the image service. If a PersistentVolumeClaim

config/manifests/bases/assisted-service-operator.clusterserviceversion.yaml

@@ -48,6 +48,12 @@ spec:
           in -image-service'
         displayName: Expose IPXE HTTP route
         path: iPXEHTTPRoute
+      - description: ImagePullCAConfigMapRef is a reference to a config map containing
+          a certificate authority certificate this is an optional certificate to allow
+          a customer to add a certificate authority for a HTTPS source of images this
+          certificate will be used by the assisted-image-service when pulling OS images.
+        displayName: Image pull CA config map reference
+        path: imagePullCAConfigMapRef
       - description: ImageStorage defines the spec of the PersistentVolumeClaim to
           be created for each replica of the image service. If a PersistentVolumeClaim
           is provided 2GiB per OSImage entry is required

deploy/olm-catalog/manifests/agent-install.openshift.io_agentserviceconfigs.yaml

@@ -377,6 +377,18 @@ spec:
                 - enabled
                 - disabled
                 type: string
+              imagePullCAConfigMapRef:
+                description: ImagePullCAConfigMapRef is a reference to a config map
+                  containing a certificate authority certificate this is an optional
+                  certificate to allow a customer to add a certificate authority for
+                  a HTTPS source of images this certificate will be used by the assisted-image-service
+                  when pulling OS images.
+                properties:
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      TODO: Add other useful fields. apiVersion, kind, uid?'
+                    type: string
+                type: object
               imageStorage:
                 description: ImageStorage defines the spec of the PersistentVolumeClaim
                   to be created for each replica of the image service. If a PersistentVolumeClaim

deploy/olm-catalog/manifests/agent-install.openshift.io_hypershiftagentserviceconfigs.yaml

@@ -380,6 +380,18 @@ spec:
                 - enabled
                 - disabled
                 type: string
+              imagePullCAConfigMapRef:
+                description: ImagePullCAConfigMapRef is a reference to a config map
+                  containing a certificate authority certificate this is an optional
+                  certificate to allow a customer to add a certificate authority for
+                  a HTTPS source of images this certificate will be used by the assisted-image-service
+                  when pulling OS images.
+                properties:
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      TODO: Add other useful fields. apiVersion, kind, uid?'
+                    type: string
+                type: object
               imageStorage:
                 description: ImageStorage defines the spec of the PersistentVolumeClaim
                   to be created for each replica of the image service. If a PersistentVolumeClaim

deploy/olm-catalog/manifests/assisted-service-operator.clusterserviceversion.yaml

@@ -256,6 +256,12 @@ spec:
           in -image-service'
         displayName: Expose IPXE HTTP route
         path: iPXEHTTPRoute
+      - description: ImagePullCAConfigMapRef is a reference to a config map containing
+          a certificate authority certificate this is an optional certificate to allow
+          a customer to add a certificate authority for a HTTPS source of images this
+          certificate will be used by the assisted-image-service when pulling OS images.
+        displayName: Image pull CA config map reference
+        path: imagePullCAConfigMapRef
       - description: ImageStorage defines the spec of the PersistentVolumeClaim to
           be created for each replica of the image service. If a PersistentVolumeClaim
           is provided 2GiB per OSImage entry is required

internal/bminventory/inventory.go

@@ -623,8 +623,7 @@ func (b *bareMetalInventory) RegisterClusterInternal(
 	}
 	cluster.MonitoredOperators = append(monitoredOperators, newOLMOperators...)
 
-	if err = featuresupport.ValidateIncompatibleFeatures(log, params.NewClusterParams.CPUArchitecture, cluster, nil, nil); err != nil {
-		b.log.Error(err)
+	if err = b.validateFeatureSupportLevel(ctx, cluster, params.NewClusterParams); err != nil {
 		return nil, common.NewApiError(http.StatusBadRequest, err)
 	}
 
@@ -678,6 +677,48 @@ func (b *bareMetalInventory) RegisterClusterInternal(
 	return cluster, err
 }
 
+// Validates support level features incompatibilities and validates all active features implementing
+// SupportLevelFeatureValidator interface. This function can be used to validate both cluster creation
+// and cluster update as it accepts parameters of type *models.V2ClusterUpdateParams
+// or *models.ClusterCreateParams as argument. If the argument is not of one of those types
+// it will be ignored.
+func (b *bareMetalInventory) validateFeatureSupportLevel(ctx context.Context, cluster *common.Cluster, params interface{}) error {
+	var cpuArchitecture string
+	var updateParams *models.V2ClusterUpdateParams
+	if createParams, ok := params.(*models.ClusterCreateParams); ok {
+		cpuArchitecture = createParams.CPUArchitecture
+	}
+	if uParams, ok := params.(*models.V2ClusterUpdateParams); ok {
+		updateParams = uParams
+	}
+
+	// infraEnvs will be available only in case of update. No infra env when registering cluster
+	infraEnvs, err := b.ListInfraEnvsInternal(ctx, cluster.ID, nil)
+	if err != nil {
+		return err
+	}
+
+	// Validate with infra-envs architecture
+	for _, infraEnv := range infraEnvs {
+		if err := featuresupport.ValidateActiveFeatures(b.log, cluster, infraEnv, nil); err != nil {
+			return common.NewApiError(http.StatusBadRequest, err)
+		}
+		if err := featuresupport.ValidateIncompatibleFeatures(b.log, infraEnv.CPUArchitecture, cluster, infraEnv, updateParams); err != nil {
+			return common.NewApiError(http.StatusBadRequest, err)
+		}
+	}
+
+	// Validate with cluster architecture - CPUArchitecture can be multi when multi cpu architecture is selected
+	if err := featuresupport.ValidateActiveFeatures(b.log, cluster, nil, updateParams); err != nil {
+		return common.NewApiError(http.StatusBadRequest, err)
+	}
+
+	if err := featuresupport.ValidateIncompatibleFeatures(b.log, cpuArchitecture, cluster, nil, updateParams); err != nil {
+		return common.NewApiError(http.StatusBadRequest, err)
+	}
+	return nil
+}
+
 func setDiskEncryptionWithDefaultValues(c *models.Cluster, config *models.DiskEncryption) {
 	// When enabling the encryption we set the mode to TPMv2 unless the request contains an
 	// explicit value.
@@ -1915,7 +1956,7 @@ func (b *bareMetalInventory) validateUpdateCluster(
 		return params, common.NewApiError(http.StatusBadRequest, err)
 	}
 
-	params, err = b.validateUpdateClusterIncompatibleFeatures(ctx, cluster, params)
+	err = b.validateFeatureSupportLevel(ctx, cluster, params.ClusterUpdateParams)
 	if err != nil {
 		return params, err
 	}
@@ -1944,28 +1985,6 @@ func (b *bareMetalInventory) setUpdatedPlatformParams(log logrus.FieldLogger, cl
 	return params, nil
 }
 
-func (b *bareMetalInventory) validateUpdateClusterIncompatibleFeatures(ctx context.Context, cluster *common.Cluster, params installer.V2UpdateClusterParams) (installer.V2UpdateClusterParams, error) {
-	infraEnvs, err := b.ListInfraEnvsInternal(ctx, cluster.ID, nil)
-	if err != nil {
-		return params, err
-	}
-
-	// Validate with infra-envs architecture
-	for _, infraEnv := range infraEnvs {
-		if err = featuresupport.ValidateIncompatibleFeatures(b.log, infraEnv.CPUArchitecture, cluster, infraEnv, params.ClusterUpdateParams); err != nil {
-			b.log.Error(err)
-			return params, common.NewApiError(http.StatusBadRequest, err)
-		}
-	}
-	// Validate with cluster architecture - CPUArchitecture can be multi when multi cpu architecture is selected
-	if err = featuresupport.ValidateIncompatibleFeatures(b.log, cluster.CPUArchitecture, cluster, nil, params.ClusterUpdateParams); err != nil {
-		b.log.Error(err)
-		return params, common.NewApiError(http.StatusBadRequest, err)
-	}
-
-	return params, nil
-}
-
 func (b *bareMetalInventory) v2UpdateClusterInternal(ctx context.Context, params installer.V2UpdateClusterParams, interactivity Interactivity) (*common.Cluster, error) {
 	log := logutil.FromContext(ctx, b.log)
 	var cluster *common.Cluster