handle CA bundle for k8s platform (#135)

Signed-off-by: Riccardo Piccoli <rpiccoli@redhat.com>

Author: rccrdpccl

Makefile

@@ -169,6 +169,9 @@ docker-buildx: ## Build and push docker image for the manager for cross-platform
 generate-published-manifests: build-installer
 	cp $(DIST_DIR)/controlplane_install.yaml controlplane-components.yaml
 	cp $(DIST_DIR)/bootstrap_install.yaml bootstrap-components.yaml
+	cp $(DIST_DIR)/controlplane_install.yaml test/e2e/manifests/capcoa/controlplane_install.yaml
+	cp $(DIST_DIR)/bootstrap_install.yaml test/e2e/manifests/capboa/bootstrap_install.yaml
+
 
 .PHONY: build-installer
 build-installer:

assistedinstaller/client.go

@@ -4,8 +4,10 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"net/http"
+	"strings"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -17,27 +19,39 @@ func GetAssistedHTTPClient(config ServiceConfig, c client.Client) (*http.Client,
 		return &http.Client{}, nil
 	}
 	if config.AssistedCABundleName == "" || config.AssistedCABundleNamespace == "" {
-		return nil, fmt.Errorf("ASSISTED_CA_BUNDLE_NAME and ASSISTED_CA_BUNDLE_NAMESPACE must either both be set or unset")
+		return nil, errors.New("ASSISTED_CA_BUNDLE_NAME and ASSISTED_CA_BUNDLE_NAMESPACE must either both be set or unset")
+	}
+	if config.AssistedCABundleResource != "secret" && config.AssistedCABundleResource != "configmap" {
+		return nil, errors.New("ASSISTED_CA_BUNDLE_RESOURCE must be either configmap or secret")
 	}
 
-	cmNSName := types.NamespacedName{
+	caCertPool, err := x509.SystemCertPool()
+	if err != nil {
+		return nil, fmt.Errorf("failed to obtain system cert pool: %w", err)
+	}
+
+	namespacedName := types.NamespacedName{
 		Name:      config.AssistedCABundleName,
 		Namespace: config.AssistedCABundleNamespace,
 	}
-	cm := &corev1.ConfigMap{}
-	if err := c.Get(context.Background(), cmNSName, cm); err != nil {
-		return nil, err
-	}
-	bundlePEM, present := cm.Data[config.AssistedCABundleKey]
-	if !present {
-		return nil, fmt.Errorf("key %s not found in configmap %s", config.AssistedCABundleKey, cmNSName)
+	var bundlePEM []byte
+
+	if strings.EqualFold(config.AssistedCABundleResource, "secret") {
+		var secretErr error
+		bundlePEM, secretErr = getBundlePEMFromSecret(namespacedName, config.AssistedCABundleKey, c)
+		if secretErr != nil {
+			return nil, fmt.Errorf("failed to retrieve cert from secret %s: %w", namespacedName, secretErr)
+		}
 	}
 
-	caCertPool, err := x509.SystemCertPool()
-	if err != nil {
-		return nil, fmt.Errorf("failed to obtain system cert pool: %w", err)
+	if strings.EqualFold(config.AssistedCABundleResource, "configmap") {
+		var configmapErr error
+		bundlePEM, configmapErr = getBundlePEMFromConfigmap(namespacedName, config.AssistedCABundleKey, c)
+		if configmapErr != nil {
+			return nil, fmt.Errorf("failed to retrieve cert from configmap %s: %w", namespacedName, configmapErr)
+		}
 	}
-	if !caCertPool.AppendCertsFromPEM([]byte(bundlePEM)) {
+	if bundlePEM == nil || !caCertPool.AppendCertsFromPEM(bundlePEM) {
 		return nil, fmt.Errorf("failed to append additional certificates")
 	}
 
@@ -52,3 +66,31 @@ func GetAssistedHTTPClient(config ServiceConfig, c client.Client) (*http.Client,
 
 	return &http.Client{Transport: transport}, nil
 }
+
+func getBundlePEMFromConfigmap(namespacedName types.NamespacedName, certKey string, c client.Client) ([]byte, error) {
+	configmap := &corev1.ConfigMap{}
+
+	if err := c.Get(context.Background(), namespacedName, configmap); err != nil {
+		return nil, fmt.Errorf("failed to get configmap %s: %w", namespacedName, err)
+	}
+
+	bundlePEM, present := configmap.Data[certKey]
+	if !present {
+		return nil, fmt.Errorf("key %s not found in configmap %s", certKey, namespacedName)
+	}
+	return []byte(bundlePEM), nil
+}
+
+func getBundlePEMFromSecret(namespacedName types.NamespacedName, certKey string, c client.Client) ([]byte, error) {
+	secret := &corev1.Secret{}
+
+	if err := c.Get(context.Background(), namespacedName, secret); err != nil {
+		return nil, fmt.Errorf("failed to get secret %s: %w", namespacedName, err)
+	}
+
+	bundlePEMBytes, present := secret.Data[certKey]
+	if !present {
+		return nil, fmt.Errorf("key %s not found in secret %s", certKey, namespacedName)
+	}
+	return bundlePEMBytes, nil
+}

assistedinstaller/client_test.go

@@ -68,6 +68,28 @@ var _ = Describe("GetAssistedHTTPClient", func() {
 		Expect(err).ToNot(BeNil())
 	})
 
+	It("fails when the referenced resource is not valid", func() {
+		cm := &corev1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-cm-name",
+				Namespace: "test-cm-namespace",
+			},
+			Data: map[string]string{
+				"bundle.crt": testCert,
+			},
+		}
+		Expect(c.Create(context.Background(), cm)).To(Succeed())
+
+		config := ServiceConfig{
+			AssistedCABundleName:      "test-cm-name",
+			AssistedCABundleNamespace: "test-cm-namespace",
+			AssistedCABundleKey:       "bundle.crt",
+			AssistedCABundleResource:  "deployment",
+		}
+		_, err := GetAssistedHTTPClient(config, c)
+		Expect(err).ToNot(BeNil())
+	})
+
 	It("fails when the referenced CM key is not present", func() {
 		cm := &corev1.ConfigMap{
 			ObjectMeta: metav1.ObjectMeta{
@@ -84,6 +106,7 @@ var _ = Describe("GetAssistedHTTPClient", func() {
 			AssistedCABundleName:      "test-cm-name",
 			AssistedCABundleNamespace: "test-cm-namespace",
 			AssistedCABundleKey:       "bundle.crt",
+			AssistedCABundleResource:  "secret",
 		}
 		_, err := GetAssistedHTTPClient(config, c)
 		Expect(err).ToNot(BeNil())
@@ -105,6 +128,29 @@ var _ = Describe("GetAssistedHTTPClient", func() {
 			AssistedCABundleName:      "test-cm-name",
 			AssistedCABundleNamespace: "test-cm-namespace",
 			AssistedCABundleKey:       "bundle.crt",
+			AssistedCABundleResource:  "configmap",
+		}
+		_, err := GetAssistedHTTPClient(config, c)
+		Expect(err).To(BeNil())
+	})
+
+	It("creates a client using the referenced certs with secret", func() {
+		cm := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-cm-name",
+				Namespace: "test-cm-namespace",
+			},
+			Data: map[string][]byte{
+				"bundle.crt": []byte(testCert),
+			},
+		}
+		Expect(c.Create(context.Background(), cm)).To(Succeed())
+
+		config := ServiceConfig{
+			AssistedCABundleName:      "test-cm-name",
+			AssistedCABundleNamespace: "test-cm-namespace",
+			AssistedCABundleKey:       "bundle.crt",
+			AssistedCABundleResource:  "secret",
 		}
 		_, err := GetAssistedHTTPClient(config, c)
 		Expect(err).To(BeNil())

assistedinstaller/config.go

@@ -16,6 +16,7 @@ type ServiceConfig struct {
 	// Name and namespace of a configmap containing the CA bundle to trust when querying assisted-service
 	AssistedCABundleNamespace string `envconfig:"ASSISTED_CA_BUNDLE_NAMESPACE"`
 	AssistedCABundleName      string `envconfig:"ASSISTED_CA_BUNDLE_NAME"`
+	AssistedCABundleResource  string `envconfig:"ASSISTED_CA_BUNDLE_RESOURCE" default:"configmap"`
 	// Key name to reference in the CA bundle configmap where the cert bundle is stored
 	AssistedCABundleKey string `envconfig:"ASSISTED_CA_BUNDLE_KEY" default:"ca-bundle.crt"`
 }