feat(operator): Mount CA into Upgrade Job Container (#2183)

* feat(velero): add support for mitm proxy

* f

* f

* f

* f

* f

* f

* f

* velero use ca from host

* http proxy dryrun test

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* refactor host ca retrieval

* add unit tests

* add dry run capability for adminconsole addon

* make adminconsole unit test consistent with other addons

* remove privateCa from admin console

* update adminconsole version and add integration test

* add tests for cabundle to dryrun

* update TestInstallWithPrivateCAs e2e test

* fix dry run tests to make sure they use dry run client

* more debug

* more debug

* fix tests

* fix tests

* remove debug values

* debug integration test

* fix integration test

* move cert generation to bash

* debug privateca e2e test

* debug privateca e2e test

* re-add privateca in order to get operator working correctly for mitm tests

* fix create configmap

* remove uneeded e2e test

* consolidate unit test

* remove privateca from static values

* remove redundant dry run test

* retreive hostcabundlepath from runtime config

* add debug log statements

* bump kots version for latest kots kinds

* remove debug logging

---------

Co-authored-by: Ethan Mosbaugh <[email protected]>

Author: diamonwiggins

operator/pkg/upgrade/job.go

@@ -43,6 +43,7 @@ func CreateUpgradeJob(
 	localArtifactMirrorImage, licenseID, appSlug, channelID, appVersion string,
 	previousInstallVersion string,
 ) error {
+	log := controllerruntime.LoggerFrom(ctx)
 	// check if the job already exists - if it does, we've already rolled out images and can return now
 	job := &batchv1.Job{}
 	err := cli.Get(ctx, client.ObjectKey{Namespace: upgradeJobNamespace, Name: fmt.Sprintf(upgradeJobName, in.Name)}, job)
@@ -118,10 +119,6 @@ func CreateUpgradeJob(
 			Name:  "JOB_NAMESPACE",
 			Value: upgradeJobNamespace,
 		},
-		{
-			Name:  "SSL_CERT_DIR",
-			Value: "/certs",
-		},
 	}
 
 	if in.Spec.Proxy != nil {
@@ -195,17 +192,6 @@ func CreateUpgradeJob(
 								},
 							},
 						},
-						{
-							Name: "private-cas",
-							VolumeSource: corev1.VolumeSource{
-								ConfigMap: &corev1.ConfigMapVolumeSource{
-									LocalObjectReference: corev1.LocalObjectReference{
-										Name: "kotsadm-private-cas",
-									},
-									Optional: ptr.To(true),
-								},
-							},
-						},
 						{
 							Name: "ec-charts-dir",
 							VolumeSource: corev1.VolumeSource{
@@ -236,10 +222,6 @@ func CreateUpgradeJob(
 									Name:      "config",
 									MountPath: "/config",
 								},
-								{
-									Name:      "private-cas",
-									MountPath: "/certs",
-								},
 								{
 									Name:      "ec-charts-dir",
 									MountPath: runtimeconfig.EmbeddedClusterChartsSubDirNoCreate(),
@@ -253,6 +235,48 @@ func CreateUpgradeJob(
 		},
 	}
 
+	// Add the host CA bundle volume, mount, and env var if it's available in the installation
+	hostCABundlePath := ""
+	if in.Spec.RuntimeConfig != nil {
+		hostCABundlePath = in.Spec.RuntimeConfig.HostCABundlePath
+	}
+
+	if hostCABundlePath != "" {
+		log.Info("Using host CA bundle from installation", "path", hostCABundlePath)
+
+		// Add the CA bundle volume
+		job.Spec.Template.Spec.Volumes = append(job.Spec.Template.Spec.Volumes, corev1.Volume{
+			Name: "host-ca-bundle",
+			VolumeSource: corev1.VolumeSource{
+				HostPath: &corev1.HostPathVolumeSource{
+					Path: hostCABundlePath,
+					Type: ptr.To(corev1.HostPathFileOrCreate),
+				},
+			},
+		})
+
+		// Add the CA bundle mount
+		job.Spec.Template.Spec.Containers[0].VolumeMounts = append(
+			job.Spec.Template.Spec.Containers[0].VolumeMounts,
+			corev1.VolumeMount{
+				Name:      "host-ca-bundle",
+				MountPath: "/certs/ca-certificates.crt",
+			},
+		)
+
+		// Add the SSL_CERT_DIR environment variable
+		job.Spec.Template.Spec.Containers[0].Env = append(
+			job.Spec.Template.Spec.Containers[0].Env,
+			corev1.EnvVar{
+				Name:  "SSL_CERT_DIR",
+				Value: "/certs",
+			},
+		)
+	} else {
+		log.Info("No host CA bundle path found in installation, no CA bundle will be used")
+	}
+
+	// Create the job with all configuration in place
 	if err = cli.Create(ctx, job); err != nil {
 		return fmt.Errorf("failed to create upgrade job: %w", err)
 	}

operator/pkg/upgrade/job_test.go

@@ -88,3 +88,214 @@ func TestCreateUpgradeJob_NodeAffinity(t *testing.T) {
 	assert.Equal(t, corev1.NodeSelectorOpExists, preferredTerms[0].Preference.MatchExpressions[0].Operator,
 		"Node affinity operator should be 'Exists'")
 }
+
+func TestCreateUpgradeJob_HostCABundle(t *testing.T) {
+	// Test with HostCABundlePath set
+	t.Run("with HostCABundlePath set", func(t *testing.T) {
+		scheme := runtime.NewScheme()
+		require.NoError(t, ecv1beta1.AddToScheme(scheme))
+		require.NoError(t, batchv1.AddToScheme(scheme))
+		require.NoError(t, corev1.AddToScheme(scheme))
+
+		// Version used for testing
+		testVersion := "1.2.3"
+		testCAPath := "/etc/ssl/certs/ca-certificates.crt"
+
+		// Create a minimal installation CR with RuntimeConfig.HostCABundlePath set
+		installation := &ecv1beta1.Installation{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-installation",
+				Namespace: "default",
+			},
+			Spec: ecv1beta1.InstallationSpec{
+				BinaryName: "test-binary",
+				Config: &ecv1beta1.ConfigSpec{
+					Version: testVersion,
+					Domains: ecv1beta1.Domains{
+						ProxyRegistryDomain: "registry.example.com",
+					},
+				},
+				RuntimeConfig: &ecv1beta1.RuntimeConfigSpec{
+					HostCABundlePath: testCAPath,
+				},
+			},
+		}
+
+		// Create a cached metadata for the test version
+		// This avoids having to properly create a ConfigMap
+		testMeta := types.ReleaseMetadata{
+			Images: []string{"registry.example.com/embedded-cluster-operator-image:1.2.3"},
+		}
+		release.CacheMeta(testVersion, testMeta)
+
+		// Create a fake client with the installation
+		cli := fake.NewClientBuilder().
+			WithScheme(scheme).
+			WithObjects(installation).
+			Build()
+
+		// Call the function under test
+		err := CreateUpgradeJob(
+			context.Background(), cli, installation,
+			"registry.example.com/local-artifact-mirror:1.2.3",
+			"license-id", "app-slug", "channel-id", testVersion,
+			"1.2.2",
+		)
+		require.NoError(t, err)
+
+		// Get the job that was created
+		job := &batchv1.Job{}
+		err = cli.Get(context.Background(), client.ObjectKey{
+			Namespace: upgradeJobNamespace,
+			Name:      "embedded-cluster-upgrade-test-installation",
+		}, job)
+		require.NoError(t, err)
+
+		// Verify that the host CA bundle volume exists
+		var hostCABundleVolumeFound bool
+		for _, volume := range job.Spec.Template.Spec.Volumes {
+			if volume.Name == "host-ca-bundle" {
+				hostCABundleVolumeFound = true
+				// Verify the volume properties
+				require.NotNil(t, volume.HostPath, "Host CA bundle volume should be a hostPath volume")
+				assert.Equal(t, testCAPath, volume.HostPath.Path, "Host CA bundle path should match RuntimeConfig.HostCABundlePath")
+				assert.Equal(t, corev1.HostPathFileOrCreate, *volume.HostPath.Type, "Host CA bundle type should be FileOrCreate")
+				break
+			}
+		}
+		assert.True(t, hostCABundleVolumeFound, "Host CA bundle volume should exist")
+
+		// Verify that the volume mount exists
+		var hostCABundleMountFound bool
+		for _, mount := range job.Spec.Template.Spec.Containers[0].VolumeMounts {
+			if mount.Name == "host-ca-bundle" {
+				hostCABundleMountFound = true
+				// Verify the mount properties
+				assert.Equal(t, "/certs/ca-certificates.crt", mount.MountPath, "Host CA bundle mount path should be correct")
+				break
+			}
+		}
+		assert.True(t, hostCABundleMountFound, "Host CA bundle mount should exist")
+
+		// Verify that the SSL_CERT_DIR environment variable exists
+		var sslCertDirEnvFound bool
+		for _, env := range job.Spec.Template.Spec.Containers[0].Env {
+			if env.Name == "SSL_CERT_DIR" {
+				sslCertDirEnvFound = true
+				// Verify the env var value
+				assert.Equal(t, "/certs", env.Value, "SSL_CERT_DIR value should be correct")
+				break
+			}
+		}
+		assert.True(t, sslCertDirEnvFound, "SSL_CERT_DIR environment variable should exist")
+
+		// Verify the "private-cas" volume does NOT exist
+		var privateCasVolumeFound bool
+		for _, volume := range job.Spec.Template.Spec.Volumes {
+			if volume.Name == "private-cas" {
+				privateCasVolumeFound = true
+				break
+			}
+		}
+		assert.False(t, privateCasVolumeFound, "private-cas volume should not exist")
+	})
+
+	// Test without HostCABundlePath set
+	t.Run("without HostCABundlePath set", func(t *testing.T) {
+		scheme := runtime.NewScheme()
+		require.NoError(t, ecv1beta1.AddToScheme(scheme))
+		require.NoError(t, batchv1.AddToScheme(scheme))
+		require.NoError(t, corev1.AddToScheme(scheme))
+
+		// Version used for testing
+		testVersion := "1.2.3"
+
+		// Create a minimal installation CR without RuntimeConfig.HostCABundlePath
+		installation := &ecv1beta1.Installation{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-installation",
+				Namespace: "default",
+			},
+			Spec: ecv1beta1.InstallationSpec{
+				BinaryName: "test-binary",
+				Config: &ecv1beta1.ConfigSpec{
+					Version: testVersion,
+					Domains: ecv1beta1.Domains{
+						ProxyRegistryDomain: "registry.example.com",
+					},
+				},
+				// No RuntimeConfig or empty RuntimeConfig
+			},
+		}
+
+		// Create a cached metadata for the test version
+		// This avoids having to properly create a ConfigMap
+		testMeta := types.ReleaseMetadata{
+			Images: []string{"registry.example.com/embedded-cluster-operator-image:1.2.3"},
+		}
+		release.CacheMeta(testVersion, testMeta)
+
+		// Create a fake client with the installation
+		cli := fake.NewClientBuilder().
+			WithScheme(scheme).
+			WithObjects(installation).
+			Build()
+
+		// Call the function under test
+		err := CreateUpgradeJob(
+			context.Background(), cli, installation,
+			"registry.example.com/local-artifact-mirror:1.2.3",
+			"license-id", "app-slug", "channel-id", testVersion,
+			"1.2.2",
+		)
+		require.NoError(t, err)
+
+		// Get the job that was created
+		job := &batchv1.Job{}
+		err = cli.Get(context.Background(), client.ObjectKey{
+			Namespace: upgradeJobNamespace,
+			Name:      "embedded-cluster-upgrade-test-installation",
+		}, job)
+		require.NoError(t, err)
+
+		// Verify that the host CA bundle volume does NOT exist
+		var hostCABundleVolumeFound bool
+		for _, volume := range job.Spec.Template.Spec.Volumes {
+			if volume.Name == "host-ca-bundle" {
+				hostCABundleVolumeFound = true
+				break
+			}
+		}
+		assert.False(t, hostCABundleVolumeFound, "Host CA bundle volume should not exist when HostCABundlePath is not set")
+
+		// Verify that the volume mount does NOT exist
+		var hostCABundleMountFound bool
+		for _, mount := range job.Spec.Template.Spec.Containers[0].VolumeMounts {
+			if mount.Name == "host-ca-bundle" {
+				hostCABundleMountFound = true
+				break
+			}
+		}
+		assert.False(t, hostCABundleMountFound, "Host CA bundle mount should not exist when HostCABundlePath is not set")
+
+		// Verify that the SSL_CERT_DIR environment variable does NOT exist
+		var sslCertDirEnvFound bool
+		for _, env := range job.Spec.Template.Spec.Containers[0].Env {
+			if env.Name == "SSL_CERT_DIR" {
+				sslCertDirEnvFound = true
+				break
+			}
+		}
+		assert.False(t, sslCertDirEnvFound, "SSL_CERT_DIR environment variable should not exist when HostCABundlePath is not set")
+
+		// Verify the "private-cas" volume does NOT exist
+		var privateCasVolumeFound bool
+		for _, volume := range job.Spec.Template.Spec.Volumes {
+			if volume.Name == "private-cas" {
+				privateCasVolumeFound = true
+				break
+			}
+		}
+		assert.False(t, privateCasVolumeFound, "private-cas volume should not exist")
+	})
+}

pkg/addons/adminconsole/static/metadata.yaml

@@ -5,24 +5,24 @@
 # $ make buildtools
 # $ output/bin/buildtools update addon <addon name>
 #
-version: 1.124.16-ec.4
+version: 1.124.16-ec.5
 location: oci://proxy.replicated.com/anonymous/registry.replicated.com/library/admin-console
 images:
     kotsadm:
         repo: proxy.replicated.com/anonymous/kotsadm/kotsadm
         tag:
-            amd64: v1.124.16-ec.4-amd64@sha256:25867454b00cae4c36dcb1cab30fe833227337fa698afe1d9450e85d0dda0461
-            arm64: v1.124.16-ec.4-arm64@sha256:76d95bd8c53a9e7f3e170b927f847c6b308457dd83a7e37229c0f0770e40d0d6
+            amd64: v1.124.16-ec.5-amd64@sha256:f4519dd15b4b978157e699ea16616fba646d7b599e8c579b0e83774c1e2e02bd
+            arm64: v1.124.16-ec.5-arm64@sha256:53310cc5e666a8d1acafa4309a88aceedc134a86616f58306f1f665a89ddf9ed
     kotsadm-migrations:
         repo: proxy.replicated.com/anonymous/kotsadm/kotsadm-migrations
         tag:
-            amd64: v1.124.16-ec.4-amd64@sha256:b0ac39c9cd9a727ab8e11738aa28ba8e3f5415fdf444b3d7e10dbdc47078b281
-            arm64: v1.124.16-ec.4-arm64@sha256:7b6754b4e444436c429161a0b292f5c6afe2d9aa7a04083cab588a2ecdb5e87f
+            amd64: v1.124.16-ec.5-amd64@sha256:1c3daf5c301fc6a9d64dc7f8776d40db9be5a0e82766ba21d2fd4daa35a525eb
+            arm64: v1.124.16-ec.5-arm64@sha256:8139f3566f96f772bf52244c0f9ddaad94193a39e64b76ee700e02adad8b441a
     kurl-proxy:
         repo: proxy.replicated.com/anonymous/kotsadm/kurl-proxy
         tag:
-            amd64: v1.124.16-ec.4-amd64@sha256:5296b3ce56fbf55eee420efc7e939514fc11e0e6c83ff1240288ecca36c47473
-            arm64: v1.124.16-ec.4-arm64@sha256:35af6a5e0566416b5a9d06da20725fdbfaa10727f255cb31520715e422c220e3
+            amd64: v1.124.16-ec.5-amd64@sha256:1a367bae52522e45eb6a30794d7a5796b6010703926524aca31e151eca382d8a
+            arm64: v1.124.16-ec.5-arm64@sha256:d0629818c1bb38a2a876becdce3c94c4b96dfd9f9d21e4f3d7225703994518d0
     rqlite:
         repo: proxy.replicated.com/anonymous/kotsadm/rqlite
         tag: