fixed e2e tests (via refactoring of image registry setup)

Signed-off-by: Joe Lanford <joe.lanford@gmail.com>

Author: joelanford

Makefile

@@ -244,7 +244,6 @@ E2E_REGISTRY_IMAGE=localhost/e2e-test-registry:devel
 image-registry: export GOOS=linux
 image-registry: export GOARCH=amd64
 image-registry: ## Build the testdata catalog used for e2e tests and push it to the image registry
-	go build $(GO_BUILD_FLAGS) $(GO_BUILD_EXTRA_FLAGS) -tags '$(GO_BUILD_TAGS)' -ldflags '$(GO_BUILD_LDFLAGS)' -gcflags '$(GO_BUILD_GCFLAGS)' -asmflags '$(GO_BUILD_ASMFLAGS)' -o ./testdata/registry/bin/registry ./testdata/registry/registry.go
 	go build $(GO_BUILD_FLAGS) $(GO_BUILD_EXTRA_FLAGS) -tags '$(GO_BUILD_TAGS)' -ldflags '$(GO_BUILD_LDFLAGS)' -gcflags '$(GO_BUILD_GCFLAGS)' -asmflags '$(GO_BUILD_ASMFLAGS)' -o ./testdata/push/bin/push         ./testdata/push/push.go
 	$(CONTAINER_RUNTIME) build -f ./testdata/Dockerfile -t $(E2E_REGISTRY_IMAGE) ./testdata
 	$(CONTAINER_RUNTIME) save $(E2E_REGISTRY_IMAGE) | $(KIND) load image-archive /dev/stdin --name $(KIND_CLUSTER_NAME)
@@ -263,6 +262,7 @@ test-e2e: run image-registry e2e e2e-coverage kind-clean #HELP Run e2e test suit
 
 .PHONY: extension-developer-e2e
 extension-developer-e2e: KIND_CLUSTER_NAME := operator-controller-ext-dev-e2e
+extension-developer-e2e: KUSTOMIZE_BUILD_DIR := config-new/overlays/community-e2e
 extension-developer-e2e: export INSTALL_DEFAULT_CATALOGS := false
 extension-developer-e2e: run image-registry test-ext-dev-e2e kind-clean #EXHELP Run extension-developer e2e on local kind cluster
 
@@ -356,7 +356,7 @@ run: docker-build kind-cluster kind-load kind-deploy wait #HELP Build the operat
 CATD_NAMESPACE := olmv1-system
 wait:
 	kubectl wait --for=condition=Available --namespace=$(CATD_NAMESPACE) deployment/catalogd-controller-manager --timeout=60s
-	kubectl wait --for=condition=Ready --namespace=$(CATD_NAMESPACE) certificate/catalogd-service-cert # Avoid upgrade test flakes when reissuing cert
+	kubectl wait --for=condition=Ready --namespace=$(CATD_NAMESPACE) certificate/catalogd-cert # Avoid upgrade test flakes when reissuing cert
 
 .PHONY: docker-build
 docker-build: build-linux #EXHELP Build docker image for operator-controller and catalog with GOOS=linux and local GOARCH.

cmd/catalogd/main.go

@@ -199,6 +199,7 @@ func run(ctx context.Context) error {
 	}
 	cfg.externalAddr = protocol + cfg.externalAddr
 
+	setupLog.Info("server certificate", "cert", cfg.certFile, "key", cfg.keyFile)
 	cw, err := certwatcher.New(cfg.certFile, cfg.keyFile)
 	if err != nil {
 		setupLog.Error(err, "failed to initialize certificate watcher")

config-new/components/cert-manager/catalogd_certificate.yaml

@@ -1,10 +1,10 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: catalogd-service-cert
+  name: catalogd-cert
   namespace: __NAMESPACE_PLACEHOLDER__
 spec:
-  secretName: catalogd-service-cert-${VERSION}
+  secretName: catalogd-cert-${VERSION}
   dnsNames:
     - catalogd-service.__NAMESPACE_PLACEHOLDER__.svc
     - catalogd-service.__NAMESPACE_PLACEHOLDER__.svc.cluster.local

config-new/components/cert-manager/operator_controller_certificate.yaml

@@ -1,9 +1,9 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: olmv1-cert
+  name: operator-controller-cert
 spec:
-  secretName: olmv1-cert
+  secretName: operator-controller-cert
   dnsNames:
     - operator-controller-service.__NAMESPACE_PLACEHOLDER__.svc
     - operator-controller-service.__NAMESPACE_PLACEHOLDER__.svc.cluster.local

config-new/components/cert-manager/patches/catalogd_deployment.yaml

@@ -1,21 +1,13 @@
+# operator-controller's server cert (e.g. for serving the catalogd API and prometheus metrics)
 - op: add
   path: /spec/template/spec/volumes/-
-  value: {"name":"olmv1-certificate", "secret":{"secretName":"catalogd-service-cert-${VERSION}", "optional": false, "items": [{"key": "ca.crt", "path": "olm-ca.crt"}]}}
+  value: {"name":"server-cert","secret":{"secretName":"catalogd-cert-${VERSION}","optional":false,"items":[{"key":"tls.crt","path":"tls.crt"},{"key":"tls.key","path":"tls.key"}]}}
 - op: add
   path: /spec/template/spec/containers/0/volumeMounts/-
-  value: {"name":"olmv1-certificate", "readOnly": true, "mountPath":"/var/ca-certs/"}
+  value: {"name":"server-cert","mountPath":"/var/server-cert"}
 - op: add
   path: /spec/template/spec/containers/0/args/-
-  value: "--pull-cas-dir=/var/ca-certs"
-- op: add
-  path: /spec/template/spec/volumes/-
-  value: {"name":"catalogserver-certs", "secret":{"secretName":"catalogd-service-cert-${VERSION}"}}
-- op: add
-  path: /spec/template/spec/containers/0/volumeMounts/-
-  value: {"name":"catalogserver-certs", "mountPath":"/var/certs"}
-- op: add
-  path: /spec/template/spec/containers/0/args/-
-  value: "--tls-cert=/var/certs/tls.crt"
+  value: "--tls-cert=/var/server-cert/tls.crt"
 - op: add
   path: /spec/template/spec/containers/0/args/-
-  value: "--tls-key=/var/certs/tls.key"
+  value: "--tls-key=/var/server-cert/tls.key"

config-new/components/cert-manager/patches/operator_controller_deployment.yaml

@@ -1,18 +1,24 @@
+# operator-controller's server cert (e.g. for serving prometheus metrics)
 - op: add
   path: /spec/template/spec/volumes/-
-  value: {"name":"olmv1-certificate", "secret":{"secretName":"olmv1-cert", "optional": false, "items": [{"key": "ca.crt", "path": "olm-ca.crt"}, {"key": "tls.crt", "path": "tls.cert"}, {"key": "tls.key", "path": "tls.key"}]}}
+  value: {"name":"server-cert", "secret":{"secretName":"operator-controller-cert", "optional": false, "items": [{"key": "tls.crt", "path": "tls.cert"}, {"key": "tls.key", "path": "tls.key"}]}}
 - op: add
   path: /spec/template/spec/containers/0/volumeMounts/-
-  value: {"name":"olmv1-certificate", "readOnly": true, "mountPath":"/var/certs/"}
+  value: {"name":"server-cert", "readOnly": true, "mountPath":"/var/certs/server-cert"}
 - op: add
   path: /spec/template/spec/containers/0/args/-
-  value: "--catalogd-cas-dir=/var/certs"
+  value: "--tls-cert=/var/certs/server-cert/tls.cert"
 - op: add
   path: /spec/template/spec/containers/0/args/-
-  value: "--pull-cas-dir=/var/certs"
+  value: "--tls-key=/var/certs/server-cert/tls.key"
+
+# catalogd CA, so that operator-controller's http client can verify catalogd's server cert
 - op: add
-  path: /spec/template/spec/containers/0/args/-
-  value: "--tls-cert=/var/certs/tls.cert"
+  path: /spec/template/spec/volumes/-
+  value: {"name":"catalogd-ca", "secret":{"secretName":"catalogd-cert-${VERSION}", "optional": false, "items":[{"key": "ca.crt", "path": "ca.crt"}]}}
+- op: add
+  path: /spec/template/spec/containers/0/volumeMounts/-
+  value: {"name":"catalogd-ca", "readOnly": true, "mountPath":"/var/certs/catalogd-ca"}
 - op: add
   path: /spec/template/spec/containers/0/args/-
-  value: "--tls-key=/var/certs/tls.key"
+  value: "--catalogd-cas-dir=/var/certs/catalogd-ca"

config-new/components/e2e/cert-manager-namespace/e2e_cluster_issuer.yaml

@@ -0,0 +1,35 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: e2e-self-sign-issuer
+  namespace: cert-manager
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: e2e-ca
+  namespace: cert-manager
+spec:
+  isCA: true
+  commonName: e2e-ca
+  secretName: e2e-ca
+  secretTemplate:
+    annotations:
+      cert-manager.io/allow-direct-injection: "true"
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: e2e-self-sign-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: e2e-ca
+spec:
+  ca:
+    secretName: e2e-ca

config-new/components/e2e/cert-manager-namespace/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+  - e2e_cluster_issuer.yaml

config-new/components/e2e/coverage_copy_pod.yaml renamed to config-new/components/e2e/install-namespace/coverage_copy_pod.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: e2e-coverage-copy-pod
+  namespace: olmv1-system
 spec:
   restartPolicy: Never
   securityContext:

config-new/components/e2e/coverage_pvc.yaml renamed to config-new/components/e2e/install-namespace/coverage_pvc.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: e2e-coverage
+  namespace: olmv1-system
 spec:
   accessModes:
     - ReadWriteOnce