feat(adminconsole): Mount Host CA Bundle into Admin Console Containers (#2175)

* feat(velero): add support for mitm proxy

* f

* f

* f

* f

* f

* f

* f

* velero use ca from host

* http proxy dryrun test

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* refactor host ca retrieval

* add unit tests

* add dry run capability for adminconsole addon

* make adminconsole unit test consistent with other addons

* remove privateCa from admin console

* update adminconsole version and add integration test

* add tests for cabundle to dryrun

* update TestInstallWithPrivateCAs e2e test

* fix dry run tests to make sure they use dry run client

* more debug

* more debug

* fix tests

* fix tests

* remove debug values

* debug integration test

* fix integration test

* move cert generation to bash

* debug privateca e2e test

* debug privateca e2e test

* re-add privateca in order to get operator working correctly for mitm tests

* fix create configmap

* remove uneeded e2e test

* consolidate unit test

* remove privateca from static values

* remove redundant dry run test

---------

Co-authored-by: Ethan Mosbaugh <ethan@replicated.com>

Author: diamonwiggins

e2e/install_test.go

@@ -2,7 +2,6 @@ package e2e
 
 import (
 	"encoding/base64"
-	"encoding/json"
 	"fmt"
 	"os"
 	"strings"
@@ -11,12 +10,10 @@ import (
 
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
-	corev1 "k8s.io/api/core/v1"
 
 	"github.com/replicatedhq/embedded-cluster/e2e/cluster/cmx"
 	"github.com/replicatedhq/embedded-cluster/e2e/cluster/docker"
 	"github.com/replicatedhq/embedded-cluster/e2e/cluster/lxd"
-	"github.com/replicatedhq/embedded-cluster/pkg/certs"
 )
 
 func TestSingleNodeInstallation(t *testing.T) {
@@ -1728,62 +1725,6 @@ func TestFiveNodesAirgapUpgrade(t *testing.T) {
 	t.Logf("%s: test complete", time.Now().Format(time.RFC3339))
 }
 
-func TestInstallWithPrivateCAs(t *testing.T) {
-	RequireEnvVars(t, []string{"SHORT_SHA"})
-
-	input := &lxd.ClusterInput{
-		T:                   t,
-		Nodes:               1,
-		Image:               "ubuntu/jammy",
-		LicensePath:         "licenses/license.yaml",
-		EmbeddedClusterPath: "../output/bin/embedded-cluster",
-	}
-	tc := lxd.NewCluster(input)
-	defer tc.Cleanup()
-
-	certBuilder, err := certs.NewBuilder()
-	require.NoError(t, err, "unable to create new cert builder")
-	crtContent, _, err := certBuilder.Generate()
-	require.NoError(t, err, "unable to build test certificate")
-
-	tmpfile, err := os.CreateTemp("", "test-temp-cert-*.crt")
-	require.NoError(t, err, "unable to create temp file")
-	defer os.Remove(tmpfile.Name())
-
-	_, err = tmpfile.WriteString(crtContent)
-	require.NoError(t, err, "unable to write to temp file")
-	tmpfile.Close()
-
-	lxd.CopyFileToNode(input, tc.Nodes[0], lxd.File{
-		SourcePath: tmpfile.Name(),
-		DestPath:   "/tmp/ca.crt",
-		Mode:       0666,
-	})
-
-	installSingleNodeWithOptions(t, tc, installOptions{
-		privateCA: "/tmp/ca.crt",
-	})
-
-	if _, _, err := tc.SetupPlaywrightAndRunTest("deploy-app"); err != nil {
-		t.Fatalf("fail to run playwright test deploy-app: %v", err)
-	}
-
-	checkInstallationState(t, tc)
-
-	t.Logf("checking if the configmap was created with the right values")
-	line := []string{"kubectl", "get", "cm", "kotsadm-private-cas", "-n", "kotsadm", "-o", "json"}
-	stdout, _, err := tc.RunCommandOnNode(0, line, lxd.WithECShellEnv("/var/lib/embedded-cluster"))
-	require.NoError(t, err, "unable get kotsadm-private-cas configmap")
-
-	var cm corev1.ConfigMap
-	err = json.Unmarshal([]byte(stdout), &cm)
-	require.NoErrorf(t, err, "unable to unmarshal output to configmap: %q", stdout)
-	require.Contains(t, cm.Data, "ca_0.crt", "index ca_0.crt not found in ca secret")
-	require.Equal(t, crtContent, cm.Data["ca_0.crt"], "content mismatch")
-
-	t.Logf("%s: test complete", time.Now().Format(time.RFC3339))
-}
-
 func TestInstallWithConfigValues(t *testing.T) {
 	t.Parallel()
 

pkg/addons/adminconsole/adminconsole.go

@@ -26,6 +26,14 @@ type AdminConsole struct {
 	ReplicatedAppDomain      string
 	ProxyRegistryDomain      string
 	ReplicatedRegistryDomain string
+	HostCABundlePath         string
+
+	// DryRun is a flag to enable dry-run mode for Admin Console.
+	// If true, Admin Console will only render the helm template and additional manifests, but not install
+	// the release.
+	DryRun bool
+
+	dryRunManifests [][]byte
 }
 
 type KotsInstaller func(msg *spinner.MessageWriter) error
@@ -110,3 +118,8 @@ func (a *AdminConsole) ChartLocation() string {
 	}
 	return chartName
 }
+
+// DryRunManifests returns the manifests generated during a dry run.
+func (a *AdminConsole) DryRunManifests() [][]byte {
+	return a.dryRunManifests
+}

pkg/addons/adminconsole/install.go

@@ -1,6 +1,7 @@
 package adminconsole
 
 import (
+	"bytes"
 	"context"
 	"encoding/base64"
 	"fmt"
@@ -9,13 +10,27 @@ import (
 	"github.com/pkg/errors"
 	"github.com/replicatedhq/embedded-cluster/pkg/addons/registry"
 	"github.com/replicatedhq/embedded-cluster/pkg/helm"
+	"github.com/replicatedhq/embedded-cluster/pkg/kubeutils"
 	"github.com/replicatedhq/embedded-cluster/pkg/spinner"
 	"golang.org/x/crypto/bcrypt"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	jsonserializer "k8s.io/apimachinery/pkg/runtime/serializer/json"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+var (
+	serializer runtime.Serializer
+)
+
+func init() {
+	scheme := kubeutils.Scheme
+	serializer = jsonserializer.NewSerializerWithOptions(jsonserializer.DefaultMetaFactory, scheme, scheme, jsonserializer.SerializerOptions{
+		Yaml: true,
+	})
+}
+
 func (a *AdminConsole) Install(ctx context.Context, kcli client.Client, hcli helm.Client, overrides []string, writer *spinner.MessageWriter) error {
 	// some resources are not part of the helm chart and need to be created before the chart is installed
 	// TODO: move this to the helm chart
@@ -28,40 +43,49 @@ func (a *AdminConsole) Install(ctx context.Context, kcli client.Client, hcli hel
 		return errors.Wrap(err, "generate helm values")
 	}
 
-	_, err = hcli.Install(ctx, helm.InstallOptions{
+	opts := helm.InstallOptions{
 		ReleaseName:  releaseName,
 		ChartPath:    a.ChartLocation(),
 		ChartVersion: Metadata.Version,
 		Values:       values,
 		Namespace:    namespace,
 		Labels:       getBackupLabels(),
-	})
-	if err != nil {
-		return errors.Wrap(err, "helm install")
 	}
 
-	// install the application
-
-	if a.KotsInstaller != nil {
-		err := a.KotsInstaller(writer)
+	if a.DryRun {
+		manifests, err := hcli.Render(ctx, opts)
 		if err != nil {
-			return err
+			return errors.Wrap(err, "dry run render")
+		}
+		a.dryRunManifests = append(a.dryRunManifests, manifests...)
+	} else {
+		_, err = hcli.Install(ctx, opts)
+		if err != nil {
+			return errors.Wrap(err, "helm install")
+		}
+
+		// install the application
+		if a.KotsInstaller != nil {
+			err := a.KotsInstaller(writer)
+			if err != nil {
+				return err
+			}
 		}
 	}
 
 	return nil
 }
 
 func (a *AdminConsole) createPreRequisites(ctx context.Context, kcli client.Client) error {
-	if err := createNamespace(ctx, kcli, namespace); err != nil {
+	if err := a.createNamespace(ctx, kcli, namespace); err != nil {
 		return errors.Wrap(err, "create namespace")
 	}
 
-	if err := createPasswordSecret(ctx, kcli, namespace, a.Password); err != nil {
+	if err := a.createPasswordSecret(ctx, kcli, namespace, a.Password); err != nil {
 		return errors.Wrap(err, "create kots password secret")
 	}
 
-	if err := createCAConfigmap(ctx, kcli, namespace, a.PrivateCAs); err != nil {
+	if err := a.createCAConfigmap(ctx, kcli, namespace, a.PrivateCAs); err != nil {
 		return errors.Wrap(err, "create kots CA configmap")
 	}
 
@@ -70,90 +94,115 @@ func (a *AdminConsole) createPreRequisites(ctx context.Context, kcli client.Clie
 		if err != nil {
 			return errors.Wrap(err, "get registry cluster IP")
 		}
-		if err := createRegistrySecret(ctx, kcli, namespace, registryIP); err != nil {
+		if err := a.createRegistrySecret(ctx, kcli, namespace, registryIP); err != nil {
 			return errors.Wrap(err, "create registry secret")
 		}
 	}
 
 	return nil
 }
 
-func createNamespace(ctx context.Context, kcli client.Client, namespace string) error {
-	ns := corev1.Namespace{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: namespace,
-		},
-	}
-	if err := kcli.Create(ctx, &ns); client.IgnoreAlreadyExists(err) != nil {
-		return err
-	}
-	return nil
-}
-
-func createPasswordSecret(ctx context.Context, kcli client.Client, namespace string, password string) error {
-	passwordBcrypt, err := bcrypt.GenerateFromPassword([]byte(password), 10)
+func (a *AdminConsole) createCAConfigmap(ctx context.Context, cli client.Client, namespace string, privateCAs []string) error {
+	cas, err := privateCAsToMap(privateCAs)
 	if err != nil {
-		return errors.Wrap(err, "generate bcrypt from password")
+		return errors.Wrap(err, "create private cas map")
 	}
 
-	kotsPasswordSecret := corev1.Secret{
+	kotsCAConfigmap := corev1.ConfigMap{
 		TypeMeta: metav1.TypeMeta{
-			Kind:       "Secret",
+			Kind:       "ConfigMap",
 			APIVersion: "v1",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      "kotsadm-password",
+			Name:      "kotsadm-private-cas",
 			Namespace: namespace,
 			Labels: map[string]string{
 				"kots.io/kotsadm":                        "true",
 				"replicated.com/disaster-recovery":       "infra",
 				"replicated.com/disaster-recovery-chart": "admin-console",
 			},
 		},
-		Data: map[string][]byte{
-			"passwordBcrypt": []byte(passwordBcrypt),
-		},
+		Data: cas,
 	}
 
-	err = kcli.Create(ctx, &kotsPasswordSecret)
-	if err != nil {
-		return errors.Wrap(err, "create kotsadm-password secret")
+	if a.DryRun {
+		b := bytes.NewBuffer(nil)
+		if err := serializer.Encode(&kotsCAConfigmap, b); err != nil {
+			return errors.Wrap(err, "serialize CA configmap")
+		}
+		a.dryRunManifests = append(a.dryRunManifests, b.Bytes())
+	} else {
+		if err := cli.Create(ctx, &kotsCAConfigmap); client.IgnoreAlreadyExists(err) != nil {
+			return errors.Wrap(err, "create kotsadm-private-cas configmap")
+		}
 	}
 
 	return nil
 }
 
-func createCAConfigmap(ctx context.Context, cli client.Client, namespace string, privateCAs []string) error {
-	cas, err := privateCAsToMap(privateCAs)
+func (a *AdminConsole) createNamespace(ctx context.Context, kcli client.Client, namespace string) error {
+	ns := corev1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: namespace,
+		},
+	}
+
+	if a.DryRun {
+		b := bytes.NewBuffer(nil)
+		if err := serializer.Encode(&ns, b); err != nil {
+			return errors.Wrap(err, "serialize namespace")
+		}
+		a.dryRunManifests = append(a.dryRunManifests, b.Bytes())
+	} else {
+		if err := kcli.Create(ctx, &ns); client.IgnoreAlreadyExists(err) != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (a *AdminConsole) createPasswordSecret(ctx context.Context, kcli client.Client, namespace string, password string) error {
+	passwordBcrypt, err := bcrypt.GenerateFromPassword([]byte(password), 10)
 	if err != nil {
-		return errors.Wrap(err, "create private cas map")
+		return errors.Wrap(err, "generate bcrypt from password")
 	}
 
-	kotsCAConfigmap := corev1.ConfigMap{
+	kotsPasswordSecret := corev1.Secret{
 		TypeMeta: metav1.TypeMeta{
-			Kind:       "ConfigMap",
+			Kind:       "Secret",
 			APIVersion: "v1",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      "kotsadm-private-cas",
+			Name:      "kotsadm-password",
 			Namespace: namespace,
 			Labels: map[string]string{
 				"kots.io/kotsadm":                        "true",
 				"replicated.com/disaster-recovery":       "infra",
 				"replicated.com/disaster-recovery-chart": "admin-console",
 			},
 		},
-		Data: cas,
+		Data: map[string][]byte{
+			"passwordBcrypt": []byte(passwordBcrypt),
+		},
 	}
 
-	if err := cli.Create(ctx, &kotsCAConfigmap); client.IgnoreAlreadyExists(err) != nil {
-		return errors.Wrap(err, "create kotsadm-private-cas configmap")
+	if a.DryRun {
+		b := bytes.NewBuffer(nil)
+		if err := serializer.Encode(&kotsPasswordSecret, b); err != nil {
+			return errors.Wrap(err, "serialize password secret")
+		}
+		a.dryRunManifests = append(a.dryRunManifests, b.Bytes())
+	} else {
+		err = kcli.Create(ctx, &kotsPasswordSecret)
+		if err != nil {
+			return errors.Wrap(err, "create kotsadm-password secret")
+		}
 	}
 
 	return nil
 }
 
-func createRegistrySecret(ctx context.Context, kcli client.Client, namespace string, registryIP string) error {
+func (a *AdminConsole) createRegistrySecret(ctx context.Context, kcli client.Client, namespace string, registryIP string) error {
 	authString := base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("embedded-cluster:%s", registry.GetRegistryPassword())))
 	authConfig := fmt.Sprintf(`{"auths":{"%s:5000":{"username": "embedded-cluster", "password": "%s", "auth": "%s"}}}`, registryIP, registry.GetRegistryPassword(), authString)
 
@@ -177,16 +226,30 @@ func createRegistrySecret(ctx context.Context, kcli client.Client, namespace str
 		Type: "kubernetes.io/dockerconfigjson",
 	}
 
-	err := kcli.Create(ctx, &registryCreds)
-	if err != nil {
-		return errors.Wrap(err, "create registry-auth secret")
+	if a.DryRun {
+		b := bytes.NewBuffer(nil)
+		if err := serializer.Encode(&registryCreds, b); err != nil {
+			return errors.Wrap(err, "serialize registry secret")
+		}
+		a.dryRunManifests = append(a.dryRunManifests, b.Bytes())
+	} else {
+		err := kcli.Create(ctx, &registryCreds)
+		if err != nil {
+			return errors.Wrap(err, "create registry-auth secret")
+		}
 	}
 
 	return nil
 }
 
 func privateCAsToMap(privateCAs []string) (map[string]string, error) {
 	cas := map[string]string{}
+
+	// Handle nil privateCAs
+	if privateCAs == nil {
+		return cas, nil
+	}
+
 	for i, path := range privateCAs {
 		data, err := os.ReadFile(path)
 		if err != nil {