fix: rename the certificate secret and fix mounting of the root certificate (#57)

Author: Skarlso

.goreleaser.yaml

@@ -37,8 +37,6 @@ changelog:
 # for more information on what this target does: https://goreleaser.com/errors/docker-build/
 dockers:
   - id: linux-build
-    extra_files:
-    - ./hack/entrypoint.sh
     image_templates:
     - "{{ .Env.REGISTRY }}/open-component-model/{{ .ProjectName }}:{{ .Tag }}"
     - "{{ .Env.REGISTRY }}/open-component-model/{{ .ProjectName }}:latest"

Dockerfile

@@ -29,8 +29,6 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o ma
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /workspace/manager .
-COPY hack/entrypoint.sh /entrypoint.sh
 USER 65532:65532
 
-ENTRYPOINT ["/entrypoint.sh"]
-CMD ["/manager"]
+ENTRYPOINT ["/manager"]

Tiltfile

@@ -6,35 +6,15 @@ kubectl_cmd = "kubectl"
 if str(local("command -v " + kubectl_cmd + " || true", quiet = True)) == "":
     fail("Required command '" + kubectl_cmd + "' not found in PATH")
 
-# set defaults
-settings = {
-    "root_certificate_secret": {
-        "enable": True,
-        "name": "registry-certs",
-    },
-}
-
-# global settings
-tilt_file = "./tilt-settings.yaml" if os.path.exists("./tilt-settings.yaml") else "./tilt-settings.json"
-settings.update(read_yaml(
-    tilt_file,
-    default = {},
-))
-
 # Use kustomize to build the install yaml files
 install = kustomize('config/default')
 
 # Update the root security group. Tilt requires root access to update the
 # running process.
 objects = decode_yaml_stream(install)
-root_certificate = settings.get("root_certificate_secret")
 for o in objects:
     if o.get('kind') == 'Deployment' and o.get('metadata').get('name') == 'git-controller':
         o['spec']['template']['spec']['securityContext']['runAsNonRoot'] = False
-        if root_certificate.get("enable"):
-            print('updating git-controller deployment to add generated certificates')
-            o['spec']['template']['spec']['volumes'] = [{'name': 'root-certificate', 'secret': {'secretName': root_certificate.get("name"), 'items': [{'key': 'caFile', 'path': 'ca.pem'}]}}]
-            o['spec']['template']['spec']['containers'][0]['volumeMounts'] = [{'mountPath': '/certs', 'name': 'root-certificate'}]
         break
 
 updated_install = encode_yaml_stream(objects)
@@ -62,7 +42,6 @@ local_resource(
         "apis",
         "controllers",
         "pkg",
-        "hack/entrypoint.sh",
     ],
 )
 
@@ -72,7 +51,7 @@ local_resource(
 # on _any_ file change. We only want to monitor the binary.
 # If debugging is enabled, we switch to a different docker file using
 # the delve port.
-entrypoint = ['/entrypoint.sh', '/manager']
+entrypoint = ['/manager']
 dockerfile = 'tilt.dockerfile'
 docker_build_with_restart(
     'ghcr.io/open-component-model/git-controller',
@@ -81,10 +60,8 @@ docker_build_with_restart(
     entrypoint = entrypoint,
     only=[
       './bin',
-      './hack/entrypoint.sh',
     ],
     live_update = [
         sync('./bin/manager', '/manager'),
-        sync('./hack/entrypoint.sh', '/entrypoint.sh'),
     ],
 )

config/manager/kustomization.yaml

@@ -11,5 +11,5 @@ images:
   newTag: latest
 
 # Comment to disable HTTPS for the registry
-# patches:
-# - path: ./patches/add_root_certificates.yaml
+patches:
+- path: ./patches/add_root_certificates.yaml

config/manager/patches/add_root_certificates.yaml

@@ -3,7 +3,8 @@ kind: Deployment
 metadata:
   name: git-controller
   labels:
-    control-plane: controller
+    app: git-controller
+  namespace: ocm-system
 spec:
   selector:
     matchLabels:
@@ -13,16 +14,14 @@ spec:
       containers:
         - name: manager
           image: open-component-model/git-controller
-          env:
-            - name: REGISTRY_ROOT_CERTIFICATE # optionally define to override default location
-              value: /certs/ca.pem
           volumeMounts:
-            - mountPath: "/certs"
+            - mountPath: "/etc/ssl/certs/registry-root.pem"
+              subPath: "registry-root.pem"
               name: "certificates"
       volumes:
         - name: "certificates"
           secret:
-            secretName: "registry-certs"
+            secretName: "ocm-registry-tls-certs"
             items:
-              - key: "ca.pem"
-                path: "ca.pem"
+              - key: "caFile"
+                path: "registry-root.pem"

goreleaser.dockerfile

@@ -1,8 +1,6 @@
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY git-controller /manager
-COPY ./hack/entrypoint.sh /entrypoint.sh
 USER 65532:65532
 
-ENTRYPOINT ["/entrypoint.sh"]
-CMD ["/manager"]
+ENTRYPOINT ["/manager"]

hack/entrypoint.sh

@@ -61,7 +61,7 @@ func main() {
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	flag.StringVar(&storagePath, "storage-path", "/data", "The location which to use for temporary storage. Should be mounted into the pod.")
 	flag.StringVar(&ociRegistryAddr, "oci-registry-addr", ":5000", "The address of the OCI registry.")
-	flag.StringVar(&ociRegistryCertSecretName, "certificate-secret-name", v1alpha1.DefaultRegistryCertificateSecretName, "")
+	flag.StringVar(&ociRegistryCertSecretName, "certificate-secret-name", "ocm-registry-tls-certs", "")
 	flag.StringVar(&ociRegistryNamespace, "oci-registry-namespace", "ocm-system", "The namespace in which the registry is running in.")
 	flag.StringVar(&eventsAddr, "events-addr", "", "The address of the events receiver.")
 

main.go

@@ -1,7 +1,6 @@
 FROM alpine
 WORKDIR /
 COPY ./bin/manager /manager
-COPY ./hack/entrypoint.sh /entrypoint.sh
 
-ENTRYPOINT ["/entrypoint.sh"]
-CMD ["/manager"]
+ENTRYPOINT ["/manager"]
+