From 6e04e4318f3c598e48b75f0122d27137659a8967 Mon Sep 17 00:00:00 2001
From: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Date: Fri, 25 Aug 2023 12:48:36 +0200
Subject: [PATCH] fix: rename the certificate secret and fix mounting of the root certificate
---
 .goreleaser.yaml | 2 --
 Dockerfile | 4 +--
 Tiltfile | 25 +------------------
 config/manager/kustomization.yaml | 4 +--
 .../patches/add_root_certificates.yaml | 15 ++++++-----
 goreleaser.dockerfile | 4 +--
 hack/entrypoint.sh | 16 ------------
 main.go | 2 +-
 tilt.dockerfile | 5 ++--
 9 files changed, 15 insertions(+), 62 deletions(-)
 delete mode 100755 hack/entrypoint.sh
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index d261919..f174d31 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -37,8 +37,6 @@ changelog:
 # for more information on what this target does: https://goreleaser.com/errors/docker-build/
 dockers:
 - id: linux-build
- extra_files:
- - ./hack/entrypoint.sh
 image_templates:
 - "{{ .Env.REGISTRY }}/open-component-model/{{ .ProjectName }}:{{ .Tag }}"
 - "{{ .Env.REGISTRY }}/open-component-model/{{ .ProjectName }}:latest"
diff --git a/Dockerfile b/Dockerfile
index 0e0d28f..0b464b8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -29,8 +29,6 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o ma
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /workspace/manager .
-COPY hack/entrypoint.sh /entrypoint.sh
 USER 65532:65532
-ENTRYPOINT ["/entrypoint.sh"]
-CMD ["/manager"]
+ENTRYPOINT ["/manager"]
diff --git a/Tiltfile b/Tiltfile
index d8263ea..65fcebb 100644
--- a/Tiltfile
+++ b/Tiltfile
@@ -6,35 +6,15 @@ kubectl_cmd = "kubectl"
 if str(local("command -v " + kubectl_cmd + " || true", quiet = True)) == "":
 fail("Required command '" + kubectl_cmd + "' not found in PATH")
-# set defaults
-settings = {
- "root_certificate_secret": {
- "enable": True,
- "name": "registry-certs",
- },
-}
-
-# global settings
-tilt_file = "./tilt-settings.yaml" if os.path.exists("./tilt-settings.yaml") else "./tilt-settings.json"
-settings.update(read_yaml(
- tilt_file,
- default = {},
-))
-
 # Use kustomize to build the install yaml files
 install = kustomize('config/default')
 # Update the root security group. Tilt requires root access to update the
 # running process.
 objects = decode_yaml_stream(install)
-root_certificate = settings.get("root_certificate_secret")
 for o in objects:
 if o.get('kind') == 'Deployment' and o.get('metadata').get('name') == 'git-controller':
 o['spec']['template']['spec']['securityContext']['runAsNonRoot'] = False
- if root_certificate.get("enable"):
- print('updating git-controller deployment to add generated certificates')
- o['spec']['template']['spec']['volumes'] = [{'name': 'root-certificate', 'secret': {'secretName': root_certificate.get("name"), 'items': [{'key': 'caFile', 'path': 'ca.pem'}]}}]
- o['spec']['template']['spec']['containers'][0]['volumeMounts'] = [{'mountPath': '/certs', 'name': 'root-certificate'}]
 break
 updated_install = encode_yaml_stream(objects)
@@ -62,7 +42,6 @@ local_resource(
 "apis",
 "controllers",
 "pkg",
- "hack/entrypoint.sh",
 ],
 )
@@ -72,7 +51,7 @@ local_resource(
 # on _any_ file change. We only want to monitor the binary.
 # If debugging is enabled, we switch to a different docker file using
 # the delve port.
-entrypoint = ['/entrypoint.sh', '/manager']
+entrypoint = ['/manager']
 dockerfile = 'tilt.dockerfile'
 docker_build_with_restart(
 'ghcr.io/open-component-model/git-controller',
@@ -81,10 +60,8 @@ docker_build_with_restart(
 entrypoint = entrypoint,
 only=[
 './bin',
- './hack/entrypoint.sh',
 ],
 live_update = [
 sync('./bin/manager', '/manager'),
- sync('./hack/entrypoint.sh', '/entrypoint.sh'),
 ],
 )
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
index 01d1b76..da06831 100644
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@@ -11,5 +11,5 @@ images:
 newTag: latest
 # Comment to disable HTTPS for the registry
-# patches:
-# - path: ./patches/add_root_certificates.yaml
+patches:
+- path: ./patches/add_root_certificates.yaml
diff --git a/config/manager/patches/add_root_certificates.yaml b/config/manager/patches/add_root_certificates.yaml
index 6c2db49..a13f0fb 100644
--- a/config/manager/patches/add_root_certificates.yaml
+++ b/config/manager/patches/add_root_certificates.yaml
@@ -3,7 +3,8 @@ kind: Deployment
 metadata:
 name: git-controller
 labels:
- control-plane: controller
+ app: git-controller
+ namespace: ocm-system
 spec:
 selector:
 matchLabels:
@@ -13,16 +14,14 @@ spec:
 containers:
 - name: manager
 image: open-component-model/git-controller
- env:
- - name: REGISTRY_ROOT_CERTIFICATE # optionally define to override default location
- value: /certs/ca.pem
 volumeMounts:
- - mountPath: "/certs"
+ - mountPath: "/etc/ssl/certs/registry-root.pem"
+ subPath: "registry-root.pem"
 name: "certificates"
 volumes:
 - name: "certificates"
 secret:
- secretName: "registry-certs"
+ secretName: "ocm-registry-tls-certs"
 items:
- - key: "ca.pem"
- path: "ca.pem"
+ - key: "caFile"
+ path: "registry-root.pem"
diff --git a/goreleaser.dockerfile b/goreleaser.dockerfile
index 7da156e..4aac16e 100644
--- a/goreleaser.dockerfile
+++ b/goreleaser.dockerfile
@@ -1,8 +1,6 @@
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY git-controller /manager
-COPY ./hack/entrypoint.sh /entrypoint.sh
 USER 65532:65532
-ENTRYPOINT ["/entrypoint.sh"]
-CMD ["/manager"]
+ENTRYPOINT ["/manager"]
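Review bot: Uncommenting `patches:` makes the root-certificate patch part of every `config/default` build, so the Deployment now hard-depends on a Secret named `ocm-registry-tls-certs` with a `caFile` key existing in its namespace; when that Secret is missing the pod stays in ContainerCreating, because Secret volumes are required unless they carry `optional: true`. The retained line `# Comment to disable HTTPS for the registry` still describes the toggle but says nothing about that precondition, which is the first thing someone deploying without a TLS registry will hit. I would extend it to `# Requires secret ocm-registry-tls-certs (key caFile) in the target namespace; comment out to disable HTTPS for the registry`.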
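Review bot: The new `subPath: "registry-root.pem"` mount on `/etc/ssl/certs/registry-root.pem` means the container never sees later changes to the Secret — Kubernetes does not propagate Secret updates into subPath mounts — so a rotated registry CA only takes effect after the pod is restarted, and nothing in the patch records that. Placing the file under `/etc/ssl/certs` works for the Go binary because Go's Linux root loader reads every file in that directory in addition to `ca-certificates.crt`, but the `caFile` content must be PEM: non-PEM data is skipped silently and the symptom is an unknown-authority TLS error against the registry rather than a startup failure. A comment on the `volumeMounts` entry would capture both, e.g. `# subPath mounts do not pick up Secret rotation: restart the pod after replacing caFile (PEM only)`. The removal of the `REGISTRY_ROOT_CERTIFICATE` env entry is consistent with dropping hack/entrypoint.sh, which was its only consumer visible in this patch.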
diff --git a/hack/entrypoint.sh b/hack/entrypoint.sh
deleted file mode 100755
index 6a60b95..0000000
--- a/hack/entrypoint.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/usr/bin/env sh
-
-rootCA=${REGISTRY_ROOT_CERTIFICATE:-/certs/ca.pem}
-
-if [ ! -e "${rootCA}" ]; then
- echo "warning... root certificate at location ${rootCA} not found."
-
- exec "$@"
-fi
-
-echo "updating root certificate with provided certificate..."
-tee -a /etc/ssl/certs/ca-certificates.crt < "${rootCA}"
-
-echo "done."
-
-exec "$@"
diff --git a/main.go b/main.go
index ea18065..ef21e0c 100644
--- a/main.go
+++ b/main.go
@@ -61,7 +61,7 @@ func main() {
 flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 flag.StringVar(&storagePath, "storage-path", "/data", "The location which to use for temporary storage. Should be mounted into the pod.")
 flag.StringVar(&ociRegistryAddr, "oci-registry-addr", ":5000", "The address of the OCI registry.")
-flag.StringVar(&ociRegistryCertSecretName, "certificate-secret-name", v1alpha1.DefaultRegistryCertificateSecretName, "")
+flag.StringVar(&ociRegistryCertSecretName, "certificate-secret-name", "ocm-registry-tls-certs", "")
 flag.StringVar(&ociRegistryNamespace, "oci-registry-namespace", "ocm-system", "The namespace in which the registry is running in.")
 flag.StringVar(&eventsAddr, "events-addr", "", "The address of the events receiver.")
diff --git a/tilt.dockerfile b/tilt.dockerfile
index 59e1d57..0e0ed32 100644
--- a/tilt.dockerfile
+++ b/tilt.dockerfile
@@ -1,7 +1,6 @@
 FROM alpine
 WORKDIR /
 COPY ./bin/manager /manager
-COPY ./hack/entrypoint.sh /entrypoint.sh
-ENTRYPOINT ["/entrypoint.sh"]
-CMD ["/manager"]
+ENTRYPOINT ["/manager"]
+
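Review bot: Replacing `v1alpha1.DefaultRegistryCertificateSecretName` with the literal `"ocm-registry-tls-certs"` hard-codes the default in main.go; if that constant still exists in v1alpha1 with its old value, the two defaults now drift, and the kustomize patch in this same commit carries a third copy of the name. Updating the constant and keeping the reference (or deleting it if nothing else uses it) would keep a single source of truth — only this hunk is visible, so I cannot tell which applies. The flag's usage string is also still empty on the new line; `flag.StringVar(&ociRegistryCertSecretName, "certificate-secret-name", "ocm-registry-tls-certs", "The name of the secret holding the registry TLS certificates; must match the secretName in config/manager/patches/add_root_certificates.yaml.")` documents both the purpose and the coupling. The body of main continues on both sides of the hunk.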