
THREESCALE-10236 Custom CA certificate support for operator deployment#1181

Draft
borisurbanik wants to merge 7 commits into 3scale:master from borisurbanik:THREESCALE-10236

Conversation

@borisurbanik, Contributor

WIP

The 3scale operator connects to the 3scale Admin API (and, via the Tenant controller, the Master API) to reconcile capabilities CRs (Backend, Product, Application, ActiveDoc, etc.). These connections use HTTPS.

In environments where 3scale is deployed with internal or self-signed CA, the operator's HTTP client rejects the connection because the CA is not in the system trust store. The existing workarounds — the insecure_skip_verify annotation and patching the operator Subscription to mount a CA via SSL_CERT_FILE (Red Hat Solution 7049968) — are either insecure or fragile (overwritten on upgrades).

Customers need a way to provide a custom CA bundle so the operator can trust internal CAs without disabling verification.

Sources of 3scale connections (each with different credential configuration):

  1. Explicit providerAccountRef: the CR references a Secret containing adminURL and token.
  2. Default threescale-provider-account secret: a well-known Secret name. Same schema as source 1 but discovered by convention.
  3. Local APIManager: the operator discovers an APIManager CR in the namespace and derives the admin URL and token from system-seed.
  4. Tenant controller / Master API: the Tenant CR references a masterCredentialsRef secret (defaulting to system-seed) containing master API credentials.

Implements openspec task ca-client-configuration.

- Add PortaClientFromURLWithTLSConfig to pkg/controller/helper/threescale_api.go:
  when tlsConfig is non-nil it is used directly as the transport TLS config;
  when nil, delegates to PortaClientFromURL unchanged.
- Add three test cases to threescale_api_test.go covering: nil+insecureSkipVerify=false
  rejects untrusted cert, custom CA succeeds, nil+insecureSkipVerify=true accepts cert.
…e API calls

- Add PortaClientWithTLSConfig convenience wrapper to pkg/controller/helper/threescale_api.go
- Add CAProvider field to all 11 capabilities reconciler structs
- Replace PortaClient call sites in 9 controllers with CAProvider.TLSConfig() + PortaClientWithTLSConfig
- Rewrite TenantReconciler.setupPortaClient to use url.Parse + PortaClientFromURLWithTLSConfig
- Construct a single shared *CAProvider in main.go and inject into all 11 reconcilers
- Add per-controller unit tests verifying invalid CA bundle surfaces as a status condition

Replace the one-shot loaded flag with a ResourceVersion-keyed cache.
TLSConfig re-parses only when the ConfigMap version changes; the Get is
served from the controller-runtime in-memory cache so there is no extra
network cost per reconcile.

Thread ctx through the helper methods in each capabilities controller so
the Get can be cancelled with the reconcile context.

Adds TestCAProvider_AutoReload (no Reload needed after cm update) and
TestCAProvider_CacheHit (same pointer returned on cache hit).

Introduce cacheEntry struct holding config, cachedErr and
resourceVersion together. All three fields are now read and written
as a single value under the mutex, eliminating the possibility of a
partial read across the three fields.

loadFromConfigMap becomes a pure function returning a cacheEntry
instead of a method that mutates shared state while the caller holds
the write lock.

Remove concurrency tests that used time.Sleep-bounded loops;
drop the now-unused sync and time imports.
openshift-ci Bot commented Jun 25, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@codecov-commenter

Codecov Report

❌ Patch coverage is 60.82949% with 85 lines in your changes missing coverage. Please review.
✅ Project coverage is 47.52%. Comparing base (ade0ed0) to head (4e6fcc1).
⚠️ Report is 21 commits behind head on master.

Files with missing lines Patch % Lines
pkg/controller/helper/ca_provider.go 75.00% 14 Missing and 5 partials ⚠️
main.go 0.00% 11 Missing ⚠️
controllers/capabilities/backend_controller.go 46.15% 7 Missing ⚠️
...ollers/capabilities/developeraccount_controller.go 46.15% 7 Missing ⚠️
...ntrollers/capabilities/developeruser_controller.go 46.15% 7 Missing ⚠️
controllers/capabilities/product_controller.go 46.15% 7 Missing ⚠️
...rollers/capabilities/applicationauth_controller.go 45.45% 4 Missing and 2 partials ⚠️
...lers/capabilities/proxyconfigpromote_controller.go 45.45% 4 Missing and 2 partials ⚠️
pkg/controller/helper/threescale_api.go 64.70% 3 Missing and 3 partials ⚠️
controllers/capabilities/application_controller.go 75.00% 2 Missing and 2 partials ⚠️
... and 3 more
@@            Coverage Diff             @@
##           master    #1181      +/-   ##
==========================================
+ Coverage   42.67%   47.52%   +4.84%     
==========================================
  Files         204      205       +1     
  Lines       20899    21101     +202     
==========================================
+ Hits         8919    10028    +1109     
+ Misses      11212    10079    -1133     
- Partials      768      994     +226     
Flag Coverage Δ
unit 47.52% <60.82%> (+4.84%) ⬆️


Components Coverage Δ
apis/apps/v1alpha1 (u) 63.56% <ø> (+4.27%) ⬆️
apis/capabilities/v1alpha1 (u) 24.56% <ø> (+21.05%) ⬆️
apis/capabilities/v1beta1 (u) 29.78% <ø> (+9.56%) ⬆️
controllers (i) 21.17% <70.20%> (+11.85%) ⬆️
pkg (u) 63.97% <75.23%> (+0.95%) ⬆️
Files with missing lines Coverage Δ
controllers/capabilities/activedoc_controller.go 28.86% <85.71%> (+28.86%) ⬆️
.../capabilities/custompolicydefinition_controller.go 30.35% <85.71%> (+30.35%) ⬆️
controllers/capabilities/tenant_controller.go 23.36% <66.66%> (+23.36%) ⬆️
controllers/capabilities/application_controller.go 52.38% <75.00%> (+2.66%) ⬆️
...rollers/capabilities/applicationauth_controller.go 33.51% <45.45%> (+8.66%) ⬆️
...lers/capabilities/proxyconfigpromote_controller.go 40.13% <45.45%> (+6.55%) ⬆️
pkg/controller/helper/threescale_api.go 74.35% <64.70%> (-7.46%) ⬇️
controllers/capabilities/backend_controller.go 14.94% <46.15%> (+14.94%) ⬆️
...ollers/capabilities/developeraccount_controller.go 21.73% <46.15%> (+21.73%) ⬆️
...ntrollers/capabilities/developeruser_controller.go 22.52% <46.15%> (+22.52%) ⬆️
... and 3 more

... and 31 files with indirect coverage changes

