Merge pull request #32 from mlbiam/main

mlbiam · web-flow · commit 7c6da5a06b09 · 2026-02-27T15:23:54.000-05:00
add oci ca cert path
diff --git a/build.sh b/build.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-export VERSION="0.0.15"
+export VERSION="0.0.16"
 
 rm -rf target
 mkdir -p target
diff --git a/cmd/installAuthPortal.go b/cmd/installAuthPortal.go
@@ -28,7 +28,7 @@ var installAuthPortalCmd = &cobra.Command{
 
 		pathToValuesYaml = args[0]
 
-		openunisonDeployment, err := openunison.NewOpenUnisonDeployment(namespace, operatorChart, orchestraChart, orchestraLoginPortalChart, pathToValuesYaml, secretFile, clusterManagementChart, pathToDbPassword, pathToSmtpPassword, skipClusterManagement, parseChartSlices(&additionalCharts), parseChartSlices(&preCharts), parseNamespaceLabels(&namespaceLabels), skipCharts)
+		openunisonDeployment, err := openunison.NewOpenUnisonDeployment(namespace, operatorChart, orchestraChart, orchestraLoginPortalChart, pathToValuesYaml, secretFile, clusterManagementChart, pathToDbPassword, pathToSmtpPassword, skipClusterManagement, parseChartSlices(&additionalCharts), parseChartSlices(&preCharts), parseNamespaceLabels(&namespaceLabels), skipCharts, ociCaCertPath)
 
 		if err != nil {
 			panic(err)
@@ -87,6 +87,7 @@ func init() {
 	installAuthPortalCmd.PersistentFlags().StringSliceVarP(&additionalCharts, "additional-helm-charts", "r", []string{}, "Comma separated list of chart=path to deploy additional charts after OpenUnison is deployed, adding '@version' installs the specific version")
 
 	installAuthPortalCmd.PersistentFlags().StringSliceVarP(&namespaceLabels, "namespace-labels", "j", []string{}, "Comma separated list of name=value of labels to add to the openunison namespace")
+	installAuthPortalCmd.PersistentFlags().StringVarP(&ociCaCertPath, "oci-cacert-path", "p", "", "Path to a PEM file containing the CA certificate")
 	// Cobra supports local flags which will only run when this command
 	// is called directly, e.g.:
 	// installAuthPortalCmd.Flags().BoolP("toggle", "t", false, "Help message for toggle")
diff --git a/cmd/installSatelite.go b/cmd/installSatelite.go
@@ -32,7 +32,7 @@ var installSateliteCmd = &cobra.Command{
 		controlPlaneCtxName := args[1]
 		sateliteCtxName := args[2]
 
-		openunisonDeployment, err := openunison.NewSateliteDeployment(namespace, operatorChart, orchestraChart, orchestraLoginPortalChart, pathToValuesYaml, secretFile, controlPlaneCtxName, sateliteCtxName, addClusterChart, pathToSateliteYaml, parseChartSlices(&additionalCharts), parseChartSlices(&preCharts), parseNamespaceLabels(&namespaceLabels), controlPlaneOrchestraChartName, controlPlaneSecretName, skipCPIntegration, skipCharts)
+		openunisonDeployment, err := openunison.NewSateliteDeployment(namespace, operatorChart, orchestraChart, orchestraLoginPortalChart, pathToValuesYaml, secretFile, controlPlaneCtxName, sateliteCtxName, addClusterChart, pathToSateliteYaml, parseChartSlices(&additionalCharts), parseChartSlices(&preCharts), parseNamespaceLabels(&namespaceLabels), controlPlaneOrchestraChartName, controlPlaneSecretName, skipCPIntegration, skipCharts, ociCaCertPath)
 
 		if err != nil {
 			panic(err)
@@ -68,4 +68,6 @@ func init() {
 
 	installSateliteCmd.PersistentFlags().BoolVarP(&skipCPIntegration, "skip-controlplane-integration", "k", false, "Set to true if skipping the control plane integration step.  Used when upgrading a satelite.")
 	installSateliteCmd.PersistentFlags().StringSliceVarP(&skipCharts, "skip-charts", "i", []string{}, "Comma separated list of charts to skip during the deployment.  May be used to run 'hot upgrades' that doesn't require restarts")
+
+	installSateliteCmd.PersistentFlags().StringVarP(&ociCaCertPath, "oci-cacert-path", "p", "", "Path to a PEM file containing the CA certificate")
 }
diff --git a/cmd/root.go b/cmd/root.go
@@ -53,6 +53,8 @@ var controlPlaneSecretName string
 var skipCPIntegration bool
 var skipCharts []string
 
+var ociCaCertPath string
+
 // Execute adds all child commands to the root command and sets flags appropriately.
 // This is called by main.main(). It only needs to happen once to the rootCmd.
 func Execute() {
diff --git a/openunison/deployer.go b/openunison/deployer.go
@@ -3,6 +3,8 @@ package openunison
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
 	"flag"
@@ -11,6 +13,7 @@ import (
 	"io/ioutil"
 	"log"
 	"math/rand"
+	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
@@ -109,11 +112,13 @@ type OpenUnisonDeployment struct {
 	approversGroup         string
 
 	skipCharts map[string]bool
+
+	ociCaCertPath string
 }
 
 // creates a new deployment structure
-func NewOpenUnisonDeployment(namespace string, operatorChart string, orchestraChart string, orchestraLoginPortalChart string, pathToValuesYaml string, secretFile string, clusterManagementChart string, pathToDbPassword string, pathToSmtpPassword string, skipClusterManagement bool, additionalCharts []HelmChartInfo, preCharts []HelmChartInfo, namespaceLabels map[string]string, skipCharts []string) (*OpenUnisonDeployment, error) {
-	ou, err := NewSateliteDeployment(namespace, operatorChart, orchestraChart, orchestraLoginPortalChart, pathToValuesYaml, secretFile, "", "", "", "", additionalCharts, preCharts, namespaceLabels, "orchestra", "orchestra-secrets-source", false, skipCharts)
+func NewOpenUnisonDeployment(namespace string, operatorChart string, orchestraChart string, orchestraLoginPortalChart string, pathToValuesYaml string, secretFile string, clusterManagementChart string, pathToDbPassword string, pathToSmtpPassword string, skipClusterManagement bool, additionalCharts []HelmChartInfo, preCharts []HelmChartInfo, namespaceLabels map[string]string, skipCharts []string, ociCaCertPath string) (*OpenUnisonDeployment, error) {
+	ou, err := NewSateliteDeployment(namespace, operatorChart, orchestraChart, orchestraLoginPortalChart, pathToValuesYaml, secretFile, "", "", "", "", additionalCharts, preCharts, namespaceLabels, "orchestra", "orchestra-secrets-source", false, skipCharts, ociCaCertPath)
 
 	if err != nil {
 		return nil, err
@@ -128,7 +133,7 @@ func NewOpenUnisonDeployment(namespace string, operatorChart string, orchestraCh
 }
 
 // creates a new deployment structure
-func NewSateliteDeployment(namespace string, operatorChart string, orchestraChart string, orchestraLoginPortalChart string, pathToValuesYaml string, secretFile string, controlPlanContextName string, sateliteContextName string, addClusterChart string, pathToSateliteYaml string, additionalCharts []HelmChartInfo, preCharts []HelmChartInfo, namespaceLabels map[string]string, cpOrchestraName string, cpSecretName string, skipCpIntegration bool, skipCharts []string) (*OpenUnisonDeployment, error) {
+func NewSateliteDeployment(namespace string, operatorChart string, orchestraChart string, orchestraLoginPortalChart string, pathToValuesYaml string, secretFile string, controlPlanContextName string, sateliteContextName string, addClusterChart string, pathToSateliteYaml string, additionalCharts []HelmChartInfo, preCharts []HelmChartInfo, namespaceLabels map[string]string, cpOrchestraName string, cpSecretName string, skipCpIntegration bool, skipCharts []string, ociCaCertPath string) (*OpenUnisonDeployment, error) {
 	ou := &OpenUnisonDeployment{IsolatateRequestAccess: IsolateRequestAccess{Enabled: false, AzRules: make([]AzRule, 0)}}
 
 	ou.namespace = namespace
@@ -172,6 +177,8 @@ func NewSateliteDeployment(namespace string, operatorChart string, orchestraChar
 		ou.skipCharts[skipCharts[chartToSkip]] = true
 	}
 
+	ou.ociCaCertPath = ociCaCertPath
+
 	return ou, nil
 }
 
@@ -1472,15 +1479,54 @@ func (ou *OpenUnisonDeployment) locateChart(configChartName string, chartPathOpt
 	if strings.HasPrefix(chartName, "oci://") {
 		fmt.Printf("OCI chart detected: %s\n", chartName)
 
-		// Step 1: Initialize OCI client
-		ociClient, err := registry.NewClient(
-			registry.ClientOptEnableCache(true),
-			registry.ClientOptDebug(true),
-		)
-		if err != nil {
-			return nil, fmt.Errorf("failed to initialize OCI client: %v", err)
+		var ociClient *registry.Client
+
+		if ou.ociCaCertPath != "" {
+
+			// there's a ca cert
+			var err error
+			caCert, err := os.ReadFile(ou.ociCaCertPath)
+			if err != nil {
+				panic(err)
+			}
+
+			caPool := x509.NewCertPool()
+			if ok := caPool.AppendCertsFromPEM(caCert); !ok {
+				panic("failed to append CA cert")
+			}
+
+			tlsConfig := &tls.Config{
+				RootCAs: caPool,
+			}
+
+			httpClient := &http.Client{
+				Transport: &http.Transport{
+					TLSClientConfig: tlsConfig,
+				},
+			}
+
+			ociClient, err = registry.NewClient(
+				registry.ClientOptEnableCache(true),
+				registry.ClientOptDebug(true),
+				registry.ClientOptHTTPClient(httpClient),
+			)
+
+			if err != nil {
+				return nil, fmt.Errorf("failed to initialize OCI client: %v", err)
+			}
+		} else {
+			var err error
+			ociClient, err = registry.NewClient(
+				registry.ClientOptEnableCache(true),
+				registry.ClientOptDebug(true),
+			)
+			if err != nil {
+				return nil, fmt.Errorf("failed to initialize OCI client: %v", err)
+			}
 		}
 
+		// Step 1: Initialize OCI client
+
 		// Step 2: Create a temporary directory
 		tempDir, err := os.MkdirTemp("", "helm-oci-*")
 		if err != nil {
