Skip to content

CM-716: Add HTTP01 Challenge Proxy controller #398

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
sebrandon1 wants to merge 1 commit into
base: master
Choose a base branch
from
Open

CM-716: Add HTTP01 Challenge Proxy controller #398

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -322,10 +322,12 @@ local-run: build ## Run the operator locally against the cluster configured in ~
RELATED_IMAGE_CERT_MANAGER_ACMESOLVER=quay.io/jetstack/cert-manager-acmesolver:$(CERT_MANAGER_VERSION) \
RELATED_IMAGE_CERT_MANAGER_ISTIOCSR=quay.io/jetstack/cert-manager-istio-csr:$(ISTIO_CSR_VERSION) \
RELATED_IMAGE_CERT_MANAGER_TRUST_MANAGER=quay.io/jetstack/trust-manager:$(TRUST_MANAGER_VERSION) \
RELATED_IMAGE_CERT_MANAGER_HTTP01PROXY=quay.io/bapalm/cert-mgr-http01-proxy:latest \
OPERATOR_NAME=cert-manager-operator \
OPERAND_IMAGE_VERSION=$(BUNDLE_VERSION) \
ISTIOCSR_OPERAND_IMAGE_VERSION=$(ISTIO_CSR_VERSION) \
TRUSTMANAGER_OPERAND_IMAGE_VERSION=$(TRUST_MANAGER_VERSION) \
HTTP01PROXY_OPERAND_IMAGE_VERSION=0.1.0 \
Comment on lines +325 to +330
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Apr 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Avoid mutable latest for the HTTP01 proxy image.

Using :latest here makes local runs non-reproducible and can silently pull unreviewed bits; it also conflicts with the explicit HTTP01PROXY_OPERAND_IMAGE_VERSION=0.1.0. Pin this to a fixed tag (or digest) and keep both variables aligned.

Suggested fix 
-	RELATED_IMAGE_CERT_MANAGER_HTTP01PROXY=quay.io/bapalm/cert-mgr-http01-proxy:latest \
+	RELATED_IMAGE_CERT_MANAGER_HTTP01PROXY=quay.io/bapalm/cert-mgr-http01-proxy:v0.1.0 \
 ...
-	HTTP01PROXY_OPERAND_IMAGE_VERSION=0.1.0 \
+	HTTP01PROXY_OPERAND_IMAGE_VERSION=v0.1.0 \
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
RELATED_IMAGE_CERT_MANAGER_HTTP01PROXY=quay.io/bapalm/cert-mgr-http01-proxy:latest \
OPERATOR_NAME=cert-manager-operator \
OPERAND_IMAGE_VERSION=$(BUNDLE_VERSION) \
ISTIOCSR_OPERAND_IMAGE_VERSION=$(ISTIO_CSR_VERSION) \
TRUSTMANAGER_OPERAND_IMAGE_VERSION=$(TRUST_MANAGER_VERSION) \
HTTP01PROXY_OPERAND_IMAGE_VERSION=0.1.0 \
RELATED_IMAGE_CERT_MANAGER_HTTP01PROXY=quay.io/bapalm/cert-mgr-http01-proxy:v0.1.0 \
OPERATOR_NAME=cert-manager-operator \
OPERAND_IMAGE_VERSION=$(BUNDLE_VERSION) \
ISTIOCSR_OPERAND_IMAGE_VERSION=$(ISTIO_CSR_VERSION) \
TRUSTMANAGER_OPERAND_IMAGE_VERSION=$(TRUST_MANAGER_VERSION) \
HTTP01PROXY_OPERAND_IMAGE_VERSION=v0.1.0 \
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@Makefile` around lines 325 - 330, The RELATED_IMAGE_CERT_MANAGER_HTTP01PROXY
value currently uses the mutable tag ":latest" while
HTTP01PROXY_OPERAND_IMAGE_VERSION is set to "0.1.0"; change
RELATED_IMAGE_CERT_MANAGER_HTTP01PROXY to use a fixed tag or digest that matches
HTTP01PROXY_OPERAND_IMAGE_VERSION (or derive the tag from
HTTP01PROXY_OPERAND_IMAGE_VERSION) so both variables are aligned and the image
is pinned for reproducible, reviewable runs; update any documentation/comments
to reflect the pinning.

OPERATOR_IMAGE_VERSION=$(BUNDLE_VERSION) \
./cert-manager-operator start \
--config=./hack/local-run-config.yaml \
Expand Down
10 changes: 10 additions & 0 deletions api/operator/v1alpha1/features.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,9 +21,19 @@ var (
// For more details,
// https://github.com/openshift/enhancements/blob/master/enhancements/cert-manager/trust-manager-controller.md
FeatureTrustManager featuregate.Feature = "TrustManager"

// HTTP01Proxy enables the controller for http01proxies.operator.openshift.io resource,
// which extends cert-manager-operator to deploy and manage the HTTP01 challenge proxy.
// The proxy enables cert-manager to complete HTTP01 ACME challenges for the API endpoint
// on baremetal platforms where the API VIP is not exposed via OpenShift Ingress.
//
// For more details,
// https://github.com/openshift/enhancements/pull/1929
FeatureHTTP01Proxy featuregate.Feature = "HTTP01Proxy"
)

var OperatorFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
FeatureIstioCSR: {Default: true, PreRelease: featuregate.GA},
FeatureTrustManager: {Default: false, PreRelease: "TechPreview"},
FeatureHTTP01Proxy: {Default: false, PreRelease: featuregate.Alpha},
}
109 changes: 109 additions & 0 deletions api/operator/v1alpha1/http01proxy_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
package v1alpha1

import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

func init() {
SchemeBuilder.Register(&HTTP01Proxy{}, &HTTP01ProxyList{})
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:object:root=true

// HTTP01ProxyList is a list of HTTP01Proxy objects.
type HTTP01ProxyList struct {
metav1.TypeMeta `json:",inline"`

// metadata is the standard list's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
metav1.ListMeta `json:"metadata"`
Items []HTTP01Proxy `json:"items"`
}

// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:resource:path=http01proxies,scope=Namespaced,categories={cert-manager-operator},shortName=http01proxy
// +kubebuilder:printcolumn:name="Mode",type="string",JSONPath=".spec.mode"
// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
// +kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].message"
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:metadata:labels={"app.kubernetes.io/name=http01proxy", "app.kubernetes.io/part-of=cert-manager-operator"}

// HTTP01Proxy describes the configuration for the HTTP01 challenge proxy
// that redirects traffic from the API endpoint on port 80 to ingress routers.
// This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.
// The name must be `default` to make HTTP01Proxy a singleton.
//
// When an HTTP01Proxy is created, the proxy DaemonSet is deployed on control plane nodes.
//
// +kubebuilder:validation:XValidation:rule="self.metadata.name == 'default'",message="http01proxy is a singleton, .metadata.name must be 'default'"
// +operator-sdk:csv:customresourcedefinitions:displayName="HTTP01Proxy"
type HTTP01Proxy struct {
metav1.TypeMeta `json:",inline"`

// metadata is the standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
metav1.ObjectMeta `json:"metadata,omitempty"`

// spec is the specification of the desired behavior of the HTTP01Proxy.
// +kubebuilder:validation:Required
// +required
Spec HTTP01ProxySpec `json:"spec"`

// status is the most recently observed status of the HTTP01Proxy.
// +kubebuilder:validation:Optional
// +optional
Status HTTP01ProxyStatus `json:"status,omitempty"`
}

// HTTP01ProxyMode controls how the HTTP01 challenge proxy is deployed.
// +kubebuilder:validation:Enum=DefaultDeployment;CustomDeployment
type HTTP01ProxyMode string

const (
// HTTP01ProxyModeDefault enables the proxy with default configuration.
HTTP01ProxyModeDefault HTTP01ProxyMode = "DefaultDeployment"

// HTTP01ProxyModeCustom enables the proxy with user-specified configuration.
HTTP01ProxyModeCustom HTTP01ProxyMode = "CustomDeployment"
)

// HTTP01ProxySpec is the specification of the desired behavior of the HTTP01Proxy.
// +kubebuilder:validation:XValidation:rule="self.mode == 'CustomDeployment' ? has(self.customDeployment) : !has(self.customDeployment)",message="customDeployment is required when mode is CustomDeployment and forbidden otherwise"
type HTTP01ProxySpec struct {
// mode controls whether the HTTP01 challenge proxy is active and how it should be deployed.
// DefaultDeployment enables the proxy with default configuration.
// CustomDeployment enables the proxy with user-specified configuration.
// +kubebuilder:validation:Required
// +required
Mode HTTP01ProxyMode `json:"mode"`

// customDeployment contains configuration options when mode is CustomDeployment.
// This field is only valid when mode is CustomDeployment.
// +kubebuilder:validation:Optional
// +optional
CustomDeployment *HTTP01ProxyCustomDeploymentSpec `json:"customDeployment,omitempty"`
}

// HTTP01ProxyCustomDeploymentSpec contains configuration for custom proxy deployment.
type HTTP01ProxyCustomDeploymentSpec struct {
// internalPort specifies the internal port used by the proxy service.
// Valid values are 1024-65535.
// +kubebuilder:validation:Minimum=1024
// +kubebuilder:validation:Maximum=65535
// +kubebuilder:default=8888
// +optional
InternalPort int32 `json:"internalPort,omitempty"`
}

// HTTP01ProxyStatus is the most recently observed status of the HTTP01Proxy.
type HTTP01ProxyStatus struct {
// conditions holds information about the current state of the HTTP01 proxy deployment.
ConditionalStatus `json:",inline,omitempty"`

// proxyImage is the name of the image and the tag used for deploying the proxy.
ProxyImage string `json:"proxyImage,omitempty"`
}
110 changes: 110 additions & 0 deletions api/operator/v1alpha1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

34 changes: 34 additions & 0 deletions bindata/http01-proxy/cert-manager-http01-proxy-clusterrole.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-http01-proxy
labels:
app: cert-manager-http01-proxy
app.kubernetes.io/name: cert-manager-http01-proxy
app.kubernetes.io/part-of: cert-manager-operator
rules:
- apiGroups:
- config.openshift.io
resources:
- clusterversions
- infrastructures
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- operator.openshift.io
resources:
- machineconfigurations
verbs:
- update
- apiGroups:
- machineconfiguration.openshift.io
resources:
- machineconfigs
verbs:
- get
- list
- create
- update
Comment on lines +26 to +34
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Apr 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Tighten MachineConfig write permissions (least-privilege gap).

This grants cluster-wide create/update on machineconfigs, which is high-impact node-level access. Scope these verbs to only what is strictly required (for example, isolate write access to a dedicated controller identity and constrain by deterministic resource names where possible).

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@bindata/http01-proxy/cert-manager-http01-proxy-clusterrole.yaml` around lines
26 - 34, The ClusterRole block granting verbs ["create","update"] on the
cluster-scoped resource "machineconfigs" is too broad; remove the "create" and
"update" verbs from the cluster-wide ClusterRole in
cert-manager-http01-proxy-clusterrole.yaml and instead either (a) move necessary
write privileges into a namespaced Role bound to a dedicated controller
ServiceAccount, or (b) if cluster-scoped writes are unavoidable, replace the
ClusterRole entry with a more restrictive rule using "resourceNames" limited to
the specific deterministic MachineConfig names and bind it only to the dedicated
controller identity; update any RoleBinding/ClusterRoleBinding to target that
controller ServiceAccount accordingly.

16 changes: 16 additions & 0 deletions bindata/http01-proxy/cert-manager-http01-proxy-clusterrolebinding.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-http01-proxy
labels:
app: cert-manager-http01-proxy
app.kubernetes.io/name: cert-manager-http01-proxy
app.kubernetes.io/part-of: cert-manager-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-http01-proxy
subjects:
- kind: ServiceAccount
name: cert-manager-http01-proxy
namespace: cert-manager-operator
60 changes: 60 additions & 0 deletions bindata/http01-proxy/cert-manager-http01-proxy-daemonset.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: cert-manager-http01-proxy
namespace: cert-manager-operator
labels:
app: cert-manager-http01-proxy
app.kubernetes.io/name: cert-manager-http01-proxy
app.kubernetes.io/part-of: cert-manager-operator
spec:
selector:
matchLabels:
app: cert-manager-http01-proxy
updateStrategy:
type: RollingUpdate
template:
metadata:
labels:
app: cert-manager-http01-proxy
app.kubernetes.io/name: cert-manager-http01-proxy
app.kubernetes.io/part-of: cert-manager-operator
spec:
serviceAccountName: cert-manager-http01-proxy
hostNetwork: true
Comment on lines +23 to +24
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Apr 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Do Kubernetes NetworkPolicies apply to Pods running with hostNetwork: true?

💡 Result:

No, Kubernetes NetworkPolicies do not reliably apply to Pods running with hostNetwork: true. The official Kubernetes documentation states that NetworkPolicy behavior for hostNetwork pods is undefined, depending on the CNI plugin implementation. In the most common case, hostNetwork pods are ignored by podSelectors and treated as node/host traffic since they share the host's network namespace and IP. CNIs like Calico explicitly do not apply standard k8s NetworkPolicies to them, recommending host endpoints instead.

Citations:

hostNetwork makes the proxy's NetworkPolicies ineffective.

This pod joins the node network namespace, so the NetworkPolicies created for the feature will not provide the isolation they appear to promise. Kubernetes NetworkPolicies do not reliably apply to pods with hostNetwork: true—the common behavior across CNI implementations (including Calico) is to ignore such pods in policy rules. If least-privilege egress is a requirement, use node-level filtering or redesign without hostNetwork instead.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@bindata/http01-proxy/cert-manager-http01-proxy-daemonset.yaml` around lines
23 - 24, The DaemonSet currently sets hostNetwork: true which prevents
Kubernetes NetworkPolicies from applying; edit the cert-manager-http01-proxy
DaemonSet spec to remove or set hostNetwork to false (i.e., stop joining the
node network namespace) and instead expose required ports via container hostPort
or a NodePort/HostPort + proper selector, or enforce node-level firewall rules
if node networking is required; update the pod spec (where serviceAccountName:
cert-manager-http01-proxy appears) to use hostPort or a Service-backed approach
and verify NetworkPolicy rules now target the podSelector so least-privilege
egress works as intended.

nodeSelector:
node-role.kubernetes.io/master: ""
tolerations:
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
containers:
- name: http01-proxy
image: ${RELATED_IMAGE_CERT_MANAGER_HTTP01PROXY}
ports:
- name: proxy
containerPort: 8888
hostPort: 8888
protocol: TCP
env:
- name: PROXY_PORT
value: "8888"
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
drop:
- ALL
runAsNonRoot: false
resources:
Comment thread
coderabbitai[bot] marked this conversation as resolved.
requests:
cpu: 10m
memory: 32Mi
limits:
cpu: 100m
memory: 64Mi
priorityClassName: system-cluster-critical
16 changes: 16 additions & 0 deletions bindata/http01-proxy/cert-manager-http01-proxy-scc-rolebinding.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-http01-proxy-scc
labels:
app: cert-manager-http01-proxy
app.kubernetes.io/name: cert-manager-http01-proxy
app.kubernetes.io/part-of: cert-manager-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:openshift:scc:privileged
subjects:
- kind: ServiceAccount
name: cert-manager-http01-proxy
namespace: cert-manager-operator
9 changes: 9 additions & 0 deletions bindata/http01-proxy/cert-manager-http01-proxy-serviceaccount.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: cert-manager-http01-proxy
namespace: cert-manager-operator
labels:
app: cert-manager-http01-proxy
app.kubernetes.io/name: cert-manager-http01-proxy
app.kubernetes.io/part-of: cert-manager-operator
Loading