:bug: OPRUN-4110: Restart when SystemCertPool should change by tmshort · Pull Request #2175

:bug: OPRUN-4110: Restart when SystemCertPool should change by tmshort · Pull Request #2175 · operator-framework/operator-controller
This fixes a downstream bug

There was a problem downstream where the OpenShift servivce-ca was not yet available,
and due to the way the manifests were set up, the service-ca was considered to be
part of the SystemCertPool. The problem is that the SystemCertPool, once initialized,
will never reload itself.

We can get into this situation when we use SSL_CERT_DIR and SSL_CERT_FILE to provide
OpenShift CAs to be used by containers/image for pulling. These environment variables
change the source of the SystemCertPool. The CertPoolWatcher then watches these
locations, and tries to update the pool it provides to the HTTPS client connecting to
catalogd. But the SystemCertPool is never updated. (It did not help that there was
no explicit CertPoolWatcher for the pull CAs.)

I tried to fix this downstream by removing SSL_CERT_DIR, and specifying the
`--pull-cas-dir` option. This means that containers/image would directly use
certificates that we specify, rather than the default location.

But this breaks the use of custom CAs for local image registries.

The containers/image package does not provide a way to manipulate the certificate
locations beyond a simple directory setting, and we need to leave that directory
setting as the default in downstream because it (i.e. /etc/docker/certs.d) is a host-
mounted directory that contains certificates for local image registries. And it is
possible to configure a custom CA for a local image registry, so that directory
must be included, ALONG with the OpenShift provided CAs and service-ca, which is
defined by SSL_CERT_DIR.

But because of the use of SSL_CERT_DIR to include the OpenShift service-ca, if the
service-ca was not available at startup, but became available later, it was not
possible to reload the SystemCertPool. Which could cause problems in operator-controller
when it tried to connect to catalogd.

The fundamental problem is that there's no way to refresh the SystemCertPool,
which will become more and more of an issue as certificate lifetimes decrease.

Using SSL_CERT_DIR allows us to use the CertPoolWatcher to notice changes to the
SystemCertPool. This will allow us to restart the process when certificates
change (e.g. OpenShift service-ca becomes available).

Changes:
* Update CertPoolWatcher to restart on changes to SSL_CERT_DIR and SSL_CERT_FILE
* Update CertPoolWatcher to use a Runnable interface, so that it can be added to
the manager, and started later, which may improve the changes that the service-ca
is ready.
* Update CertPoolWatcher to not be created when there's nothing to watch.
* Add CertPoolWatcher to catalogd for pull CAs
* Add CertPoolWatcher to operator-controller for pull CAs
* Improve logging

With this, my downstream manifest change should be reverted.

Signed-off-by: Todd Short <tshort@redhat.com>
Assisted-by: Claude Code (alternatives)