🌱 Add logging to certpoolwatcher and client

[tmshort]

Logging now indicates what certificate (by file and X.509 name) is being watched

Update:

• Remove firstExpiration as it's no longer calculated
• Default logging to V(4), using a constant
• Add cert logging for catalogd pull failure

Log when an unknown server cert is encountered:

E0203 20:46:01.629763       1 client.go:124] "unverified cert" err="Get \"https://catalogd-service.olmv1-system.svc/catalogs/operatorhubio/api/v1/all\": tls: failed to verify certificate: x509: certificate signed by unknown authority" logger="catalog-client" n=1 subject="" issuer="CN=olmv1-ca" DNSNames=["localhost","catalogd-service.olmv1-system.svc","catalogd-service.olmv1-system.svc.cluster.local"] serial="197916310015755767059581167694871409392"

Loading and Watching certificates:

I0203 20:29:03.579864       1 certlog.go:81] "loading certificate file" logger="cert-pool" directory="/var/certs" file="olm-ca.crt" subject="CN=olmv1-ca"
I0203 20:29:03.580046       1 certlog.go:81] "watching certificate directory" logger="cert-pool" directory="/var/certs" file="olm-ca.crt" subject="CN=olmv1-ca"
I0203 20:29:03.580236       1 certlog.go:81] "watching certificate file" logger="cert-pool" file="/etc/ssl/certs/ca-certificates.crt" subject="CN=ACCVRAIZ1,OU=PKIACCV,O=ACCV,C=ES"
I0203 20:29:03.580264       1 certlog.go:81] "watching certificate file" logger="cert-pool" file="/etc/ssl/certs/ca-certificates.crt" subject="OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES"

[netlify]

✅ Deploy Preview for olmv1 ready!

Name	Link
🔨 Latest commit	3773bb6
🔍 Latest deploy log	https://app.netlify.com/sites/olmv1/deploys/67aa63fd974407000840081f
😎 Deploy Preview	https://deploy-preview-1684--olmv1.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[codecov]

Codecov Report

Attention: Patch coverage is 46.76259% with 74 lines in your changes missing coverage. Please review.

Project coverage is 67.70%. Comparing base (6ca68c4) to head (3773bb6).
Report is 3 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/httputil/certlog.go	41.50%	54 Missing and 8 partials ⚠️
catalogd/cmd/catalogd/main.go	0.00%	3 Missing ⚠️
catalogd/internal/source/containers_image.go	62.50%	2 Missing and 1 partial ⚠️
cmd/operator-controller/main.go	0.00%	2 Missing and 1 partial ⚠️
internal/rukpak/source/containers_image.go	62.50%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1684      +/-   ##
==========================================
- Coverage   68.24%   67.70%   -0.54%     
==========================================
  Files          58       59       +1     
  Lines        4988     5128     +140     
==========================================
+ Hits         3404     3472      +68     
- Misses       1342     1403      +61     
- Partials      242      253      +11     

Flag	Coverage Δ
e2e	52.58% <46.09%> (-0.35%)	⬇️
unit	55.01% <36.69%> (-0.45%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[perdasilva]

lgtm ^^

[perdasilva]

you may need to rebase to pick up the upgrade-e2e mitigations =S

[joelanford]

Would you mind adding some example output to the description of the PR?

[tmshort]

Example logging at start:

I0203 20:29:03.579864       1 certlog.go:81] "loading certificate file" logger="cert-pool" directory="/var/certs" file="olm-ca.crt" subject="CN=olmv1-ca"
I0203 20:29:03.579910       1 certlog.go:81] "loading certificate file" logger="cert-pool" directory="/var/certs" file="tls.cert" DNSNames=["operator-controller-service.olmv1-system.svc","operator-controller-service.olmv1-system.svc.cluster.local"]
E0203 20:29:03.579947       1 certlog.go:64] "error in x509.ParseCertificate()" err="x509: malformed tbs certificate" logger="cert-pool" file="tls.key"
I0203 20:29:03.580012       1 certlog.go:37] "ignoring subdirectory" logger="cert-pool" directory="/var/certs/..2025_02_03_20_29_03.3099064557"
I0203 20:29:03.580020       1 certlog.go:37] "ignoring subdirectory" logger="cert-pool" directory="/var/certs/..data"
I0203 20:29:03.580046       1 certlog.go:81] "watching certificate directory" logger="cert-pool" directory="/var/certs" file="olm-ca.crt" subject="CN=olmv1-ca"
I0203 20:29:03.580084       1 certlog.go:81] "watching certificate directory" logger="cert-pool" directory="/var/certs" file="tls.cert" DNSNames=["operator-controller-service.olmv1-system.svc","operator-controller-service.olmv1-system.svc.cluster.local"]
E0203 20:29:03.580106       1 certlog.go:64] "error in x509.ParseCertificate()" err="x509: malformed tbs certificate" logger="cert-pool" file="tls.key"
I0203 20:29:03.580236       1 certlog.go:81] "watching certificate file" logger="cert-pool" file="/etc/ssl/certs/ca-certificates.crt" subject="CN=ACCVRAIZ1,OU=PKIACCV,O=ACCV,C=ES"
I0203 20:29:03.580264       1 certlog.go:81] "watching certificate file" logger="cert-pool" file="/etc/ssl/certs/ca-certificates.crt" subject="OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES"
...

[tmshort]

Example logging of an unknown certificate:

E0203 20:46:01.629763       1 client.go:124] "Unverified Cert" err="Get \"https://catalogd-service.olmv1-system.svc/catalogs/operatorhubio/api/v1/all\": tls: failed to verify certificate: x509: certificate signed by unknown authority" logger="catalog-client" n=1 subject="" issuer="CN=olmv1-ca" DNSNames=["localhost","catalogd-service.olmv1-system.svc","catalogd-service.olmv1-system.svc.cluster.local"] serial="197916310015755767059581167694871409392"
I0203 20:46:01.629867       1 clustercatalog_controller.go:87] "reconcile ending" logger="cluster-catalog" controller="clustercatalog" controllerGroup="olm.operatorframework.io" controllerKind="ClusterCatalog" ClusterCatalog="operatorhubio" namespace="" name="operatorhubio" reconcileID="b5c3fd7f-0bc5-447e-a2cf-ab7bc08d86e5"
E0203 20:46:01.629929       1 controller.go:316] "Reconciler error" err="error populating cache for catalog \"operatorhubio\": error performing request: Get \"https://catalogd-service.olmv1-system.svc/catalogs/operatorhubio/api/v1/all\": tls: failed to verify certificate: x509: certificate signed by unknown authority" controller="clustercatalog" controllerGroup="olm.operatorframework.io" controllerKind="ClusterCatalog" ClusterCatalog="operatorhubio" namespace="" name="operatorhubio" reconcileID="b5c3fd7f-0bc5-447e-a2cf-ab7bc08d86e5"

[LalatenduMohanty]

it kind if weird that the certlog is in httputil pkg. Should we keep outside of httputil? Same comment for internal/httputil/certutil.go.

It is nit pick and not blocker for this PR.

[tmshort]

I was thinking of moving the cert utility stuff into it's own package, but that can be done later.

[LalatenduMohanty]

Why are we ignoring the return here?

// This function unwraps the given error to find an CertificateVerificationError.
// It then logs the list of certificates found in the unwrapped error
// Returns:
// * true if a CertificateVerificationError is found
// * false if no CertificateVerificationError is found
func LogCertificateVerificationError(err error, log logr.Logger) bool {

[tmshort]

Because we don't need to log certs in /etc/docker here, because this is used for catalogd connections, not pulling images, The other places this is called, the return is used to determine if we want to look at /etc/docker

[LalatenduMohanty]

I see, so we just called the function to log error in to the logfile.

[LalatenduMohanty]

/lgtm