Merge pull request #263 from nimrod-becker/backport_to_2_1

Backport to 2.1

pkg/diagnose/diagnose.go

@@ -120,10 +120,7 @@ func (c *Collector) CollectPodLogs(corePodSelector labels.Selector) {
 
 // 	targetAddress := fmt.Sprintf("%s/metrics/counter", mgmtURL.String())
 // 	log.Printf("JENIA THIS IS THE URL %s", targetAddress)
-// 	tr := &http.Transport{
-// 		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-// 	}
-// 	client := &http.Client{Transport: tr}
+// 	client := &http.Client{Transport: util.InsecureHTTPTransport}
 // 	resp, err := client.Get(targetAddress)
 // 	if err != nil {
 // 		log.Printf(`%s`, err)

pkg/nb/rpc.go

@@ -1,11 +1,11 @@
 package nb
 
 import (
-	"crypto/tls"
 	"net/http"
 	"strings"
 	"sync"
 
+	util "github.com/noobaa/noobaa-operator/v2/pkg/util"
 	"github.com/sirupsen/logrus"
 )
 
@@ -125,10 +125,7 @@ var _ error = &RPCError{}
 func NewRPC() *RPC {
 	return &RPC{
 		HTTPClient: http.Client{
-			//Timeout: 120 * time.Second,
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			},
+			Transport: util.InsecureHTTPTransport,
 		},
 		ConnMap:     make(map[string]RPCConn),
 		ConnMapLock: sync.Mutex{},

pkg/system/reconciler.go

@@ -292,19 +292,16 @@ func (r *Reconciler) ReconcilePhases() error {
 	if err := r.ReconcilePhaseVerifying(); err != nil {
 		return err
 	}
-	r.PrintMemUsage("Verifying")
 	if err := r.ReconcilePhaseCreating(); err != nil {
 		return err
 	}
-	r.PrintMemUsage("Creating")
 	if err := r.ReconcilePhaseConnecting(); err != nil {
 		return err
 	}
-	r.PrintMemUsage("Connecting")
 	if err := r.ReconcilePhaseConfiguring(); err != nil {
 		return err
 	}
-	r.PrintMemUsage("Configuring")
+	r.PrintMemUsage("Finishing")
 	return nil
 }
 

pkg/util/util.go

@@ -6,6 +6,7 @@ import (
 	"context"
 	"crypto/rand"
 	"crypto/tls"
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
@@ -50,7 +51,10 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
 )
 
-const oAuthWellKnownEndpoint = "https://openshift.default.svc/.well-known/oauth-authorization-server"
+const (
+	oAuthWellKnownEndpoint = "https://openshift.default.svc/.well-known/oauth-authorization-server"
+	serviceCAPath          = "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
+)
 
 // OAuth2Endpoints holds OAuth2 endpoints information.
 type OAuth2Endpoints struct {
@@ -64,8 +68,37 @@ var (
 	lazyConfig *rest.Config
 	lazyRest   *rest.RESTClient
 	lazyClient client.Client
+
+	// InsecureHTTPTransport is a global insecure http transport
+	InsecureHTTPTransport = &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+	// SecureHTTPTransport is a global secured http transport
+	SecureHTTPTransport = newSecureHTTPTransport()
 )
 
+// newSecureHTTPTransport initializes a secured http transport. http.Transport may cause memory leaks when overused
+func newSecureHTTPTransport() *http.Transport {
+	// Load CA cert
+	caCert, err := ioutil.ReadFile(serviceCAPath)
+	if err != nil {
+		return &http.Transport{}
+	}
+
+	caCertPool, _ := x509.SystemCertPool()
+	if caCertPool == nil {
+		caCertPool = x509.NewCertPool()
+	}
+	caCertPool.AppendCertsFromPEM(caCert)
+
+	// Setup HTTPS client
+	tlsConfig := &tls.Config{
+		RootCAs: caCertPool,
+	}
+	transport := &http.Transport{TLSClientConfig: tlsConfig}
+	return transport
+
+}
 func init() {
 	Panic(apiextv1beta1.AddToScheme(scheme.Scheme))
 	Panic(nbapis.AddToScheme(scheme.Scheme))
@@ -851,13 +884,16 @@ func PrintThisNoteWhenFinishedApplyingAndStartWaitLoop() {
 // DiscoverOAuthEndpoints uses a well known url to get info on the cluster oauth2 endpoints
 func DiscoverOAuthEndpoints() (*OAuth2Endpoints, error) {
 	client := http.Client{
-		Timeout: 120 * time.Second,
-		Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-		},
+		Timeout:   120 * time.Second,
+		Transport: SecureHTTPTransport,
 	}
 
 	res, err := client.Get(oAuthWellKnownEndpoint)
+	defer func() {
+		if res != nil && res.Body != nil {
+			res.Body.Close()
+		}
+	}()
 	if err != nil {
 		return nil, err
 	}