Remove TLSVerify/PullSecret fields

Remove fields that will not have long term support committed to them to
prepare for the v1.0 release.

Removed Fields:
- spec.source.image.insecureSkipTLSVerify
- spec.source.image.pullSecret

GH Issue Ref: #355

api/core/v1alpha1/clustercatalog_types.go

@@ -149,21 +149,12 @@ type ResolvedImageSource struct {
 type ImageSource struct {
 	// ref contains the reference to a container image containing Catalog contents.
 	Ref string `json:"ref"`
-	// pullSecret contains the name of the image pull secret in the namespace that catalogd is deployed.
-	// +optional
-	PullSecret string `json:"pullSecret,omitempty"`
 	// pollInterval indicates the interval at which the image source should be polled for new content,
 	// specified as a duration (e.g., "5m", "1h", "24h", "etc".). Note that PollInterval may not be
 	// specified for a catalog image referenced by a sha256 digest.
 	// +kubebuilder:validation:Format:=duration
 	// +optional
 	PollInterval *metav1.Duration `json:"pollInterval,omitempty"`
-	// insecureSkipTLSVerify indicates that TLS certificate validation should be skipped.
-	// If this option is specified, the HTTPS protocol will still be used to
-	// fetch the specified image reference.
-	// This should not be used in a production environment.
-	// +optional
-	InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify,omitempty"`
 }
 
 func init() {

config/base/crd/bases/olm.operatorframework.io_clustercatalogs.yaml

@@ -64,24 +64,13 @@ spec:
                     description: image is the catalog image that backs the content
                       of this catalog.
                     properties:
-                      insecureSkipTLSVerify:
-                        description: |-
-                          insecureSkipTLSVerify indicates that TLS certificate validation should be skipped.
-                          If this option is specified, the HTTPS protocol will still be used to
-                          fetch the specified image reference.
-                          This should not be used in a production environment.
-                        type: boolean
                       pollInterval:
                         description: |-
                           pollInterval indicates the interval at which the image source should be polled for new content,
                           specified as a duration (e.g., "5m", "1h", "24h", "etc".). Note that PollInterval may not be
                           specified for a catalog image referenced by a sha256 digest.
                         format: duration
                         type: string
-                      pullSecret:
-                        description: pullSecret contains the name of the image pull
-                          secret in the namespace that catalogd is deployed.
-                        type: string
                       ref:
                         description: ref contains the reference to a container image
                           containing Catalog contents.

internal/source/image_registry_client.go

@@ -3,19 +3,15 @@ package source
 import (
 	"archive/tar"
 	"context"
-	"crypto/tls"
 	"errors"
 	"fmt"
 	"io/fs"
-	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 
 	"github.com/containerd/containerd/archive"
-	"github.com/google/go-containerregistry/pkg/authn/k8schain"
-	gcrkube "github.com/google/go-containerregistry/pkg/authn/kubernetes"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -51,32 +47,6 @@ func (i *ImageRegistry) Unpack(ctx context.Context, catalog *catalogdv1alpha1.Cl
 	}
 
 	remoteOpts := []remote.Option{}
-	if catalog.Spec.Source.Image.PullSecret != "" {
-		chainOpts := k8schain.Options{
-			ImagePullSecrets: []string{catalog.Spec.Source.Image.PullSecret},
-			Namespace:        i.AuthNamespace,
-			// TODO: Do we want to use any secrets that are included in the catalogd service account?
-			// If so, we will need to add the permission to get service accounts and specify
-			// the catalogd service account name here.
-			ServiceAccountName: gcrkube.NoServiceAccount,
-		}
-		authChain, err := k8schain.NewInCluster(ctx, chainOpts)
-		if err != nil {
-			return nil, fmt.Errorf("error getting auth keychain: %w", err)
-		}
-
-		remoteOpts = append(remoteOpts, remote.WithAuthFromKeychain(authChain))
-	}
-
-	if catalog.Spec.Source.Image.InsecureSkipTLSVerify {
-		insecureTransport := remote.DefaultTransport.(*http.Transport).Clone()
-		if insecureTransport.TLSClientConfig == nil {
-			insecureTransport.TLSClientConfig = &tls.Config{} // nolint:gosec
-		}
-		insecureTransport.TLSClientConfig.InsecureSkipVerify = true // nolint:gosec
-		remoteOpts = append(remoteOpts, remote.WithTransport(insecureTransport))
-	}
-
 	digest, isDigest := imgRef.(name.Digest)
 	if isDigest {
 		hexVal := strings.TrimPrefix(digest.DigestStr(), "sha256:")

internal/source/image_registry_client_test.go

@@ -299,40 +299,6 @@ func TestImageRegistry(t *testing.T) {
 				return img
 			}(),
 		},
-		{
-			name: "digest ref, insecure specified, happy path",
-			catalog: &v1alpha1.ClusterCatalog{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "test",
-				},
-				Spec: v1alpha1.ClusterCatalogSpec{
-					Source: v1alpha1.CatalogSource{
-						Type: v1alpha1.SourceTypeImage,
-						Image: &v1alpha1.ImageSource{
-							Ref:                   "",
-							InsecureSkipTLSVerify: true,
-						},
-					},
-				},
-			},
-			wantErr: false,
-			refType: "digest",
-			image: func() v1.Image {
-				img, err := random.Image(20, 3)
-				if err != nil {
-					panic(err)
-				}
-				img, err = mutate.Config(img, v1.Config{
-					Labels: map[string]string{
-						source.ConfigDirLabel: "/configs",
-					},
-				})
-				if err != nil {
-					panic(err)
-				}
-				return img
-			}(),
-		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
 			// Create context, temporary cache directory,

test/e2e/unpack_test.go

@@ -54,8 +54,7 @@ var _ = Describe("ClusterCatalog Unpacking", func() {
 					Source: catalogd.CatalogSource{
 						Type: catalogd.SourceTypeImage,
 						Image: &catalogd.ImageSource{
-							Ref:                   catalogImageRef(),
-							InsecureSkipTLSVerify: true,
+							Ref: catalogImageRef(),
 						},
 					},
 				},