[epic] Use encryption (HTTPS) for catalogd webserver responses

[joelanford]

Before we GA, catalogd's webserver needs to be updated to use encryption, for two primary reasons:

1. In 2024, encryption is table stakes for webservers.
2. If we ever get requirements to add authentication and authorization checks for catalogd's endpoints, encryption is required to avoid leaking client credentials in cleartext.

Adding encryption after GA would be a breaking change.

Tasks:

• Implement HTTPS support for the catalogd webserver
  • PR: ⚠️ Serve catalog over HTTPS #263
• Cut a release of catalogd
• Update operator-controller's catalogd dependency

[trgeiger]

/assign

[everettraven]

Existing draft PR: #243

@trgeiger I'm not sure when I'll have cycles to circle back around to ^ so feel free to spin off a new PR with that one as inspiration. I'm happy to be a point of contact and answer any questions/pair program if needed

[trgeiger]

Awesome, I was just about to ask. Thanks for getting most of the work done!

[itroyano]

Do we want to maintain cert files, or can we use a Serving Cert here?

[itroyano]

Serving certs are being handled by service-ca-operator which is an OpenShift Cluster Operator so -

• Pros: this rotates and provides keys for us, in standard k8s secret format, so we don't have to maintain certs.
• Cons:
  1. creates a dependency between OLM and CA Operator, so need to verify both can be alive at the same time.
  2. not applicable for upstream k8s clusters.

[everettraven]

@itroyano Since this is an upstream project we should use something like Cert Manager (#243 should have an example). I imagine that a vendor like OpenShift would have some logic to substitute the Cert Manager usage with something like the service-ca-operator

[trgeiger]

draft PR #263

[trgeiger]

#263 has been merged. Next we will need to cut a release of catalogd so we can update the dependency in operator-controller and make any changes needed in operator-controller.

[trgeiger]

Bug related to HTTPS: #270