CM-716: Add HTTP01 Challenge Proxy controller

Add the HTTP01 Challenge Proxy feature to cert-manager-operator, enabling
cert-manager to complete HTTP01 ACME challenges for the API endpoint on
baremetal platforms where the API VIP is not exposed via OpenShift Ingress.

This follows the IstioCSR/TrustManager controller pattern and includes:

- HTTP01Proxy CRD with mode (DefaultDeployment/CustomDeployment) and
  optional customDeployment.internalPort configuration
- Full controller-runtime reconciler with finalizer handling, status
  conditions (Ready/Degraded), and managed resource watches
- Platform validation via Infrastructure CR — only deploys on BareMetal
  platforms with distinct API/Ingress VIPs, sets Degraded condition with
  descriptive message on unsupported platforms
- DaemonSet deployment on control plane nodes with hostNetwork, nftables
  NET_ADMIN capability, and privileged SCC
- RBAC for reading cluster config and managing MachineConfig resources
- NetworkPolicies for deny-all and allow-egress
- FeatureHTTP01Proxy feature gate (Alpha, default: false)
- Integrated with unified cache builder and common package utilities
- Controller-runtime metrics on :8085 to avoid library-go port conflict
- Generated clientset, informers, listers, and apply configurations

Ref: openshift/enhancements#1929

Author: sebrandon1

Makefile

@@ -322,10 +322,12 @@ local-run: build ## Run the operator locally against the cluster configured in ~
 	RELATED_IMAGE_CERT_MANAGER_ACMESOLVER=quay.io/jetstack/cert-manager-acmesolver:$(CERT_MANAGER_VERSION) \
 	RELATED_IMAGE_CERT_MANAGER_ISTIOCSR=quay.io/jetstack/cert-manager-istio-csr:$(ISTIO_CSR_VERSION) \
 	RELATED_IMAGE_CERT_MANAGER_TRUST_MANAGER=quay.io/jetstack/trust-manager:$(TRUST_MANAGER_VERSION) \
+	RELATED_IMAGE_CERT_MANAGER_HTTP01PROXY=quay.io/bapalm/cert-mgr-http01-proxy:latest \
 	OPERATOR_NAME=cert-manager-operator \
 	OPERAND_IMAGE_VERSION=$(BUNDLE_VERSION) \
 	ISTIOCSR_OPERAND_IMAGE_VERSION=$(ISTIO_CSR_VERSION) \
 	TRUSTMANAGER_OPERAND_IMAGE_VERSION=$(TRUST_MANAGER_VERSION) \
+	HTTP01PROXY_OPERAND_IMAGE_VERSION=0.1.0 \
 	OPERATOR_IMAGE_VERSION=$(BUNDLE_VERSION) \
 	./cert-manager-operator start \
 		--config=./hack/local-run-config.yaml \

api/operator/v1alpha1/features.go

@@ -21,9 +21,19 @@ var (
 	// For more details,
 	// https://github.com/openshift/enhancements/blob/master/enhancements/cert-manager/trust-manager-controller.md
 	FeatureTrustManager featuregate.Feature = "TrustManager"
+
+	// HTTP01Proxy enables the controller for http01proxies.operator.openshift.io resource,
+	// which extends cert-manager-operator to deploy and manage the HTTP01 challenge proxy.
+	// The proxy enables cert-manager to complete HTTP01 ACME challenges for the API endpoint
+	// on baremetal platforms where the API VIP is not exposed via OpenShift Ingress.
+	//
+	// For more details,
+	// https://github.com/openshift/enhancements/pull/1929
+	FeatureHTTP01Proxy featuregate.Feature = "HTTP01Proxy"
 )
 
 var OperatorFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
 	FeatureIstioCSR:     {Default: true, PreRelease: featuregate.GA},
 	FeatureTrustManager: {Default: false, PreRelease: "TechPreview"},
+	FeatureHTTP01Proxy:  {Default: false, PreRelease: featuregate.Alpha},
 }

api/operator/v1alpha1/http01proxy_types.go

@@ -0,0 +1,109 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func init() {
+	SchemeBuilder.Register(&HTTP01Proxy{}, &HTTP01ProxyList{})
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
+
+// HTTP01ProxyList is a list of HTTP01Proxy objects.
+type HTTP01ProxyList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+	Items           []HTTP01Proxy `json:"items"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:path=http01proxies,scope=Namespaced,categories={cert-manager-operator},shortName=http01proxy
+// +kubebuilder:printcolumn:name="Mode",type="string",JSONPath=".spec.mode"
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
+// +kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].message"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:metadata:labels={"app.kubernetes.io/name=http01proxy", "app.kubernetes.io/part-of=cert-manager-operator"}
+
+// HTTP01Proxy describes the configuration for the HTTP01 challenge proxy
+// that redirects traffic from the API endpoint on port 80 to ingress routers.
+// This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.
+// The name must be `default` to make HTTP01Proxy a singleton.
+//
+// When an HTTP01Proxy is created, the proxy DaemonSet is deployed on control plane nodes.
+//
+// +kubebuilder:validation:XValidation:rule="self.metadata.name == 'default'",message="http01proxy is a singleton, .metadata.name must be 'default'"
+// +operator-sdk:csv:customresourcedefinitions:displayName="HTTP01Proxy"
+type HTTP01Proxy struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec is the specification of the desired behavior of the HTTP01Proxy.
+	// +kubebuilder:validation:Required
+	// +required
+	Spec HTTP01ProxySpec `json:"spec"`
+
+	// status is the most recently observed status of the HTTP01Proxy.
+	// +kubebuilder:validation:Optional
+	// +optional
+	Status HTTP01ProxyStatus `json:"status,omitempty"`
+}
+
+// HTTP01ProxyMode controls how the HTTP01 challenge proxy is deployed.
+// +kubebuilder:validation:Enum=DefaultDeployment;CustomDeployment
+type HTTP01ProxyMode string
+
+const (
+	// HTTP01ProxyModeDefault enables the proxy with default configuration.
+	HTTP01ProxyModeDefault HTTP01ProxyMode = "DefaultDeployment"
+
+	// HTTP01ProxyModeCustom enables the proxy with user-specified configuration.
+	HTTP01ProxyModeCustom HTTP01ProxyMode = "CustomDeployment"
+)
+
+// HTTP01ProxySpec is the specification of the desired behavior of the HTTP01Proxy.
+// +kubebuilder:validation:XValidation:rule="self.mode == 'CustomDeployment' ? has(self.customDeployment) : !has(self.customDeployment)",message="customDeployment is required when mode is CustomDeployment and forbidden otherwise"
+type HTTP01ProxySpec struct {
+	// mode controls whether the HTTP01 challenge proxy is active and how it should be deployed.
+	// DefaultDeployment enables the proxy with default configuration.
+	// CustomDeployment enables the proxy with user-specified configuration.
+	// +kubebuilder:validation:Required
+	// +required
+	Mode HTTP01ProxyMode `json:"mode"`
+
+	// customDeployment contains configuration options when mode is CustomDeployment.
+	// This field is only valid when mode is CustomDeployment.
+	// +kubebuilder:validation:Optional
+	// +optional
+	CustomDeployment *HTTP01ProxyCustomDeploymentSpec `json:"customDeployment,omitempty"`
+}
+
+// HTTP01ProxyCustomDeploymentSpec contains configuration for custom proxy deployment.
+type HTTP01ProxyCustomDeploymentSpec struct {
+	// internalPort specifies the internal port used by the proxy service.
+	// Valid values are 1024-65535.
+	// +kubebuilder:validation:Minimum=1024
+	// +kubebuilder:validation:Maximum=65535
+	// +kubebuilder:default=8888
+	// +optional
+	InternalPort int32 `json:"internalPort,omitempty"`
+}
+
+// HTTP01ProxyStatus is the most recently observed status of the HTTP01Proxy.
+type HTTP01ProxyStatus struct {
+	// conditions holds information about the current state of the HTTP01 proxy deployment.
+	ConditionalStatus `json:",inline,omitempty"`
+
+	// proxyImage is the name of the image and the tag used for deploying the proxy.
+	ProxyImage string `json:"proxyImage,omitempty"`
+}

api/operator/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,34 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-http01-proxy
+  labels:
+    app: cert-manager-http01-proxy
+    app.kubernetes.io/name: cert-manager-http01-proxy
+    app.kubernetes.io/part-of: cert-manager-operator
+rules:
+  - apiGroups:
+      - config.openshift.io
+    resources:
+      - clusterversions
+      - infrastructures
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - operator.openshift.io
+    resources:
+      - machineconfigurations
+    verbs:
+      - update
+  - apiGroups:
+      - machineconfiguration.openshift.io
+    resources:
+      - machineconfigs
+    verbs:
+      - get
+      - list
+      - create
+      - update

bindata/http01-proxy/cert-manager-http01-proxy-clusterrole.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-http01-proxy
+  labels:
+    app: cert-manager-http01-proxy
+    app.kubernetes.io/name: cert-manager-http01-proxy
+    app.kubernetes.io/part-of: cert-manager-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-http01-proxy
+subjects:
+  - kind: ServiceAccount
+    name: cert-manager-http01-proxy
+    namespace: cert-manager-operator

bindata/http01-proxy/cert-manager-http01-proxy-clusterrolebinding.yaml

@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: cert-manager-http01-proxy
+  namespace: cert-manager-operator
+  labels:
+    app: cert-manager-http01-proxy
+    app.kubernetes.io/name: cert-manager-http01-proxy
+    app.kubernetes.io/part-of: cert-manager-operator
+spec:
+  selector:
+    matchLabels:
+      app: cert-manager-http01-proxy
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: cert-manager-http01-proxy
+        app.kubernetes.io/name: cert-manager-http01-proxy
+        app.kubernetes.io/part-of: cert-manager-operator
+    spec:
+      serviceAccountName: cert-manager-http01-proxy
+      hostNetwork: true
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+          effect: NoSchedule
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: NoSchedule
+      containers:
+        - name: http01-proxy
+          image: ${RELATED_IMAGE_CERT_MANAGER_HTTP01PROXY}
+          ports:
+            - name: proxy
+              containerPort: 8888
+              hostPort: 8888
+              protocol: TCP
+          env:
+            - name: PROXY_PORT
+              value: "8888"
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+              drop:
+                - ALL
+            runAsNonRoot: false
+          resources:
+            requests:
+              cpu: 10m
+              memory: 32Mi
+            limits:
+              cpu: 100m
+              memory: 64Mi
+      priorityClassName: system-cluster-critical

bindata/http01-proxy/cert-manager-http01-proxy-daemonset.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-http01-proxy-scc
+  labels:
+    app: cert-manager-http01-proxy
+    app.kubernetes.io/name: cert-manager-http01-proxy
+    app.kubernetes.io/part-of: cert-manager-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:privileged
+subjects:
+  - kind: ServiceAccount
+    name: cert-manager-http01-proxy
+    namespace: cert-manager-operator

bindata/http01-proxy/cert-manager-http01-proxy-scc-rolebinding.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-manager-http01-proxy
+  namespace: cert-manager-operator
+  labels:
+    app: cert-manager-http01-proxy
+    app.kubernetes.io/name: cert-manager-http01-proxy
+    app.kubernetes.io/part-of: cert-manager-operator