UPSTREAM: <carry>: Add support for proxy trustedCAs

tmshort · ci-robot · commit 60020674c3d6 · 2025-02-15T00:07:02.000Z
Just map the list of trusted ca certs into the deployment

Signed-off-by: Todd Short &lt;todd.short@me.com&gt;
diff --git a/openshift/kustomize/overlays/openshift/olmv1-ns/kustomization.yaml b/openshift/kustomize/overlays/openshift/olmv1-ns/kustomization.yaml
@@ -5,6 +5,7 @@ resources:
   - ../../../../../config/base/crd
   - ../../../../../config/base/rbac
   - ../../../../../config/base/manager
+  - trusted-ca/operator_controller_trusted_ca_configmap.yaml
 
 patches:
   - target:
@@ -15,10 +16,6 @@ patches:
       kind: ClusterRole
       name: manager-role
     path: patches/manager_role.yaml
-  - target:
-      kind: Deployment
-      name: controller-manager
-    path: patches/manager_deployment_ca.yaml
   - target:
       kind: Deployment
       name: controller-manager
diff --git a/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_ca.yaml b/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_ca.yaml
diff --git a/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml b/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml
@@ -1,12 +1,27 @@
 - op: add
   path: /spec/template/spec/volumes/-
   value: {"name":"operator-controller-certs", "secret":{"optional":false,"secretName":"operator-controller-cert"}}
+- op: add
+  path: /spec/template/spec/volumes/-
+  value: {"name":"trusted-ca-bundle", "configMap":{"optional":false,"name":"trusted-ca-bundle"}}
+- op: add
+  path: /spec/template/spec/volumes/-
+  value: {"name":"service-ca", "configMap":{"optional":false,"name":"openshift-service-ca.crt"}}
 - op: add
   path: /spec/template/spec/containers/0/volumeMounts/-
   value: {"name":"operator-controller-certs", "mountPath":"/var/certs"}
+- op: add
+  path: /spec/template/spec/containers/0/volumeMounts/-
+  value: {"name":"trusted-ca-bundle", "mountPath":"/var/trusted-cas/ca-bundle.crt", "subPath":"ca-bundle.crt" }
+- op: add
+  path: /spec/template/spec/containers/0/volumeMounts/-
+  value: {"name":"service-ca", "mountPath":"/var/trusted-cas/service-ca.crt", "subPath":"service-ca.crt" }
 - op: add
   path: /spec/template/spec/containers/0/args/-
   value: "--tls-cert=/var/certs/tls.crt"
 - op: add
   path: /spec/template/spec/containers/0/args/-
   value: "--tls-key=/var/certs/tls.key"
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: "--ca-certs-dir=/var/trusted-cas"
diff --git a/openshift/kustomize/overlays/openshift/olmv1-ns/trusted-ca/operator_controller_trusted_ca_configmap.yaml b/openshift/kustomize/overlays/openshift/olmv1-ns/trusted-ca/operator_controller_trusted_ca_configmap.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    config.openshift.io/inject-trusted-cabundle: "true"
+  name: trusted-ca-bundle
diff --git a/openshift/manifests/18-configmap-openshift-operator-controller-operator-controller-trusted-ca-bundle.yml b/openshift/manifests/18-configmap-openshift-operator-controller-operator-controller-trusted-ca-bundle.yml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    config.openshift.io/inject-trusted-cabundle: "true"
+  name: operator-controller-trusted-ca-bundle
+  namespace: openshift-operator-controller
diff --git a/openshift/manifests/19-service-openshift-operator-controller-operator-controller-service.yml b/openshift/manifests/19-service-openshift-operator-controller-operator-controller-service.yml
diff --git a/openshift/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml b/openshift/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml
@@ -43,9 +43,9 @@ spec:
             - --health-probe-bind-address=:8081
             - --metrics-bind-address=:8443
             - --leader-elect
-            - --ca-certs-dir=/run/secrets/kubernetes.io/serviceaccount
             - --tls-cert=/var/certs/tls.crt
             - --tls-key=/var/certs/tls.key
+            - --ca-certs-dir=/var/trusted-cas
             - --v=${LOG_VERBOSITY}
             - --global-pull-secret=openshift-config/pull-secret
           command:
@@ -80,6 +80,12 @@ spec:
               name: cache
             - mountPath: /var/certs
               name: operator-controller-certs
+            - mountPath: /var/trusted-cas/ca-bundle.crt
+              name: trusted-ca-bundle
+              subPath: ca-bundle.crt
+            - mountPath: /var/trusted-cas/service-ca.crt
+              name: service-ca
+              subPath: service-ca.crt
             - mountPath: /etc/containers
               name: etc-containers
               readOnly: true
@@ -111,6 +117,14 @@ spec:
           secret:
             optional: false
             secretName: operator-controller-cert
+        - configMap:
+            name: operator-controller-trusted-ca-bundle
+            optional: false
+          name: trusted-ca-bundle
+        - configMap:
+            name: openshift-service-ca.crt
+            optional: false
+          name: service-ca
         - hostPath:
             path: /etc/containers
             type: Directory
