
Commit 789cbab

joelanfordci-robot
authored andcommitted
UPSTREAM: <carry>: use projected volume for CAs to avoid subPath limitations
Signed-off-by: Joe Lanford <[email protected]>
1 parent a264c15 commit 789cbab

4 files changed

+62
-64
lines changed

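--- a/<path not shown on this page>
+++ b/<path not shown on this page>
@@ -1,27 +1,21 @@
 - op: add
 path: /spec/template/spec/volumes/-
-value: {"name":"catalogserver-certs", "secret":{"optional":false,"secretName":"catalogserver-cert"}}
+value: {"name":"catalogserver-certs", "secret":{"optional":false,"secretName":"catalogserver-cert","items":[{"key":"tls.crt","path":"tls.crt"},{"key":"tls.key","path":"tls.key"}]}}
 - op: add
 path: /spec/template/spec/volumes/-
-value: {"name":"trusted-ca-bundle", "configMap":{"optional":false,"name":"trusted-ca-bundle", "items":[{"key":"ca-bundle.crt","path":"ca-bundle.crt"}]}}
-- op: add
-path: /spec/template/spec/volumes/-
-value: {"name":"service-ca", "configMap":{"optional":false,"name":"openshift-service-ca.crt", "items":[{"key":"service-ca.crt","path":"service-ca.crt"}]}}
+value: {"name":"ca-certs", "projected": {"sources":[{"configMap":{"optional":false,"name":"trusted-ca-bundle", "items":[{"key":"ca-bundle.crt","path":"ca-bundle.crt"}]}},{"configMap":{"optional":false,"name":"openshift-service-ca.crt", "items":[{"key":"service-ca.crt","path":"service-ca.crt"}]}}]}}
 - op: add
 path: /spec/template/spec/containers/0/volumeMounts/-
 value: {"name":"catalogserver-certs", "mountPath":"/var/certs"}
 - op: add
 path: /spec/template/spec/containers/0/volumeMounts/-
-value: {"name":"trusted-ca-bundle", "mountPath":"/var/trusted-cas/ca-bundle.crt", "subPath":"ca-bundle.crt"}
-- op: add
-path: /spec/template/spec/containers/0/volumeMounts/-
-value: {"name":"service-ca", "mountPath":"/var/trusted-cas/service-ca.crt", "subPath":"service-ca.crt"}
+value: {"name":"ca-certs", "mountPath":"/var/ca-certs", "readOnly": true}
 - op: add
 path: /spec/template/spec/containers/0/args/-
 value: "--tls-cert=/var/certs/tls.crt"
 - op: add
 path: /spec/template/spec/containers/0/args/-
 value: "--tls-key=/var/certs/tls.key"
 - op: add
-path: /spec/template/spec/containers/0/args/-
-value: "--ca-certs-dir=/var/trusted-cas"
+path: /spec/template/spec/containers/0/env
+value: [{"name":"SSL_CERT_DIR", "value":"/var/ca-certs"}]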
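Review bot: The final operation now targets `/spec/template/spec/containers/0/env` with `op: add`, and under RFC 6902 an `add` on an existing object member replaces the whole value rather than appending, so any `env` entries the base deployment already carries or later gains would be silently replaced by the single `SSL_CERT_DIR` entry. The rendered catalogd deployment in this commit shows `env:` being created fresh, so this presumably works today, but the coupling to "base has no env" is invisible at the patch site. A one-line comment above the operation would make that explicit, e.g. `# "add" on /env replaces the list wholesale; base deployment carries no env entries (switch to /env/- if it ever does)`. The operator-controller patch file (third file section) has the same operation and would benefit from the same comment.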

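--- a/openshift/catalogd/manifests/14-deployment-openshift-catalogd-catalogd-controller-manager.yml
+++ b/openshift/catalogd/manifests/14-deployment-openshift-catalogd-catalogd-controller-manager.yml
@@ -46,11 +46,13 @@ spec:
 - --external-address=catalogd-service.openshift-catalogd.svc
 - --tls-cert=/var/certs/tls.crt
 - --tls-key=/var/certs/tls.key
-- --ca-certs-dir=/var/trusted-cas
 - --v=${LOG_VERBOSITY}
 - --global-pull-secret=openshift-config/pull-secret
 command:
 - ./catalogd
+env:
+- name: SSL_CERT_DIR
+value: /var/ca-certs
 image: ${CATALOGD_IMAGE}
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -81,12 +83,9 @@ spec:
 name: cache
 - mountPath: /var/certs
 name: catalogserver-certs
-- mountPath: /var/trusted-cas/ca-bundle.crt
-name: trusted-ca-bundle
-subPath: ca-bundle.crt
-- mountPath: /var/trusted-cas/service-ca.crt
-name: service-ca
-subPath: service-ca.crt
+- mountPath: /var/ca-certs
+name: ca-certs
+readOnly: true
 - mountPath: /etc/containers
 name: etc-containers
 readOnly: true
@@ -119,22 +118,28 @@ spec:
 name: cache
 - name: catalogserver-certs
 secret:
-optional: false
-secretName: catalogserver-cert
-- configMap:
 items:
-- key: ca-bundle.crt
-path: ca-bundle.crt
-name: catalogd-trusted-ca-bundle
+- key: tls.crt
+path: tls.crt
+- key: tls.key
+path: tls.key
 optional: false
-name: trusted-ca-bundle
-- configMap:
-items:
-- key: service-ca.crt
-path: service-ca.crt
-name: openshift-service-ca.crt
-optional: false
-name: service-ca
+secretName: catalogserver-cert
+- name: ca-certs
+projected:
+sources:
+- configMap:
+items:
+- key: ca-bundle.crt
+path: ca-bundle.crt
+name: catalogd-trusted-ca-bundle
+optional: false
+- configMap:
+items:
+- key: service-ca.crt
+path: service-ca.crt
+name: openshift-service-ca.crt
+optional: false
 - hostPath:
 path: /etc/containers
 type: Directory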
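Review bot: Swapping `--ca-certs-dir=/var/trusted-cas` for `SSL_CERT_DIR=/var/ca-certs` (first hunk) changes how the trust store is assembled, and the new scope deserves an explicit decision. Go's crypto/x509 treats SSL_CERT_DIR as overriding only the default certificate directories and still reads the default bundle files (such as an /etc/ssl/certs bundle shipped in the image), so the effective roots are presumably the union of the image's system bundle and the two projected ConfigMaps rather than only the operator-managed CAs, and the variable is honoured only by clients that use the system pool, so any TLS client built with an explicit RootCAs would ignore it. Go also loads system roots once per process, so if moving off subPath is meant to pick up rotated CAs without a restart, a pod restart trigger is presumably still required. A short comment beside the env entry stating which roots are expected to be trusted would help, e.g. `# SSL_CERT_DIR extends (not replaces) the image's default CA bundle; roots are read once at process start`. The same applies to the operator-controller deployment (fourth file section).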
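--- a/<path not shown on this page>
+++ b/<path not shown on this page>
@@ -1,27 +1,21 @@
 - op: add
 path: /spec/template/spec/volumes/-
-value: {"name":"operator-controller-certs", "secret":{"optional":false,"secretName":"operator-controller-cert"}}
+value: {"name":"operator-controller-certs", "secret":{"optional":false,"secretName":"operator-controller-cert","items":[{"key":"tls.crt","path":"tls.crt"},{"key":"tls.key","path":"tls.key"}]}}
 - op: add
 path: /spec/template/spec/volumes/-
-value: {"name":"trusted-ca-bundle", "configMap":{"optional":false,"name":"trusted-ca-bundle", "items":[{"key":"ca-bundle.crt","path":"ca-bundle.crt"}]}}
-- op: add
-path: /spec/template/spec/volumes/-
-value: {"name":"service-ca", "configMap":{"optional":false,"name":"openshift-service-ca.crt", "items":[{"key":"service-ca.crt","path":"service-ca.crt"}]}}
+value: {"name":"ca-certs", "projected": {"sources":[{"configMap":{"optional":false,"name":"trusted-ca-bundle", "items":[{"key":"ca-bundle.crt","path":"ca-bundle.crt"}]}},{"configMap":{"optional":false,"name":"openshift-service-ca.crt", "items":[{"key":"service-ca.crt","path":"service-ca.crt"}]}}]}}
 - op: add
 path: /spec/template/spec/containers/0/volumeMounts/-
 value: {"name":"operator-controller-certs", "mountPath":"/var/certs"}
 - op: add
 path: /spec/template/spec/containers/0/volumeMounts/-
-value: {"name":"trusted-ca-bundle", "mountPath":"/var/trusted-cas/ca-bundle.crt", "subPath":"ca-bundle.crt" }
-- op: add
-path: /spec/template/spec/containers/0/volumeMounts/-
-value: {"name":"service-ca", "mountPath":"/var/trusted-cas/service-ca.crt", "subPath":"service-ca.crt" }
+value: {"name":"ca-certs", "mountPath":"/var/ca-certs", "readOnly": true}
 - op: add
 path: /spec/template/spec/containers/0/args/-
 value: "--tls-cert=/var/certs/tls.crt"
 - op: add
 path: /spec/template/spec/containers/0/args/-
 value: "--tls-key=/var/certs/tls.key"
 - op: add
-path: /spec/template/spec/containers/0/args/-
-value: "--ca-certs-dir=/var/trusted-cas"
+path: /spec/template/spec/containers/0/env
+value: [{"name":"SSL_CERT_DIR", "value":"/var/ca-certs"}]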

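--- a/openshift/operator-controller/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml
+++ b/openshift/operator-controller/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml
@@ -45,11 +45,13 @@ spec:
 - --leader-elect
 - --tls-cert=/var/certs/tls.crt
 - --tls-key=/var/certs/tls.key
-- --ca-certs-dir=/var/trusted-cas
 - --v=${LOG_VERBOSITY}
 - --global-pull-secret=openshift-config/pull-secret
 command:
 - /operator-controller
+env:
+- name: SSL_CERT_DIR
+value: /var/ca-certs
 image: ${OPERATOR_CONTROLLER_IMAGE}
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -80,12 +82,9 @@ spec:
 name: cache
 - mountPath: /var/certs
 name: operator-controller-certs
-- mountPath: /var/trusted-cas/ca-bundle.crt
-name: trusted-ca-bundle
-subPath: ca-bundle.crt
-- mountPath: /var/trusted-cas/service-ca.crt
-name: service-ca
-subPath: service-ca.crt
+- mountPath: /var/ca-certs
+name: ca-certs
+readOnly: true
 - mountPath: /etc/containers
 name: etc-containers
 readOnly: true
@@ -118,22 +117,28 @@ spec:
 name: cache
 - name: operator-controller-certs
 secret:
-optional: false
-secretName: operator-controller-cert
-- configMap:
 items:
-- key: ca-bundle.crt
-path: ca-bundle.crt
-name: operator-controller-trusted-ca-bundle
+- key: tls.crt
+path: tls.crt
+- key: tls.key
+path: tls.key
 optional: false
-name: trusted-ca-bundle
-- configMap:
-items:
-- key: service-ca.crt
-path: service-ca.crt
-name: openshift-service-ca.crt
-optional: false
-name: service-ca
+secretName: operator-controller-cert
+- name: ca-certs
+projected:
+sources:
+- configMap:
+items:
+- key: ca-bundle.crt
+path: ca-bundle.crt
+name: operator-controller-trusted-ca-bundle
+optional: false
+- configMap:
+items:
+- key: service-ca.crt
+path: service-ca.crt
+name: openshift-service-ca.crt
+optional: false
 - hostPath:
 path: /etc/containers
 type: Directory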
