UPSTREAM: <carry>: generate and mount service-ca server cert

joelanford · ci-robot · commit c9cbfa6ca169 · 2025-02-14T03:35:09.000Z
Signed-off-by: Joe Lanford &lt;joe.lanford@gmail.com&gt;
diff --git a/openshift/kustomize/overlays/openshift/olmv1-ns/kustomization.yaml b/openshift/kustomize/overlays/openshift/olmv1-ns/kustomization.yaml
@@ -7,6 +7,10 @@ resources:
   - ../../../../../config/base/manager
 
 patches:
+  - target:
+      kind: Service
+      name: service
+    path: patches/manager_service.yaml
   - target:
       kind: ClusterRole
       name: manager-role
@@ -15,6 +19,10 @@ patches:
       kind: Deployment
       name: controller-manager
     path: patches/manager_deployment_ca.yaml
+  - target:
+      kind: Deployment
+      name: controller-manager
+    path: patches/manager_deployment_certs.yaml
   - target:
       kind: Deployment
       name: controller-manager
diff --git a/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml b/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml
@@ -0,0 +1,12 @@
+- op: add
+  path: /spec/template/spec/volumes/-
+  value: {"name":"operator-controller-certs", "secret":{"optional":false,"secretName":"operator-controller-cert"}}
+- op: add
+  path: /spec/template/spec/containers/0/volumeMounts/-
+  value: {"name":"operator-controller-certs", "mountPath":"/var/certs"}
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: "--tls-cert=/var/certs/tls.crt"
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: "--tls-key=/var/certs/tls.key"
diff --git a/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_service.yaml b/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_service.yaml
@@ -0,0 +1,4 @@
+- op: add
+  path: /metadata/annotations
+  value:
+    service.beta.openshift.io/serving-cert-secret-name: operator-controller-cert
diff --git a/openshift/manifests/18-service-openshift-operator-controller-operator-controller-service.yml b/openshift/manifests/18-service-openshift-operator-controller-operator-controller-service.yml
@@ -2,6 +2,8 @@
 apiVersion: v1
 kind: Service
 metadata:
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: operator-controller-cert
   labels:
     control-plane: operator-controller-controller-manager
   name: operator-controller-service
diff --git a/openshift/manifests/19-deployment-openshift-operator-controller-operator-controller-controller-manager.yml b/openshift/manifests/19-deployment-openshift-operator-controller-operator-controller-controller-manager.yml
@@ -44,6 +44,8 @@ spec:
             - --metrics-bind-address=:8443
             - --leader-elect
             - --ca-certs-dir=/run/secrets/kubernetes.io/serviceaccount
+            - --tls-cert=/var/certs/tls.crt
+            - --tls-key=/var/certs/tls.key
             - --v=${LOG_VERBOSITY}
             - --global-pull-secret=openshift-config/pull-secret
           command:
@@ -76,6 +78,8 @@ spec:
           volumeMounts:
             - mountPath: /var/cache
               name: cache
+            - mountPath: /var/certs
+              name: operator-controller-certs
             - mountPath: /etc/containers
               name: etc-containers
               readOnly: true
@@ -103,6 +107,10 @@ spec:
       volumes:
         - emptyDir: {}
           name: cache
+        - name: operator-controller-certs
+          secret:
+            optional: false
+            secretName: operator-controller-cert
         - hostPath:
             path: /etc/containers
             type: Directory

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +- op: add
 +  path: /metadata/annotations
 +  value:
 +    service.beta.openshift.io/serving-cert-secret-name: operator-controller-cert