Closed
Expand Up @@ -3,25 +3,19 @@
value: {"name":"catalogserver-certs", "secret":{"optional":false,"secretName":"catalogserver-cert"}}
- op: add
path: /spec/template/spec/volumes/-
value: {"name":"trusted-ca-bundle", "configMap":{"optional":false,"name":"trusted-ca-bundle", "items":[{"key":"ca-bundle.crt","path":"ca-bundle.crt"}]}}
- op: add
path: /spec/template/spec/volumes/-
value: {"name":"service-ca", "configMap":{"optional":false,"name":"openshift-service-ca.crt", "items":[{"key":"service-ca.crt","path":"service-ca.crt"}]}}
value: {"name":"ca-certs", "projected": {"sources":[{"configMap":{"optional":false,"name":"trusted-ca-bundle", "items":[{"key":"ca-bundle.crt","path":"ca-bundle.crt"}]}},{"configMap":{"optional":false,"name":"openshift-service-ca.crt", "items":[{"key":"service-ca.crt","path":"service-ca.crt"}]}}]}}
- op: add
path: /spec/template/spec/containers/0/volumeMounts/-
value: {"name":"catalogserver-certs", "mountPath":"/var/certs"}
- op: add
path: /spec/template/spec/containers/0/volumeMounts/-
value: {"name":"trusted-ca-bundle", "mountPath":"/var/trusted-cas/ca-bundle.crt", "subPath":"ca-bundle.crt"}
- op: add
path: /spec/template/spec/containers/0/volumeMounts/-
value: {"name":"service-ca", "mountPath":"/var/trusted-cas/service-ca.crt", "subPath":"service-ca.crt"}
value: {"name":"ca-certs", "mountPath":"/var/ca-certs", "readOnly": true}
- op: add
path: /spec/template/spec/containers/0/args/-
value: "--tls-cert=/var/certs/tls.crt"
- op: add
path: /spec/template/spec/containers/0/args/-
value: "--tls-key=/var/certs/tls.key"
- op: add
path: /spec/template/spec/containers/0/args/-
value: "--ca-certs-dir=/var/trusted-cas"
Contributor


Why are we changing the name here?

Member Author


Avoid confusion since trusted-ca-bundle and service-ca are combined?

Member Author


But I don't have a strong opinion here, especially if we're going to end up splitting these up and using separate flags for various CA usages.

Contributor


But they were combined before. The latest solution I have avoids the use of the flags...

path: /spec/template/spec/containers/0/env
value: [{"name":"SSL_CERT_DIR", "value":"/var/ca-certs"}]
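Review bot: The last operation in this patch adds `/spec/template/spec/containers/0/env` as a whole list, and a JSON Patch `add` on an object member that already exists replaces its value, so any `env` entries the base Deployment defines on container 0 (now or later) would be dropped without an error. The base manifest is not visible here, so this may be harmless today, but it deserves a comment above the operation such as `# replaces the whole env list; switch to /env/- once the base defines env`. The operator-controller patch ends with the same operation.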
Expand Up @@ -46,11 +46,13 @@ spec:
- --external-address=catalogd-service.openshift-catalogd.svc
- --tls-cert=/var/certs/tls.crt
- --tls-key=/var/certs/tls.key
- --ca-certs-dir=/var/trusted-cas
- --v=${LOG_VERBOSITY}
- --global-pull-secret=openshift-config/pull-secret
command:
- ./catalogd
env:
- name: SSL_CERT_DIR
value: /var/ca-certs
image: ${CATALOGD_IMAGE}
imagePullPolicy: IfNotPresent
livenessProbe:
Expand Down Expand Up @@ -81,12 +83,9 @@ spec:
name: cache
- mountPath: /var/certs
name: catalogserver-certs
- mountPath: /var/trusted-cas/ca-bundle.crt
name: trusted-ca-bundle
subPath: ca-bundle.crt
- mountPath: /var/trusted-cas/service-ca.crt
name: service-ca
subPath: service-ca.crt
- mountPath: /var/ca-certs
name: ca-certs
readOnly: true
- mountPath: /etc/containers
name: etc-containers
readOnly: true
Expand Down Expand Up @@ -121,20 +120,21 @@ spec:
secret:
optional: false
secretName: catalogserver-cert
- configMap:
items:
- key: ca-bundle.crt
path: ca-bundle.crt
name: catalogd-trusted-ca-bundle
optional: false
name: trusted-ca-bundle
- configMap:
items:
- key: service-ca.crt
path: service-ca.crt
name: openshift-service-ca.crt
optional: false
name: service-ca
- name: ca-certs
projected:
sources:
- configMap:
items:
- key: ca-bundle.crt
path: ca-bundle.crt
name: catalogd-trusted-ca-bundle
optional: false
- configMap:
items:
- key: service-ca.crt
path: service-ca.crt
name: openshift-service-ca.crt
optional: false
- hostPath:
path: /etc/containers
type: Directory
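Review bot: Setting `SSL_CERT_DIR` in the container env moves CA trust from an application flag to the process-wide system pool, and nothing in this manifest shows how the binary reacts when the projected ConfigMaps change. Go's `crypto/x509` reads `SSL_CERT_DIR` once when the system pool is first built and caches the result, so if catalogd now relies on `x509.SystemCertPool()` a rotated or withdrawn CA in `catalogd-trusted-ca-bundle` would only take effect after a pod restart, even though the directory mount (unlike the old `subPath` mounts) does receive updates. In Go the variable also replaces only the default certificate directories, so the image's own bundle file is presumably still trusted alongside `/var/ca-certs`. It would help to state the intended trust set and reload behaviour next to the env entry, e.g. `# CA trust: image bundle + /var/ca-certs; restart required after CA rotation`. The operator-controller manifest carries the same env entry.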
Expand Up @@ -3,25 +3,19 @@
value: {"name":"operator-controller-certs", "secret":{"optional":false,"secretName":"operator-controller-cert"}}
- op: add
path: /spec/template/spec/volumes/-
value: {"name":"trusted-ca-bundle", "configMap":{"optional":false,"name":"trusted-ca-bundle", "items":[{"key":"ca-bundle.crt","path":"ca-bundle.crt"}]}}
- op: add
path: /spec/template/spec/volumes/-
value: {"name":"service-ca", "configMap":{"optional":false,"name":"openshift-service-ca.crt", "items":[{"key":"service-ca.crt","path":"service-ca.crt"}]}}
value: {"name":"ca-certs", "projected": {"sources":[{"configMap":{"optional":false,"name":"trusted-ca-bundle", "items":[{"key":"ca-bundle.crt","path":"ca-bundle.crt"}]}},{"configMap":{"optional":false,"name":"openshift-service-ca.crt", "items":[{"key":"service-ca.crt","path":"service-ca.crt"}]}}]}}
- op: add
path: /spec/template/spec/containers/0/volumeMounts/-
value: {"name":"operator-controller-certs", "mountPath":"/var/certs"}
- op: add
path: /spec/template/spec/containers/0/volumeMounts/-
value: {"name":"trusted-ca-bundle", "mountPath":"/var/trusted-cas/ca-bundle.crt", "subPath":"ca-bundle.crt" }
- op: add
path: /spec/template/spec/containers/0/volumeMounts/-
value: {"name":"service-ca", "mountPath":"/var/trusted-cas/service-ca.crt", "subPath":"service-ca.crt" }
value: {"name":"ca-certs", "mountPath":"/var/ca-certs", "readOnly": true}
- op: add
path: /spec/template/spec/containers/0/args/-
value: "--tls-cert=/var/certs/tls.crt"
- op: add
path: /spec/template/spec/containers/0/args/-
value: "--tls-key=/var/certs/tls.key"
- op: add
path: /spec/template/spec/containers/0/args/-
value: "--ca-certs-dir=/var/trusted-cas"
path: /spec/template/spec/containers/0/env
value: [{"name":"SSL_CERT_DIR", "value":"/var/ca-certs"}]
Expand Up @@ -45,11 +45,13 @@ spec:
- --leader-elect
- --tls-cert=/var/certs/tls.crt
- --tls-key=/var/certs/tls.key
- --ca-certs-dir=/var/trusted-cas
- --v=${LOG_VERBOSITY}
- --global-pull-secret=openshift-config/pull-secret
command:
- /operator-controller
env:
- name: SSL_CERT_DIR
value: /var/ca-certs
image: ${OPERATOR_CONTROLLER_IMAGE}
imagePullPolicy: IfNotPresent
livenessProbe:
Expand Down Expand Up @@ -80,12 +82,9 @@ spec:
name: cache
- mountPath: /var/certs
name: operator-controller-certs
- mountPath: /var/trusted-cas/ca-bundle.crt
name: trusted-ca-bundle
subPath: ca-bundle.crt
- mountPath: /var/trusted-cas/service-ca.crt
name: service-ca
subPath: service-ca.crt
- mountPath: /var/ca-certs
name: ca-certs
readOnly: true
- mountPath: /etc/containers
name: etc-containers
readOnly: true
Expand Down Expand Up @@ -120,20 +119,21 @@ spec:
secret:
optional: false
secretName: operator-controller-cert
- configMap:
items:
- key: ca-bundle.crt
path: ca-bundle.crt
name: operator-controller-trusted-ca-bundle
optional: false
name: trusted-ca-bundle
- configMap:
items:
- key: service-ca.crt
path: service-ca.crt
name: openshift-service-ca.crt
optional: false
name: service-ca
- name: ca-certs
projected:
sources:
- configMap:
items:
- key: ca-bundle.crt
path: ca-bundle.crt
name: operator-controller-trusted-ca-bundle
optional: false
- configMap:
items:
- key: service-ca.crt
path: service-ca.crt
name: openshift-service-ca.crt
optional: false
- hostPath:
path: /etc/containers
type: Directory