Skip to content

🐛 Fix webhook cert duplicate volume mount path bug #2002

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jun 2, 2025
Merged

🐛 Fix webhook cert duplicate volume mount path bug #2002

merged 3 commits into from
Jun 2, 2025

Conversation

@perdasilva
Copy link
Contributor

Description

  1. Removes the APIService volume mount - since we don't yet support APIServices (let's avoid adding things that aren't needed yet)
  2. Moves the tls.crt and tls.key magic strings to constants
  3. Addresses the following bug:

When installing the Red Hat Network Observability operator, we were faced with the following error:

"error for resolved bundle \"network-observability-operator.v1.7.0\" with version \"1.7.0\": failed to create resource: Deployment.apps \"netobserv-controller-manager\" is invalid: spec.template.spec.containers[0].volumeMounts[2].mountPath: Invalid value: \"/tmp/k8s-webhook-server/serving-certs\": must be unique",

The root cause is related to the operator's Deployment's Pod template spec described in the CSV that included a volume mount pointing to the webhook certificate volume mount path (but had a different name than 'webhook-cert'):

volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
  name: cert
  readOnly: true

This PR updates the bundle deployment generator to replace any volume/mount referencing a protected path with the OLM generated values.

Before fixes, OLMv1 generated a deployment like:

volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
  name: cert
- mountPath: /etc/tls/private
  name: manager-metric-tls
  readOnly: true
- mountPath: /apiserver.local.config/certificates
  name: apiservice-cert
- mountPath: /tmp/k8s-webhook-server/serving-certs
  name: webhook-cert

volumes:
- name: cert
  secret:
    defaultMode: 420
    secretName: webhook-server-cert
- name: manager-metric-tls
  secret:
    defaultMode: 420
    secretName: manager-metrics-tls
- name: apiservice-cert
  secret:
    items:
    - key: tls.crt
      path: apiserver.crt
    - key: tls.key
      path: apiserver.key
    secretName: netobserv-controller-manager-service-cert
- name: webhook-cert
  secret:
    items:
    - key: tls.crt
      path: tls.crt
    - key: tls.key
      path: tls.key
    secretName: netobserv-controller-manager-service-cert

Now, it looks like:

volumeMounts:
- mountPath: /etc/tls/private
  name: manager-metric-tls
  readOnly: true
- mountPath: /tmp/k8s-webhook-server/serving-certs
  name: webhook-cert

volumes:
- name: manager-metric-tls
  secret:
    defaultMode: 420
    secretName: manager-metrics-tls
- name: webhook-cert
  secret:
    items:
    - key: tls.crt
      path: tls.crt
    - key: tls.key
      path: tls.key
    secretName: netobserv-controller-manager-service-cert

Reviewer Checklist

  • API Go Documentation
  • Tests: Unit Tests (and E2E Tests, if appropriate)
  • Comprehensive Commit Messages
  • Links to related GitHub Issue(s)

Per Goncalves da Silva added 3 commits June 2, 2025 12:46
Remove api-service certificate volume from operator deployment
c4fb011 
Signed-off-by: Per Goncalves da Silva <pegoncal@redhat.com>
Add tls.crt and tls.key constants
ca311f1 
Signed-off-by: Per Goncalves da Silva <pegoncal@redhat.com>
Ensure volumes with volume mounts referencing protected cert paths ge…
91dc9a1 
…t replaced

Signed-off-by: Per Goncalves da Silva <pegoncal@redhat.com>
@perdasilva perdasilva requested a review from a team as a code owner June 2, 2025 11:27
@openshift-ci openshift-ci bot requested review from gavinmbell and kevinrizza June 2, 2025 11:27
@netlify
Copy link

netlify bot commented Jun 2, 2025
edited
Loading

Deploy Preview for olmv1 ready!

Name Link
🔨 Latest commit 91dc9a1
🔍 Latest deploy log https://app.netlify.com/projects/olmv1/deploys/683d8aad1924f40008794ad1
😎 Deploy Preview https://deploy-preview-2002--olmv1.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

camilamacedo86
camilamacedo86 approved these changes Jun 2, 2025
View reviewed changes
Copy link
Contributor

@camilamacedo86 camilamacedo86 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It really make sense 👍

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jun 2, 2025
@openshift-ci
Copy link

openshift-ci bot commented Jun 2, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: camilamacedo86

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 2, 2025
@codecov
Copy link

codecov bot commented Jun 2, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 69.17%. Comparing base (d41ddd0) to head (91dc9a1).
Report is 1 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #2002   +/-   ##
=======================================
  Coverage   69.17%   69.17%           
=======================================
  Files          79       79           
  Lines        7027     7037   +10     
=======================================
+ Hits         4861     4868    +7     
- Misses       1885     1887    +2     
- Partials      281      282    +1
Flag Coverage Δ
e2e 43.00% <0.00%> (-0.14%) ⬇️
unit 60.05% <100.00%> (+0.04%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@openshift-merge-bot openshift-merge-bot bot merged commit 8f81c23 into operator-framework:main Jun 2, 2025
22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@camilamacedo86 camilamacedo86 camilamacedo86 approved these changes

@gavinmbell gavinmbell Awaiting requested review from gavinmbell

@kevinrizza kevinrizza Awaiting requested review from kevinrizza

Assignees

@camilamacedo86 camilamacedo86

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@perdasilva @camilamacedo86