Stop using service ca from service account token

Inclusion of the service ca in token configmaps is discontinued in 4.5.
openshift · May 12, 2020 · 243001a · 243001a
1 parent 66179bb
commit 243001a
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 2 deletions.
diff --git a/manifests/04-service-ca-configmap.yaml b/manifests/04-service-ca-configmap.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: openshift-insights
+  name: service-ca-bundle
+  annotations:
+    release.openshift.io/create-only: "true"
+    service.beta.openshift.io/inject-cabundle: "true"
diff --git a/manifests/06-deployment.yaml b/manifests/06-deployment.yaml
@@ -42,6 +42,10 @@ spec:
         configMap:
           name: trusted-ca-bundle
           optional: true
+      - name: service-ca-bundle
+        configMap:
+          name: service-ca-bundle
+          optional: true
       - name: serving-cert
         secret:
           secretName: openshift-insights-serving-cert
@@ -56,6 +60,9 @@ spec:
         - mountPath: /var/run/configmaps/trusted-ca-bundle
           name: trusted-ca-bundle
           readOnly: true
+        - mountPath: /var/run/configmaps/service-ca-bundle
+          name: service-ca-bundle
+          readOnly: true
         - mountPath: /var/run/secrets/serving-cert
           name: serving-cert
         ports:

diff --git a/pkg/cmd/start/start.go b/pkg/cmd/start/start.go
@@ -17,7 +17,7 @@ import (
 	"github.com/openshift/insights-operator/pkg/controller"
 )
 
-const serviceCACertPath = "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
+const serviceCACertPath = "/var/run/configmaps/service-ca-bundle/service-ca.crt"
 
 func NewOperator() *cobra.Command {
 	operator := &controller.Support{
@@ -55,6 +55,8 @@ func NewOperator() *cobra.Command {
 			// if the service CA is rotated, we want to restart
 			if data, err := ioutil.ReadFile(serviceCACertPath); err == nil {
 				startingFileContent[serviceCACertPath] = data
+			} else {
+				klog.V(4).Infof("Unable to read service ca bundle: %v", err)
 			}
 			observedFiles = append(observedFiles, serviceCACertPath)
 

diff --git a/pkg/controller/operator.go b/pkg/controller/operator.go
@@ -84,7 +84,7 @@ func (s *Support) Run(ctx context.Context, controller *controllercmd.ControllerC
 	// TODO: the oauth-proxy and delegating authorizer do not support Impersonate-User,
 	//   so we do not impersonate gather
 	metricsGatherKubeConfig := rest.CopyConfig(controller.KubeConfig)
-	metricsGatherKubeConfig.CAFile = "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
+	metricsGatherKubeConfig.CAFile = "/var/run/configmaps/service-ca-bundle/service-ca.crt"
 	metricsGatherKubeConfig.NegotiatedSerializer = scheme.Codecs
 	metricsGatherKubeConfig.GroupVersion = &schema.GroupVersion{}
 	metricsGatherKubeConfig.APIPath = "/"