
Commit 3f5082b

committed
UPSTREAM: <carry>: use projected volume for CAs to avoid subPath limitations
Signed-off-by: Joe Lanford <joe.lanford@gmail.com>
1 parent 8f2307c commit 3f5082b


4 files changed

+42
-60
lines changed


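--- a/openshift/catalogd/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml
+++ b/openshift/catalogd/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml
@@ -3,19 +3,13 @@
 value: {"name":"catalogserver-certs", "secret":{"optional":false,"secretName":"catalogserver-cert"}}
 - op: add
 path: /spec/template/spec/volumes/-
-value: {"name":"trusted-ca-bundle", "configMap":{"optional":false,"name":"trusted-ca-bundle", "items":[{"key":"ca-bundle.crt","path":"ca-bundle.crt"}]}}
-- op: add
-path: /spec/template/spec/volumes/-
-value: {"name":"service-ca", "configMap":{"optional":false,"name":"openshift-service-ca.crt", "items":[{"key":"service-ca.crt","path":"service-ca.crt"}]}}
+value: {"name":"ca-certs", "projected": {"sources":[{"configMap":{"optional":false,"name":"trusted-ca-bundle", "items":[{"key":"ca-bundle.crt","path":"ca-bundle.crt"}]}},{"configMap":{"optional":false,"name":"openshift-service-ca.crt", "items":[{"key":"service-ca.crt","path":"service-ca.crt"}]}}]}}
 - op: add
 path: /spec/template/spec/containers/0/volumeMounts/-
 value: {"name":"catalogserver-certs", "mountPath":"/var/certs"}
 - op: add
 path: /spec/template/spec/containers/0/volumeMounts/-
-value: {"name":"trusted-ca-bundle", "mountPath":"/var/trusted-cas/ca-bundle.crt", "subPath":"ca-bundle.crt"}
-- op: add
-path: /spec/template/spec/containers/0/volumeMounts/-
-value: {"name":"service-ca", "mountPath":"/var/trusted-cas/service-ca.crt", "subPath":"service-ca.crt"}
+value: {"name":"ca-certs", "mountPath":"/var/ca-certs"}
 - op: add
 path: /spec/template/spec/containers/0/args/-
 value: "--tls-cert=/var/certs/tls.crt"
@@ -24,4 +18,4 @@
 value: "--tls-key=/var/certs/tls.key"
 - op: add
 path: /spec/template/spec/containers/0/args/-
-value: "--ca-certs-dir=/var/trusted-cas"
+value: "--ca-certs-dir=/var/ca-certs"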
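Review bot: The new `ca-certs` volume entry has no comment on what replacing two `subPath` file mounts with one directory mount changes for whatever reads `--ca-certs-dir`, and that matters because the directory holds the trust anchors. Without `subPath`, kubelet populates `/var/ca-certs` through its atomic writer, so `ca-bundle.crt` and `service-ca.crt` become symlinks through a `..data` entry beside a timestamped directory, and their contents now follow ConfigMap updates in a running pod. Whether the loader skips those dot-prefixed entries and re-reads the directory after a CA rotation is not visible on this page, so it is worth confirming before relying on live updates. I would add above the `value:` line `# projected volume: files are kubelet-managed symlinks and refresh on ConfigMap update; the --ca-certs-dir reader must ignore ..data and reload`. The same applies to the identical patch under `openshift/operator-controller/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml`.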

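--- a/openshift/catalogd/manifests/14-deployment-openshift-catalogd-catalogd-controller-manager.yml
+++ b/openshift/catalogd/manifests/14-deployment-openshift-catalogd-catalogd-controller-manager.yml
@@ -46,7 +46,7 @@ spec:
 - --external-address=catalogd-service.openshift-catalogd.svc
 - --tls-cert=/var/certs/tls.crt
 - --tls-key=/var/certs/tls.key
-- --ca-certs-dir=/var/trusted-cas
+- --ca-certs-dir=/var/ca-certs
 - --v=${LOG_VERBOSITY}
 - --global-pull-secret=openshift-config/pull-secret
 command:
@@ -81,12 +81,8 @@ spec:
 name: cache
 - mountPath: /var/certs
 name: catalogserver-certs
-- mountPath: /var/trusted-cas/ca-bundle.crt
-name: trusted-ca-bundle
-subPath: ca-bundle.crt
-- mountPath: /var/trusted-cas/service-ca.crt
-name: service-ca
-subPath: service-ca.crt
+- mountPath: /var/ca-certs
+name: ca-certs
 - mountPath: /etc/containers
 name: etc-containers
 readOnly: true
@@ -121,20 +117,21 @@ spec:
 secret:
 optional: false
 secretName: catalogserver-cert
-- configMap:
-items:
-- key: ca-bundle.crt
-path: ca-bundle.crt
-name: catalogd-trusted-ca-bundle
-optional: false
-name: trusted-ca-bundle
-- configMap:
-items:
-- key: service-ca.crt
-path: service-ca.crt
-name: openshift-service-ca.crt
-optional: false
-name: service-ca
+- name: ca-certs
+projected:
+sources:
+- configMap:
+items:
+- key: ca-bundle.crt
+path: ca-bundle.crt
+name: catalogd-trusted-ca-bundle
+optional: false
+- configMap:
+items:
+- key: service-ca.crt
+path: service-ca.crt
+name: openshift-service-ca.crt
+optional: false
 - hostPath:
 path: /etc/containers
 type: Directory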
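Review bot: The new `/var/ca-certs` mount in the `@@ -81,12 +81,8 @@` hunk omits `readOnly: true`, while the `/etc/containers` mount directly below it sets it. Kubelet mounts configMap-backed projected volumes read-only anyway, so this is about stating intent for a trust-anchor directory and keeping the manifest uniform, not a behaviour change; I would write the mount as `- mountPath: /var/ca-certs`, `name: ca-certs`, `readOnly: true`. If this manifest is rendered from the kustomize patch (it looks that way, but the page does not say), the change belongs in the patch's volumeMount value, `{"name":"ca-certs", "mountPath":"/var/ca-certs", "readOnly":true}`. The operator-controller manifest has the same mount in its `@@ -80,12 +80,8 @@` hunk, and in both files the `volumeMounts` list starts and ends outside the hunk.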

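--- a/openshift/operator-controller/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml
+++ b/openshift/operator-controller/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml
@@ -3,19 +3,13 @@
 value: {"name":"operator-controller-certs", "secret":{"optional":false,"secretName":"operator-controller-cert"}}
 - op: add
 path: /spec/template/spec/volumes/-
-value: {"name":"trusted-ca-bundle", "configMap":{"optional":false,"name":"trusted-ca-bundle", "items":[{"key":"ca-bundle.crt","path":"ca-bundle.crt"}]}}
-- op: add
-path: /spec/template/spec/volumes/-
-value: {"name":"service-ca", "configMap":{"optional":false,"name":"openshift-service-ca.crt", "items":[{"key":"service-ca.crt","path":"service-ca.crt"}]}}
+value: {"name":"ca-certs", "projected": {"sources":[{"configMap":{"optional":false,"name":"trusted-ca-bundle", "items":[{"key":"ca-bundle.crt","path":"ca-bundle.crt"}]}},{"configMap":{"optional":false,"name":"openshift-service-ca.crt", "items":[{"key":"service-ca.crt","path":"service-ca.crt"}]}}]}}
 - op: add
 path: /spec/template/spec/containers/0/volumeMounts/-
 value: {"name":"operator-controller-certs", "mountPath":"/var/certs"}
 - op: add
 path: /spec/template/spec/containers/0/volumeMounts/-
-value: {"name":"trusted-ca-bundle", "mountPath":"/var/trusted-cas/ca-bundle.crt", "subPath":"ca-bundle.crt" }
-- op: add
-path: /spec/template/spec/containers/0/volumeMounts/-
-value: {"name":"service-ca", "mountPath":"/var/trusted-cas/service-ca.crt", "subPath":"service-ca.crt" }
+value: {"name":"ca-certs", "mountPath":"/var/ca-certs"}
 - op: add
 path: /spec/template/spec/containers/0/args/-
 value: "--tls-cert=/var/certs/tls.crt"
@@ -24,4 +18,4 @@
 value: "--tls-key=/var/certs/tls.key"
 - op: add
 path: /spec/template/spec/containers/0/args/-
-value: "--ca-certs-dir=/var/trusted-cas"
+value: "--ca-certs-dir=/var/ca-certs"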

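--- a/openshift/operator-controller/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml
+++ b/openshift/operator-controller/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml
@@ -45,7 +45,7 @@ spec:
 - --leader-elect
 - --tls-cert=/var/certs/tls.crt
 - --tls-key=/var/certs/tls.key
-- --ca-certs-dir=/var/trusted-cas
+- --ca-certs-dir=/var/ca-certs
 - --v=${LOG_VERBOSITY}
 - --global-pull-secret=openshift-config/pull-secret
 command:
@@ -80,12 +80,8 @@ spec:
 name: cache
 - mountPath: /var/certs
 name: operator-controller-certs
-- mountPath: /var/trusted-cas/ca-bundle.crt
-name: trusted-ca-bundle
-subPath: ca-bundle.crt
-- mountPath: /var/trusted-cas/service-ca.crt
-name: service-ca
-subPath: service-ca.crt
+- mountPath: /var/ca-certs
+name: ca-certs
 - mountPath: /etc/containers
 name: etc-containers
 readOnly: true
@@ -120,20 +116,21 @@ spec:
 secret:
 optional: false
 secretName: operator-controller-cert
-- configMap:
-items:
-- key: ca-bundle.crt
-path: ca-bundle.crt
-name: operator-controller-trusted-ca-bundle
-optional: false
-name: trusted-ca-bundle
-- configMap:
-items:
-- key: service-ca.crt
-path: service-ca.crt
-name: openshift-service-ca.crt
-optional: false
-name: service-ca
+- name: ca-certs
+projected:
+sources:
+- configMap:
+items:
+- key: ca-bundle.crt
+path: ca-bundle.crt
+name: operator-controller-trusted-ca-bundle
+optional: false
+- configMap:
+items:
+- key: service-ca.crt
+path: service-ca.crt
+name: openshift-service-ca.crt
+optional: false
 - hostPath:
 path: /etc/containers
 type: Directory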
