Prevent automatically generated TLS secret to be mounted if the CA bu…

…ndle is detected - Add CA location to OAuth proxy - Mount annotated secret for oauth - Use annotated secret for oauth - Automatic devFlag branch from issue-219-tls - operator: quay.io/ruimvieira/trustyai-service-operator:devFlag-issue-219-tls / service quay.io/trustyai/trustyai-service:latest
ruivieira · Feb 27, 2024 · 3fc99be · 3fc99be
1 parent e70a3bd
commit 3fc99be
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 45 deletions.
diff --git a/config/base/params.env b/config/base/params.env
@@ -1,3 +1,3 @@
 trustyaiServiceImage=quay.io/trustyai/trustyai-service:latest
 trustyaiOperatorImage=quay.io/trustyai/trustyai-service-operator:latest
-oauthProxyImage= quay.io/openshift/origin-oauth-proxy:4.14.0
+oauthProxyImage=quay.io/openshift/origin-oauth-proxy:4.14.0
diff --git a/controllers/deployment_test.go b/controllers/deployment_test.go
@@ -343,38 +343,19 @@ var _ = Describe("TrustyAI operator", func() {
 
 			Expect(deployment.Spec.Template.Spec.ServiceAccountName).To(Equal(instance.Name + "-proxy"))
 
-			foundTrustedCAVolume := false
-			for _, volume := range deployment.Spec.Template.Spec.Volumes {
-				if volume.Name == caBundleName && volume.ConfigMap != nil && volume.ConfigMap.Name == caBundleName {
-					foundTrustedCAVolume = true
-					Expect(volume.ConfigMap.Items).To(ContainElement(corev1.KeyToPath{
-						Key:  "ca-bundle.crt",
-						Path: "tls-ca-bundle.pem",
-					}))
-				}
-			}
-			Expect(foundTrustedCAVolume).To(BeTrue(), caBundleName+" volume not found")
+			foundCustomCertificatesBundleVolumeMount := false
 
-			foundTrustedCAVolumeMount := false
+			customCertificatesBundleMountPath := "/etc/ssl/certs/ca-bundle.crt"
 			for _, container := range deployment.Spec.Template.Spec.Containers {
 				for _, volumeMount := range container.VolumeMounts {
-					if volumeMount.Name == caBundleName && volumeMount.MountPath == "/etc/pki/ca-trust/extracted/pem" {
-						foundTrustedCAVolumeMount = true
-					}
-
-					if container.Name == "oauth-proxy" {
-						foundOpenshiftCAArg := false
-						for _, arg := range container.Args {
-							if arg == "--openshift-ca=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" {
-								foundOpenshiftCAArg = true
-							}
-						}
-						Expect(foundOpenshiftCAArg).To(BeTrue(), "oauth-proxy container missing --openshift-ca argument")
+					if volumeMount.Name == caBundleName && volumeMount.MountPath == customCertificatesBundleMountPath {
+						foundCustomCertificatesBundleVolumeMount = true
 					}
 				}
 			}
-			Expect(foundTrustedCAVolumeMount).To(BeTrue(), caBundleName+"trusted-ca volume mount not found in any container")
-			Expect(k8sClient.Delete(ctx, caBundleConfigMap)).To(Succeed(), "failed to delete custom CA bundle ConfigMap")
+			Expect(foundCustomCertificatesBundleVolumeMount).To(BeTrue(), caBundleName+" volume mount not found in any container")
+
+			Expect(k8sClient.Delete(ctx, caBundleConfigMap)).To(Succeed(), "failed to delete custom certificates bundle ConfigMap")
 
 		})
 	})

diff --git a/controllers/templates/service/deployment.tmpl.yaml b/controllers/templates/service/deployment.tmpl.yaml
@@ -93,26 +93,26 @@ spec:
               containerPort: 8443
               protocol: TCP
           volumeMounts:
-            - name: {{ .Instance.Name }}-tls
-              mountPath: /etc/tls/private
-            {{ if .CustomCertificatesBundle.IsDefined }}
+          {{ if .CustomCertificatesBundle.IsDefined }}
             - name: {{ .CustomCertificatesBundle.VolumeName }}
               readOnly: true
-              mountPath: /etc/pki/ca-trust/extracted/pem
-            {{ end }}
+              mountPath: /etc/ssl/certs/ca-bundle.crt
+              subPath: ca-bundle.crt
+              {{ end }}
+            - name: {{ .Instance.Name }}-tls
+              mountPath: /etc/tls/private
           image: {{ .OAuthImage }}
           args:
             - '--cookie-secret=SECRET'
             - '--https-address=:8443'
             - '--email-domain=*'
             - '--openshift-service-account={{ .Instance.Name }}-proxy'
-            - '--provider=openshift'
             {{ if .CustomCertificatesBundle.IsDefined }}
-            - '--openshift-ca=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem'
-            {{ else }}
+            - '--openshift-ca=/etc/ssl/certs/ca-bundle.crt'
+            {{ end }}
+            - '--provider=openshift'
             - '--tls-cert=/etc/tls/private/tls.crt'
             - '--tls-key=/etc/tls/private/tls.key'
-            {{ end}}
             - '--upstream=http://localhost:8080'
             - '--skip-auth-regex=''(^/apis/v1beta1/healthz)'''
             - >-
@@ -122,19 +122,16 @@ spec:
               "pods", "verb": "get"}}
       serviceAccount: {{ .Instance.Name }}-proxy
       volumes:
-        - name: {{ .Instance.Name}}-tls
-          secret:
-            secretName: {{ .Instance.Name }}-tls
-            defaultMode: 420
         - name: volume
           persistentVolumeClaim:
             claimName: {{ .PVCClaimName }}
         {{ if .CustomCertificatesBundle.IsDefined }}
         - name: {{ .CustomCertificatesBundle.VolumeName}}
           configMap:
             name: {{ .CustomCertificatesBundle.ConfigMapName }}
-            items:
-              - key: ca-bundle.crt
-                path: tls-ca-bundle.pem
             defaultMode: 420
         {{ end }}
+        - name: {{ .Instance.Name}}-tls
+          secret:
+            secretName: {{ .Instance.Name }}-tls
+            defaultMode: 420
diff --git a/controllers/templates/service/service-tls.tmpl.yaml b/controllers/templates/service/service-tls.tmpl.yaml
@@ -1,10 +1,8 @@
 kind: Service
 apiVersion: v1
 metadata:
-    {{ if not .CustomCertificatesBundle.IsDefined }}
     annotations:
         service.beta.openshift.io/serving-cert-secret-name: {{ .Instance.Name }}-tls
-    {{ end }}
     name: {{ .Instance.Name }}-tls
     namespace: {{ .Instance.Namespace }}
     labels: