Prevent automatically generated TLS secret to be mounted if the CA bu…

…ndle is detected

- Add CA location to OAuth proxy
- Mount annotated secret for oauth
- Use annotated secret for oauth
- Automatic devFlag branch from issue-219-tls
- operator: quay.io/ruimvieira/trustyai-service-operator:devFlag-issue-219-tls / service quay.io/trustyai/trustyai-service:latest

config/base/params.env

@@ -1,3 +1,3 @@
 trustyaiServiceImage=quay.io/trustyai/trustyai-service:latest
 trustyaiOperatorImage=quay.io/trustyai/trustyai-service-operator:latest
-oauthProxyImage= quay.io/openshift/origin-oauth-proxy:4.14.0
+oauthProxyImage= quay.io/openshift/origin-oauth-proxy:4.14.0

controllers/deployment_test.go

@@ -361,16 +361,6 @@ var _ = Describe("TrustyAI operator", func() {
 					if volumeMount.Name == caBundleName && volumeMount.MountPath == "/etc/pki/ca-trust/extracted/pem" {
 						foundTrustedCAVolumeMount = true
 					}
-
-					if container.Name == "oauth-proxy" {
-						foundOpenshiftCAArg := false
-						for _, arg := range container.Args {
-							if arg == "--openshift-ca=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" {
-								foundOpenshiftCAArg = true
-							}
-						}
-						Expect(foundOpenshiftCAArg).To(BeTrue(), "oauth-proxy container missing --openshift-ca argument")
-					}
 				}
 			}
 			Expect(foundTrustedCAVolumeMount).To(BeTrue(), caBundleName+"trusted-ca volume mount not found in any container")

controllers/templates/service/deployment.tmpl.yaml

@@ -93,26 +93,25 @@ spec:
               containerPort: 8443
               protocol: TCP
           volumeMounts:
-            - name: {{ .Instance.Name }}-tls
-              mountPath: /etc/tls/private
-            {{ if .CustomCertificatesBundle.IsDefined }}
+          {{ if .CustomCertificatesBundle.IsDefined }}
             - name: {{ .CustomCertificatesBundle.VolumeName }}
               readOnly: true
               mountPath: /etc/pki/ca-trust/extracted/pem
-            {{ end }}
+              {{ end }}
+            - name: {{ .Instance.Name }}-tls
+              mountPath: /etc/tls/private
           image: {{ .OAuthImage }}
           args:
             - '--cookie-secret=SECRET'
             - '--https-address=:8443'
             - '--email-domain=*'
             - '--openshift-service-account={{ .Instance.Name }}-proxy'
-            - '--provider=openshift'
             {{ if .CustomCertificatesBundle.IsDefined }}
-            - '--openshift-ca=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem'
-            {{ else }}
+            - '--openshift-ca=/etc/pki/tls/certs/ca-bundle.crt'
+            {{ end }}
+            - '--provider=openshift'
             - '--tls-cert=/etc/tls/private/tls.crt'
             - '--tls-key=/etc/tls/private/tls.key'
-            {{ end}}
             - '--upstream=http://localhost:8080'
             - '--skip-auth-regex=''(^/apis/v1beta1/healthz)'''
             - >-
@@ -122,10 +121,6 @@ spec:
               "pods", "verb": "get"}}
       serviceAccount: {{ .Instance.Name }}-proxy
       volumes:
-        - name: {{ .Instance.Name}}-tls
-          secret:
-            secretName: {{ .Instance.Name }}-tls
-            defaultMode: 420
         - name: volume
           persistentVolumeClaim:
             claimName: {{ .PVCClaimName }}
@@ -138,3 +133,7 @@ spec:
                 path: tls-ca-bundle.pem
             defaultMode: 420
         {{ end }}
+        - name: {{ .Instance.Name}}-tls
+          secret:
+            secretName: {{ .Instance.Name }}-tls
+            defaultMode: 420

controllers/templates/service/service-tls.tmpl.yaml

@@ -1,10 +1,8 @@
 kind: Service
 apiVersion: v1
 metadata:
-    {{ if not .CustomCertificatesBundle.IsDefined }}
     annotations:
         service.beta.openshift.io/serving-cert-secret-name: {{ .Instance.Name }}-tls
-    {{ end }}
     name: {{ .Instance.Name }}-tls
     namespace: {{ .Instance.Namespace }}
     labels: