Inject operator's trust store with trusted-ca-bundle

stlaz · stlaz · commit 03ebe5b76720 · 2019-08-19T15:55:19.000+02:00
diff --git a/manifests/03_configmap.yaml b/manifests/03_configmap.yaml
@@ -10,6 +10,16 @@ data:
 ---
 apiVersion: v1
 kind: ConfigMap
+metadata:
+  namespace: openshift-authentication-operator
+  name: trusted-ca-bundle
+  annotations:
+    release.openshift.io/create-only: "true"
+  labels:
+    config.openshift.io/inject-trusted-cabundle: "true"
+---
+apiVersion: v1
+kind: ConfigMap
 metadata:
   namespace: openshift-authentication
   name: v4-0-config-trusted-ca-bundle
diff --git a/manifests/07_deployment.yaml b/manifests/07_deployment.yaml
@@ -36,6 +36,9 @@ spec:
           name: config
         - mountPath: /var/run/secrets/serving-cert
           name: serving-cert
+        - mountPath: /etc/pki/ca-trust/extracted/pem
+          name: trusted-ca-bundle
+          readOnly: true
         env:
         - name: IMAGE
           value: quay.io/openshift/origin-oauth-server:v4.2
@@ -53,6 +56,13 @@ spec:
         configMap:
           defaultMode: 440
           name: authentication-operator-config
+      - name: trusted-ca-bundle
+        configMap:
+          name: trusted-ca
+          optional: true
+          items:
+          - key: ca-bundle.crt
+            path: tls-ca-bundle.pem
       - name: serving-cert
         secret:
           secretName: serving-cert
diff --git a/pkg/operator2/transport.go b/pkg/operator2/transport.go
@@ -22,21 +22,27 @@ func transportFor(serverName string, caData, certData, keyData []byte) (http.Rou
 }
 
 func transportForInner(serverName string, caData, certData, keyData []byte) (http.RoundTripper, error) {
-	if len(caData) == 0 && len(certData) == 0 && len(keyData) == 0 {
-		return http.DefaultTransport, nil
-	}
-
-	if (len(certData) == 0) != (len(keyData) == 0) {
-		return nil, errors.New("cert and key data must be specified together")
-	}
-
 	// copy default transport
 	transport := net.SetTransportDefaults(&http.Transport{
 		TLSClientConfig: &tls.Config{
 			ServerName: serverName,
 		},
 	})
 
+	if len(caData) == 0 && len(certData) == 0 && len(keyData) == 0 {
+		// reload system cert pool in case trusted-ca-bundle changed
+		systemCertPool, err := x509.SystemCertPool()
+		if err != nil {
+			return nil, err
+		}
+		transport.TLSClientConfig.RootCAs = systemCertPool
+		return transport, nil
+	}
+
+	if (len(certData) == 0) != (len(keyData) == 0) {
+		return nil, errors.New("cert and key data must be specified together")
+	}
+
 	if len(caData) != 0 {
 		roots := x509.NewCertPool()
 		if ok := roots.AppendCertsFromPEM(caData); !ok {
