Insert trusted-ca-bundle from managed config NS into oauth-server trust store

This uses the ResourceSyncer to get the trusted-ca-bundle from the
openshift-config-managed into openshift-authentication namespace
with name prefixed in a way so that the config map's resourceVersion is
watched and oauth-server is reloaded upon its change.

Author: stlaz

pkg/operator2/deployment.go

@@ -81,6 +81,24 @@ func defaultDeployment(
 	volumes, mounts = toVolumesAndMounts(syncData.idpSecrets, volumes, mounts)
 	volumes, mounts = toVolumesAndMounts(syncData.tplSecrets, volumes, mounts)
 
+	volumes = append(volumes, corev1.Volume{
+		Name: trustedCABundleLocalName,
+		VolumeSource: corev1.VolumeSource{
+			ConfigMap: &corev1.ConfigMapVolumeSource{
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: trustedCABundleLocalName,
+				},
+				Items: []corev1.KeyToPath{{Key: trustedCABundleKey, Path: trustedCABundleMountFile}},
+			},
+		},
+	})
+
+	mounts = append(mounts, corev1.VolumeMount{
+		Name:      trustedCABundleLocalName,
+		ReadOnly:  true,
+		MountPath: trustedCABundleMountDir,
+	})
+
 	// force redeploy when any associated resource changes
 	// we use a hash to prevent this value from growing indefinitely
 	// need to sort first in order to get a stable array

pkg/operator2/operator.go

@@ -62,7 +62,8 @@ const (
 	kasServiceAndEndpointName = "kubernetes"
 	kasServiceFullName        = kasServiceAndEndpointName + "." + corev1.NamespaceDefault + ".svc"
 
-	rootCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+	systemTrustStoreDirPath = "/etc/pki/ca-trust/extracted/pem"
+	rootCAFile              = systemTrustStoreDirPath + "/tls-ca-bundle.pem"
 
 	systemConfigPath           = "/var/config/system"
 	systemConfigPathConfigMaps = systemConfigPath + "/configmaps"
@@ -109,6 +110,12 @@ const (
 	consoleConfigMapLocalName  = systemConfigPrefix + consoleConfigMapSharedName
 	consoleConfigKey           = consoleConfigMapSharedName + ".yaml"
 
+	trustedCABundleSharedName = "trusted-ca-bundle"
+	trustedCABundleLocalName  = systemConfigPrefix + trustedCABundleSharedName
+	trustedCABundleKey        = "ca-bundle.crt"
+	trustedCABundleMountDir   = systemTrustStoreDirPath
+	trustedCABundleMountFile  = "tls-ca-bundle.pem"
+
 	ocpBrandingSecretName   = systemConfigPrefix + "ocp-branding-template"
 	ocpBrandingSecretMount  = systemConfigPathSecrets + "/" + ocpBrandingSecretName
 	ocpBrandingLoginPath    = ocpBrandingSecretMount + "/" + configv1.LoginTemplateKey

pkg/operator2/starter.go

@@ -122,6 +122,14 @@ func RunOperator(ctx *controllercmd.ControllerContext) error {
 		return err
 	}
 
+	// add syncing for the console-config ConfigMap (indirect watch for changes)
+	if err := resourceSyncer.SyncConfigMap(
+		resourcesynccontroller.ResourceLocation{Namespace: targetNamespace, Name: trustedCABundleLocalName},
+		resourcesynccontroller.ResourceLocation{Namespace: machineConfigNamespace, Name: trustedCABundleSharedName},
+	); err != nil {
+		return err
+	}
+
 	versionGetter := status.NewVersionGetter()
 
 	operator := NewAuthenticationOperator(