Inject payload's system store with proxy CA when specified

Author: stlaz

pkg/operator2/deployment.go

@@ -21,6 +21,7 @@ import (
 func defaultDeployment(
 	operatorConfig *operatorv1.Authentication,
 	syncData *configSyncData,
+	combinedCA *corev1.ConfigMap,
 	routerSecret *corev1.Secret,
 	proxyConfig *configv1.Proxy,
 	operatorDeployment *appsv1.Deployment,
@@ -80,6 +81,7 @@ func defaultDeployment(
 	volumes, mounts = toVolumesAndMounts(syncData.idpConfigMaps, volumes, mounts)
 	volumes, mounts = toVolumesAndMounts(syncData.idpSecrets, volumes, mounts)
 	volumes, mounts = toVolumesAndMounts(syncData.tplSecrets, volumes, mounts)
+	volumes, mounts = appendCombinedCAToVolumesAndMounts(volumes, mounts, combinedCA)
 
 	// force redeploy when any associated resource changes
 	// we use a hash to prevent this value from growing indefinitely

pkg/operator2/operator.go

@@ -90,6 +90,9 @@ const (
 	// root path for template data
 	userConfigPathPrefixTemplate = userConfigPath + "/" + "template"
 
+	// system-wide tls cert store to mount the combined CA if Proxy has config specified
+	systemTrustStorePath = "/etc/pki/ca-trust/extracted/pem"
+
 	sessionNameAndKey = systemConfigPrefix + "session"
 	sessionMount      = systemConfigPathSecrets + "/" + sessionNameAndKey
 	sessionPath       = sessionMount + "/" + sessionNameAndKey
@@ -105,6 +108,11 @@ const (
 	servingCertPathCert = servingCertMount + "/" + corev1.TLSCertKey
 	servingCertPathKey  = servingCertMount + "/" + corev1.TLSPrivateKeyKey
 
+	proxyCAName       = systemConfigPrefix + "combined-ca"
+	proxyCAKey        = "ca-bundle.crt"
+	proxyCAVolumePath = "tls-ca-bundle.pem"
+	proxyCAMount      = systemTrustStorePath
+
 	consoleConfigMapSharedName = "console-config"
 	consoleConfigMapLocalName  = systemConfigPrefix + consoleConfigMapSharedName
 	consoleConfigKey           = consoleConfigMapSharedName + ".yaml"
@@ -387,6 +395,11 @@ func (c *authOperator) handleSync(operatorConfig *operatorv1.Authentication) err
 	proxyConfig := c.handleProxyConfig()
 	resourceVersions = append(resourceVersions, proxyConfig.ResourceVersion)
 
+	combinedCA, err := c.handleProxyCA(proxyConfig)
+	if err != nil {
+		return fmt.Errorf("failed handling the combined CA: %v", err)
+	}
+
 	operatorDeployment, err := c.deployments.Deployments(targetNamespaceOperator).Get(targetNameOperator, metav1.GetOptions{})
 	if err != nil {
 		return err
@@ -404,6 +417,7 @@ func (c *authOperator) handleSync(operatorConfig *operatorv1.Authentication) err
 	expectedDeployment := defaultDeployment(
 		operatorConfig,
 		syncData,
+		combinedCA,
 		routerSecret,
 		proxyConfig,
 		operatorDeployment,

pkg/operator2/proxy.go

@@ -1,12 +1,21 @@
 package operator2
 
 import (
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/klog"
 
 	configv1 "github.com/openshift/api/config/v1"
 )
 
+const (
+	injectProxyCAName  = "config.openshift.io/inject-trusted-cabundle"
+	injectProxyCAValue = "true"
+)
+
 func (c *authOperator) handleProxyConfig() *configv1.Proxy {
 	proxyConfig, err := c.proxy.Get(globalConfigName, metav1.GetOptions{})
 	if err != nil {
@@ -15,3 +24,80 @@ func (c *authOperator) handleProxyConfig() *configv1.Proxy {
 	}
 	return proxyConfig
 }
+
+func (c *authOperator) handleProxyCA(proxy *configv1.Proxy) (*corev1.ConfigMap, error) {
+	cmClient := c.configMaps.ConfigMaps(targetNamespace)
+	shouldHaveProxyCA := proxy != nil && len(proxy.Spec.TrustedCA.Name) > 0
+
+	proxyCACM, err := cmClient.Get(proxyCAName, metav1.GetOptions{})
+	if errors.IsNotFound(err) {
+		if !shouldHaveProxyCA {
+			return nil, nil
+		}
+		proxyCACM, err = cmClient.Create(defaultProxyCACM())
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	if !shouldHaveProxyCA {
+		return nil, cmClient.Delete(proxyCAName, &metav1.DeleteOptions{})
+	}
+
+	if err := isValidProxyCACM(proxyCACM); err != nil {
+		// delete the proxy CA config map so that it is replaced with the proper one in next reconcile loop
+		klog.Infof("deleting invalid proxy CA config map: %#v", proxyCACM)
+		opts := &metav1.DeleteOptions{Preconditions: &metav1.Preconditions{UID: &proxyCACM.UID}}
+		if err := cmClient.Delete(proxyCACM.Name, opts); err != nil && !errors.IsNotFound(err) {
+			klog.Infof("failed to delete invalid proxy CA config map: %v", err)
+		}
+		return nil, err
+	}
+
+	return proxyCACM, nil
+}
+
+func isValidProxyCACM(cm *corev1.ConfigMap) error {
+	if cm.Annotations[injectProxyCAName] != injectProxyCAValue {
+		return fmt.Errorf("config map missing injection annotation: %#v", cm)
+	}
+	return nil
+}
+
+func defaultProxyCACM() *corev1.ConfigMap {
+	meta := defaultMeta()
+	meta.Name = proxyCAName
+	meta.Annotations[injectProxyCAName] = injectProxyCAValue
+	return &corev1.ConfigMap{
+		ObjectMeta: meta,
+	}
+}
+
+func appendCombinedCAToVolumesAndMounts(volumes []corev1.Volume, mounts []corev1.VolumeMount, combinedCACM *corev1.ConfigMap) ([]corev1.Volume, []corev1.VolumeMount) {
+	// nothing got injected in that CM, we shouldn't mount it to trust store
+	if combinedCACM == nil || len(combinedCACM.Data) == 0 {
+		return volumes, mounts
+	}
+
+	combinedCAVolume := corev1.Volume{
+		Name: proxyCAName,
+		VolumeSource: corev1.VolumeSource{
+			ConfigMap: &corev1.ConfigMapVolumeSource{
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: proxyCAName,
+				},
+				Items: []corev1.KeyToPath{{Key: proxyCAKey, Path: proxyCAVolumePath}},
+			},
+		},
+	}
+	volumes = append(volumes, combinedCAVolume)
+
+	combinedCAMount := corev1.VolumeMount{
+		Name:      proxyCAName,
+		ReadOnly:  true,
+		MountPath: proxyCAMount,
+	}
+	mounts = append(mounts, combinedCAMount)
+
+	return volumes, mounts
+}