Inject operator's trust store with trusted-ca-bundle

stlaz · stlaz · commit 61bdcf0155a3 · 2019-08-20T16:37:53.000+02:00
diff --git a/manifests/03_configmap.yaml b/manifests/03_configmap.yaml
@@ -10,6 +10,16 @@ data:
 ---
 apiVersion: v1
 kind: ConfigMap
+metadata:
+  namespace: openshift-authentication-operator
+  name: trusted-ca-bundle
+  annotations:
+    release.openshift.io/create-only: "true"
+  labels:
+    config.openshift.io/inject-trusted-cabundle: "true"
+---
+apiVersion: v1
+kind: ConfigMap
 metadata:
   namespace: openshift-authentication
   name: v4-0-config-trusted-ca-bundle
diff --git a/manifests/07_deployment.yaml b/manifests/07_deployment.yaml
@@ -36,6 +36,9 @@ spec:
           name: config
         - mountPath: /var/run/secrets/serving-cert
           name: serving-cert
+        - mountPath: /var/run/configmaps/trusted-ca-bundle
+          name: trusted-ca-bundle
+          readOnly: true
         env:
         - name: IMAGE
           value: quay.io/openshift/origin-oauth-server:v4.2
@@ -53,6 +56,10 @@ spec:
         configMap:
           defaultMode: 440
           name: authentication-operator-config
+      - name: trusted-ca-bundle
+        configMap:
+          name: trusted-ca-bundle
+          optional: true
       - name: serving-cert
         secret:
           secretName: serving-cert
diff --git a/pkg/operator2/idp.go b/pkg/operator2/idp.go
@@ -3,6 +3,7 @@ package operator2
 import (
 	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"net/http"
 	"net/url"
 	"strings"
@@ -293,7 +294,7 @@ func (c *authOperator) discoverOpenIDURLs(issuer, key string, ca configv1.Config
 
 func (c *authOperator) transportForCARef(ca configv1.ConfigMapNameReference, key string) (http.RoundTripper, error) {
 	if len(ca.Name) == 0 {
-		return transportFor("", nil, nil, nil)
+		return transportForTrustedCA("", nil, nil)
 	}
 	cm, err := c.configMaps.ConfigMaps(userConfigNamespace).Get(ca.Name, metav1.GetOptions{})
 	if err != nil {
@@ -343,3 +344,12 @@ func encodeOrDie(obj runtime.Object) []byte {
 	}
 	return bytes
 }
+
+func transportForTrustedCA(serverName string, certData []byte, keyData []byte) (http.RoundTripper, error) {
+	caData, err := ioutil.ReadFile(operatorTrustedCAFile)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read %s: %v", operatorTrustedCAFile, err)
+	}
+
+	return transportFor(serverName, caData, certData, keyData)
+}
diff --git a/pkg/operator2/operator.go b/pkg/operator2/operator.go
@@ -62,7 +62,8 @@ const (
 	kasServiceAndEndpointName = "kubernetes"
 	kasServiceFullName        = kasServiceAndEndpointName + "." + corev1.NamespaceDefault + ".svc"
 
-	rootCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+	rootCAFile            = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+	operatorTrustedCAFile = "/var/run/configmaps/trusted-ca-bundle/ca-bundle.crt"
 
 	systemTrustStoreDirPath = "/etc/pki/ca-trust/extracted/pem"
 
