Insert trusted-ca-bundle from managed config NS into oauth-server trust store

This uses the CVO to create and watch a CM in openshift-authentication
namespace, the name of the CM is prefixed in a way so that the config map's
resourceVersion is watched by the authn operator and oauth-server is reloaded
upon its change.

Author: stlaz

manifests/03_configmap.yaml

@@ -7,3 +7,13 @@ data:
   operator-config.yaml: |
     apiVersion: operator.openshift.io/v1alpha1
     kind: GenericOperatorConfig
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: openshift-authentication
+  name: v4-0-config-trusted-ca-bundle
+  annotations:
+    release.openshift.io/create-only: "true"
+  labels:
+    config.openshift.io/inject-trusted-cabundle: "true"

pkg/operator2/deployment.go

@@ -71,6 +71,14 @@ func defaultDeployment(
 			path:      ocpBrandingSecretMount,
 			keys:      []string{configv1.LoginTemplateKey, configv1.ProviderSelectionTemplateKey, configv1.ErrorsTemplateKey},
 		},
+		{
+			name:      trustedCABundleName,
+			configmap: true,
+			path:      trustedCABundleMountDir,
+			mappedKeys: map[string]string{
+				trustedCABundleKey: trustedCABundleMountFile,
+			},
+		},
 	} {
 		v, m := data.split()
 		volumes = append(volumes, v)
@@ -257,10 +265,11 @@ func appendEnvVar(envVars []corev1.EnvVar, envName, envVal string) []corev1.EnvV
 }
 
 type volume struct {
-	name      string
-	configmap bool
-	path      string
-	keys      []string
+	name       string
+	configmap  bool
+	path       string
+	keys       []string
+	mappedKeys map[string]string
 }
 
 func (v *volume) split() (corev1.Volume, corev1.VolumeMount) {
@@ -269,6 +278,20 @@ func (v *volume) split() (corev1.Volume, corev1.VolumeMount) {
 	}
 
 	var items []corev1.KeyToPath
+	for key, val := range v.mappedKeys {
+		items = append(items, corev1.KeyToPath{
+			Key:  key,
+			Path: val,
+		})
+	}
+	// maps' keys are random, need to sort the output to prevent redeployment hotloops
+	sort.Slice(items, func(i, j int) bool {
+		if items[i].Key == items[j].Key {
+			return items[i].Path < items[j].Path
+		}
+		return items[i].Key < items[j].Key
+	})
+
 	for _, key := range v.keys {
 		items = append(items, corev1.KeyToPath{
 			Key:  key,

pkg/operator2/operator.go

@@ -64,6 +64,8 @@ const (
 
 	rootCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
 
+	systemTrustStoreDirPath = "/etc/pki/ca-trust/extracted/pem"
+
 	systemConfigPath           = "/var/config/system"
 	systemConfigPathConfigMaps = systemConfigPath + "/configmaps"
 	systemConfigPathSecrets    = systemConfigPath + "/secrets"
@@ -109,6 +111,12 @@ const (
 	consoleConfigMapLocalName  = systemConfigPrefix + consoleConfigMapSharedName
 	consoleConfigKey           = consoleConfigMapSharedName + ".yaml"
 
+	// trustedCABundleName part of manifests, if changing this, need to change that, too
+	trustedCABundleName      = systemConfigPrefix + "trusted-ca-bundle"
+	trustedCABundleKey       = "ca-bundle.crt"
+	trustedCABundleMountDir  = systemTrustStoreDirPath
+	trustedCABundleMountFile = "tls-ca-bundle.pem"
+
 	ocpBrandingSecretName   = systemConfigPrefix + "ocp-branding-template"
 	ocpBrandingSecretMount  = systemConfigPathSecrets + "/" + ocpBrandingSecretName
 	ocpBrandingLoginPath    = ocpBrandingSecretMount + "/" + configv1.LoginTemplateKey