Insert trusted-ca-bundle from managed config NS into oauth-server trust store

This uses the ResourceSyncer to get the trusted-ca-bundle from the
openshift-config-managed into openshift-authentication namespace
with name prefixed in a way so that the config map's resourceVersion is
watched and oauth-server is reloaded upon its change.

Author: stlaz

pkg/operator2/deployment.go

@@ -71,6 +71,14 @@ func defaultDeployment(
 			path:      ocpBrandingSecretMount,
 			keys:      []string{configv1.LoginTemplateKey, configv1.ProviderSelectionTemplateKey, configv1.ErrorsTemplateKey},
 		},
+		{
+			name:      trustedCABundleLocalName,
+			configmap: true,
+			path:      trustedCABundleMountDir,
+			mappedKeys: map[string]string{
+				trustedCABundleKey: trustedCABundleMountFile,
+			},
+		},
 	} {
 		v, m := data.split()
 		volumes = append(volumes, v)
@@ -257,10 +265,11 @@ func appendEnvVar(envVars []corev1.EnvVar, envName, envVal string) []corev1.EnvV
 }
 
 type volume struct {
-	name      string
-	configmap bool
-	path      string
-	keys      []string
+	name       string
+	configmap  bool
+	path       string
+	keys       []string
+	mappedKeys map[string]string
 }
 
 func (v *volume) split() (corev1.Volume, corev1.VolumeMount) {
@@ -276,6 +285,13 @@ func (v *volume) split() (corev1.Volume, corev1.VolumeMount) {
 		})
 	}
 
+	for key, val := range v.mappedKeys {
+		items = append(items, corev1.KeyToPath{
+			Key:  key,
+			Path: val,
+		})
+	}
+
 	if v.configmap {
 		vol.ConfigMap = &corev1.ConfigMapVolumeSource{
 			LocalObjectReference: corev1.LocalObjectReference{

pkg/operator2/operator.go

@@ -62,7 +62,8 @@ const (
 	kasServiceAndEndpointName = "kubernetes"
 	kasServiceFullName        = kasServiceAndEndpointName + "." + corev1.NamespaceDefault + ".svc"
 
-	rootCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+	systemTrustStoreDirPath = "/etc/pki/ca-trust/extracted/pem"
+	rootCAFile              = systemTrustStoreDirPath + "/tls-ca-bundle.pem"
 
 	systemConfigPath           = "/var/config/system"
 	systemConfigPathConfigMaps = systemConfigPath + "/configmaps"
@@ -109,6 +110,12 @@ const (
 	consoleConfigMapLocalName  = systemConfigPrefix + consoleConfigMapSharedName
 	consoleConfigKey           = consoleConfigMapSharedName + ".yaml"
 
+	trustedCABundleSharedName = "trusted-ca-bundle"
+	trustedCABundleLocalName  = systemConfigPrefix + trustedCABundleSharedName
+	trustedCABundleKey        = "ca-bundle.crt"
+	trustedCABundleMountDir   = systemTrustStoreDirPath
+	trustedCABundleMountFile  = "tls-ca-bundle.pem"
+
 	ocpBrandingSecretName   = systemConfigPrefix + "ocp-branding-template"
 	ocpBrandingSecretMount  = systemConfigPathSecrets + "/" + ocpBrandingSecretName
 	ocpBrandingLoginPath    = ocpBrandingSecretMount + "/" + configv1.LoginTemplateKey

pkg/operator2/starter.go

@@ -122,6 +122,14 @@ func RunOperator(ctx *controllercmd.ControllerContext) error {
 		return err
 	}
 
+	// add syncing for the console-config ConfigMap (indirect watch for changes)
+	if err := resourceSyncer.SyncConfigMap(
+		resourcesynccontroller.ResourceLocation{Namespace: targetNamespace, Name: trustedCABundleLocalName},
+		resourcesynccontroller.ResourceLocation{Namespace: machineConfigNamespace, Name: trustedCABundleSharedName},
+	); err != nil {
+		return err
+	}
+
 	versionGetter := status.NewVersionGetter()
 
 	operator := NewAuthenticationOperator(