OLM mounts CA Certs where Kubebuilder expects

awgreene · awgreene · commit e98e1dc1dbee · 2020-10-13T11:14:09.000-04:00
Problem: OLM does not mount the Generated CA Certs to the deployment at
the default location defined by Kubebuilder and the Operator-SDK.

Solution: OLM will ensure backwards compatibility by mounting the
generated CA Certs at the existing location as well as the default
location defined by the Operator-SDK and Kubebuilder.
diff --git a/pkg/controller/install/certresources.go b/pkg/controller/install/certresources.go
@@ -497,13 +497,25 @@ func (i *StrategyDeploymentInstaller) installCertRequirementsForDeployment(deplo
 	} else {
 		return nil, nil, err
 	}
+	AddDefaultCertVolumeAndVolumeMounts(&depSpec, secret.GetName())
 
+	// Setting the olm hash label forces a rollout and ensures that the new secret
+	// is used by the apiserver if not hot reloading.
+	depSpec.Template.ObjectMeta.SetAnnotations(map[string]string{OLMCAHashAnnotationKey: caHash})
+
+	return &depSpec, caPEM, nil
+}
+
+// AddDefaultCertVolumeAndVolumeMounts mounts the CA Cert generated by OLM to the location that OLM expects
+// APIService certs to be as well as the location that the Operator-SDK and Kubebuilder expect webhook
+// certs to be.
+func AddDefaultCertVolumeAndVolumeMounts(depSpec *appsv1.DeploymentSpec, secretName string) {
 	// Update deployment with secret volume mount.
 	volume := corev1.Volume{
 		Name: "apiservice-cert",
 		VolumeSource: corev1.VolumeSource{
 			Secret: &corev1.SecretVolumeSource{
-				SecretName: secret.GetName(),
+				SecretName: secretName,
 				Items: []corev1.KeyToPath{
 					{
 						Key:  "tls.crt",
@@ -518,6 +530,39 @@ func (i *StrategyDeploymentInstaller) installCertRequirementsForDeployment(deplo
 		},
 	}
 
+	mount := corev1.VolumeMount{
+		Name:      volume.Name,
+		MountPath: "/apiserver.local.config/certificates",
+	}
+
+	addCertVolumeAndVolumeMount(depSpec, volume, mount)
+
+	volume = corev1.Volume{
+		Name: "webhook-cert",
+		VolumeSource: corev1.VolumeSource{
+			Secret: &corev1.SecretVolumeSource{
+				SecretName: secretName,
+				Items: []corev1.KeyToPath{
+					{
+						Key:  "tls.crt",
+						Path: "tls.crt",
+					},
+					{
+						Key:  "tls.key",
+						Path: "tls.key",
+					},
+				},
+			},
+		},
+	}
+
+	mount = corev1.VolumeMount{
+		Name:      volume.Name,
+		MountPath: "/tmp/k8s-webhook-server/serving-certs",
+	}
+	addCertVolumeAndVolumeMount(depSpec, volume, mount)
+}
+func addCertVolumeAndVolumeMount(depSpec *appsv1.DeploymentSpec, volume corev1.Volume, volumeMount corev1.VolumeMount) {
 	replaced := false
 	for i, v := range depSpec.Template.Spec.Volumes {
 		if v.Name == volume.Name {
@@ -530,35 +575,25 @@ func (i *StrategyDeploymentInstaller) installCertRequirementsForDeployment(deplo
 		depSpec.Template.Spec.Volumes = append(depSpec.Template.Spec.Volumes, volume)
 	}
 
-	mount := corev1.VolumeMount{
-		Name:      volume.Name,
-		MountPath: "/apiserver.local.config/certificates",
-	}
 	for i, container := range depSpec.Template.Spec.Containers {
 		found := false
 		for j, m := range container.VolumeMounts {
-			if m.Name == mount.Name {
+			if m.Name == volumeMount.Name {
 				found = true
 				break
 			}
 
 			// Replace if mounting to the same location.
-			if m.MountPath == mount.MountPath {
-				container.VolumeMounts[j] = mount
+			if m.MountPath == volumeMount.MountPath {
+				container.VolumeMounts[j] = volumeMount
 				found = true
 				break
 			}
 		}
 		if !found {
-			container.VolumeMounts = append(container.VolumeMounts, mount)
+			container.VolumeMounts = append(container.VolumeMounts, volumeMount)
 		}
 
 		depSpec.Template.Spec.Containers[i] = container
 	}
-
-	// Setting the olm hash label forces a rollout and ensures that the new secret
-	// is used by the apiserver if not hot reloading.
-	depSpec.Template.ObjectMeta.SetAnnotations(map[string]string{OLMCAHashAnnotationKey: caHash})
-
-	return &depSpec, caPEM, nil
 }
diff --git a/pkg/controller/operators/olm/apiservices.go b/pkg/controller/operators/olm/apiservices.go
@@ -6,7 +6,6 @@ import (
 
 	log "github.com/sirupsen/logrus"
 	appsv1 "k8s.io/api/apps/v1"
-	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -344,62 +343,7 @@ func (a *Operator) updateDeploymentSpecsWithApiServiceData(csv *v1alpha1.Cluster
 			return nil, fmt.Errorf("Unable to get secret %s", install.SecretName(install.ServiceName(desc.DeploymentName)))
 		}
 
-		volume := corev1.Volume{
-			Name: "apiservice-cert",
-			VolumeSource: corev1.VolumeSource{
-				Secret: &corev1.SecretVolumeSource{
-					SecretName: secret.GetName(),
-					Items: []corev1.KeyToPath{
-						{
-							Key:  "tls.crt",
-							Path: "apiserver.crt",
-						},
-						{
-							Key:  "tls.key",
-							Path: "apiserver.key",
-						},
-					},
-				},
-			},
-		}
-
-		replaced := false
-		for i, v := range depSpec.Template.Spec.Volumes {
-			if v.Name == volume.Name {
-				depSpec.Template.Spec.Volumes[i] = volume
-				replaced = true
-				break
-			}
-		}
-		if !replaced {
-			depSpec.Template.Spec.Volumes = append(depSpec.Template.Spec.Volumes, volume)
-		}
-
-		mount := corev1.VolumeMount{
-			Name:      volume.Name,
-			MountPath: "/apiserver.local.config/certificates",
-		}
-		for i, container := range depSpec.Template.Spec.Containers {
-			found := false
-			for j, m := range container.VolumeMounts {
-				if m.Name == mount.Name {
-					found = true
-					break
-				}
-
-				// Replace if mounting to the same location.
-				if m.MountPath == mount.MountPath {
-					container.VolumeMounts[j] = mount
-					found = true
-					break
-				}
-			}
-			if !found {
-				container.VolumeMounts = append(container.VolumeMounts, mount)
-			}
-
-			depSpec.Template.Spec.Containers[i] = container
-		}
+		install.AddDefaultCertVolumeAndVolumeMounts(&depSpec, secret.GetName())
 		depSpec.Template.ObjectMeta.SetAnnotations(map[string]string{install.OLMCAHashAnnotationKey: caHash})
 		depSpecs[desc.DeploymentName] = depSpec
 	}
@@ -421,63 +365,8 @@ func (a *Operator) updateDeploymentSpecsWithApiServiceData(csv *v1alpha1.Cluster
 		if err != nil {
 			return nil, fmt.Errorf("Unable to get secret %s", install.SecretName(install.ServiceName(desc.DeploymentName)))
 		}
+		install.AddDefaultCertVolumeAndVolumeMounts(&depSpec, secret.GetName())
 
-		volume := corev1.Volume{
-			Name: "apiservice-cert",
-			VolumeSource: corev1.VolumeSource{
-				Secret: &corev1.SecretVolumeSource{
-					SecretName: secret.GetName(),
-					Items: []corev1.KeyToPath{
-						{
-							Key:  "tls.crt",
-							Path: "apiserver.crt",
-						},
-						{
-							Key:  "tls.key",
-							Path: "apiserver.key",
-						},
-					},
-				},
-			},
-		}
-
-		replaced := false
-		for i, v := range depSpec.Template.Spec.Volumes {
-			if v.Name == volume.Name {
-				depSpec.Template.Spec.Volumes[i] = volume
-				replaced = true
-				break
-			}
-		}
-		if !replaced {
-			depSpec.Template.Spec.Volumes = append(depSpec.Template.Spec.Volumes, volume)
-		}
-
-		mount := corev1.VolumeMount{
-			Name:      volume.Name,
-			MountPath: "/apiserver.local.config/certificates",
-		}
-		for i, container := range depSpec.Template.Spec.Containers {
-			found := false
-			for j, m := range container.VolumeMounts {
-				if m.Name == mount.Name {
-					found = true
-					break
-				}
-
-				// Replace if mounting to the same location.
-				if m.MountPath == mount.MountPath {
-					container.VolumeMounts[j] = mount
-					found = true
-					break
-				}
-			}
-			if !found {
-				container.VolumeMounts = append(container.VolumeMounts, mount)
-			}
-
-			depSpec.Template.Spec.Containers[i] = container
-		}
 		depSpec.Template.ObjectMeta.SetAnnotations(map[string]string{install.OLMCAHashAnnotationKey: caHash})
 		depSpecs[desc.DeploymentName] = depSpec
 	}
