UPSTREAM: 190: Add OpenShift CA bundle when deployed on OpenShift

Signed-off-by: Joel Smith <joelsmith@redhat.com>
joelsmith · May 26, 2023 · c00b30d · c00b30d
1 parent a295d6e
commit c00b30d
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 3 deletions.
diff --git a/controllers/keda/kedacontroller_controller.go b/controllers/keda/kedacontroller_controller.go
@@ -188,7 +188,7 @@ func (r *KedaControllerReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		}
 		return ctrl.Result{}, err
 	}
-	if err := r.installController(logger, instance); err != nil {
+	if err := r.installController(ctx, logger, instance); err != nil {
 		status.MarkInstallFailed("Not able to install KEDA Controller")
 		if statusErr := util.UpdateKedaControllerStatus(ctx, r.Client, instance, status); statusErr != nil {
 			err = fmt.Errorf("got error: %s and then another: %s", err, statusErr)
@@ -343,13 +343,19 @@ func (r *KedaControllerReconciler) installSA(logger logr.Logger, instance *kedav
 	return nil
 }
 
-func (r *KedaControllerReconciler) installController(logger logr.Logger, instance *kedav1alpha1.KedaController) error {
+func (r *KedaControllerReconciler) installController(ctx context.Context, logger logr.Logger, instance *kedav1alpha1.KedaController) error {
 	logger.Info("Reconciling KEDA Controller deployment")
 	transforms := []mf.Transformer{
 		mf.InjectOwner(instance),
 		transform.ReplaceWatchNamespace(instance.Spec.WatchNamespace, "keda-operator", r.Scheme, logger),
 	}
 
+	if util.RunningOnOpenshift(ctx, logger, r.Client) {
+		transforms = append(transforms,
+			transform.EnsureCertInjectionForOperatorDeployment(metricsServerConfigMapName, r.Scheme),
+		)
+	}
+
 	// Use alternate image spec if env var set
 	if controllerImage := os.Getenv("KEDA_OPERATOR_IMAGE"); len(controllerImage) > 0 {
 		transforms = append(transforms, transform.ReplaceKedaOperatorImage(controllerImage, r.Scheme))

diff --git a/controllers/keda/transform/transform.go b/controllers/keda/transform/transform.go
@@ -253,6 +253,71 @@ func EnsureCertInjectionForDeployment(configMapName, secretName, grpcCertSecretN
 	}
 }
 
+//nolint:dupl
+func EnsureCertInjectionForOperatorDeployment(configMapName string, scheme *runtime.Scheme) mf.Transformer {
+	return func(u *unstructured.Unstructured) error {
+		if u.GetKind() == "Deployment" {
+			deploy := &appsv1.Deployment{}
+			if err := scheme.Convert(u, deploy, nil); err != nil {
+				return err
+			}
+
+			// add Volumes referencing certs in ConfigMap
+			cabundleVolume := corev1.Volume{
+				Name: "cabundle",
+				VolumeSource: corev1.VolumeSource{
+					ConfigMap: &corev1.ConfigMapVolumeSource{
+						LocalObjectReference: corev1.LocalObjectReference{
+							Name: configMapName,
+						},
+					},
+				},
+			}
+
+			volumes := deploy.Spec.Template.Spec.Volumes
+			cabundleVolumeFound := false
+			for i := range volumes {
+				if volumes[i].Name == "cabundle" {
+					volumes[i] = cabundleVolume
+					cabundleVolumeFound = true
+				}
+			}
+			if !cabundleVolumeFound {
+				deploy.Spec.Template.Spec.Volumes = append(deploy.Spec.Template.Spec.Volumes, cabundleVolume)
+			}
+			containers := deploy.Spec.Template.Spec.Containers
+			for i := range containers {
+				if containers[i].Name == containerNameKedaOperator {
+					// mount Volumes referencing certs in ConfigMap
+					cabundleVolumeMount := corev1.VolumeMount{
+						Name:      "cabundle",
+						MountPath: "/custom/ca",
+					}
+
+					volumeMounts := containers[i].VolumeMounts
+					cabundleVolumeMountFound := false
+					for j := range volumeMounts {
+						if volumeMounts[j].Name == "cabundle" {
+							volumeMounts[j] = cabundleVolumeMount
+							cabundleVolumeMountFound = true
+						}
+					}
+					if !cabundleVolumeMountFound {
+						containers[i].VolumeMounts = append(containers[i].VolumeMounts, cabundleVolumeMount)
+					}
+
+					break
+				}
+			}
+
+			if err := scheme.Convert(deploy, u, nil); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+}
+
 func EnsurePathsToCertsInDeployment(values []string, prefixes []Prefix, scheme *runtime.Scheme, logger logr.Logger) []mf.Transformer {
 	transforms := []mf.Transformer{}
 	for i := range values {
@@ -261,6 +326,7 @@ func EnsurePathsToCertsInDeployment(values []string, prefixes []Prefix, scheme *
 	return transforms
 }
 
+//nolint:dupl
 func EnsureAuditPolicyConfigMapMountsVolume(configMapName string, scheme *runtime.Scheme) mf.Transformer {
 	return func(u *unstructured.Unstructured) error {
 		if u.GetKind() == "Deployment" {

diff --git a/resources/keda-olm-operator.yaml b/resources/keda-olm-operator.yaml
@@ -39,7 +39,7 @@ metadata:
   labels:
     app.kubernetes.io/name: keda-admission-webhooks
   name: keda-admission-webhooks
-  namespace: openshift-keda
+  namespace: keda
 spec:
   endpoints:
   - interval: 60s