[release-v1.13] Ocp bundle injection apiserversoure 1.13 (#557)

* Adding support for creating CA trustbundle in user namespace, and mounting it on the deployment of the apiserversource (#441)

Signed-off-by: Matthias Wessendorf <mwessend@redhat.com>

* Align mounth path for OCP cert inject towards the other workloads in Serverless Operator 1.32 (#506)

Signed-off-by: Matthias Wessendorf <mwessend@redhat.com>

---------

Signed-off-by: Matthias Wessendorf <mwessend@redhat.com>

pkg/reconciler/apiserversource/apiserversource.go

@@ -254,6 +254,12 @@ func (r *Reconciler) createReceiveAdapter(ctx context.Context, src *v1.ApiServer
 		msg := "Deployment created"
 		if err != nil {
 			msg = fmt.Sprint("Deployment created, error:", err)
+		} else {
+			// make CM only on clean creation
+			err := r.ensureCaTrustBundleConfigMap(ctx, src, adapterArgs)
+			if err != nil {
+				return nil, err
+			}
 		}
 		controller.GetEventRecorder(ctx).Eventf(src, corev1.EventTypeNormal, apiserversourceDeploymentCreated, "%s", msg)
 		return ra, err
@@ -274,6 +280,20 @@ func (r *Reconciler) createReceiveAdapter(ctx context.Context, src *v1.ApiServer
 	return ra, nil
 }
 
+func (r *Reconciler) ensureCaTrustBundleConfigMap(ctx context.Context, src *v1.ApiServerSource, adapterArgs resources.ReceiveAdapterArgs) error {
+	_, err := r.kubeClientSet.CoreV1().ConfigMaps(src.Namespace).Get(ctx, resources.TrustedCAConfigMapName, metav1.GetOptions{})
+	if apierrors.IsNotFound(err) {
+		trustedBundleCM := resources.MakeTrustedCABundleConfigMap(&adapterArgs)
+
+		_, err := r.kubeClientSet.CoreV1().ConfigMaps(src.Namespace).Create(ctx, trustedBundleCM, metav1.CreateOptions{})
+		if err != nil && !apierrors.IsAlreadyExists(err) {
+			return fmt.Errorf("error creating trusted CA bundle configmap: %v", err)
+		}
+	}
+
+	return nil
+}
+
 func (r *Reconciler) podSpecChanged(oldPodSpec corev1.PodSpec, newPodSpec corev1.PodSpec) bool {
 	if !equality.Semantic.DeepDerivative(newPodSpec, oldPodSpec) {
 		return true

pkg/reconciler/apiserversource/resources/cabundle_configmap.go

@@ -0,0 +1,31 @@
+package resources
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"knative.dev/pkg/kmeta"
+)
+
+const (
+	// user-provided and system CA certificates
+	TrustedCAConfigMapName   = "config-openshift-trusted-cabundle"
+	TrustedCAConfigMapVolume = TrustedCAConfigMapName + "-volume"
+	TrustedCAKey             = "ca-bundle.crt"
+)
+
+func MakeTrustedCABundleConfigMap(args *ReceiveAdapterArgs) *corev1.ConfigMap {
+	return &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      TrustedCAConfigMapName,
+			Namespace: args.Source.Namespace,
+			Labels: map[string]string{
+				"app.kubernetes.io/name": "knative-eventing",
+				// user-provided and system CA certificates
+				"config.openshift.io/inject-trusted-cabundle": "true",
+			},
+			OwnerReferences: []metav1.OwnerReference{
+				*kmeta.NewControllerRef(args.Source),
+			},
+		},
+	}
+}

pkg/reconciler/apiserversource/resources/receive_adapter.go

@@ -36,6 +36,10 @@ import (
 	reconcilersource "knative.dev/eventing/pkg/reconciler/source"
 )
 
+const (
+	OcpTrusedCaBundleMountPath = "/ocp-serverless-custom-certs/" + TrustedCAKey
+)
+
 // ReceiveAdapterArgs are the arguments needed to create a ApiServer Receive Adapter.
 // Every field is required.
 type ReceiveAdapterArgs struct {
@@ -84,6 +88,22 @@ func MakeReceiveAdapter(args *ReceiveAdapterArgs) (*appsv1.Deployment, error) {
 				Spec: corev1.PodSpec{
 					ServiceAccountName: args.Source.Spec.ServiceAccountName,
 					EnableServiceLinks: ptr.Bool(false),
+					Volumes: []corev1.Volume{
+						{
+							Name: TrustedCAConfigMapVolume,
+							VolumeSource: corev1.VolumeSource{
+								ConfigMap: &corev1.ConfigMapVolumeSource{
+									LocalObjectReference: corev1.LocalObjectReference{Name: TrustedCAConfigMapName},
+									Items: []corev1.KeyToPath{
+										{
+											Key:  TrustedCAKey,
+											Path: TrustedCAKey,
+										},
+									},
+								},
+							},
+						},
+					},
 					Containers: []corev1.Container{
 						{
 							Name:  "receive-adapter",
@@ -109,6 +129,14 @@ func MakeReceiveAdapter(args *ReceiveAdapterArgs) (*appsv1.Deployment, error) {
 								RunAsNonRoot:             ptr.Bool(true),
 								Capabilities:             &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
 							},
+							VolumeMounts: []corev1.VolumeMount{
+								{
+									Name:      TrustedCAConfigMapVolume,
+									MountPath: OcpTrusedCaBundleMountPath,
+									SubPath:   TrustedCAKey,
+									ReadOnly:  true,
+								},
+							},
 						},
 					},
 				},

pkg/reconciler/apiserversource/resources/receive_adapter_test.go

@@ -135,6 +135,22 @@ O2dgzikq8iSy1BlRsVw=
 				Spec: corev1.PodSpec{
 					ServiceAccountName: "source-svc-acct",
 					EnableServiceLinks: ptr.Bool(false),
+					Volumes: []corev1.Volume{
+						{
+							Name: TrustedCAConfigMapVolume,
+							VolumeSource: corev1.VolumeSource{
+								ConfigMap: &corev1.ConfigMapVolumeSource{
+									LocalObjectReference: corev1.LocalObjectReference{Name: TrustedCAConfigMapName},
+									Items: []corev1.KeyToPath{
+										{
+											Key:  TrustedCAKey,
+											Path: TrustedCAKey,
+										},
+									},
+								},
+							},
+						},
+					},
 					Containers: []corev1.Container{
 						{
 							Name:  "receive-adapter",
@@ -196,6 +212,14 @@ O2dgzikq8iSy1BlRsVw=
 								RunAsNonRoot:             ptr.Bool(true),
 								Capabilities:             &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
 							},
+							VolumeMounts: []corev1.VolumeMount{
+								{
+									Name:      TrustedCAConfigMapVolume,
+									MountPath: OcpTrusedCaBundleMountPath,
+									SubPath:   TrustedCAKey,
+									ReadOnly:  true,
+								},
+							},
 						},
 					},
 				},