Add trusted CA bundle to vsphere operators

Use cluster's CA bundle when talking to vCenter.
openshift · Jun 21, 2021 · 0bc0f12 · 0bc0f12
1 parent 8750b59
commit 0bc0f12
Show file tree

Hide file tree

Showing 5 changed files with 123 additions and 9 deletions.
diff --git a/assets/csidriveroperators/vsphere/02_configmap.yaml b/assets/csidriveroperators/vsphere/02_configmap.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    # This label ensures that the OpenShift Certificate Authority bundle
+    # is added to the ConfigMap.
+    config.openshift.io/inject-trusted-cabundle: "true"
+  name: vsphere-csi-driver-operator-trusted-ca-bundle
+  namespace: openshift-cluster-csi-drivers
diff --git a/assets/csidriveroperators/vsphere/08_deployment.yaml b/assets/csidriveroperators/vsphere/08_deployment.yaml
@@ -50,6 +50,9 @@ spec:
           requests:
             memory: 50Mi
             cpu: 10m
+        volumeMounts:
+        - name: trusted-ca-bundle
+          mountPath: /etc/pki/ca-trust/extracted/pem
       priorityClassName: system-cluster-critical
       serviceAccountName: vmware-vsphere-csi-driver-operator
       nodeSelector:
@@ -60,3 +63,10 @@ spec:
       - key: node-role.kubernetes.io/master
         operator: Exists
         effect: "NoSchedule"
+      volumes:
+      - name: trusted-ca-bundle
+        configMap:
+          name: vsphere-csi-driver-operator-trusted-ca-bundle
+          items:
+            - key: ca-bundle.crt
+              path: tls-ca-bundle.pem
diff --git a/assets/vsphere_problem_detector/06_configmap.yaml b/assets/vsphere_problem_detector/06_configmap.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    # This label ensures that the OpenShift Certificate Authority bundle
+    # is added to the ConfigMap.
+    config.openshift.io/inject-trusted-cabundle: "true"
+  name: trusted-ca-bundle
+  namespace: openshift-cluster-storage-operator
diff --git a/...phere_problem_detector/06_deployment.yaml → ...phere_problem_detector/07_deployment.yaml b/...phere_problem_detector/06_deployment.yaml → ...phere_problem_detector/07_deployment.yaml
@@ -39,6 +39,9 @@ spec:
         volumeMounts:
         - mountPath: /var/run/secrets/serving-cert
           name: vsphere-problem-detector-serving-cert
+        - name: trusted-ca-bundle
+          mountPath: /etc/pki/ca-trust/extracted/pem
+          readOnly: true
       priorityClassName: system-cluster-critical
       serviceAccountName: vsphere-problem-detector-operator
       nodeSelector:
@@ -54,3 +57,9 @@ spec:
         secret:
           secretName: vsphere-problem-detector-serving-cert
           optional: true
+      - name: trusted-ca-bundle
+        configMap:
+          name: trusted-ca-bundle
+          items:
+            - key: ca-bundle.crt
+              path: tls-ca-bundle.pem
diff --git a/pkg/generated/bindata.go b/pkg/generated/bindata.go