diff --git a/manifests/03_configmap.yaml b/manifests/03_configmap.yaml
index d986e55a8f..d698008dfb 100644
--- a/manifests/03_configmap.yaml
+++ b/manifests/03_configmap.yaml
@@ -7,3 +7,23 @@ data:
 operator-config.yaml: |
 apiVersion: operator.openshift.io/v1alpha1
 kind: GenericOperatorConfig
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: openshift-authentication-operator
+ name: trusted-ca-bundle
+ annotations:
+ release.openshift.io/create-only: "true"
+ labels:
+ config.openshift.io/inject-trusted-cabundle: "true"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: openshift-authentication
+ name: v4-0-config-system-trusted-ca-bundle
+ annotations:
+ release.openshift.io/create-only: "true"
+ labels:
+ config.openshift.io/inject-trusted-cabundle: "true"
diff --git a/manifests/07_deployment.yaml b/manifests/07_deployment.yaml
index 2295882201..5aa13577a5 100644
--- a/manifests/07_deployment.yaml
+++ b/manifests/07_deployment.yaml
@@ -36,6 +36,9 @@ spec:
 name: config
 - mountPath: /var/run/secrets/serving-cert
 name: serving-cert
+ - mountPath: /var/run/configmaps/trusted-ca-bundle
+ name: trusted-ca-bundle
+ readOnly: true
 env:
 - name: IMAGE
 value: quay.io/openshift/origin-oauth-server:v4.2
@@ -53,6 +56,10 @@ spec:
 configMap:
 defaultMode: 440
 name: authentication-operator-config
+ - name: trusted-ca-bundle
+ configMap:
+ name: trusted-ca-bundle
+ optional: true
 - name: serving-cert
 secret:
 secretName: serving-cert
diff --git a/pkg/operator2/deployment.go b/pkg/operator2/deployment.go
index 43467535a0..6a93166d1e 100644
--- a/pkg/operator2/deployment.go
+++ b/pkg/operator2/deployment.go
@@ -71,6 +71,14 @@ func defaultDeployment(
 path: ocpBrandingSecretMount,
 keys: []string{configv1.LoginTemplateKey, configv1.ProviderSelectionTemplateKey, configv1.ErrorsTemplateKey},
 },
+ {
+ name: trustedCABundleName,
+ configmap: true,
+ path: trustedCABundleMountDir,
+ mappedKeys: map[string]string{
+ trustedCABundleKey: trustedCABundleMountFile,
+ },
+ },
 } {
 v, m := data.split()
 volumes = append(volumes, v)
@@ -257,10 +265,11 @@ func appendEnvVar(envVars []corev1.EnvVar, envName, envVal string) []corev1.EnvV
 }
 
 type volume struct {
- name string
- configmap bool
- path string
- keys []string
+ name string
+ configmap bool
+ path string
+ keys []string
+ mappedKeys map[string]string
 }
 
 func (v *volume) split() (corev1.Volume, corev1.VolumeMount) {
@@ -269,6 +278,14 @@ func (v *volume) split() (corev1.Volume, corev1.VolumeMount) {
 }
 
 var items []corev1.KeyToPath
+ // maps' keys are random, we need to sort the output to prevent redeployment hotloops
+ for _, key := range sets.StringKeySet(v.mappedKeys).List() {
+ items = append(items, corev1.KeyToPath{
+ Key: key,
+ Path: v.mappedKeys[key],
+ })
+ }
+
 for _, key := range v.keys {
 items = append(items, corev1.KeyToPath{
 Key: key,
diff --git a/pkg/operator2/idp.go b/pkg/operator2/idp.go
index 97b98efa6c..86507b74db 100644
--- a/pkg/operator2/idp.go
+++ b/pkg/operator2/idp.go
@@ -3,10 +3,13 @@ package operator2
 import (
 "encoding/json"
 "fmt"
+ "io/ioutil"
 "net/http"
 "net/url"
 "strings"
 
+ "k8s.io/klog"
+
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
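Review bot: The new trusted-ca-bundle volume entry projects exactly one key, trustedCABundleKey, from a ConfigMap that this commit's manifests create empty (create-only) and leave to the injector to fill, so the key may be absent when the oauth-server pod is first scheduled; a configMap volume whose items name a missing key keeps the pod from starting unless the volume source is marked optional, and nothing in this hunk shows split() setting that (its body, like the start of defaultDeployment, is outside the hunk). If split() does not already set Optional to true for configmap-backed volumes with mappedKeys, consider doing so, or add a comment on this entry stating why the key is guaranteed to exist before the deployment rolls out. The manifests in the same commit mark the operator's own trusted-ca-bundle volume `optional: true`, so the same treatment here would be consistent.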
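Review bot: The new mappedKeys field on volume has no comment, and its relationship to keys is only discoverable by reading split(): mapped entries are emitted first, sorted by key, then the keys entries in declaration order, and a key present in both appears to yield two KeyToPath items since neither loop dedupes. Suggest documenting it on the struct: `// mappedKeys projects a key under a different file name (key -> path); items are emitted sorted by key, ahead of keys`. split() continues past the end of its hunk.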
@@ -293,7 +296,7 @@ func (c *authOperator) discoverOpenIDURLs(issuer, key string, ca configv1.Config
 
 func (c *authOperator) transportForCARef(ca configv1.ConfigMapNameReference, key string) (http.RoundTripper, error) {
 if len(ca.Name) == 0 {
- return transportFor("", nil, nil, nil)
+ return transportFor("", trustedCABytes(), nil, nil)
 }
 cm, err := c.configMaps.ConfigMaps(userConfigNamespace).Get(ca.Name, metav1.GetOptions{})
 if err != nil {
@@ -343,3 +346,12 @@ func encodeOrDie(obj runtime.Object) []byte {
 }
 return bytes
 }
+
+func trustedCABytes() []byte {
+ caData, err := ioutil.ReadFile(operatorTrustedCAFile)
+ if err != nil {
+ klog.Infof("could not read %s, it won't be used in transport", operatorTrustedCAFile)
+ return nil
+ }
+ return caData
+}
diff --git a/pkg/operator2/operator.go b/pkg/operator2/operator.go
index 8db61a0f8c..004eb7ae14 100644
--- a/pkg/operator2/operator.go
+++ b/pkg/operator2/operator.go
@@ -62,7 +62,8 @@ const (
 kasServiceAndEndpointName = "kubernetes"
 kasServiceFullName = kasServiceAndEndpointName + "." + corev1.NamespaceDefault + ".svc"
 
- rootCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+ rootCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+ operatorTrustedCAFile = "/var/run/configmaps/trusted-ca-bundle/ca-bundle.crt"
 
 systemConfigPath = "/var/config/system"
 systemConfigPathConfigMaps = systemConfigPath + "/configmaps"
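Review bot: The trusted CA bundle is merged into the transport only on the `len(ca.Name) == 0` early return; the branch that loads a user-referenced CA ConfigMap continues below the hunk and, as far as this hunk shows, does not include it, so an IdP reached through a TLS-intercepting proxy but configured with its own CA would presumably still fail the handshake, whereas checkRouteHealthy in this commit merges both. If that asymmetry is intentional, a comment on the early return would make it explicit: `// no CA reference: fall back to the cluster trust bundle so TLS-intercepting proxies are trusted`; otherwise append trustedCABytes() to the ConfigMap-derived CA as well. The remainder of transportForCARef is outside the hunk.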
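Review bot: trustedCABytes drops the read error, so a permission or I/O failure on the mounted file is logged identically to the expected case where the optional ConfigMap has not been injected yet, and callers cannot tell the two apart from the log line. Include the error, `klog.Infof("could not read %s, it won't be used in transport: %v", operatorTrustedCAFile, err)`, and give the function a doc comment: `// trustedCABytes returns the cluster trust bundle projected at operatorTrustedCAFile, or nil when the file cannot be read.` It also re-reads the file on every call and lives in idp.go although this commit calls it from operator.go's checkRouteHealthy too, so a shared helper file may be a better home.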
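Review bot: operatorTrustedCAFile hard-codes the mountPath that manifests/07_deployment.yaml gives the trusted-ca-bundle volume plus the injected ca-bundle.crt key, and nothing ties the two together; the trustedCABundleName constant added further down carries a sync note, this one does not. Suggest `// operatorTrustedCAFile must match the trusted-ca-bundle mountPath in manifests/07_deployment.yaml and the injected key name` above the constant.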
@@ -109,6 +110,12 @@ const (
 consoleConfigMapLocalName = systemConfigPrefix + consoleConfigMapSharedName
 consoleConfigKey = consoleConfigMapSharedName + ".yaml"
 
+ // trustedCABundleName part of manifests, if changing this, need to change that, too
+ trustedCABundleName = systemConfigPrefix + "trusted-ca-bundle"
+ trustedCABundleKey = "ca-bundle.crt"
+ trustedCABundleMountDir = "/etc/pki/ca-trust/extracted/pem"
+ trustedCABundleMountFile = "tls-ca-bundle.pem"
+
 ocpBrandingSecretName = systemConfigPrefix + "ocp-branding-template"
 ocpBrandingSecretMount = systemConfigPathSecrets + "/" + ocpBrandingSecretName
 ocpBrandingLoginPath = ocpBrandingSecretMount + "/" + configv1.LoginTemplateKey
@@ -525,7 +532,8 @@ func (c *authOperator) checkDeploymentReady(deployment *appsv1.Deployment, opera
 
 func (c *authOperator) checkRouteHealthy(route *routev1.Route, routerSecret *corev1.Secret, ingress *configv1.Ingress) (ready bool, msg, reason string, err error) {
 caData := routerSecretToCA(route, routerSecret, ingress)
- rt, err := transportFor("", caData, nil, nil)
+ // merge trustedCA data with router cert in case TLS intercept proxy is in place
+ rt, err := transportFor("", append(caData, trustedCABytes()...), nil, nil)
 if err != nil {
 return false, "", "FailedTransport", fmt.Errorf("failed to build transport for route: %v", err)
 }
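Review bot: trustedCABundleMountDir and trustedCABundleMountFile point the oauth-server container's system trust location at a single projected file, and mounting a volume there hides whatever else the image ships in that directory; the constants say nothing about this, and the existing sync note reads awkwardly. Suggest `// trustedCABundleName is also referenced by the manifests; change both together` for the first line, and `// trustedCABundleMountDir/trustedCABundleMountFile replace the container's system CA bundle; the mount hides any other files the image ships there` above the mount constants. The const block continues outside the hunk.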
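Review bot: `append(caData, trustedCABytes()...)` appends into whatever backing array routerSecretToCA returned; if that slice has spare capacity and aliases bytes from routerSecret, the trust bundle is written into the Secret's data (routerSecretToCA is outside the hunk, so this is a hedge). Separately, if caData does not end with a newline the concatenation puts `-----BEGIN` on the same line as the last `-----END CERTIFICATE-----`, and encoding/pem rejects an END line followed by non-whitespace, which would silently drop the router CA from the pool. Copying into a fresh slice and inserting a newline separator avoids both. checkRouteHealthy continues beyond the hunk.
```go
	caData := routerSecretToCA(route, routerSecret, ingress)
	// merge trustedCA data with router cert in case TLS intercept proxy is in place;
	// copy into a fresh slice so the append cannot write into caData's backing array,
	// and separate the bundles with a newline so the last PEM block of caData stays
	// correctly terminated
	trusted := trustedCABytes()
	merged := make([]byte, 0, len(caData)+1+len(trusted))
	merged = append(merged, caData...)
	merged = append(merged, '\n')
	merged = append(merged, trusted...)
	rt, err := transportFor("", merged, nil, nil)
	// … unchanged: transport error handling and the rest of checkRouteHealthy …
```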