Inject payload's system store with proxy CA when specified

manifests/03_configmap.yaml

@@ -7,3 +7,23 @@ data:
   operator-config.yaml: |
     apiVersion: operator.openshift.io/v1alpha1
     kind: GenericOperatorConfig
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: openshift-authentication-operator
+  name: trusted-ca-bundle
+  annotations:
+    release.openshift.io/create-only: "true"
+  labels:
+    config.openshift.io/inject-trusted-cabundle: "true"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: openshift-authentication
+  name: v4-0-config-system-trusted-ca-bundle
+  annotations:
+    release.openshift.io/create-only: "true"
+  labels:
+    config.openshift.io/inject-trusted-cabundle: "true"

manifests/07_deployment.yaml

@@ -36,6 +36,9 @@ spec:
           name: config
         - mountPath: /var/run/secrets/serving-cert
           name: serving-cert
+        - mountPath: /var/run/configmaps/trusted-ca-bundle
+          name: trusted-ca-bundle
+          readOnly: true
         env:
         - name: IMAGE
           value: quay.io/openshift/origin-oauth-server:v4.2
@@ -53,6 +56,10 @@ spec:
         configMap:
           defaultMode: 440
           name: authentication-operator-config
+      - name: trusted-ca-bundle
+        configMap:
+          name: trusted-ca-bundle
+          optional: true
       - name: serving-cert
         secret:
           secretName: serving-cert

pkg/operator2/deployment.go

@@ -71,6 +71,14 @@ func defaultDeployment(
 			path:      ocpBrandingSecretMount,
 			keys:      []string{configv1.LoginTemplateKey, configv1.ProviderSelectionTemplateKey, configv1.ErrorsTemplateKey},
 		},
+		{
+			name:      trustedCABundleName,
+			configmap: true,
+			path:      trustedCABundleMountDir,
+			mappedKeys: map[string]string{
+				trustedCABundleKey: trustedCABundleMountFile,
+			},
+		},
 	} {
 		v, m := data.split()
 		volumes = append(volumes, v)
@@ -257,10 +265,11 @@ func appendEnvVar(envVars []corev1.EnvVar, envName, envVal string) []corev1.EnvV
 }
 
 type volume struct {
-	name      string
-	configmap bool
-	path      string
-	keys      []string
+	name       string
+	configmap  bool
+	path       string
+	keys       []string
+	mappedKeys map[string]string
 }
 
 func (v *volume) split() (corev1.Volume, corev1.VolumeMount) {
@@ -269,6 +278,14 @@ func (v *volume) split() (corev1.Volume, corev1.VolumeMount) {
 	}
 
 	var items []corev1.KeyToPath
+	// maps' keys are random,  we need to sort the output to prevent redeployment hotloops
+	for _, key := range sets.StringKeySet(v.mappedKeys).List() {
+		items = append(items, corev1.KeyToPath{
+			Key:  key,
+			Path: v.mappedKeys[key],
+		})
+	}
+
 	for _, key := range v.keys {
 		items = append(items, corev1.KeyToPath{
 			Key:  key,

pkg/operator2/idp.go

@@ -3,10 +3,13 @@ package operator2
 import (
 	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"net/http"
 	"net/url"
 	"strings"
 
+	"k8s.io/klog"
+
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -293,7 +296,7 @@ func (c *authOperator) discoverOpenIDURLs(issuer, key string, ca configv1.Config
 
 func (c *authOperator) transportForCARef(ca configv1.ConfigMapNameReference, key string) (http.RoundTripper, error) {
 	if len(ca.Name) == 0 {
-		return transportFor("", nil, nil, nil)
+		return transportFor("", trustedCABytes(), nil, nil)
 	}
 	cm, err := c.configMaps.ConfigMaps(userConfigNamespace).Get(ca.Name, metav1.GetOptions{})
 	if err != nil {
@@ -343,3 +346,12 @@ func encodeOrDie(obj runtime.Object) []byte {
 	}
 	return bytes
 }
+
+func trustedCABytes() []byte {
+	caData, err := ioutil.ReadFile(operatorTrustedCAFile)
+	if err != nil {
+		klog.Infof("could not read %s, it won't be used in transport", operatorTrustedCAFile)
+		return nil
+	}
+	return caData
+}

pkg/operator2/operator.go

@@ -62,7 +62,8 @@ const (
 	kasServiceAndEndpointName = "kubernetes"
 	kasServiceFullName        = kasServiceAndEndpointName + "." + corev1.NamespaceDefault + ".svc"
 
-	rootCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+	rootCAFile            = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+	operatorTrustedCAFile = "/var/run/configmaps/trusted-ca-bundle/ca-bundle.crt"
 
 	systemConfigPath           = "/var/config/system"
 	systemConfigPathConfigMaps = systemConfigPath + "/configmaps"
@@ -109,6 +110,12 @@ const (
 	consoleConfigMapLocalName  = systemConfigPrefix + consoleConfigMapSharedName
 	consoleConfigKey           = consoleConfigMapSharedName + ".yaml"
 
+	// trustedCABundleName part of manifests, if changing this, need to change that, too
+	trustedCABundleName      = systemConfigPrefix + "trusted-ca-bundle"
+	trustedCABundleKey       = "ca-bundle.crt"
+	trustedCABundleMountDir  = "/etc/pki/ca-trust/extracted/pem"
+	trustedCABundleMountFile = "tls-ca-bundle.pem"
+
 	ocpBrandingSecretName   = systemConfigPrefix + "ocp-branding-template"
 	ocpBrandingSecretMount  = systemConfigPathSecrets + "/" + ocpBrandingSecretName
 	ocpBrandingLoginPath    = ocpBrandingSecretMount + "/" + configv1.LoginTemplateKey
@@ -525,7 +532,8 @@ func (c *authOperator) checkDeploymentReady(deployment *appsv1.Deployment, opera
 func (c *authOperator) checkRouteHealthy(route *routev1.Route, routerSecret *corev1.Secret, ingress *configv1.Ingress) (ready bool, msg, reason string, err error) {
 	caData := routerSecretToCA(route, routerSecret, ingress)
 
-	rt, err := transportFor("", caData, nil, nil)
+	// merge trustedCA data with router cert in case TLS intercept proxy is in place
+	rt, err := transportFor("", append(caData, trustedCABytes()...), nil, nil)
 	if err != nil {
 		return false, "", "FailedTransport", fmt.Errorf("failed to build transport for route: %v", err)
 	}