From 346081c6e0390016f63680163df2245645e01cd4 Mon Sep 17 00:00:00 2001
From: Jan Safranek
Date: Fri, 18 Jun 2021 15:12:35 +0200
Subject: [PATCH] Add trusted CA bundle to vsphere operators

Use cluster's CA bundle when talking to vCenter.
---
 assets/csidriveroperators/vsphere/02_configmap.yaml | 9 +++++++++
 assets/csidriveroperators/vsphere/08_deployment.yaml | 10 ++++++++++
 assets/vsphere_problem_detector/06_configmap.yaml | 9 +++++++++
 .../{06_deployment.yaml => 07_deployment.yaml} | 9 +++++++++
 .../csidriveroperator/csioperatorclient/vsphere.go | 1 +
 .../vsphere_problem_detector_deployment.go | 2 +-
 .../vsphere_problem_detector_starter.go | 1 +
 7 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 assets/csidriveroperators/vsphere/02_configmap.yaml
 create mode 100644 assets/vsphere_problem_detector/06_configmap.yaml
 rename assets/vsphere_problem_detector/{06_deployment.yaml => 07_deployment.yaml} (84%)

diff --git a/assets/csidriveroperators/vsphere/02_configmap.yaml b/assets/csidriveroperators/vsphere/02_configmap.yaml
new file mode 100644
index 000000000..17185bf17
--- /dev/null
+++ b/assets/csidriveroperators/vsphere/02_configmap.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ # This label ensures that the OpenShift Certificate Authority bundle
+ # is added to the ConfigMap.
+ config.openshift.io/inject-trusted-cabundle: "true"
+ name: vsphere-csi-driver-operator-trusted-ca-bundle
+ namespace: openshift-cluster-csi-drivers
diff --git a/assets/csidriveroperators/vsphere/08_deployment.yaml b/assets/csidriveroperators/vsphere/08_deployment.yaml
index c9243614a..63f0d2e4e 100644
--- a/assets/csidriveroperators/vsphere/08_deployment.yaml
+++ b/assets/csidriveroperators/vsphere/08_deployment.yaml
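Review bot: The ConfigMap carries the `config.openshift.io/inject-trusted-cabundle: "true"` label but no `data`, so its `ca-bundle.crt` key is meant to be filled in by the cluster's CA-bundle injector rather than by this operator; if the static-asset sync that applies it (the `StaticAssets` list in vsphere.go and the asset list in vsphere_problem_detector_starter.go, both in this patch) reconciles `data` back to the manifest, the injected bundle would be wiped on every resync. I believe library-go's `resourceapply.ApplyConfigMap` deliberately leaves `ca-bundle.crt` alone on ConfigMaps with this label, but that is worth confirming for the apply path used here rather than assumed. A short manifest comment would also save the next maintainer the same question: `# data is intentionally empty: ca-bundle.crt is populated by the cluster CA-bundle injector`. The same applies to assets/vsphere_problem_detector/06_configmap.yaml in this patch.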
@@ -50,6 +50,9 @@ spec:
 requests:
 memory: 50Mi
 cpu: 10m
+ volumeMounts:
+ - name: trusted-ca-bundle
+ mountPath: /etc/pki/ca-trust/extracted/pem
 priorityClassName: system-cluster-critical
 serviceAccountName: vmware-vsphere-csi-driver-operator
 nodeSelector:
@@ -60,3 +63,10 @@ spec:
 - key: node-role.kubernetes.io/master
 operator: Exists
 effect: "NoSchedule"
+ volumes:
+ - name: trusted-ca-bundle
+ configMap:
+ name: vsphere-csi-driver-operator-trusted-ca-bundle
+ items:
+ - key: ca-bundle.crt
+ path: tls-ca-bundle.pem
diff --git a/assets/vsphere_problem_detector/06_configmap.yaml b/assets/vsphere_problem_detector/06_configmap.yaml
new file mode 100644
index 000000000..aec38e07c
--- /dev/null
+++ b/assets/vsphere_problem_detector/06_configmap.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ # This label ensures that the OpenShift Certificate Authority bundle
+ # is added to the ConfigMap.
+ config.openshift.io/inject-trusted-cabundle: "true"
+ name: trusted-ca-bundle
+ namespace: openshift-cluster-storage-operator
diff --git a/assets/vsphere_problem_detector/06_deployment.yaml b/assets/vsphere_problem_detector/07_deployment.yaml
similarity index 84%
rename from assets/vsphere_problem_detector/06_deployment.yaml
rename to assets/vsphere_problem_detector/07_deployment.yaml
index 649f28a47..271ff97bb 100644
--- a/assets/vsphere_problem_detector/06_deployment.yaml
+++ b/assets/vsphere_problem_detector/07_deployment.yaml
@@ -39,6 +39,9 @@ spec:
 volumeMounts:
 - mountPath: /var/run/secrets/serving-cert
 name: vsphere-problem-detector-serving-cert
+ - name: trusted-ca-bundle
+ mountPath: /etc/pki/ca-trust/extracted/pem
+ readOnly: true
 priorityClassName: system-cluster-critical
 serviceAccountName: vsphere-problem-detector-operator
 nodeSelector:
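Review bot: The `trusted-ca-bundle` entry under `volumeMounts` (mountPath `/etc/pki/ca-trust/extracted/pem`) omits `readOnly: true`, whereas the equivalent mount added to the problem-detector deployment in this same patch has it; add `readOnly: true` after `mountPath: /etc/pki/ca-trust/extracted/pem` so both deployments declare the trust store read-only. The kubelet projects configMap volumes read-only regardless, so this is about consistency and stating the intent, not a live write exposure. Note also that the mount shadows the image's entire `/etc/pki/ca-trust/extracted/pem` directory with the single projected `tls-ca-bundle.pem`, so the operator's TLS trust becomes exactly the injected bundle; that is presumably intended, since as far as I know the injected bundle is the system trust plus the cluster's additional CAs, but a one-line comment on the volume in the second hunk would make it explicit. Both hunks sit inside container and pod specs whose start is outside the hunk.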
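Review bot: The new ConfigMap is named plainly `trusted-ca-bundle` in the shared `openshift-cluster-storage-operator` namespace, whereas the sibling asset in this patch uses the component-prefixed `vsphere-csi-driver-operator-trusted-ca-bundle`; an unprefixed conventional name in an operator namespace invites a collision with another component creating the same object, after which two owners reconcile against each other. A prefixed name such as `vsphere-problem-detector-trusted-ca-bundle` would match the `vsphere-problem-detector-serving-cert` naming this deployment already uses; it would also have to change in the volume's `configMap.name` in 07_deployment.yaml. If the name is kept deliberately, a comment above `name: trusted-ca-bundle` saying it is the namespace-wide bundle would make the sharing explicit.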
@@ -54,3 +57,9 @@ spec:
 secret:
 secretName: vsphere-problem-detector-serving-cert
 optional: true
+ - name: trusted-ca-bundle
+ configMap:
+ name: trusted-ca-bundle
+ items:
+ - key: ca-bundle.crt
+ path: tls-ca-bundle.pem
diff --git a/pkg/operator/csidriveroperator/csioperatorclient/vsphere.go b/pkg/operator/csidriveroperator/csioperatorclient/vsphere.go
index b0ca110ff..207a3a618 100644
--- a/pkg/operator/csidriveroperator/csioperatorclient/vsphere.go
+++ b/pkg/operator/csidriveroperator/csioperatorclient/vsphere.go
@@ -26,6 +26,7 @@ func GetVMwareVSphereCSIOperatorConfig() CSIOperatorConfig {
 ConditionPrefix: "VSphere",
 Platform: configv1.VSpherePlatformType,
 StaticAssets: []string{
+ "csidriveroperators/vsphere/02_configmap.yaml",
 "csidriveroperators/vsphere/03_sa.yaml",
 "csidriveroperators/vsphere/04_role.yaml",
 "csidriveroperators/vsphere/05_rolebinding.yaml",
diff --git a/pkg/operator/vsphereproblemdetector/vsphere_problem_detector_deployment.go b/pkg/operator/vsphereproblemdetector/vsphere_problem_detector_deployment.go
index 7d4ee5eab..bb7ec982a 100644
--- a/pkg/operator/vsphereproblemdetector/vsphere_problem_detector_deployment.go
+++ b/pkg/operator/vsphereproblemdetector/vsphere_problem_detector_deployment.go
@@ -76,7 +76,7 @@ func (c *VSphereProblemDetectorDeploymentController) sync(ctx context.Context, s
 }
 replacer := strings.NewReplacer(pairs...)
- required, err := csoutils.GetRequiredDeployment("vsphere_problem_detector/06_deployment.yaml", opSpec, replacer)
+ required, err := csoutils.GetRequiredDeployment("vsphere_problem_detector/07_deployment.yaml", opSpec, replacer)
 if err != nil {
 return fmt.Errorf("failed to generate required Deployment: %s", err)
 }
diff --git a/pkg/operator/vsphereproblemdetector/vsphere_problem_detector_starter.go b/pkg/operator/vsphereproblemdetector/vsphere_problem_detector_starter.go
index 8f15957f8..b94189a84 100644
--- a/pkg/operator/vsphereproblemdetector/vsphere_problem_detector_starter.go
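Review bot: The `trusted-ca-bundle` volume selects `items: - key: ca-bundle.crt` without `optional: true`, and the ConfigMap it references is created empty in this patch and only gains that key once the injector has run, so until then the kubelet will, as far as I recall, refuse to set up the volume and the pod sits in ContainerCreating. For a trust store that is the right fail-closed default — starting without the bundle would only move the failure to the vCenter TLS handshake — so I would keep it, but state the intent: `# not optional on purpose: the pod must not start without the cluster CA bundle`. The same applies to the `volumes` hunk of assets/csidriveroperators/vsphere/08_deployment.yaml in this patch. The enclosing `volumes` list starts outside the hunk.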
+++ b/pkg/operator/vsphereproblemdetector/vsphere_problem_detector_starter.go
@@ -103,6 +103,7 @@ func (c *VSphereProblemDetectorStarter) createVSphereProblemDetectorManager(
 "vsphere_problem_detector/03_rolebinding.yaml",
 "vsphere_problem_detector/04_clusterrole.yaml",
 "vsphere_problem_detector/05_clusterrolebinding.yaml",
+ "vsphere_problem_detector/06_configmap.yaml",
 "vsphere_problem_detector/10_service.yaml",
 }