Bug 1969719: Add trusted CA bundle to vsphere operators

assets/csidriveroperators/vsphere/02_configmap.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    # This label ensures that the OpenShift Certificate Authority bundle
+    # is added to the ConfigMap.
+    config.openshift.io/inject-trusted-cabundle: "true"
+  name: vsphere-csi-driver-operator-trusted-ca-bundle
+  namespace: openshift-cluster-csi-drivers

assets/csidriveroperators/vsphere/08_deployment.yaml

@@ -50,6 +50,9 @@ spec:
           requests:
             memory: 50Mi
             cpu: 10m
+        volumeMounts:
+        - name: trusted-ca-bundle
+          mountPath: /etc/pki/ca-trust/extracted/pem
       priorityClassName: system-cluster-critical
       serviceAccountName: vmware-vsphere-csi-driver-operator
       nodeSelector:
@@ -60,3 +63,10 @@ spec:
       - key: node-role.kubernetes.io/master
         operator: Exists
         effect: "NoSchedule"
+      volumes:
+      - name: trusted-ca-bundle
+        configMap:
+          name: vsphere-csi-driver-operator-trusted-ca-bundle
+          items:
+            - key: ca-bundle.crt
+              path: tls-ca-bundle.pem

assets/vsphere_problem_detector/06_configmap.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    # This label ensures that the OpenShift Certificate Authority bundle
+    # is added to the ConfigMap.
+    config.openshift.io/inject-trusted-cabundle: "true"
+  name: trusted-ca-bundle
+  namespace: openshift-cluster-storage-operator

assets/vsphere_problem_detector/06_deployment.yaml → assets/vsphere_problem_detector/07_deployment.yaml

@@ -39,6 +39,9 @@ spec:
         volumeMounts:
         - mountPath: /var/run/secrets/serving-cert
           name: vsphere-problem-detector-serving-cert
+        - name: trusted-ca-bundle
+          mountPath: /etc/pki/ca-trust/extracted/pem
+          readOnly: true
       priorityClassName: system-cluster-critical
       serviceAccountName: vsphere-problem-detector-operator
       nodeSelector:
@@ -54,3 +57,9 @@ spec:
         secret:
           secretName: vsphere-problem-detector-serving-cert
           optional: true
+      - name: trusted-ca-bundle
+        configMap:
+          name: trusted-ca-bundle
+          items:
+            - key: ca-bundle.crt
+              path: tls-ca-bundle.pem

pkg/operator/csidriveroperator/csioperatorclient/vsphere.go

@@ -26,6 +26,7 @@ func GetVMwareVSphereCSIOperatorConfig() CSIOperatorConfig {
 		ConditionPrefix: "VSphere",
 		Platform:        configv1.VSpherePlatformType,
 		StaticAssets: []string{
+			"csidriveroperators/vsphere/02_configmap.yaml",
 			"csidriveroperators/vsphere/03_sa.yaml",
 			"csidriveroperators/vsphere/04_role.yaml",
 			"csidriveroperators/vsphere/05_rolebinding.yaml",

pkg/operator/vsphereproblemdetector/vsphere_problem_detector_deployment.go

@@ -76,7 +76,7 @@ func (c *VSphereProblemDetectorDeploymentController) sync(ctx context.Context, s
 	}
 
 	replacer := strings.NewReplacer(pairs...)
-	required, err := csoutils.GetRequiredDeployment("vsphere_problem_detector/06_deployment.yaml", opSpec, replacer)
+	required, err := csoutils.GetRequiredDeployment("vsphere_problem_detector/07_deployment.yaml", opSpec, replacer)
 	if err != nil {
 		return fmt.Errorf("failed to generate required Deployment: %s", err)
 	}

pkg/operator/vsphereproblemdetector/vsphere_problem_detector_starter.go

@@ -103,6 +103,7 @@ func (c *VSphereProblemDetectorStarter) createVSphereProblemDetectorManager(
 		"vsphere_problem_detector/03_rolebinding.yaml",
 		"vsphere_problem_detector/04_clusterrole.yaml",
 		"vsphere_problem_detector/05_clusterrolebinding.yaml",
+		"vsphere_problem_detector/06_configmap.yaml",
 		"vsphere_problem_detector/10_service.yaml",
 	}