Add Proxy CA support

bindata/v3.11.0/openshift-svcat-controller-manager/trusted-ca.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: openshift-service-catalog-controller-manager
+  name: trusted-ca-bundle
+  labels:
+    config.openshift.io/inject-trusted-cabundle: "true"
+data:
+  ca-bundle.crt:

pkg/operator/operator.go

@@ -24,6 +24,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/informers"
+	informerscorev1 "k8s.io/client-go/informers/core/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/util/flowcontrol"
@@ -58,6 +59,7 @@ func NewServiceCatalogControllerManagerOperator(
 	kubeInformersForServiceCatalogControllerManager informers.SharedInformerFactory,
 	operatorConfigClient operatorclientv1.OperatorV1Interface,
 	proxyInformer proxyinformersv1.ProxyInformer,
+	configMapInformer informerscorev1.ConfigMapInformer,
 	configClient versioned.Interface,
 	kubeClient kubernetes.Interface,
 	dynamicClient dynamic.Interface,
@@ -86,6 +88,9 @@ func NewServiceCatalogControllerManagerOperator(
 	// get notified of proxy config changes
 	proxyInformer.Informer().AddEventHandler(c.eventHandler())
 
+	// get notified when the configmap in our namespace changes
+	configMapInformer.Informer().AddEventHandler(c.eventHandler())
+
 	return c
 }
 

pkg/operator/starter.go

@@ -44,13 +44,15 @@ func RunOperator(ctx *controllercmd.ControllerContext) error {
 	kubeInformersForServiceCatalogControllerManagerNamespace := informers.NewSharedInformerFactoryWithOptions(kubeClient, 10*time.Minute, informers.WithNamespace(targetNamespaceName))
 	kubeInformersForOperatorNamespace := informers.NewSharedInformerFactoryWithOptions(kubeClient, 10*time.Minute, informers.WithNamespace(util.OperatorNamespace))
 	configInformers := configinformers.NewSharedInformerFactory(configClient, 10*time.Minute)
+	configMapInformers := informers.NewSharedInformerFactoryWithOptions(kubeClient, 10*time.Minute, informers.WithNamespace(targetNamespaceName))
 
 	operator := NewServiceCatalogControllerManagerOperator(
 		os.Getenv("IMAGE"),
 		operatorConfigInformers.Operator().V1().ServiceCatalogControllerManagers(),
 		kubeInformersForServiceCatalogControllerManagerNamespace,
 		operatorClient.OperatorV1(),
 		configInformers.Config().V1().Proxies(),
+		configMapInformers.Core().V1().ConfigMaps(),
 		configClient,
 		kubeClient,
 		dynamicClient,
@@ -84,6 +86,7 @@ func RunOperator(ctx *controllercmd.ControllerContext) error {
 	kubeInformersForServiceCatalogControllerManagerNamespace.Start(ctx.Done())
 	kubeInformersForOperatorNamespace.Start(ctx.Done())
 	configInformers.Start(ctx.Done())
+	configMapInformers.Start(ctx.Done())
 
 	go operator.Run(1, ctx.Done())
 	go clusterOperatorStatus.Run(1, ctx.Done())

pkg/operator/sync_controllermanager_v311_00.go

@@ -32,6 +32,7 @@ const (
 	httpProxyEnvVar  = "HTTP_PROXY"
 	httpsProxyEnvVar = "HTTPS_PROXY"
 	noProxyEnvVar    = "NO_PROXY"
+	trustedCABundle  = "trusted-ca-bundle"
 )
 
 // syncServiceCatalogControllerManager_v311_00_to_latest takes care of synchronizing (not upgrading) the thing we're managing.
@@ -77,18 +78,25 @@ func syncServiceCatalogControllerManager_v311_00_to_latest(c ServiceCatalogContr
 	if err != nil {
 		errors = append(errors, fmt.Errorf("%q: %v", "configmap", err))
 	}
+
+	// Handle the Trusted CA configmap
+	_, trustedCAModified, err := manageServiceCatalogControllerManagerTrustedCAConfigMap_v311_00_to_latest(c.kubeClient, c.kubeClient.CoreV1(), c.recorder, operatorConfig)
+	if err != nil {
+		errors = append(errors, fmt.Errorf("%q: %v", "configmap", err))
+	}
+
 	// the kube-apiserver is the source of truth for client CA bundles
 	clientCAModified, err := manageServiceCatalogControllerManagerClientCA_v311_00_to_latest(c.kubeClient.CoreV1(), c.recorder)
 	if err != nil {
 		errors = append(errors, fmt.Errorf("%q: %v", "client-ca", err))
 	}
 
 	forceRollout = forceRollout || operatorConfig.ObjectMeta.Generation != operatorConfig.Status.ObservedGeneration
-	forceRollout = forceRollout || configMapModified || clientCAModified
+	forceRollout = forceRollout || configMapModified || clientCAModified || trustedCAModified
 
 	// our configmaps and secrets are in order, now it is time to create the DS
 	// TODO check basic preconditions here
-	actualDaemonSet, _, err := manageServiceCatalogControllerManagerDeployment_v311_00_to_latest(c.kubeClient.AppsV1(), c.recorder, operatorConfig, c.targetImagePullSpec, operatorConfig.Status.Generations, forceRollout, proxyConfig)
+	actualDaemonSet, _, err := manageServiceCatalogControllerManagerDeployment_v311_00_to_latest(c.kubeClient.AppsV1(), c.recorder, operatorConfig, c.targetImagePullSpec, operatorConfig.Status.Generations, forceRollout, proxyConfig, trustedCAModified)
 	if err != nil {
 		errors = append(errors, fmt.Errorf("%q: %v", "deployment", err))
 	}
@@ -200,11 +208,29 @@ func manageServiceCatalogControllerManagerConfigMap_v311_00_to_latest(kubeClient
 	return resourceapply.ApplyConfigMap(client, recorder, requiredConfigMap)
 }
 
+func manageServiceCatalogControllerManagerTrustedCAConfigMap_v311_00_to_latest(kubeClient kubernetes.Interface, client coreclientv1.ConfigMapsGetter, recorder events.Recorder, operatorConfig *operatorapiv1.ServiceCatalogControllerManager) (*corev1.ConfigMap, bool, error) {
+	trustedCAConfigMap := resourceread.ReadConfigMapV1OrDie(v311_00_assets.MustAsset("v3.11.0/openshift-svcat-controller-manager/trusted-ca.yaml"))
+
+	currentTrustedCAConfigMap, err := client.ConfigMaps(targetNamespaceName).Get(trustedCABundle, metav1.GetOptions{})
+	if apierrors.IsNotFound(err) {
+		return nil, false, nil
+	} else if err != nil {
+		return nil, false, err
+	}
+
+	requiredTrustedCAConfigMap, _, err := resourcemerge.MergeConfigMap(trustedCAConfigMap, trustedCABundle, nil, []byte(currentTrustedCAConfigMap.Data["ca-bundle.crt"]))
+	if err != nil {
+		return nil, false, err
+	}
+
+	return resourceapply.ApplyConfigMap(client, recorder, requiredTrustedCAConfigMap)
+}
+
 func manageServiceCatalogControllerManagerDeployment_v311_00_to_latest(
 	client appsclientv1.DaemonSetsGetter, recorder events.Recorder,
 	options *operatorapiv1.ServiceCatalogControllerManager, imagePullSpec string,
 	generationStatus []operatorapiv1.GenerationStatus, forceRollout bool,
-	proxyConfig *configv1.Proxy) (*appsv1.DaemonSet, bool, error) {
+	proxyConfig *configv1.Proxy, trustedCAModified bool) (*appsv1.DaemonSet, bool, error) {
 
 	// read the stock daemonset, this is NOT the live one
 	required := resourceread.ReadDaemonSetV1OrDie(v311_00_assets.MustAsset("v3.11.0/openshift-svcat-controller-manager/ds.yaml"))
@@ -225,6 +251,11 @@ func manageServiceCatalogControllerManagerDeployment_v311_00_to_latest(
 		level = 3
 	}
 
+	// if trustedCAModified we should add a mount point to the daemonset
+	if trustedCAModified {
+		addTrustedCAVolumeToDaemonSet(required)
+	}
+
 	// ================================================================
 
 	var foundDaemonSet bool
@@ -341,6 +372,47 @@ func manageServiceCatalogControllerManagerDeployment_v311_00_to_latest(
 	return resourceapply.ApplyDaemonSet(client, recorder, required, resourcemerge.ExpectedDaemonSetGeneration(required, generationStatus), forceRollout)
 }
 
+func addTrustedCAVolumeToDaemonSet(required *appsv1.DaemonSet) {
+	// volumeMount:
+	//   - mountPath: /etc/pki/ca-trust/extracted/pem/
+	//     name: trusted-ca-bundle
+	// volumes:
+	//   - name: trusted-ca-bundle
+	//     configMap:
+	//       name: trusted-ca-bundle
+	//       items:
+	//       - key: ca-bundle.crt
+	//         path: "tls-ca-bundle.pem"
+
+	required.Spec.Template.Spec.Containers[0].VolumeMounts = append(
+		required.Spec.Template.Spec.Containers[0].VolumeMounts,
+
+		corev1.VolumeMount{
+			Name:      trustedCABundle,
+			MountPath: "/etc/pki/ca-trust/extracted/pem/",
+		})
+
+	optionalVolume := true
+	required.Spec.Template.Spec.Volumes = append(required.Spec.Template.Spec.Volumes,
+		corev1.Volume{
+			Name: trustedCABundle,
+			VolumeSource: corev1.VolumeSource{
+				ConfigMap: &corev1.ConfigMapVolumeSource{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: trustedCABundle,
+					},
+					Items: []corev1.KeyToPath{
+						{
+							Key:  "ca-bundle.crt",
+							Path: "tls-ca-bundle.pem",
+						},
+					},
+					Optional: &optionalVolume,
+				},
+			},
+		})
+}
+
 func addProxyToEnvironment(required *appsv1.DaemonSet, proxyConfig *configv1.Proxy) {
 	required.Spec.Template.Spec.Containers[0].Env = append(required.Spec.Template.Spec.Containers[0].Env,
 		[]corev1.EnvVar{

pkg/operator/v311_00_assets/bindata.go

@@ -16,6 +16,7 @@
 // bindata/v3.11.0/openshift-svcat-controller-manager/servicemonitor-rolebinding.yaml
 // bindata/v3.11.0/openshift-svcat-controller-manager/servicemonitor.yaml
 // bindata/v3.11.0/openshift-svcat-controller-manager/svc.yaml
+// bindata/v3.11.0/openshift-svcat-controller-manager/trusted-ca.yaml
 package v311_00_assets
 
 import (
@@ -680,6 +681,32 @@ func v3110OpenshiftSvcatControllerManagerSvcYaml() (*asset, error) {
 	return a, nil
 }
 
+var _v3110OpenshiftSvcatControllerManagerTrustedCaYaml = []byte(`apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: openshift-service-catalog-controller-manager
+  name: trusted-ca-bundle
+  labels:
+    config.openshift.io/inject-trusted-cabundle: "true"
+data:
+  ca-bundle.crt:
+`)
+
+func v3110OpenshiftSvcatControllerManagerTrustedCaYamlBytes() ([]byte, error) {
+	return _v3110OpenshiftSvcatControllerManagerTrustedCaYaml, nil
+}
+
+func v3110OpenshiftSvcatControllerManagerTrustedCaYaml() (*asset, error) {
+	bytes, err := v3110OpenshiftSvcatControllerManagerTrustedCaYamlBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	info := bindataFileInfo{name: "v3.11.0/openshift-svcat-controller-manager/trusted-ca.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
+	a := &asset{bytes: bytes, info: info}
+	return a, nil
+}
+
 // Asset loads and returns the asset for the given name.
 // It returns an error if the asset could not be found or
 // could not be loaded.
@@ -748,6 +775,7 @@ var _bindata = map[string]func() (*asset, error){
 	"v3.11.0/openshift-svcat-controller-manager/servicemonitor-rolebinding.yaml":              v3110OpenshiftSvcatControllerManagerServicemonitorRolebindingYaml,
 	"v3.11.0/openshift-svcat-controller-manager/servicemonitor.yaml":                          v3110OpenshiftSvcatControllerManagerServicemonitorYaml,
 	"v3.11.0/openshift-svcat-controller-manager/svc.yaml":                                     v3110OpenshiftSvcatControllerManagerSvcYaml,
+	"v3.11.0/openshift-svcat-controller-manager/trusted-ca.yaml":                              v3110OpenshiftSvcatControllerManagerTrustedCaYaml,
 }
 
 // AssetDir returns the file names below a certain
@@ -809,6 +837,7 @@ var _bintree = &bintree{nil, map[string]*bintree{
 			"servicemonitor-rolebinding.yaml":              {v3110OpenshiftSvcatControllerManagerServicemonitorRolebindingYaml, map[string]*bintree{}},
 			"servicemonitor.yaml":                          {v3110OpenshiftSvcatControllerManagerServicemonitorYaml, map[string]*bintree{}},
 			"svc.yaml":                                     {v3110OpenshiftSvcatControllerManagerSvcYaml, map[string]*bintree{}},
+			"trusted-ca.yaml":                              {v3110OpenshiftSvcatControllerManagerTrustedCaYaml, map[string]*bintree{}},
 		}},
 	}},
 }}