Modify the handling of injected OCP CA bundles (#1328)

* Add the CA-bundle injection configmap to the NooBaa package
- Revert Azure cert bundle injection
- Change the OCP injected CA bundle configmap name
- Change the CA bundle mountPath to not override system certs
- Change `AddToRootCAs` to append to the system pool instead of a new one
* Remove redundant newline
* Add missing `subPath`
* Fix `optional` indentation
* - Remove injectable configmap creation
- Generate `deploy.go`
- Fix old bundle path references
* Omit subPath usage since it doesn't update the file when the ConfigMap changes

https: //kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#mounted-configmaps-are-updated-automatically

Signed-off-by: Ben <[email protected]>

deploy/internal/configmap-ca-inject.yaml

@@ -3,5 +3,5 @@ kind: ConfigMap
 metadata:
   labels:
     config.openshift.io/inject-trusted-cabundle: "true"
-  name: noobaa-ca-inject
+  name: ocp-injected-ca-bundle
 data: {}

deploy/operator.yaml

@@ -30,12 +30,12 @@ spec:
       # SHOULD BE RETURNED ONCE COSI IS BACK
       # - name: socket
       #   emptyDir: {}
-      - name: noobaa-ca-inject
+      - name: ocp-injected-ca-bundle
         configMap:
-          name: noobaa-ca-inject
+          name: ocp-injected-ca-bundle
           items:
           - key: ca-bundle.crt
-            path: tls-ca-bundle.pem
+            path: ca-bundle.crt
           optional: true
       containers:
         - name: noobaa-operator
@@ -44,8 +44,8 @@ spec:
           - name: bound-sa-token
             mountPath: /var/run/secrets/openshift/serviceaccount
             readOnly: true
-          - name: noobaa-ca-inject
-            mountPath: /etc/pki/ca-trust/extracted/pem
+          - name: ocp-injected-ca-bundle
+            mountPath: /etc/ocp-injected-ca-bundle
           # SHOULD BE RETURNED ONCE COSI IS BACK
           # - name: socket
           #   mountPath: /var/lib/cosi

pkg/bundle/deploy.go

@@ -3740,14 +3740,14 @@ spec:
     skipServiceCheck: true
 `
 
-const Sha256_deploy_internal_configmap_ca_inject_yaml = "75f8ab503a683bcebd2ed6a2c9f8da0a4c174a62b4e6ca7e97ebc3da847ca866"
+const Sha256_deploy_internal_configmap_ca_inject_yaml = "fac2305a04146c6b553398b1cb69b3ee2f32c5735359f5102590d43d33ccecba"
 
 const File_deploy_internal_configmap_ca_inject_yaml = `apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
     config.openshift.io/inject-trusted-cabundle: "true"
-  name: noobaa-ca-inject
+  name: ocp-injected-ca-bundle
 data: {}
 `
 
@@ -5871,7 +5871,7 @@ spec:
   sourceNamespace: default
 `
 
-const Sha256_deploy_operator_yaml = "1a2c110adc6763047d158e9021ea716e8d16ce734c0302c569b02e114189dff8"
+const Sha256_deploy_operator_yaml = "f1d3f744af5e55b5476c085c10425f93837cf0bdf39d206f3857d3c5e9bc6c78"
 
 const File_deploy_operator_yaml = `apiVersion: apps/v1
 kind: Deployment
@@ -5905,12 +5905,12 @@ spec:
       # SHOULD BE RETURNED ONCE COSI IS BACK
       # - name: socket
       #   emptyDir: {}
-      - name: noobaa-ca-inject
+      - name: ocp-injected-ca-bundle
         configMap:
-          name: noobaa-ca-inject
+          name: ocp-injected-ca-bundle
           items:
           - key: ca-bundle.crt
-            path: tls-ca-bundle.pem
+            path: ca-bundle.crt
           optional: true
       containers:
         - name: noobaa-operator
@@ -5919,8 +5919,8 @@ spec:
           - name: bound-sa-token
             mountPath: /var/run/secrets/openshift/serviceaccount
             readOnly: true
-          - name: noobaa-ca-inject
-            mountPath: /etc/pki/ca-trust/extracted/pem
+          - name: ocp-injected-ca-bundle
+            mountPath: /etc/ocp-injected-ca-bundle
           # SHOULD BE RETURNED ONCE COSI IS BACK
           # - name: socket
           #   mountPath: /var/lib/cosi

pkg/olm/olm.go

@@ -208,6 +208,10 @@ func RunCatalog(cmd *cobra.Command, args []string) {
 		util.Panic(os.WriteFile(dir+"noobaa-operator.package.yaml", pkgBytes, 0644))
 	}
 	util.Panic(util.WriteYamlFile(csvFileName, GenerateCSV(opConf, csvParams)))
+	// The CA configmap is needed prior to the operator startup to prevent a certificate injection race condition
+	util.Panic(util.WriteYamlFile(
+		versionDir+"noobaa-operator.ca-bundle-configmap.yaml",
+		util.KubeObject(bundle.File_deploy_internal_configmap_ca_inject_yaml)))
 	crd.ForEachCRD(func(c *crd.CRD) {
 		if c.Spec.Group == nbv1.SchemeGroupVersion.Group || (csvParams.OBCMode == OBCOwned && c.Spec.Group == obAPI.Domain) {
 			util.Panic(util.WriteYamlFile(versionDir+c.Name+".crd.yaml", c))

pkg/system/azure_utils.go

@@ -3,40 +3,20 @@ package system
 import (
 	"fmt"
 	"log"
-	"net/http"
 	"net/url"
-	"time"
 
 	"github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage"
 	"github.com/Azure/azure-storage-blob-go/azblob"
 	"github.com/Azure/go-autorest/autorest"
 	"github.com/Azure/go-autorest/autorest/adal"
 	"github.com/Azure/go-autorest/autorest/azure"
 	"github.com/Azure/go-autorest/autorest/to"
-
-	"github.com/noobaa/noobaa-operator/v5/pkg/util"
 )
 
 func (r *Reconciler) getStorageAccountsClient() storage.AccountsClient {
 	storageAccountsClient := storage.NewAccountsClient(r.AzureContainerCreds.StringData["azure_subscription_id"])
 	auth, _ := r.GetResourceManagementAuthorizer()
 	storageAccountsClient.Authorizer = auth
-	// Inject the global refreshing CA pool into the one used by the Azure client
-	var httpClient = &http.Client{
-		Transport: util.GlobalCARefreshingTransport,
-		Timeout:   10 * time.Second,
-	}
-	underlyingHTTPClient, ok := storageAccountsClient.Sender.(*http.Client)
-	if !ok {
-		log.Fatalf("failed to cast underlyingHTTPClient to *http.Client")
-	}
-	underlyingHTTPClient.Transport = httpClient.Transport
-	underlyingTransport, ok := underlyingHTTPClient.Transport.(*http.Transport)
-	if !ok {
-		log.Fatalf("failed to cast underlyingTransport to *http.Transport")
-	}
-	underlyingTransport.TLSClientConfig.RootCAs = util.GlobalCARefreshingTransport.TLSClientConfig.RootCAs
-
 	err := storageAccountsClient.AddToUserAgent("Go-http-client/1.1")
 	if err != nil {
 		log.Fatalf("got error on storageAccountsClient.AddToUserAgent %v", err)

pkg/system/phase2_creating.go

@@ -49,9 +49,6 @@ func (r *Reconciler) ReconcilePhaseCreating() error {
 		"noobaa operator started phase 2/4 - \"Creating\"",
 	)
 
-	if err := r.ReconcileCAInject(); err != nil {
-		return err
-	}
 	if err := r.ReconcileObject(r.ServiceAccount, r.SetDesiredServiceAccount); err != nil {
 		return err
 	}
@@ -468,7 +465,7 @@ func (r *Reconciler) SetDesiredCoreApp() error {
 			if util.KubeCheckQuiet(r.CaBundleConf) {
 				configMapVolumeMounts := []corev1.VolumeMount{{
 					Name:      r.CaBundleConf.Name,
-					MountPath: "/etc/pki/ca-trust/extracted/pem",
+					MountPath: "/etc/ocp-injected-ca-bundle.crt",
 					ReadOnly:  true,
 				}}
 				util.MergeVolumeMountList(&c.VolumeMounts, &configMapVolumeMounts)
@@ -509,7 +506,7 @@ func (r *Reconciler) SetDesiredCoreApp() error {
 			if util.KubeCheckQuiet(r.CaBundleConf) {
 				configMapVolumeMounts := []corev1.VolumeMount{{
 					Name:      r.CaBundleConf.Name,
-					MountPath: "/etc/pki/ca-trust/extracted/pem",
+					MountPath: "/etc/ocp-injected-ca-bundle.crt",
 					ReadOnly:  true,
 				}}
 				util.MergeVolumeMountList(&c.VolumeMounts, &configMapVolumeMounts)
@@ -559,7 +556,7 @@ func (r *Reconciler) SetDesiredCoreApp() error {
 					},
 					Items: []corev1.KeyToPath{{
 						Key:  "ca-bundle.crt",
-						Path: "tls-ca-bundle.pem",
+						Path: "ca-bundle.crt",
 					}},
 				},
 			},
@@ -804,23 +801,6 @@ func (r *Reconciler) ReconcileIBMCredentials() error {
 	return nil
 }
 
-// ReconcileCAInject checks if a namespace called openshift-config exist (OCP)
-// if so creates a cofig map for OCP to inject supported CAs to
-func (r *Reconciler) ReconcileCAInject() error {
-	ocpConfigNamespace := &corev1.Namespace{
-		TypeMeta: metav1.TypeMeta{Kind: "Namespace"},
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "openshift-config",
-		},
-	}
-	if util.KubeCheckQuiet(ocpConfigNamespace) {
-		r.Logger.Infof("Found openshift-config ns - will reconcile CA inject configmap: %q", r.CaBundleConf.Name)
-		if err := r.ReconcileObject(r.CaBundleConf, nil); err != nil {
-			return err
-		}
-	}
-	return nil
-}
 
 // SetDesiredAgentProfile updates the value of the AGENT_PROFILE env
 func (r *Reconciler) SetDesiredAgentProfile(profileString string) string {

pkg/system/phase4_configuring.go

@@ -488,15 +488,15 @@ func (r *Reconciler) setDesiredEndpointMounts(podSpec *corev1.PodSpec, container
 					},
 					Items: []corev1.KeyToPath{{
 						Key:  "ca-bundle.crt",
-						Path: "tls-ca-bundle.pem",
+						Path: "ca-bundle.crt",
 					}},
 				},
 			},
 		}}
 		util.MergeVolumeList(&podSpec.Volumes, &configMapVolumes)
 		configMapVolumeMounts := []corev1.VolumeMount{{
 			Name:      r.CaBundleConf.Name,
-			MountPath: "/etc/pki/ca-trust/extracted/pem",
+			MountPath: "/etc/ocp-injected-ca-bundle.crt",
 			ReadOnly:  true,
 		}}
 		util.MergeVolumeMountList(&container.VolumeMounts, &configMapVolumeMounts)
@@ -866,10 +866,6 @@ func (r *Reconciler) prepareAWSBackingStore() error {
 				*result.Credentials.SecretAccessKey,
 				*result.Credentials.SessionToken,
 			),
-			HTTPClient: &http.Client{
-				Transport: util.GlobalCARefreshingTransport,
-				Timeout:   10 * time.Second,
-			},
 			Region: &region,
 		}
 	} else { // handle AWS long-lived credentials (not STS)
@@ -879,10 +875,6 @@ func (r *Reconciler) prepareAWSBackingStore() error {
 				cloudCredsSecret.StringData["aws_secret_access_key"],
 				"",
 			),
-			HTTPClient: &http.Client{
-				Transport: util.GlobalCARefreshingTransport,
-				Timeout:   10 * time.Second,
-			},
 			Region: &region,
 		}
 	}

pkg/util/util.go

@@ -132,10 +132,13 @@ var (
 
 // AddToRootCAs adds a local cert file to Our GlobalCARefreshingTransport
 func AddToRootCAs(localCertFile string) error {
-	rootCAs := x509.NewCertPool()
+	rootCAs, _ := x509.SystemCertPool()
+	if rootCAs == nil {
+		rootCAs = x509.NewCertPool()
+	}
 
 	var certFiles = []string{
-		"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
+		"/etc/ocp-injected-ca-bundle.crt",
 		localCertFile,
 	}