- Revert Azure cert bundle injection

- Change the OCP injected CA bundle configmap name - Change the CA bundle mountPath to not override system certs - Change `AddToRootCAs` to append to the system pool instead of a new one Signed-off-by: Ben <[email protected]>
noobaa · Apr 2, 2024 · f4747ee · f4747ee
1 parent 52b75d2
commit f4747ee
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 38 deletions.
diff --git a/deploy/internal/configmap-ca-inject.yaml b/deploy/internal/configmap-ca-inject.yaml
@@ -3,5 +3,5 @@ kind: ConfigMap
 metadata:
   labels:
     config.openshift.io/inject-trusted-cabundle: "true"
-  name: noobaa-ca-inject
+  name: ocp-injected-ca-bundle
 data: {}
diff --git a/deploy/operator.yaml b/deploy/operator.yaml
@@ -30,9 +30,9 @@ spec:
       # SHOULD BE RETURNED ONCE COSI IS BACK
       # - name: socket
       #   emptyDir: {}
-      - name: noobaa-ca-inject
+      - name: ocp-injected-ca-bundle
         configMap:
-          name: noobaa-ca-inject
+          name: ocp-injected-ca-bundle
           items:
           - key: ca-bundle.crt
             path: tls-ca-bundle.pem
@@ -44,7 +44,7 @@ spec:
           - name: bound-sa-token
             mountPath: /var/run/secrets/openshift/serviceaccount
             readOnly: true
-          - name: noobaa-ca-inject
+          - name: ocp-injected-ca-bundle
             mountPath: /etc/pki/ca-trust/extracted/pem
           # SHOULD BE RETURNED ONCE COSI IS BACK
           # - name: socket

diff --git a/pkg/bundle/deploy.go b/pkg/bundle/deploy.go
@@ -3747,7 +3747,7 @@ kind: ConfigMap
 metadata:
   labels:
     config.openshift.io/inject-trusted-cabundle: "true"
-  name: noobaa-ca-inject
+  name: ocp-injected-ca-bundle
 data: {}
 `
 
@@ -6039,21 +6039,23 @@ spec:
       # SHOULD BE RETURNED ONCE COSI IS BACK
       # - name: socket
       #   emptyDir: {}
-      - name: noobaa-ca-inject
+      - name: ocp-injected-ca-bundle
         configMap:
-          name: noobaa-ca-inject
+          name: ocp-injected-ca-bundle
           items:
           - key: ca-bundle.crt
             path: tls-ca-bundle.pem
+            optional: true
       containers:
         - name: noobaa-operator
           image: NOOBAA_OPERATOR_IMAGE
           volumeMounts:
           - name: bound-sa-token
             mountPath: /var/run/secrets/openshift/serviceaccount
             readOnly: true
-          - name: noobaa-ca-inject
-            mountPath: /etc/pki/ca-trust/extracted/pem
+          - name: ocp-injected-ca-bundle
+            mountPath: /etc/ocp-injected-ca-bundle.crt
+            subPath: ocp-injected-ca-bundle.crt
           # SHOULD BE RETURNED ONCE COSI IS BACK
           # - name: socket
           #   mountPath: /var/lib/cosi

diff --git a/pkg/system/azure_utils.go b/pkg/system/azure_utils.go
@@ -3,39 +3,20 @@ package system
 import (
 	"fmt"
 	"log"
-	"net/http"
 	"net/url"
-	"time"
 
 	"github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage"
 	"github.com/Azure/azure-storage-blob-go/azblob"
 	"github.com/Azure/go-autorest/autorest"
 	"github.com/Azure/go-autorest/autorest/adal"
 	"github.com/Azure/go-autorest/autorest/azure"
 	"github.com/Azure/go-autorest/autorest/to"
-
-	"github.com/noobaa/noobaa-operator/v5/pkg/util"
 )
 
 func (r *Reconciler) getStorageAccountsClient() storage.AccountsClient {
 	storageAccountsClient := storage.NewAccountsClient(r.AzureContainerCreds.StringData["azure_subscription_id"])
 	auth, _ := r.GetResourceManagementAuthorizer()
 	storageAccountsClient.Authorizer = auth
-	// Inject the global refreshing CA pool into the one used by the Azure client
-	var httpClient = &http.Client{
-		Transport: util.GlobalCARefreshingTransport,
-		Timeout:   10 * time.Second,
-	}
-	underlyingHTTPClient, ok := storageAccountsClient.Sender.(*http.Client)
-	if !ok {
-		log.Fatalf("failed to cast underlyingHTTPClient to *http.Client")
-	}
-	underlyingHTTPClient.Transport = httpClient.Transport
-	underlyingTransport, ok := underlyingHTTPClient.Transport.(*http.Transport)
-	if !ok {
-		log.Fatalf("failed to cast underlyingTransport to *http.Transport")
-	}
-	underlyingTransport.TLSClientConfig.RootCAs = util.GlobalCARefreshingTransport.TLSClientConfig.RootCAs
 
 	err := storageAccountsClient.AddToUserAgent("Go-http-client/1.1")
 	if err != nil {

diff --git a/pkg/system/phase4_configuring.go b/pkg/system/phase4_configuring.go
@@ -866,10 +866,6 @@ func (r *Reconciler) prepareAWSBackingStore() error {
 				*result.Credentials.SecretAccessKey,
 				*result.Credentials.SessionToken,
 			),
-			HTTPClient: &http.Client{
-				Transport: util.GlobalCARefreshingTransport,
-				Timeout:   10 * time.Second,
-			},
 			Region: &region,
 		}
 	} else { // handle AWS long-lived credentials (not STS)
@@ -879,10 +875,6 @@ func (r *Reconciler) prepareAWSBackingStore() error {
 				cloudCredsSecret.StringData["aws_secret_access_key"],
 				"",
 			),
-			HTTPClient: &http.Client{
-				Transport: util.GlobalCARefreshingTransport,
-				Timeout:   10 * time.Second,
-			},
 			Region: &region,
 		}
 	}

diff --git a/pkg/util/util.go b/pkg/util/util.go
@@ -132,10 +132,13 @@ var (
 
 // AddToRootCAs adds a local cert file to Our GlobalCARefreshingTransport
 func AddToRootCAs(localCertFile string) error {
-	rootCAs := x509.NewCertPool()
+	rootCAs, _ := x509.SystemCertPool()
+	if rootCAs == nil {
+		rootCAs = x509.NewCertPool()
+	}
 
 	var certFiles = []string{
-		"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
+		"/etc/ocp-injected-ca-bundle.crt",
 		localCertFile,
 	}