diff --git a/deploy/internal/configmap-ca-inject.yaml b/deploy/internal/configmap-ca-inject.yaml index ed89c8aa1..9063bff0c 100644 --- a/deploy/internal/configmap-ca-inject.yaml +++ b/deploy/internal/configmap-ca-inject.yaml @@ -3,5 +3,5 @@ kind: ConfigMap metadata: labels: config.openshift.io/inject-trusted-cabundle: "true" - name: noobaa-ca-inject + name: ocp-injected-ca-bundle data: {} diff --git a/deploy/operator.yaml b/deploy/operator.yaml index c97d0957a..27fb77554 100644 --- a/deploy/operator.yaml +++ b/deploy/operator.yaml @@ -30,12 +30,12 @@ spec: # SHOULD BE RETURNED ONCE COSI IS BACK # - name: socket # emptyDir: {} - - name: noobaa-ca-inject + - name: ocp-injected-ca-bundle configMap: - name: noobaa-ca-inject + name: ocp-injected-ca-bundle items: - key: ca-bundle.crt - path: tls-ca-bundle.pem + path: ca-bundle.crt optional: true containers: - name: noobaa-operator @@ -44,8 +44,8 @@ spec: - name: bound-sa-token mountPath: /var/run/secrets/openshift/serviceaccount readOnly: true - - name: noobaa-ca-inject - mountPath: /etc/pki/ca-trust/extracted/pem + - name: ocp-injected-ca-bundle + mountPath: /etc/ocp-injected-ca-bundle # SHOULD BE RETURNED ONCE COSI IS BACK # - name: socket # mountPath: /var/lib/cosi diff --git a/pkg/bundle/deploy.go b/pkg/bundle/deploy.go index 88eb6fd36..b3142eaa7 100644 --- a/pkg/bundle/deploy.go +++ b/pkg/bundle/deploy.go @@ -3740,14 +3740,14 @@ spec: skipServiceCheck: true ` -const Sha256_deploy_internal_configmap_ca_inject_yaml = "75f8ab503a683bcebd2ed6a2c9f8da0a4c174a62b4e6ca7e97ebc3da847ca866" +const Sha256_deploy_internal_configmap_ca_inject_yaml = "fac2305a04146c6b553398b1cb69b3ee2f32c5735359f5102590d43d33ccecba" const File_deploy_internal_configmap_ca_inject_yaml = `apiVersion: v1 kind: ConfigMap metadata: labels: config.openshift.io/inject-trusted-cabundle: "true" - name: noobaa-ca-inject + name: ocp-injected-ca-bundle data: {} ` 
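Review bot: In the second operator.yaml hunk the volume is mounted at `/etc/ocp-injected-ca-bundle` with the item projected as `ca-bundle.crt`, so the operator pod sees the bundle at /etc/ocp-injected-ca-bundle/ca-bundle.crt, while AddToRootCAs in pkg/util/util.go (last hunk of this diff) reads `/etc/ocp-injected-ca-bundle.crt`, a path these manifests never create. Unless a subPath is set somewhere outside the diff, the injected CAs are silently dropped by the operator, and the `optional: true` on the volume masks the missing file as well. Either mount with `mountPath: /etc/ocp-injected-ca-bundle.crt` plus `subPath: ca-bundle.crt`, or point the Go path at the file inside the directory mount. The core and endpoint mounts in phase2_creating.go and phase4_configuring.go use the `.crt` string as a directory mountPath, so there the file lands at /etc/ocp-injected-ca-bundle.crt/ca-bundle.crt; worth confirming that is what the core image expects.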
@@ -5871,7 +5871,7 @@ spec: sourceNamespace: default ` -const Sha256_deploy_operator_yaml = "1a2c110adc6763047d158e9021ea716e8d16ce734c0302c569b02e114189dff8" +const Sha256_deploy_operator_yaml = "f1d3f744af5e55b5476c085c10425f93837cf0bdf39d206f3857d3c5e9bc6c78" const File_deploy_operator_yaml = `apiVersion: apps/v1 kind: Deployment @@ -5905,12 +5905,12 @@ spec: # SHOULD BE RETURNED ONCE COSI IS BACK # - name: socket # emptyDir: {} - - name: noobaa-ca-inject + - name: ocp-injected-ca-bundle configMap: - name: noobaa-ca-inject + name: ocp-injected-ca-bundle items: - key: ca-bundle.crt - path: tls-ca-bundle.pem + path: ca-bundle.crt optional: true containers: - name: noobaa-operator @@ -5919,8 +5919,8 @@ spec: - name: bound-sa-token mountPath: /var/run/secrets/openshift/serviceaccount readOnly: true - - name: noobaa-ca-inject - mountPath: /etc/pki/ca-trust/extracted/pem + - name: ocp-injected-ca-bundle + mountPath: /etc/ocp-injected-ca-bundle # SHOULD BE RETURNED ONCE COSI IS BACK # - name: socket # mountPath: /var/lib/cosi diff --git a/pkg/olm/olm.go b/pkg/olm/olm.go index 7a7be6925..3de461227 100644 --- a/pkg/olm/olm.go +++ b/pkg/olm/olm.go @@ -208,6 +208,10 @@ func RunCatalog(cmd *cobra.Command, args []string) { util.Panic(os.WriteFile(dir+"noobaa-operator.package.yaml", pkgBytes, 0644)) } util.Panic(util.WriteYamlFile(csvFileName, GenerateCSV(opConf, csvParams))) + // The CA configmap is needed prior to the operator startup to prevent a certificate injection race condition + util.Panic(util.WriteYamlFile( + versionDir+"noobaa-operator.ca-bundle-configmap.yaml", + util.KubeObject(bundle.File_deploy_internal_configmap_ca_inject_yaml))) crd.ForEachCRD(func(c *crd.CRD) { if c.Spec.Group == nbv1.SchemeGroupVersion.Group || (csvParams.OBCMode == OBCOwned && c.Spec.Group == obAPI.Domain) { util.Panic(util.WriteYamlFile(versionDir+c.Name+".crd.yaml", c)) diff --git a/pkg/system/azure_utils.go b/pkg/system/azure_utils.go index ea3a48e5b..c62a721f2 100644 
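Review bot: This write makes the OLM bundle the only remaining creator of the inject-labelled ConfigMap, because the `ReconcileCAInject` call and function are removed from pkg/system/phase2_creating.go later in this diff; non-OLM installs that previously got the ConfigMap from the reconciler now depend on an install path not visible here, so confirm that the CLI install still applies deploy/internal/configmap-ca-inject.yaml. Since the volume is `optional: true`, a missing ConfigMap does not fail the deployment but silently leaves the operator trusting only its image trust store. A comment on this call recording that dependency would help, e.g. `// Ships in the bundle because the operator no longer reconciles this ConfigMap at runtime`. RunCatalog continues outside the hunk.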
--- a/pkg/system/azure_utils.go
+++ b/pkg/system/azure_utils.go
@@ -3,9 +3,7 @@ package system
 import (
 "fmt"
 "log"
- "net/http"
 "net/url"
- "time"
 "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage"
 "github.com/Azure/azure-storage-blob-go/azblob"
@@ -13,30 +11,12 @@ import (
 "github.com/Azure/go-autorest/autorest/adal"
 "github.com/Azure/go-autorest/autorest/azure"
 "github.com/Azure/go-autorest/autorest/to"
-
- "github.com/noobaa/noobaa-operator/v5/pkg/util"
 )
 func (r *Reconciler) getStorageAccountsClient() storage.AccountsClient {
 storageAccountsClient := storage.NewAccountsClient(r.AzureContainerCreds.StringData["azure_subscription_id"])
 auth, _ := r.GetResourceManagementAuthorizer()
 storageAccountsClient.Authorizer = auth
- // Inject the global refreshing CA pool into the one used by the Azure client
- var httpClient = &http.Client{
- Transport: util.GlobalCARefreshingTransport,
- Timeout: 10 * time.Second,
- }
- underlyingHTTPClient, ok := storageAccountsClient.Sender.(*http.Client)
- if !ok {
- log.Fatalf("failed to cast underlyingHTTPClient to *http.Client")
- }
- underlyingHTTPClient.Transport = httpClient.Transport
- underlyingTransport, ok := underlyingHTTPClient.Transport.(*http.Transport)
- if !ok {
- log.Fatalf("failed to cast underlyingTransport to *http.Transport")
- }
- underlyingTransport.TLSClientConfig.RootCAs = util.GlobalCARefreshingTransport.TLSClientConfig.RootCAs
-
 err := storageAccountsClient.AddToUserAgent("Go-http-client/1.1")
 if err != nil {
 log.Fatalf("got error on storageAccountsClient.AddToUserAgent %v", err)
diff --git a/pkg/system/phase2_creating.go b/pkg/system/phase2_creating.go
index c40a4f280..691cb1845 100644
--- a/pkg/system/phase2_creating.go
+++ b/pkg/system/phase2_creating.go
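Review bot: Removing the transport override leaves the Azure AccountsClient on the SDK's default sender, which presumably validates TLS against the container's system trust store only; with operator.yaml no longer mounting the injected bundle over /etc/pki/ca-trust/extracted/pem, the cluster-injected proxy/custom CAs that AddToRootCAs loads into GlobalCARefreshingTransport are no longer seen by this client, so connections through a TLS-intercepting proxy will fail verification unless something outside the diff installs them into the system store. The 10-second client timeout disappears with the same lines, leaving whatever default the SDK client carries. The same two effects apply to the two aws.Config hunks in pkg/system/phase4_configuring.go (@@ -866 and @@ -879), where the explicit HTTPClient is dropped. If the removal is intentional, a comment such as `// TLS trust for the Azure SDK comes from the image trust store; the operator's refreshing CA pool is not applied here` should say so. getStorageAccountsClient continues outside the hunk.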
@@ -49,9 +49,6 @@ func (r *Reconciler) ReconcilePhaseCreating() error {
 "noobaa operator started phase 2/4 - \"Creating\"",
 )
- if err := r.ReconcileCAInject(); err != nil {
- return err
- }
 if err := r.ReconcileObject(r.ServiceAccount, r.SetDesiredServiceAccount); err != nil {
 return err
 }
@@ -468,7 +465,7 @@ func (r *Reconciler) SetDesiredCoreApp() error {
 if util.KubeCheckQuiet(r.CaBundleConf) {
 configMapVolumeMounts := []corev1.VolumeMount{{
 Name: r.CaBundleConf.Name,
- MountPath: "/etc/pki/ca-trust/extracted/pem",
+ MountPath: "/etc/ocp-injected-ca-bundle.crt",
 ReadOnly: true,
 }}
 util.MergeVolumeMountList(&c.VolumeMounts, &configMapVolumeMounts)
@@ -509,7 +506,7 @@ func (r *Reconciler) SetDesiredCoreApp() error {
 if util.KubeCheckQuiet(r.CaBundleConf) {
 configMapVolumeMounts := []corev1.VolumeMount{{
 Name: r.CaBundleConf.Name,
- MountPath: "/etc/pki/ca-trust/extracted/pem",
+ MountPath: "/etc/ocp-injected-ca-bundle.crt",
 ReadOnly: true,
 }}
 util.MergeVolumeMountList(&c.VolumeMounts, &configMapVolumeMounts)
@@ -559,7 +556,7 @@ func (r *Reconciler) SetDesiredCoreApp() error {
 },
 Items: []corev1.KeyToPath{{
 Key: "ca-bundle.crt",
- Path: "tls-ca-bundle.pem",
+ Path: "ca-bundle.crt",
 }},
 },
 },
@@ -804,23 +801,6 @@ func (r *Reconciler) ReconcileIBMCredentials() error {
 return nil
 }
-// ReconcileCAInject checks if a namespace called openshift-config exist (OCP)
-// if so creates a cofig map for OCP to inject supported CAs to
-func (r *Reconciler) ReconcileCAInject() error {
- ocpConfigNamespace := &corev1.Namespace{
- TypeMeta: metav1.TypeMeta{Kind: "Namespace"},
- ObjectMeta: metav1.ObjectMeta{
- Name: "openshift-config",
- },
- }
- if util.KubeCheckQuiet(ocpConfigNamespace) {
- r.Logger.Infof("Found openshift-config ns - will reconcile CA inject configmap: %q", r.CaBundleConf.Name)
- if err := r.ReconcileObject(r.CaBundleConf, nil); err != nil {
- return err
- }
- }
- return nil
-}
 // SetDesiredAgentProfile updates the value of the AGENT_PROFILE env
 func (r *Reconciler) SetDesiredAgentProfile(profileString string) string {
diff --git a/pkg/system/phase4_configuring.go b/pkg/system/phase4_configuring.go
index c898ba592..a9c23b1d9 100644
--- a/pkg/system/phase4_configuring.go
+++ b/pkg/system/phase4_configuring.go
@@ -488,7 +488,7 @@ func (r *Reconciler) setDesiredEndpointMounts(podSpec *corev1.PodSpec, container
 },
 Items: []corev1.KeyToPath{{
 Key: "ca-bundle.crt",
- Path: "tls-ca-bundle.pem",
+ Path: "ca-bundle.crt",
 }},
 },
 },
@@ -496,7 +496,7 @@ func (r *Reconciler) setDesiredEndpointMounts(podSpec *corev1.PodSpec, container
 util.MergeVolumeList(&podSpec.Volumes, &configMapVolumes)
 configMapVolumeMounts := []corev1.VolumeMount{{
 Name: r.CaBundleConf.Name,
- MountPath: "/etc/pki/ca-trust/extracted/pem",
+ MountPath: "/etc/ocp-injected-ca-bundle.crt",
 ReadOnly: true,
 }}
 util.MergeVolumeMountList(&container.VolumeMounts, &configMapVolumeMounts)
@@ -866,10 +866,6 @@ func (r *Reconciler) prepareAWSBackingStore() error {
 *result.Credentials.SecretAccessKey,
 *result.Credentials.SessionToken,
 ),
- HTTPClient: &http.Client{
- Transport: util.GlobalCARefreshingTransport,
- Timeout: 10 * time.Second,
- },
 Region: ®ion,
 }
 } else { // handle AWS long-lived credentials (not STS)
@@ -879,10 +875,6 @@ func (r *Reconciler) prepareAWSBackingStore() error {
 cloudCredsSecret.StringData["aws_secret_access_key"],
 "",
 ),
- HTTPClient: &http.Client{
- Transport: util.GlobalCARefreshingTransport,
- Timeout: 10 * time.Second,
- },
 Region: ®ion,
 }
 }
diff --git a/pkg/util/util.go b/pkg/util/util.go
index df2998f8f..7b94e9660 100644
--- a/pkg/util/util.go
+++ b/pkg/util/util.go
@@ -132,10 +132,13 @@ var (
 // AddToRootCAs adds a local cert file to Our GlobalCARefreshingTransport
 func AddToRootCAs(localCertFile string) error {
- rootCAs := x509.NewCertPool()
+ rootCAs, _ := x509.SystemCertPool()
+ if rootCAs == nil {
+ rootCAs = x509.NewCertPool()
+ }
 var certFiles = []string{
- "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
+ "/etc/ocp-injected-ca-bundle.crt",
 localCertFile,
 }
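Review bot: `rootCAs, _ := x509.SystemCertPool()` changes the trust baseline from an empty pool plus the injected bundle to the image's full system store plus the injected bundle, which widens what the operator's outbound TLS accepts; that looks intentional now that the mount no longer overlays the system store, but the discarded error and the nil fallback deserve a comment such as `// Start from the image trust store; SystemCertPool yields nil only where no system store could be loaded` so the widening is not reverted as an apparent bug later. The blank identifier also hides a real load failure, which on Linux can come back as an error with a nil pool; logging it before falling back would keep the degraded state observable. AddToRootCAs continues outside the hunk, so how a missing `/etc/ocp-injected-ca-bundle.crt` is handled is not visible here.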