diff --git a/openshift/catalogd/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml b/openshift/catalogd/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml
index 2a8207da6..540e545a8 100644
--- a/openshift/catalogd/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml
+++ b/openshift/catalogd/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml
@@ -3,19 +3,13 @@
 value: {"name":"catalogserver-certs", "secret":{"optional":false,"secretName":"catalogserver-cert"}}
 - op: add
 path: /spec/template/spec/volumes/-
- value: {"name":"trusted-ca-bundle", "configMap":{"optional":false,"name":"trusted-ca-bundle", "items":[{"key":"ca-bundle.crt","path":"ca-bundle.crt"}]}}
-- op: add
- path: /spec/template/spec/volumes/-
- value: {"name":"service-ca", "configMap":{"optional":false,"name":"openshift-service-ca.crt", "items":[{"key":"service-ca.crt","path":"service-ca.crt"}]}}
+ value: {"name":"ca-certs", "projected": {"sources":[{"configMap":{"optional":false,"name":"trusted-ca-bundle", "items":[{"key":"ca-bundle.crt","path":"ca-bundle.crt"}]}},{"configMap":{"optional":false,"name":"openshift-service-ca.crt", "items":[{"key":"service-ca.crt","path":"service-ca.crt"}]}}]}}
 - op: add
 path: /spec/template/spec/containers/0/volumeMounts/-
 value: {"name":"catalogserver-certs", "mountPath":"/var/certs"}
 - op: add
 path: /spec/template/spec/containers/0/volumeMounts/-
- value: {"name":"trusted-ca-bundle", "mountPath":"/var/trusted-cas/ca-bundle.crt", "subPath":"ca-bundle.crt"}
-- op: add
- path: /spec/template/spec/containers/0/volumeMounts/-
- value: {"name":"service-ca", "mountPath":"/var/trusted-cas/service-ca.crt", "subPath":"service-ca.crt"}
+ value: {"name":"ca-certs", "mountPath":"/var/ca-certs", "readOnly": true}
 - op: add
 path: /spec/template/spec/containers/0/args/-
 value: "--tls-cert=/var/certs/tls.crt"
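Review bot: Nothing in the patch records why both CA ConfigMaps now share one directory, and the switch from `subPath` file mounts to a directory mount of the projected `ca-certs` volume changes update behaviour. A `subPath` mount never sees ConfigMap updates, whereas the projected directory is refreshed while the pod runs; whether the process re-reads `/var/ca-certs` after start is not visible here, so a rotated or removed CA may still need a restart to take effect. The item paths of the two sources (`ca-bundle.crt`, `service-ca.crt`) also have to stay distinct inside a projected volume. A comment above the op such as `# ca-certs: trusted CA bundle and service CA projected into one directory, read via SSL_CERT_DIR` would capture this; the same ops appear in the operator-controller patch, and the first op of the list starts above the hunk.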
@@ -23,5 +17,5 @@
 path: /spec/template/spec/containers/0/args/-
 value: "--tls-key=/var/certs/tls.key"
 - op: add
- path: /spec/template/spec/containers/0/args/-
- value: "--ca-certs-dir=/var/trusted-cas"
+ path: /spec/template/spec/containers/0/env
+ value: [{"name":"SSL_CERT_DIR", "value":"/var/ca-certs"}]
diff --git a/openshift/catalogd/manifests/14-deployment-openshift-catalogd-catalogd-controller-manager.yml b/openshift/catalogd/manifests/14-deployment-openshift-catalogd-catalogd-controller-manager.yml
index f2297bc3c..6d22a31a7 100644
--- a/openshift/catalogd/manifests/14-deployment-openshift-catalogd-catalogd-controller-manager.yml
+++ b/openshift/catalogd/manifests/14-deployment-openshift-catalogd-catalogd-controller-manager.yml
@@ -46,11 +46,13 @@ spec:
 - --external-address=catalogd-service.openshift-catalogd.svc
 - --tls-cert=/var/certs/tls.crt
 - --tls-key=/var/certs/tls.key
- - --ca-certs-dir=/var/trusted-cas
 - --v=${LOG_VERBOSITY}
 - --global-pull-secret=openshift-config/pull-secret
 command:
 - ./catalogd
+ env:
+ - name: SSL_CERT_DIR
+ value: /var/ca-certs
 image: ${CATALOGD_IMAGE}
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -81,12 +83,9 @@ spec:
 name: cache
 - mountPath: /var/certs
 name: catalogserver-certs
- - mountPath: /var/trusted-cas/ca-bundle.crt
- name: trusted-ca-bundle
- subPath: ca-bundle.crt
- - mountPath: /var/trusted-cas/service-ca.crt
- name: service-ca
- subPath: service-ca.crt
+ - mountPath: /var/ca-certs
+ name: ca-certs
+ readOnly: true
 - mountPath: /etc/containers
 name: etc-containers
 readOnly: true
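Review bot: In the catalogd `manager_deployment_certs.yaml` patch, the last op now uses `op: add` on `path: /spec/template/spec/containers/0/env` with a whole list as value, and a JSON Patch `add` on an existing object member replaces that member. Any `env` entries the base Deployment defines now or gains later would be dropped silently, whereas the removed op only appended to `args` via `/-`. The base is not visible in this diff, so this may be harmless today; a comment above the op such as `# replaces containers[0].env as a whole; assumes the base defines no env` would make the assumption explicit. The operator-controller patch carries the same op, and the list this op belongs to starts above the hunk.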
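Review bot: In the catalogd Deployment manifest, replacing `--ca-certs-dir=/var/trusted-cas` with the `SSL_CERT_DIR` variable can change which roots the process trusts, not only where they are read from. If the binary relies on Go's system certificate pool (not shown here), `SSL_CERT_DIR` overrides only the default certificate directories; the image's default bundle file is still loaded unless `SSL_CERT_FILE` is set as well, and the variable applies to every TLS client in the process that uses the system roots. It is worth confirming that this wider, process-wide trust set is intended, and recording it next to the variable where it is defined, e.g. `# SSL_CERT_DIR: adds /var/ca-certs to the system roots; the image's bundle file still applies`. The operator-controller manifest sets the same variable, and the container spec continues outside the hunk.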
@@ -121,20 +120,21 @@ spec:
 secret:
 optional: false
 secretName: catalogserver-cert
- - configMap:
- items:
- - key: ca-bundle.crt
- path: ca-bundle.crt
- name: catalogd-trusted-ca-bundle
- optional: false
- name: trusted-ca-bundle
- - configMap:
- items:
- - key: service-ca.crt
- path: service-ca.crt
- name: openshift-service-ca.crt
- optional: false
- name: service-ca
+ - name: ca-certs
+ projected:
+ sources:
+ - configMap:
+ items:
+ - key: ca-bundle.crt
+ path: ca-bundle.crt
+ name: catalogd-trusted-ca-bundle
+ optional: false
+ - configMap:
+ items:
+ - key: service-ca.crt
+ path: service-ca.crt
+ name: openshift-service-ca.crt
+ optional: false
 - hostPath:
 path: /etc/containers
 type: Directory
diff --git a/openshift/operator-controller/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml b/openshift/operator-controller/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml
index 4100ff569..874a496a6 100644
--- a/openshift/operator-controller/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml
+++ b/openshift/operator-controller/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_certs.yaml
@@ -3,19 +3,13 @@
 value: {"name":"operator-controller-certs", "secret":{"optional":false,"secretName":"operator-controller-cert"}}
 - op: add
 path: /spec/template/spec/volumes/-
- value: {"name":"trusted-ca-bundle", "configMap":{"optional":false,"name":"trusted-ca-bundle", "items":[{"key":"ca-bundle.crt","path":"ca-bundle.crt"}]}}
-- op: add
- path: /spec/template/spec/volumes/-
- value: {"name":"service-ca", "configMap":{"optional":false,"name":"openshift-service-ca.crt", "items":[{"key":"service-ca.crt","path":"service-ca.crt"}]}}
+ value: {"name":"ca-certs", "projected": {"sources":[{"configMap":{"optional":false,"name":"trusted-ca-bundle", "items":[{"key":"ca-bundle.crt","path":"ca-bundle.crt"}]}},{"configMap":{"optional":false,"name":"openshift-service-ca.crt", "items":[{"key":"service-ca.crt","path":"service-ca.crt"}]}}]}}
 - op: add
 path: /spec/template/spec/containers/0/volumeMounts/-
 value: {"name":"operator-controller-certs", "mountPath":"/var/certs"}
 - op: add
 path: /spec/template/spec/containers/0/volumeMounts/-
- value: {"name":"trusted-ca-bundle", "mountPath":"/var/trusted-cas/ca-bundle.crt", "subPath":"ca-bundle.crt" }
-- op: add
- path: /spec/template/spec/containers/0/volumeMounts/-
- value: {"name":"service-ca", "mountPath":"/var/trusted-cas/service-ca.crt", "subPath":"service-ca.crt" }
+ value: {"name":"ca-certs", "mountPath":"/var/ca-certs", "readOnly": true}
 - op: add
 path: /spec/template/spec/containers/0/args/-
 value: "--tls-cert=/var/certs/tls.crt"
@@ -23,5 +17,5 @@
 path: /spec/template/spec/containers/0/args/-
 value: "--tls-key=/var/certs/tls.key"
 - op: add
- path: /spec/template/spec/containers/0/args/-
- value: "--ca-certs-dir=/var/trusted-cas"
+ path: /spec/template/spec/containers/0/env
+ value: [{"name":"SSL_CERT_DIR", "value":"/var/ca-certs"}]
diff --git a/openshift/operator-controller/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml b/openshift/operator-controller/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml
index 3cb5f9ad0..1f407b2f9 100644
--- a/openshift/operator-controller/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml
+++ b/openshift/operator-controller/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml
@@ -45,11 +45,13 @@ spec:
 - --leader-elect
 - --tls-cert=/var/certs/tls.crt
 - --tls-key=/var/certs/tls.key
- - --ca-certs-dir=/var/trusted-cas
 - --v=${LOG_VERBOSITY}
 - --global-pull-secret=openshift-config/pull-secret
 command:
 - /operator-controller
+ env:
+ - name: SSL_CERT_DIR
+ value: /var/ca-certs
 image: ${OPERATOR_CONTROLLER_IMAGE}
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -80,12 +82,9 @@ spec:
 name: cache
 - mountPath: /var/certs
 name: operator-controller-certs
- - mountPath: /var/trusted-cas/ca-bundle.crt
- name: trusted-ca-bundle
- subPath: ca-bundle.crt
- - mountPath: /var/trusted-cas/service-ca.crt
- name: service-ca
- subPath: service-ca.crt
+ - mountPath: /var/ca-certs
+ name: ca-certs
+ readOnly: true
 - mountPath: /etc/containers
 name: etc-containers
 readOnly: true
@@ -120,20 +119,21 @@ spec:
 secret:
 optional: false
 secretName: operator-controller-cert
- - configMap:
- items:
- - key: ca-bundle.crt
- path: ca-bundle.crt
- name: operator-controller-trusted-ca-bundle
- optional: false
- name: trusted-ca-bundle
- - configMap:
- items:
- - key: service-ca.crt
- path: service-ca.crt
- name: openshift-service-ca.crt
- optional: false
- name: service-ca
+ - name: ca-certs
+ projected:
+ sources:
+ - configMap:
+ items:
+ - key: ca-bundle.crt
+ path: ca-bundle.crt
+ name: operator-controller-trusted-ca-bundle
+ optional: false
+ - configMap:
+ items:
+ - key: service-ca.crt
+ path: service-ca.crt
+ name: openshift-service-ca.crt
+ optional: false
 - hostPath:
 path: /etc/containers
 type: Directory