UPSTREAM: <carry>: add openshift kustomize overlay

to enable TLS communication with catalogd. Configure the CA certs
using the configmap injection method via service-ca-operator

Signed-off-by: everettraven <[email protected]>

Author: everettraven

openshift/generate-manifests.sh

@@ -48,7 +48,7 @@ mkdir -p "$TMP_MANIFEST_DIR"
 
 # Run kustomize, which emits a single yaml file
 TMP_KUSTOMIZE_OUTPUT="${TMP_MANIFEST_DIR}/temp.yaml"
-$KUSTOMIZE build "${TMP_CONFIG}/base" -o "$TMP_KUSTOMIZE_OUTPUT"
+$KUSTOMIZE build "${REPO_ROOT}"/openshift/kustomize/overlays/openshift -o "$TMP_KUSTOMIZE_OUTPUT"
 
 for container_name in "${!IMAGE_MAPPINGS[@]}"; do
   placeholder="${IMAGE_MAPPINGS[$container_name]}"

openshift/kustomize/overlays/openshift/kustomization.yaml

@@ -0,0 +1,16 @@
+# Adds namespace to all resources.
+namespace: openshift-operator-controller
+
+namePrefix: operator-controller-
+
+resources:
+  - resources/ca_configmap.yaml
+  - ../../../../config/base/crd
+  - ../../../../config/base/rbac
+  - ../../../../config/base/manager
+
+patches:
+  - target:
+      kind: Deployment
+      name: controller-manager
+    path: patches/manager_deployment_ca.yaml

openshift/kustomize/overlays/openshift/patches/manager_deployment_ca.yaml

@@ -0,0 +1,9 @@
+- op: add
+  path: /spec/template/spec/volumes/-
+  value: {"name":"olmv1-certificate", "configMap":{"name":"operator-controller-openshift-ca", "optional": false, "items": [{"key": "service-ca.crt", "path": "olm-ca.crt"}]}}
+- op: add
+  path: /spec/template/spec/containers/0/volumeMounts/-
+  value: {"name":"olmv1-certificate", "readOnly": true, "mountPath":"/var/certs/olm-ca.crt", "subPath":"olm-ca.crt"}
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: "--ca-certs-dir=/var/certs"

openshift/kustomize/overlays/openshift/resources/ca_configmap.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: openshift-ca
+  annotations:
+    service.beta.openshift.io/inject-cabundle: "true"
+data: {}

openshift/manifests/16-configmap-openshift-operator-controller-operator-controller-openshift-ca.yml

@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+data: {}
+kind: ConfigMap
+metadata:
+  annotations:
+    service.beta.openshift.io/inject-cabundle: "true"
+  name: operator-controller-openshift-ca
+  namespace: openshift-operator-controller

openshift/manifests/16-service-openshift-operator-controller-operator-controller-controller-manager-metrics-service.yml renamed to openshift/manifests/17-service-openshift-operator-controller-operator-controller-controller-manager-metrics-service.yml

@@ -43,6 +43,7 @@ spec:
             - --health-probe-bind-address=:8081
             - --metrics-bind-address=127.0.0.1:8080
             - --leader-elect
+            - --ca-certs-dir=/var/certs
           command:
             - /manager
           image: ${OPERATOR_CONTROLLER_IMAGE}
@@ -73,6 +74,10 @@ spec:
           volumeMounts:
             - mountPath: /var/cache
               name: cache
+            - mountPath: /var/certs/olm-ca.crt
+              name: olmv1-certificate
+              readOnly: true
+              subPath: olm-ca.crt
         - args:
             - --secure-listen-address=0.0.0.0:8443
             - --http2-disable
@@ -103,4 +108,11 @@ spec:
       volumes:
         - emptyDir: {}
           name: cache
+        - configMap:
+            items:
+              - key: service-ca.crt
+                path: olm-ca.crt
+            name: operator-controller-openshift-ca
+            optional: false
+          name: olmv1-certificate
       priorityClassName: system-cluster-critical