Stop using service ca from service account token

marun · marun · commit 29f6acf2f276 · 2020-05-11T22:59:11.000-07:00
Inclusion of the service ca in token configmaps is discontinued in
4.5.
diff --git a/manifests/04-service-ca-configmap.yaml b/manifests/04-service-ca-configmap.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: openshift-insights
+  name: service-ca-bundle
+  annotations:
+    release.openshift.io/create-only: "true"
+    service.beta.openshift.io/inject-cabundle: "true"
diff --git a/manifests/06-deployment.yaml b/manifests/06-deployment.yaml
@@ -42,6 +42,10 @@ spec:
         configMap:
           name: trusted-ca-bundle
           optional: true
+      - name: service-ca-bundle
+        configMap:
+          name: service-ca-bundle
+          optional: true
       - name: serving-cert
         secret:
           secretName: openshift-insights-serving-cert
@@ -56,6 +60,9 @@ spec:
         - mountPath: /var/run/configmaps/trusted-ca-bundle
           name: trusted-ca-bundle
           readOnly: true
+        - mountPath: /var/run/configmaps/service-ca-bundle
+          name: service-ca-bundle
+          readOnly: true
         - mountPath: /var/run/secrets/serving-cert
           name: serving-cert
         ports:
diff --git a/pkg/cmd/start/start.go b/pkg/cmd/start/start.go
@@ -17,7 +17,7 @@ import (
 	"github.com/openshift/insights-operator/pkg/controller"
 )
 
-const serviceCACertPath = "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
+const serviceCACertPath = "/var/run/configmaps/service-ca-bundle/service-ca.crt"
 
 func NewOperator() *cobra.Command {
 	operator := &controller.Support{
@@ -55,6 +55,8 @@ func NewOperator() *cobra.Command {
 			// if the service CA is rotated, we want to restart
 			if data, err := ioutil.ReadFile(serviceCACertPath); err == nil {
 				startingFileContent[serviceCACertPath] = data
+			} else {
+				klog.V(4).Info("Unable to read service ca bundle: %v", err)
 			}
 			observedFiles = append(observedFiles, serviceCACertPath)
 
diff --git a/pkg/controller/operator.go b/pkg/controller/operator.go
@@ -84,7 +84,7 @@ func (s *Support) Run(ctx context.Context, controller *controllercmd.ControllerC
 	// TODO: the oauth-proxy and delegating authorizer do not support Impersonate-User,
 	//   so we do not impersonate gather
 	metricsGatherKubeConfig := rest.CopyConfig(controller.KubeConfig)
-	metricsGatherKubeConfig.CAFile = "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
+	metricsGatherKubeConfig.CAFile = "/var/run/configmaps/service-ca-bundle/service-ca.crt"
 	metricsGatherKubeConfig.NegotiatedSerializer = scheme.Codecs
 	metricsGatherKubeConfig.GroupVersion = &schema.GroupVersion{}
 	metricsGatherKubeConfig.APIPath = "/"

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ import (`
`17`	`17`	`"github.com/openshift/insights-operator/pkg/controller"`
`18`	`18`	`)`
`19`	`19`
`20`		`-const serviceCACertPath = "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"`
	`20`	`+const serviceCACertPath = "/var/run/configmaps/service-ca-bundle/service-ca.crt"`
`21`	`21`
`22`	`22`	`func NewOperator() *cobra.Command {`
`23`	`23`	`operator := &controller.Support{`
`@@ -55,6 +55,8 @@ func NewOperator() *cobra.Command {`
`55`	`55`	`// if the service CA is rotated, we want to restart`
`56`	`56`	`if data, err := ioutil.ReadFile(serviceCACertPath); err == nil {`
`57`	`57`	`startingFileContent[serviceCACertPath] = data`
	`58`	`+ } else {`
	`59`	`+ klog.V(4).Info("Unable to read service ca bundle: %v", err)`
`58`	`60`	`}`
`59`	`61`	`observedFiles = append(observedFiles, serviceCACertPath)`
`60`	`62`