From a22cada147e5f9e45cd8072e5bc8553ab1487673 Mon Sep 17 00:00:00 2001
From: Samuel Padgett
Date: Mon, 10 Dec 2018 18:24:20 -0500
Subject: [PATCH] Accept service-ca.crt file as parameter

The service-ca.crt file is injected using a config map in 4.0. Accept the path as a parameter on startup.
---
 cmd/bridge/main.go | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/cmd/bridge/main.go b/cmd/bridge/main.go
index 69407a677ca..ba80aaf4075 100644
--- a/cmd/bridge/main.go
+++ b/cmd/bridge/main.go
@@ -28,10 +28,6 @@ const (
 k8sInClusterCA = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
 k8sInClusterBearerToken = "/var/run/secrets/kubernetes.io/serviceaccount/token"

- // CA bundle for cluster-created certificates in OpenShift
- // https://docs.openshift.org/latest/dev_guide/secrets.html#service-serving-certificate-secrets
- openshiftInClusterServiceCA = "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
-
 // Well-known location of Prometheus service for OpenShift. This is only accessible in-cluster.
 openshiftPrometheusHost = "prometheus-k8s.openshift-monitoring.svc:9091"

@@ -50,6 +46,9 @@ func main() {
 fBasePath := fs.String("base-path", "/", "")
 fConfig := fs.String("config", "", "The YAML config file.")

+ // See https://github.com/openshift/service-serving-cert-signer
+ fServiceCAFile := fs.String("service-ca-file", "", "CA bundle for OpenShift services signed with the service signing certificates.")
+
 fTectonicClusterName := fs.String("tectonic-cluster-name", "tectonic", "The Tectonic cluster name.")
 fUserAuth := fs.String("user-auth", "disabled", "disabled | oidc | openshift")

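Review bot: The usage string for `service-ca-file` does not say what leaving the flag empty does. Judging by the later hunk in this file, an empty value skips the Prometheus and Alertmanager proxy setup with no message, whereas the removed code picked the bundle up automatically from the service-account directory, so an existing deployment that does not pass the flag would lose those proxies without any hint. I would spell that out in the help text, e.g. `"CA bundle for OpenShift services signed with the service signing certificates. If empty, the Prometheus and Alertmanager proxies are not configured."`. main's body starts and ends outside the hunk.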
@@ -257,8 +256,8 @@ func main() {
 k8sAuthServiceAccountBearerToken = string(bearerToken)

 // If running in an OpenShift cluster, set up a proxy to the prometheus-k8s serivce running in the openshift-monitoring namespace.
- if _, err := os.Stat(openshiftInClusterServiceCA); err == nil {
- serviceCertPEM, err := ioutil.ReadFile(openshiftInClusterServiceCA)
+ if *fServiceCAFile != "" {
+ serviceCertPEM, err := ioutil.ReadFile(*fServiceCAFile)
 if err != nil {
 log.Fatalf("failed to read service-ca.crt file: %v", err)
 }
@@ -277,9 +276,6 @@ func main() {
 HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
 Endpoint: &url.URL{Scheme: "https", Host: openshiftAlertManagerHost, Path: "/api"},
 }
- } else if !os.IsNotExist(err) {
- // Ignore errors when the file does not exist, which is the case if not running on OpenShift. Fail on other errors.
- log.Fatalf("failed to stat service-ca.crt file: %v", err)
 }

 case "off-cluster":
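Review bot: The `log.Fatalf` that follows `ioutil.ReadFile(*fServiceCAFile)` still reports a fixed "service-ca.crt file" and omits the path, which is now operator-supplied and is the first thing needed when startup fails; `log.Fatalf("failed to read service CA file %q: %v", *fServiceCAFile, err)` would name it. The file read here presumably becomes the trust anchor for the HTTPS proxies configured below, and the code that parses `serviceCertPEM` lies outside the hunk. If that code builds a certificate pool, it should also abort startup when no certificate could be parsed, so that a wrong or empty file passed via the flag is caught here rather than surfacing later as failed TLS verification. main continues outside the hunk.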