move service-ca volumes to cm,secret

assets/apps/0000_60_service-ca_05_deploy.yaml

@@ -46,11 +46,11 @@ spec:
           name: signing-cabundle
       volumes:
       - name: signing-key
-        hostPath:
-          path: {{.KeyDir}}
+        secret:
+          secretName: {{.TLSSecret}}
       - name: signing-cabundle
-        hostPath:
-          path: {{.CADir}}
+        configMap:
+          name: {{.CAConfigMap}}
       # nodeSelector:
       #   node-role.kubernetes.io/master: ""
       priorityClassName: "system-cluster-critical"

assets/core/0000_60_service-ca_04_configmap.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: openshift-service-ca
+  name: signing-cabundle
+data:
+  ca-bundle.crt:

assets/core/0000_60_service-ca_04_secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  namespace: openshift-service-ca
+  name: signing-key
+type: kubernetes.io/tls
+data:
+  tls.crt:
+  tls.key:

pkg/assets/apps/bindata.go

@@ -227,11 +227,11 @@ spec:
           name: signing-cabundle
       volumes:
       - name: signing-key
-        hostPath:
-          path: {{.KeyDir}}
+        secret:
+          secretName: {{.TLSSecret}}
       - name: signing-cabundle
-        hostPath:
-          path: {{.CADir}}
+        configMap:
+          name: {{.CAConfigMap}}
       # nodeSelector:
       #   node-role.kubernetes.io/master: ""
       priorityClassName: "system-cluster-critical"

pkg/assets/core.go

@@ -68,6 +68,35 @@ func (ns *nsApplier) Applier() error {
 	return nil
 }
 
+type secretApplier struct {
+	Client *coreclientv1.CoreV1Client
+	secret *corev1.Secret
+}
+
+func (secret *secretApplier) Reader(objBytes []byte, render RenderFunc, params RenderParams) {
+	var err error
+	if render != nil {
+		objBytes, err = render(objBytes, params)
+		if err != nil {
+			panic(err)
+		}
+	}
+	obj, err := runtime.Decode(coreCodecs.UniversalDecoder(corev1.SchemeGroupVersion), objBytes)
+	if err != nil {
+		panic(err)
+	}
+	secret.secret = obj.(*corev1.Secret)
+}
+
+func (secret *secretApplier) Applier() error {
+	_, err := secret.Client.Secrets(secret.secret.Namespace).Get(context.TODO(), secret.secret.Name, metav1.GetOptions{})
+	if apierrors.IsNotFound(err) {
+		_, err := secret.Client.Secrets(secret.secret.Namespace).Create(context.TODO(), secret.secret, metav1.CreateOptions{})
+		return err
+	}
+	return nil
+}
+
 type svcApplier struct {
 	Client *coreclientv1.CoreV1Client
 	svc    *corev1.Service
@@ -198,3 +227,43 @@ func ApplyConfigMaps(cores []string, kubeconfigPath string) error {
 	cm.Client = coreClient(kubeconfigPath)
 	return applyCore(cores, cm, nil, nil)
 }
+
+func ApplyConfigMapWithData(cmPath string, data map[string]string, kubeconfigPath string) error {
+	ctx := context.TODO()
+	cm := &cmApplier{}
+	cm.Client = coreClient(kubeconfigPath)
+	if err := applyCore([]string{cmPath}, cm, nil, nil); err != nil {
+		return err
+	}
+	c, err := cm.Client.ConfigMaps(cm.cm.Namespace).Get(ctx, cm.cm.Name, metav1.GetOptions{})
+	if apierrors.IsNotFound(err) {
+		c, err = cm.Client.ConfigMaps(cm.cm.Namespace).Create(ctx, cm.cm, metav1.CreateOptions{})
+		return err
+	}
+	c.Data = data
+	_, err = cm.Client.ConfigMaps(c.Namespace).Update(ctx, c, metav1.UpdateOptions{})
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func ApplySecretWithData(secretPath string, data map[string][]byte, kubeconfigPath string) error {
+	ctx := context.TODO()
+	secret := &secretApplier{}
+	secret.Client = coreClient(kubeconfigPath)
+	if err := applyCore([]string{secretPath}, secret, nil, nil); err != nil {
+		return err
+	}
+	s, err := secret.Client.Secrets(secret.secret.Namespace).Get(ctx, secret.secret.Name, metav1.GetOptions{})
+	if apierrors.IsNotFound(err) {
+		s, err = secret.Client.Secrets(secret.secret.Namespace).Create(ctx, secret.secret, metav1.CreateOptions{})
+		return err
+	}
+	s.Data = data
+	_, err = secret.Client.Secrets(s.Namespace).Update(ctx, s, metav1.UpdateOptions{})
+	if err != nil {
+		return err
+	}
+	return nil
+}

pkg/assets/core/bindata.go

@@ -4,7 +4,9 @@
 // assets/core/0000_00_flannel-service-account.yaml
 // assets/core/0000_50_cluster-openshift-controller-manager_00_namespace.yaml
 // assets/core/0000_60_service-ca_01_namespace.yaml
+// assets/core/0000_60_service-ca_04_configmap.yaml
 // assets/core/0000_60_service-ca_04_sa.yaml
+// assets/core/0000_60_service-ca_04_secret.yaml
 // assets/core/0000_70_dns_00-namespace.yaml
 // assets/core/0000_70_dns_01-configmap.yaml
 // assets/core/0000_70_dns_01-dns-service-account.yaml
@@ -194,6 +196,30 @@ func assetsCore0000_60_serviceCa_01_namespaceYaml() (*asset, error) {
 	return a, nil
 }
 
+var _assetsCore0000_60_serviceCa_04_configmapYaml = []byte(`apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: openshift-service-ca
+  name: signing-cabundle
+data:
+  ca-bundle.crt:
+`)
+
+func assetsCore0000_60_serviceCa_04_configmapYamlBytes() ([]byte, error) {
+	return _assetsCore0000_60_serviceCa_04_configmapYaml, nil
+}
+
+func assetsCore0000_60_serviceCa_04_configmapYaml() (*asset, error) {
+	bytes, err := assetsCore0000_60_serviceCa_04_configmapYamlBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	info := bindataFileInfo{name: "assets/core/0000_60_service-ca_04_configmap.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
+	a := &asset{bytes: bytes, info: info}
+	return a, nil
+}
+
 var _assetsCore0000_60_serviceCa_04_saYaml = []byte(`apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -216,6 +242,32 @@ func assetsCore0000_60_serviceCa_04_saYaml() (*asset, error) {
 	return a, nil
 }
 
+var _assetsCore0000_60_serviceCa_04_secretYaml = []byte(`apiVersion: v1
+kind: Secret
+metadata:
+  namespace: openshift-service-ca
+  name: signing-key
+type: kubernetes.io/tls
+data:
+  tls.crt:
+  tls.key:
+`)
+
+func assetsCore0000_60_serviceCa_04_secretYamlBytes() ([]byte, error) {
+	return _assetsCore0000_60_serviceCa_04_secretYaml, nil
+}
+
+func assetsCore0000_60_serviceCa_04_secretYaml() (*asset, error) {
+	bytes, err := assetsCore0000_60_serviceCa_04_secretYamlBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	info := bindataFileInfo{name: "assets/core/0000_60_service-ca_04_secret.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
+	a := &asset{bytes: bytes, info: info}
+	return a, nil
+}
+
 var _assetsCore0000_70_dns_00NamespaceYaml = []byte(`kind: Namespace
 apiVersion: v1
 metadata:
@@ -642,7 +694,9 @@ var _bindata = map[string]func() (*asset, error){
 	"assets/core/0000_00_flannel-service-account.yaml":                           assetsCore0000_00_flannelServiceAccountYaml,
 	"assets/core/0000_50_cluster-openshift-controller-manager_00_namespace.yaml": assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml,
 	"assets/core/0000_60_service-ca_01_namespace.yaml":                           assetsCore0000_60_serviceCa_01_namespaceYaml,
+	"assets/core/0000_60_service-ca_04_configmap.yaml":                           assetsCore0000_60_serviceCa_04_configmapYaml,
 	"assets/core/0000_60_service-ca_04_sa.yaml":                                  assetsCore0000_60_serviceCa_04_saYaml,
+	"assets/core/0000_60_service-ca_04_secret.yaml":                              assetsCore0000_60_serviceCa_04_secretYaml,
 	"assets/core/0000_70_dns_00-namespace.yaml":                                  assetsCore0000_70_dns_00NamespaceYaml,
 	"assets/core/0000_70_dns_01-configmap.yaml":                                  assetsCore0000_70_dns_01ConfigmapYaml,
 	"assets/core/0000_70_dns_01-dns-service-account.yaml":                        assetsCore0000_70_dns_01DnsServiceAccountYaml,
@@ -704,7 +758,9 @@ var _bintree = &bintree{nil, map[string]*bintree{
 			"0000_00_flannel-service-account.yaml":                           {assetsCore0000_00_flannelServiceAccountYaml, map[string]*bintree{}},
 			"0000_50_cluster-openshift-controller-manager_00_namespace.yaml": {assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml, map[string]*bintree{}},
 			"0000_60_service-ca_01_namespace.yaml":                           {assetsCore0000_60_serviceCa_01_namespaceYaml, map[string]*bintree{}},
+			"0000_60_service-ca_04_configmap.yaml":                           {assetsCore0000_60_serviceCa_04_configmapYaml, map[string]*bintree{}},
 			"0000_60_service-ca_04_sa.yaml":                                  {assetsCore0000_60_serviceCa_04_saYaml, map[string]*bintree{}},
+			"0000_60_service-ca_04_secret.yaml":                              {assetsCore0000_60_serviceCa_04_secretYaml, map[string]*bintree{}},
 			"0000_70_dns_00-namespace.yaml":                                  {assetsCore0000_70_dns_00NamespaceYaml, map[string]*bintree{}},
 			"0000_70_dns_01-configmap.yaml":                                  {assetsCore0000_70_dns_01ConfigmapYaml, map[string]*bintree{}},
 			"0000_70_dns_01-dns-service-account.yaml":                        {assetsCore0000_70_dns_01DnsServiceAccountYaml, map[string]*bintree{}},

pkg/components/controllers.go

@@ -1,6 +1,8 @@
 package components
 
 import (
+	"os"
+
 	"github.com/openshift/microshift/pkg/assets"
 	"github.com/openshift/microshift/pkg/config"
 
@@ -31,7 +33,32 @@ func startServiceCAController(cfg *config.MicroshiftConfig, kubeconfigPath strin
 		sa = []string{
 			"assets/core/0000_60_service-ca_04_sa.yaml",
 		}
+		secret     = "assets/core/0000_60_service-ca_04_secret.yaml"
+		secretName = "signing-key"
+		cm         = "assets/core/0000_60_service-ca_04_configmap.yaml"
+		cmName     = "signing-cabundle"
 	)
+	caPath := cfg.DataDir + "/certs/ca-bundle/ca-bundle.crt"
+	tlsCrtPath := cfg.DataDir + "/resources/service-ca/secrets/service-ca/tls.crt"
+	tlsKeyPath := cfg.DataDir + "/resources/service-ca/secrets/service-ca/tls.key"
+	cmData := map[string]string{}
+	secretData := map[string][]byte{}
+	cabundle, err := os.ReadFile(caPath)
+	if err != nil {
+		return err
+	}
+	tlscrt, err := os.ReadFile(tlsCrtPath)
+	if err != nil {
+		return err
+	}
+	tlskey, err := os.ReadFile(tlsKeyPath)
+	if err != nil {
+		return err
+	}
+	cmData["ca-bundle.crt"] = string(cabundle)
+	secretData["tls.crt"] = tlscrt
+	secretData["tls.key"] = tlskey
+
 	if err := assets.ApplyNamespaces(ns, kubeconfigPath); err != nil {
 		logrus.Warningf("failed to apply ns %v: %v", ns, err)
 		return err
@@ -56,7 +83,15 @@ func startServiceCAController(cfg *config.MicroshiftConfig, kubeconfigPath strin
 		logrus.Warningf("failed to apply sa %v: %v", sa, err)
 		return err
 	}
-	if err := assets.ApplyDeployments(apps, renderSCController, assets.RenderParams{"DataDir": cfg.DataDir}, kubeconfigPath); err != nil {
+	if err := assets.ApplySecretWithData(secret, secretData, kubeconfigPath); err != nil {
+		logrus.Warningf("failed to apply secret %v: %v", secret, err)
+		return err
+	}
+	if err := assets.ApplyConfigMapWithData(cm, cmData, kubeconfigPath); err != nil {
+		logrus.Warningf("failed to apply sa %v: %v", cm, err)
+		return err
+	}
+	if err := assets.ApplyDeployments(apps, renderSCController, assets.RenderParams{"ConfigMap": cmName, "Secret": secretName}, kubeconfigPath); err != nil {
 		logrus.Warningf("failed to apply apps %v: %v", apps, err)
 		return err
 	}

pkg/components/render.go

@@ -10,12 +10,12 @@ import (
 
 func renderSCController(b []byte, p assets.RenderParams) ([]byte, error) {
 	data := struct {
-		ReleaseImage  assets.RenderParams
-		KeyDir, CADir string
+		ReleaseImage           assets.RenderParams
+		CAConfigMap, TLSSecret string
 	}{
 		ReleaseImage: release.Image,
-		KeyDir:       p["DataDir"] + "/resources/service-ca/secrets/service-ca",
-		CADir:        p["DataDir"] + "/certs/ca-bundle",
+		CAConfigMap:  p["ConfigMap"],
+		TLSSecret:    p["Secret"],
 	}
 	tpl := template.Must(template.New("sc").Parse(string(b)))
 	var byteBuff bytes.Buffer