Project: OpenShift API for Data Protection
Issue: OADP-6265

Implement OpenShift certificate injection for trusted CA bundle support


    • Type: Story
    • Resolution: Unresolved

        1. Problem
          The OADP operator currently lacks support for OpenShift's automatic certificate injection mechanism, which prevents OADP components from automatically trusting custom CA certificates configured at the cluster level.
        2. Background
          OpenShift provides a mechanism for operators to automatically receive trusted CA certificates through ConfigMap injection. This is documented in the [OpenShift certificate injection module](https://github.com/openshift/openshift-docs/blob/main/modules/certificate-injection-using-operators.adoc).

      When the cluster has custom CA certificates defined in the `user-ca-bundle` ConfigMap in the `openshift-config` namespace (typically from proxy configurations), operators can request automatic injection of these certificates by creating ConfigMaps with the label `config.openshift.io/inject-trusted-cabundle=true`.

        3. Current State
          Investigation of the OADP operator codebase shows:
      • No ConfigMaps are created with the `config.openshift.io/inject-trusted-cabundle=true` label
      • OADP components do not automatically receive the cluster's trusted CA bundle
      • This can cause issues in environments with custom PKI/proxy configurations where OADP needs to trust custom CAs
        4. Desired Implementation
          The OADP operator should:

      1. *Create trusted CA ConfigMaps*: Create ConfigMaps in the OADP namespace with the `config.openshift.io/inject-trusted-cabundle=true` label
      2. *Mount CA bundles*: Mount the injected CA bundle (`ca-bundle.crt` key) into OADP component pods at standard locations like `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`
      3. *Update deployments*: Ensure Velero, node-agent, and other OADP components have access to the trusted CA bundle
      4. *Environment variables*: Set appropriate environment variables (e.g., `SSL_CERT_FILE`, `CURL_CA_BUNDLE`) to point to the mounted CA bundle

        5. Example Implementation
          ```yaml
          apiVersion: v1
          kind: ConfigMap
          metadata:
            name: trusted-ca-bundle
            namespace: openshift-adp
            labels:
              config.openshift.io/inject-trusted-cabundle: "true"
          data: {} # Will be populated automatically by OpenShift
          ```

      Then mount this in pod specifications:
      ```yaml
      spec:
        containers:
          - name: velero
            volumeMounts:
              - name: trusted-ca
                mountPath: /etc/pki/ca-trust/extracted/pem
                readOnly: true
        volumes:
          - name: trusted-ca
            configMap:
              name: trusted-ca-bundle
              items:
                - key: ca-bundle.crt
                  path: tls-ca-bundle.pem
      ```
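
      As an added illustration of steps 1 to 4 of the desired implementation (example code written for this page, not OADP operator code), a stand-alone Python script that builds the labelled ConfigMap and patches a Deployment's pod template with the volume, mount and environment variables; the constant names and the minimal Velero Deployment are constructed for the example.

```python
import json

CA_BUNDLE_LABEL = "config.openshift.io/inject-trusted-cabundle"
CONFIGMAP_NAME = "trusted-ca-bundle"  # ConfigMap name used in the issue's example
MOUNT_DIR = "/etc/pki/ca-trust/extracted/pem"
BUNDLE_FILE = "tls-ca-bundle.pem"
BUNDLE_PATH = f"{MOUNT_DIR}/{BUNDLE_FILE}"

def trusted_ca_configmap(namespace="openshift-adp"):
    """ConfigMap whose label asks OpenShift to inject the cluster's trusted CA bundle."""
    return {"apiVersion": "v1", "kind": "ConfigMap",
            "metadata": {"name": CONFIGMAP_NAME, "namespace": namespace,
                         "labels": {CA_BUNDLE_LABEL: "true"}},
            "data": {}}  # populated by OpenShift once the label is seen

def inject_trusted_ca(deployment):
    """Return a copy of a Deployment dict with the injected bundle mounted in every
    container and SSL_CERT_FILE/CURL_CA_BUNDLE pointing at it. Idempotent: running it
    on an already patched Deployment adds nothing a second time."""
    dep = json.loads(json.dumps(deployment))  # deep copy; caller's object is untouched
    pod = dep["spec"]["template"]["spec"]
    volumes = pod.setdefault("volumes", [])
    if not any(v["name"] == "trusted-ca" for v in volumes):
        volumes.append({"name": "trusted-ca", "configMap": {
            "name": CONFIGMAP_NAME,
            "items": [{"key": "ca-bundle.crt", "path": BUNDLE_FILE}]}})
    for c in pod["containers"]:
        mounts = c.setdefault("volumeMounts", [])
        if not any(m["name"] == "trusted-ca" for m in mounts):
            mounts.append({"name": "trusted-ca", "mountPath": MOUNT_DIR, "readOnly": True})
        env = c.setdefault("env", [])
        present = {e["name"] for e in env}
        for var in ("SSL_CERT_FILE", "CURL_CA_BUNDLE"):
            if var not in present:
                env.append({"name": var, "value": BUNDLE_PATH})
    return dep

# Constructed sample: a minimal Velero Deployment, as the operator might render it
VELERO_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "velero", "namespace": "openshift-adp"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "velero", "image": "velero:example"}]}}},
}

if __name__ == "__main__":
    print(json.dumps(inject_trusted_ca(VELERO_DEPLOYMENT), indent=2))
```

      Because the volume is mounted over the whole `/etc/pki/ca-trust/extracted/pem` directory, the container sees only the injected bundle there, which is why the `ca-bundle.crt` key is exposed under the `tls-ca-bundle.pem` file name that system TLS tooling expects.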
        6. Benefits
      • Automatic support for custom enterprise CA certificates
      • Better compatibility with corporate proxy environments
      • Aligned with OpenShift best practices for certificate management
      • No additional user configuration required
        7. References

              wnstb Wes Hayutin
              tkaovila@redhat.com Tiger Kaovilai