Description of problem:
For various reasons, operator-controller and catalogd need to refer to multiple CAs. Due to limitations within the containers/images API, only one directory can be specified for the locations of the CA. In order to mount all the CAs into a single location, subPath is used when mounting.

However, there is a limitation on subPath: it doesn't update when the source item (a ConfigMap in this case) updates. See: https://github.com/kubernetes/kubernetes/issues/50345

This is a problem for CA rotation. However, it appears that the service-ca provided by OpenShift has a validity period of 26 months, during which it is expected that the user will have upgraded, and the CA will have been rotated: https://docs.openshift.com/container-platform/4.17/security/certificate_types_descriptions/service-ca-certificates.html
Version-Release number of selected component (if applicable):
How reproducible:
It's the current state of the manifests.
Steps to Reproduce:
1. 2. 3.
Actual results:
Expected results:
Additional info:
- is related to: OCPBUGS-48830 OLMv1: Proxy CA mount does not wait until ca-bundle.crt is ready (Verified)
- relates to: OCPBUGS-48795 OLMv1 cannot get the custom CA automatically: x509 error (ASSIGNED)
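
The subPath limitation described in this report can be checked for mechanically. The following Python is an added example, not part of the original report or of the OLM manifests: it walks a workload manifest and lists every container mount that uses subPath on a ConfigMap- or Secret-backed volume, since those mounts keep serving the old CA file after the source object changes. The Deployment, its names and its paths are constructed for illustration.

```python
# Added example: find mounts that will not follow ConfigMap/Secret updates.
# SAMPLE_DEPLOYMENT is constructed; every name and path in it is hypothetical.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "example-controller"},
    "spec": {"template": {"spec": {
        "volumes": [
            {"name": "service-ca", "configMap": {"name": "example-service-ca"}},
            {"name": "trusted-ca", "configMap": {"name": "example-trusted-ca"}},
            {"name": "tls", "secret": {"secretName": "example-tls"}},
            {"name": "cache", "emptyDir": {}},
        ],
        "containers": [{"name": "manager", "volumeMounts": [
            {"name": "service-ca", "subPath": "service-ca.crt",
             "mountPath": "/etc/example/ca/service-ca.crt"},
            {"name": "trusted-ca", "subPath": "ca-bundle.crt",
             "mountPath": "/etc/example/ca/ca-bundle.crt"},
            {"name": "tls", "mountPath": "/etc/example/tls"},       # whole volume: updates
            {"name": "cache", "subPath": "img", "mountPath": "/var/cache"},  # not API data
        ]}],
    }}},
}

def backing_objects(volume):
    """ConfigMaps/Secrets a volume is built from, including projected sources."""
    found = []
    if "configMap" in volume:
        found.append("ConfigMap/" + volume["configMap"]["name"])
    if "secret" in volume:
        sec = volume["secret"]  # 'secretName' on a volume, 'name' in a projection
        found.append("Secret/" + (sec.get("secretName") or sec.get("name")))
    for src in volume.get("projected", {}).get("sources", []):
        found.extend(backing_objects(src))
    return found

def stale_subpath_mounts(workload):
    """Return (container, mountPath, source) for each subPath mount of API data."""
    pod = workload["spec"]["template"]["spec"]
    backing = {v["name"]: backing_objects(v) for v in pod.get("volumes", [])}
    findings = []
    for ctr in pod.get("containers", []):
        for m in ctr.get("volumeMounts", []):
            if m.get("subPath") or m.get("subPathExpr"):
                for src in backing.get(m["name"], []):
                    findings.append((ctr["name"], m["mountPath"], src))
    return findings

if __name__ == "__main__":
    for container, path, source in stale_subpath_mounts(SAMPLE_DEPLOYMENT):
        print(f"{container}: {path} <- {source} (subPath: no live updates)")
```

Each finding is a file that stays at its old contents until the pod is restarted, so CA rotation for those sources needs a rollout to take effect.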