Uploaded image for project: 'Operator Runtime'
  1. Operator Runtime
  2. OPRUN-2661

Remove rukpak's cert-manager dependency

XMLWordPrintable

    • Icon: Story Story
    • Resolution: Done
    • Icon: Blocker Blocker
    • None
    • None
    • None
    • [OLM-223] Platform Operators, [OLM-224] PO - Pikachu

      Goal: Ensure rukpak can work in downstream environments by removing the upstream's cert-manager dependency in favor of OCP's service-ca-operator component. The upstream rukpak repository uses cert-manager for creating and managing certificates for its webhooks, which isn't installed by default downstream.

      The service-ca-operator has support for generating service serving certificates for downstream OCP components that services that require a self-signed CA.

      See the 4.10 service-ca-operator documentation for more information.

      Open Question:

      • Add a test that specifies different provisioner IDs for a BundleDeployment resource (registry+v1 source, plain+v0 bundle apply)
      • One workaround is to disable client auth for kube-rbac-proxy

      Notes:

      • The ValidatingWebhookConfiguration manifests will likely need to specify the inject-cabundle annotation key, and set the value to "true".
      • Create a ConfigMap for the validating webhook certs and specify the inject-cabundle annotation key.
      • The webhook service manifests will likely need to specify the serving-cert-secret-name annotation key, and set the value to the ConfigMap that specifies the inject-cabundle annotation key.
      • Update any webhook deployments to mount the same secret name specified in the webhook services' serving-cert-secret-name annotation key.

      AC:

      • Remove the cert-manager resources from rukpak's set of manifests
      • Specify the requisite service.beta.openshift.io/* annotation keys for rukpak resources to ensure service serving certificates are properly injected

          There are no Sub-Tasks for this issue.

              tyslaton@redhat.com Tyler Slaton (Inactive)
              tflannag@redhat.com Tim Flannagan (Inactive)
              Kui Wang Kui Wang
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: