Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-1629

Allow override the name of the key in configmaps when injecting the ca-bundle

XMLWordPrintable

    • Icon: Feature Request Feature Request
    • Resolution: Done
    • Icon: Normal Normal
    • openshift-4.13
    • None
    • SDN
    • None
    • False
    • False
    • Undefined

      Proposed title of this feature request

      Allow override the name of the ca-bundle.crt key in configmaps when injecting the CA bundle using the Cluster Network Operator.

      What is the nature and description of the request?

      At this moment the Cluster Network Operator injects a key in any configmaps (properly labeled) with the bundle of trusted CAs, but it uses a fixed name for the key: ca-bundle.crt

       

      This RFE aims to allow any user to request an specific key (and not ca-bundle.crt) for the bundle, using an extra label in the configmaps, as an example:

       

      apiVersion: v1
kind: ConfigMap
metadata:
 name: custom-ca-bundle
 labels:
 config.openshift.io/inject-trusted-cabundle="true"
 config.openshift.io/inject-trusted-cabundle-key="certs.crt"
type: kubernetes.io/tls
data: {}

       

       

      In the previous example, the Cluster Network Operator would inject the bundle as usual but it will add the key my-trusted-ca-certs.crt and not ca-bundle.crt:

      apiVersion: v1
kind: ConfigMap
metadata:
 name: custom-ca-bundle
 labels:
 config.openshift.io/inject-trusted-cabundle="true"
 config.openshift.io/inject-trusted-cabundle-key="certs.crt"
type: kubernetes.io/tls
data:
  certs.crt: |
   ...... REST OF CERTS ......

       

      Why does the customer need this?

      Not every single piece of software out there is configured to read the same filename ca-bundle.crt when reading certificates. Some of them might need to read a file named ca.crt, certs.crt, or any other name that the developer considers.

      Even when one could mount the secret with a given name (using subPath), not everyone is capable of edit the deployments/deploymentconfigs when there's an operator controlling the resource and undoing the changes in the mounts.

       

      As an example, but not limited to it, Dynatrace Operator (one of our Certified Operators) expects a key named certs.crt. For this use case, which is only an example, this RFE would allow the users to create the configmap with the two labels and get the bundle in the right key automatically without managing in a manual way a separate configmap.

      List any affected packages or components

      Cluster Network Operator

              mcurry@redhat.com Marc Curry
              sgarciam@redhat.com Sergio Garcia Martinez
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: