Details
-
Story
-
Resolution: Unresolved
-
Undefined
-
None
-
None
-
1
-
False
-
None
-
False
-
OCPSTRAT-193 - Automatically restart storage operators pods when the CA certificates are updated
Description
The pod `openstack-cinder-csi-driver-controller` mounts the secret:
$ oc get po/openstack-cinder-csi-driver-controller-689b897df8-cx5hl -oyaml|yq .spec.volumes
- emptyDir: {}
name: socket-dir
- name: secret-cinderplugin
secret:
defaultMode: 420
items:
- key: clouds.yaml
path: clouds.yaml
secretName: openstack-cloud-credentials
- configMap:
defaultMode: 420
items:
- key: cloud.conf
path: cloud.conf
name: cloud-conf
name: config-cinderplugin
- configMap:
defaultMode: 420
items:
- key: ca-bundle.pem
path: ca-bundle.pem
name: cloud-provider-config
optional: true
name: cacert
- name: metrics-serving-cert
secret:
defaultMode: 420
secretName: openstack-cinder-csi-driver-controller-metrics-serving-cert
- configMap:
defaultMode: 420
items:
- key: ca-bundle.crt
path: tls-ca-bundle.pem
name: openstack-cinder-csi-driver-trusted-ca-bundle
name: non-standard-root-system-trust-ca-bundle
- name: kube-api-access-hz62v
projected:
defaultMode: 420
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- configMap:
items:
- key: service-ca.crt
path: service-ca.crt
name: openshift-service-ca.crt
Hence, if the secret is updated (e.g. as a result of CA cert update), the Pod must be restarted