feat(operator): Mount CA into Upgrade Artifacts Job Container (#2200)

use new hostcabundle functionality for upgrade arifacts job

Author: diamonwiggins

operator/charts/embedded-cluster-operator/values.yaml

@@ -71,7 +71,3 @@ serviceAccount:
   labels: {}
 
 terminationGracePeriodSeconds: 10
-
-privateCAs:
-  enabled: true
-  configmapName: "private-cas"

operator/charts/embedded-cluster-operator/values.yaml.tmpl

@@ -73,7 +73,3 @@ serviceAccount:
   labels: {}
 
 terminationGracePeriodSeconds: 10
-
-privateCAs:
-  enabled: true
-  configmapName: "private-cas"

operator/pkg/artifacts/upgrade.go

@@ -64,39 +64,17 @@ var copyArtifactsJob = &batchv1.Job{
 							},
 						},
 					},
-					{
-						Name: "private-cas",
-						VolumeSource: corev1.VolumeSource{
-							ConfigMap: &corev1.ConfigMapVolumeSource{
-								LocalObjectReference: corev1.LocalObjectReference{
-									Name: "private-cas",
-								},
-								Optional: ptr.To[bool](true),
-							},
-						},
-					},
 				},
 				RestartPolicy: corev1.RestartPolicyNever,
 				Containers: []corev1.Container{
 					{
 						Name: "embedded-cluster-updater",
-						Env: []corev1.EnvVar{
-							{
-								Name:  "SSL_CERT_DIR",
-								Value: "/certs",
-							},
-						},
 						VolumeMounts: []corev1.VolumeMount{
 							{
 								Name:      "host",
 								MountPath: "/embedded-cluster",
 								ReadOnly:  false,
 							},
-							{
-								Name:      "private-cas",
-								MountPath: "/certs",
-								ReadOnly:  true,
-							},
 						},
 					},
 				},
@@ -259,7 +237,7 @@ func ensureArtifactsJobForNode(
 	localArtifactMirrorImage, appSlug, channelID, appVersion string,
 	cfghash string,
 ) (*batchv1.Job, error) {
-	job, err := getArtifactJobForNode(cli, in, node, localArtifactMirrorImage, appSlug, channelID, appVersion)
+	job, err := getArtifactJobForNode(ctx, cli, in, node, localArtifactMirrorImage, appSlug, channelID, appVersion)
 	if err != nil {
 		return nil, fmt.Errorf("get job for node: %w", err)
 	}
@@ -284,7 +262,7 @@ func ensureArtifactsJobForNode(
 }
 
 func getArtifactJobForNode(
-	cli client.Client, in *clusterv1beta1.Installation,
+	ctx context.Context, cli client.Client, in *clusterv1beta1.Installation,
 	node corev1.Node,
 	localArtifactMirrorImage, appSlug, channelID, appVersion string,
 ) (*batchv1.Job, error) {
@@ -335,6 +313,48 @@ func getArtifactJobForNode(
 		)
 	}
 
+	// Add the host CA bundle volume, mount, and env var if it's available in the installation
+	log := ctrl.LoggerFrom(ctx)
+	hostCABundlePath := ""
+	if in.Spec.RuntimeConfig != nil {
+		hostCABundlePath = in.Spec.RuntimeConfig.HostCABundlePath
+	}
+
+	if hostCABundlePath != "" {
+		log.Info("Using host CA bundle from installation", "path", hostCABundlePath)
+
+		// Add the CA bundle volume
+		job.Spec.Template.Spec.Volumes = append(job.Spec.Template.Spec.Volumes, corev1.Volume{
+			Name: "host-ca-bundle",
+			VolumeSource: corev1.VolumeSource{
+				HostPath: &corev1.HostPathVolumeSource{
+					Path: hostCABundlePath,
+					Type: ptr.To(corev1.HostPathFileOrCreate),
+				},
+			},
+		})
+
+		// Add the CA bundle mount
+		job.Spec.Template.Spec.Containers[0].VolumeMounts = append(
+			job.Spec.Template.Spec.Containers[0].VolumeMounts,
+			corev1.VolumeMount{
+				Name:      "host-ca-bundle",
+				MountPath: "/certs/ca-certificates.crt",
+			},
+		)
+
+		// Add the SSL_CERT_DIR environment variable
+		job.Spec.Template.Spec.Containers[0].Env = append(
+			job.Spec.Template.Spec.Containers[0].Env,
+			corev1.EnvVar{
+				Name:  "SSL_CERT_DIR",
+				Value: "/certs",
+			},
+		)
+	} else {
+		log.Info("No host CA bundle path found in installation, no CA bundle will be used")
+	}
+
 	if !in.Spec.AirGap && in.Spec.Config != nil && in.Spec.Config.Domains.ProxyRegistryDomain != "" {
 		localArtifactMirrorImage = strings.Replace(
 			localArtifactMirrorImage,

operator/pkg/artifacts/upgrade_test.go

@@ -15,7 +15,9 @@ import (
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"sigs.k8s.io/controller-runtime/pkg/envtest"
 )
 
@@ -435,3 +437,180 @@ func TestListArtifactsJobForNodes(t *testing.T) {
 		})
 	}
 }
+
+func TestGetArtifactJobForNode_HostCABundle(t *testing.T) {
+	// Test with HostCABundlePath set
+	t.Run("with HostCABundlePath set", func(t *testing.T) {
+		log := testr.NewWithOptions(t, testr.Options{Verbosity: 10})
+		ctx := logr.NewContext(context.Background(), log)
+
+		scheme := runtime.NewScheme()
+		require.NoError(t, clusterv1beta1.AddToScheme(scheme))
+		require.NoError(t, batchv1.AddToScheme(scheme))
+		require.NoError(t, corev1.AddToScheme(scheme))
+
+		// CA path used for testing
+		testCAPath := "/etc/ssl/certs/ca-certificates.crt"
+
+		// Create a minimal installation CR with RuntimeConfig.HostCABundlePath set
+		installation := &clusterv1beta1.Installation{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "test-installation",
+			},
+			Spec: clusterv1beta1.InstallationSpec{
+				AirGap: true,
+				Artifacts: &clusterv1beta1.ArtifactsLocation{
+					Images:                  "images",
+					HelmCharts:              "helm-charts",
+					EmbeddedClusterBinary:   "embedded-cluster-binary",
+					EmbeddedClusterMetadata: "embedded-cluster-metadata",
+				},
+				RuntimeConfig: &clusterv1beta1.RuntimeConfigSpec{
+					HostCABundlePath: testCAPath,
+				},
+			},
+		}
+
+		// Create a fake client
+		cli := fake.NewClientBuilder().
+			WithScheme(scheme).
+			WithObjects(installation).
+			Build()
+
+		// Create a test node
+		node := corev1.Node{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "test-node",
+			},
+		}
+
+		// Call the function under test
+		job, err := getArtifactJobForNode(
+			ctx, cli, installation, node,
+			"local-artifact-mirror:latest",
+			"app-slug",
+			"channel-id",
+			"1.0.0",
+		)
+		require.NoError(t, err)
+
+		// Verify that the host CA bundle volume exists
+		var hostCABundleVolumeFound bool
+		for _, volume := range job.Spec.Template.Spec.Volumes {
+			if volume.Name == "host-ca-bundle" {
+				hostCABundleVolumeFound = true
+				// Verify the volume properties
+				require.NotNil(t, volume.HostPath, "Host CA bundle volume should be a hostPath volume")
+				assert.Equal(t, testCAPath, volume.HostPath.Path, "Host CA bundle path should match RuntimeConfig.HostCABundlePath")
+				assert.Equal(t, corev1.HostPathFileOrCreate, *volume.HostPath.Type, "Host CA bundle type should be FileOrCreate")
+				break
+			}
+		}
+		assert.True(t, hostCABundleVolumeFound, "Host CA bundle volume should exist")
+
+		// Verify that the volume mount exists
+		var hostCABundleMountFound bool
+		for _, mount := range job.Spec.Template.Spec.Containers[0].VolumeMounts {
+			if mount.Name == "host-ca-bundle" {
+				hostCABundleMountFound = true
+				// Verify the mount properties
+				assert.Equal(t, "/certs/ca-certificates.crt", mount.MountPath, "Host CA bundle mount path should be correct")
+				break
+			}
+		}
+		assert.True(t, hostCABundleMountFound, "Host CA bundle mount should exist")
+
+		// Verify that the SSL_CERT_DIR environment variable exists
+		var sslCertDirEnvFound bool
+		for _, env := range job.Spec.Template.Spec.Containers[0].Env {
+			if env.Name == "SSL_CERT_DIR" {
+				sslCertDirEnvFound = true
+				// Verify the env var value
+				assert.Equal(t, "/certs", env.Value, "SSL_CERT_DIR value should be correct")
+				break
+			}
+		}
+		assert.True(t, sslCertDirEnvFound, "SSL_CERT_DIR environment variable should exist")
+	})
+
+	// Test without HostCABundlePath set
+	t.Run("without HostCABundlePath set", func(t *testing.T) {
+		log := testr.NewWithOptions(t, testr.Options{Verbosity: 10})
+		ctx := logr.NewContext(context.Background(), log)
+
+		scheme := runtime.NewScheme()
+		require.NoError(t, clusterv1beta1.AddToScheme(scheme))
+		require.NoError(t, batchv1.AddToScheme(scheme))
+		require.NoError(t, corev1.AddToScheme(scheme))
+
+		// Create a minimal installation CR without RuntimeConfig.HostCABundlePath
+		installation := &clusterv1beta1.Installation{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "test-installation",
+			},
+			Spec: clusterv1beta1.InstallationSpec{
+				AirGap: true,
+				Artifacts: &clusterv1beta1.ArtifactsLocation{
+					Images:                  "images",
+					HelmCharts:              "helm-charts",
+					EmbeddedClusterBinary:   "embedded-cluster-binary",
+					EmbeddedClusterMetadata: "embedded-cluster-metadata",
+				},
+				// No RuntimeConfig or empty RuntimeConfig
+			},
+		}
+
+		// Create a fake client
+		cli := fake.NewClientBuilder().
+			WithScheme(scheme).
+			WithObjects(installation).
+			Build()
+
+		// Create a test node
+		node := corev1.Node{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "test-node",
+			},
+		}
+
+		// Call the function under test
+		job, err := getArtifactJobForNode(
+			ctx, cli, installation, node,
+			"local-artifact-mirror:latest",
+			"app-slug",
+			"channel-id",
+			"1.0.0",
+		)
+		require.NoError(t, err)
+
+		// Verify that the host CA bundle volume does NOT exist
+		var hostCABundleVolumeFound bool
+		for _, volume := range job.Spec.Template.Spec.Volumes {
+			if volume.Name == "host-ca-bundle" {
+				hostCABundleVolumeFound = true
+				break
+			}
+		}
+		assert.False(t, hostCABundleVolumeFound, "Host CA bundle volume should not exist when HostCABundlePath is not set")
+
+		// Verify that the volume mount does NOT exist
+		var hostCABundleMountFound bool
+		for _, mount := range job.Spec.Template.Spec.Containers[0].VolumeMounts {
+			if mount.Name == "host-ca-bundle" {
+				hostCABundleMountFound = true
+				break
+			}
+		}
+		assert.False(t, hostCABundleMountFound, "Host CA bundle mount should not exist when HostCABundlePath is not set")
+
+		// Verify that the SSL_CERT_DIR environment variable does NOT exist
+		var sslCertDirEnvFound bool
+		for _, env := range job.Spec.Template.Spec.Containers[0].Env {
+			if env.Name == "SSL_CERT_DIR" {
+				sslCertDirEnvFound = true
+				break
+			}
+		}
+		assert.False(t, sslCertDirEnvFound, "SSL_CERT_DIR environment variable should not exist when HostCABundlePath is not set")
+	})
+}