Service CA bundle changes in OpenShift - cniackz/public GitHub Wiki
Objective:
Read the service CA bundle from a ConfigMap instead of the /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt file, since that file is now deprecated.
Steps:
- Get a cluster using crc to reproduce the issue where the operator can't trust the tenant because the /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt file is deprecated.
- Create a ConfigMap and check whether the bundle gets injected; in other words, add the service CA bundle to a ConfigMap:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: game-demo
data:
  # property-like keys; each key maps to a simple value
  player_initial_lives: "3"
```
```sh
$ oc apply -f ~/minio/configmap.yaml -n tenant-lite
configmap/game-demo created
```
```sh
$ oc annotate configmap game-demo service.beta.openshift.io/inject-cabundle=true -n tenant-lite
configmap/game-demo annotated
$ oc get configmap game-demo -n tenant-lite -o yaml > ~/configmap.yaml
Cesars-MacBook-Pro:~ cniackz$ subl ~/configmap.yaml
```
```yaml
apiVersion: v1
data:
  service-ca.crt: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"player_initial_lives":"3"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"game-demo","namespace":"tenant-lite"}}
    service.beta.openshift.io/inject-cabundle: "true"
  creationTimestamp: "2023-01-31T16:57:40Z"
  name: game-demo
  namespace: tenant-lite
  resourceVersion: "37964"
  uid: be146228-4b36-40e8-9d57-ef5da780d390
```
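The operator side of this change, as an added Go example that is not the MinIO operator's own code: build the trust store from the service-ca.crt key injected into the ConfigMap above and verify a tenant serving certificate against it. The service signer and tenant certificate are constructed fixtures so the check runs offline, and the tenant service name minio.tenant-lite.svc.cluster.local is taken from this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// VerifyServingCert checks that a tenant serving certificate chains to the PEM bundle the
// service-ca operator injects into the annotated ConfigMap and is valid for the service DNS name.
func VerifyServingCert(bundlePEM, certPEM []byte, dnsName string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundlePEM) {
		return errors.New("service-ca.crt contains no certificates")
	}
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return errors.New("serving certificate is not PEM encoded")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}

func mustDER(der []byte, err error) []byte { if err != nil { panic(err) }; return der } // fixtures only
// MakeTestCAAndLeaf is a constructed stand-in for the cluster's service signer and one tenant
// serving cert, so the check above can run offline; real bundles come from the ConfigMap.
func MakeTestCAAndLeaf(dnsName string) (caPEM, leafPEM []byte) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-service-signer"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER := mustDER(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caPriv))
	caCert, _ := x509.ParseCertificate(caDER) // parsed CA so the leaf carries the real issuer fields
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER := mustDER(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, leafPub, caPriv))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
}
```

In the operator pod, mount the annotated ConfigMap as a volume (the mount path is an assumption; the page does not show it) and pass the contents of its service-ca.crt file as bundlePEM.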
# Operator as root
# run pod as root
```sh
Cesars-MacBook-Pro:~ cniackz$ oc get deployment minio-operator -n minio-operator -o yaml | yq '.spec.template.spec.containers[0].securityContext'
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
```
```sh
curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt https://minio.tenant-lite.svc.cluster.local
```