Minor cert handling modifications

Neon-White · Neon-White · commit 24d183c9bc35 · 2025-04-29T12:06:05.000+02:00
Signed-off-by: Ben &lt;belimele@redhat.com&gt;
diff --git a/pkg/system/phase2_creating.go b/pkg/system/phase2_creating.go
@@ -473,7 +473,7 @@ func (r *Reconciler) setDesiredCoreEnv(c *corev1.Container) {
 				c.Env[j].Value = "true"
 			}
 		case "NODE_EXTRA_CA_CERTS":
-			c.Env[j].Value = r.ApplyCAsToPods
+			c.Env[j].Value = util.CombinedCaBundlePath
 		case "GUARANTEED_LOGS_PATH":
 			if r.NooBaa.Spec.BucketLogging.LoggingType == nbv1.BucketLoggingTypeGuaranteed {
 				c.Env[j].Value = r.BucketLoggingVolumeMount
diff --git a/pkg/system/phase4_configuring.go b/pkg/system/phase4_configuring.go
@@ -414,7 +414,7 @@ func (r *Reconciler) SetDesiredDeploymentEndpoint() error {
 						c.Env[j].Value = ""
 					}
 				case "NODE_EXTRA_CA_CERTS":
-					c.Env[j].Value = r.ApplyCAsToPods
+					c.Env[j].Value = util.CombinedCaBundlePath
 				case "GUARANTEED_LOGS_PATH":
 					if r.NooBaa.Spec.BucketLogging.LoggingType == nbv1.BucketLoggingTypeGuaranteed {
 						c.Env[j].Value = r.BucketLoggingVolumeMount
@@ -1371,7 +1371,7 @@ func (r *Reconciler) prepareCephBackingStore() error {
 		Transport: util.InsecureHTTPTransport,
 		Timeout:   10 * time.Second,
 	}
-	if r.ApplyCAsToPods != "" {
+	if r.UseRefreshingTransport {
 		client.Transport = util.GlobalCARefreshingTransport
 	}
 
diff --git a/pkg/system/reconciler.go b/pkg/system/reconciler.go
@@ -68,7 +68,7 @@ type Reconciler struct {
 	OperatorVersion          string
 	OAuthEndpoints           *util.OAuth2Endpoints
 	PostgresConnectionString string
-	ApplyCAsToPods           string // the CA will be applied to the core and endpoint pods
+	UseRefreshingTransport   bool
 
 	NooBaa                    *nbv1.NooBaa
 	ServiceAccount            *corev1.ServiceAccount
@@ -406,8 +406,7 @@ func (r *Reconciler) Reconcile() (reconcile.Result, error) {
 
 	err = util.CombineCaBundle(util.ServiceServingCertCAFile)
 	if err == nil {
-		// r.ApplyCAsToPods = util.InjectedBundleCertCAFile
-		r.ApplyCAsToPods = util.ServiceServingCertCAFile // back as it was
+		r.UseRefreshingTransport = true
 	} else if !os.IsNotExist(err) {
 		log.Errorf("❌ NooBaa %q failed to add root CAs to system default", r.NooBaa.Name)
 		res.RequeueAfter = 3 * time.Second
diff --git a/pkg/util/util.go b/pkg/util/util.go
@@ -90,6 +90,9 @@ const (
 
 	// InjectedBundleCertCAFile points to OCP root CA to be added to the default root CA list
 	InjectedBundleCertCAFile = "/etc/ocp-injected-ca-bundle/ca-bundle.crt"
+
+	// CombinedCaBundlePath points to the combined CA bundle file
+	CombinedCaBundlePath = "/tmp/ca-bundle.crt"
 )
 
 // OAuth2Endpoints holds OAuth2 endpoints information.

Original file line number	Diff line number	Diff line change
`@@ -473,7 +473,7 @@ func (r Reconciler) setDesiredCoreEnv(c corev1.Container) {`
`473`	`473`	`c.Env[j].Value = "true"`
`474`	`474`	`}`
`475`	`475`	`case "NODE_EXTRA_CA_CERTS":`
`476`		`- c.Env[j].Value = r.ApplyCAsToPods`
	`476`	`+ c.Env[j].Value = util.CombinedCaBundlePath`
`477`	`477`	`case "GUARANTEED_LOGS_PATH":`
`478`	`478`	`if r.NooBaa.Spec.BucketLogging.LoggingType == nbv1.BucketLoggingTypeGuaranteed {`
`479`	`479`	`c.Env[j].Value = r.BucketLoggingVolumeMount`
Original file line number	Diff line number	Diff line change
`@@ -414,7 +414,7 @@ func (r *Reconciler) SetDesiredDeploymentEndpoint() error {`
`414`	`414`	`c.Env[j].Value = ""`
`415`	`415`	`}`
`416`	`416`	`case "NODE_EXTRA_CA_CERTS":`
`417`		`- c.Env[j].Value = r.ApplyCAsToPods`
	`417`	`+ c.Env[j].Value = util.CombinedCaBundlePath`
`418`	`418`	`case "GUARANTEED_LOGS_PATH":`
`419`	`419`	`if r.NooBaa.Spec.BucketLogging.LoggingType == nbv1.BucketLoggingTypeGuaranteed {`
`420`	`420`	`c.Env[j].Value = r.BucketLoggingVolumeMount`
`@@ -1371,7 +1371,7 @@ func (r *Reconciler) prepareCephBackingStore() error {`
`1371`	`1371`	`Transport: util.InsecureHTTPTransport,`
`1372`	`1372`	`Timeout: 10 * time.Second,`
`1373`	`1373`	`}`
`1374`		`- if r.ApplyCAsToPods != "" {`
	`1374`	`+ if r.UseRefreshingTransport {`
`1375`	`1375`	`client.Transport = util.GlobalCARefreshingTransport`
`1376`	`1376`	`}`
`1377`	`1377`
Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,9 @@ const (`
`90`	`90`
`91`	`91`	`// InjectedBundleCertCAFile points to OCP root CA to be added to the default root CA list`
`92`	`92`	`InjectedBundleCertCAFile = "/etc/ocp-injected-ca-bundle/ca-bundle.crt"`
	`93`	`+`
	`94`	`+ // CombinedCaBundlePath points to the combined CA bundle file`
	`95`	`+ CombinedCaBundlePath = "/tmp/ca-bundle.crt"`
`93`	`96`	`)`
`94`	`97`
`95`	`98`	`// OAuth2Endpoints holds OAuth2 endpoints information.`