From 7c30936f7eaaf789739302f27060536e5ac36ea6 Mon Sep 17 00:00:00 2001
From: Evgeny Slutsky
Date: Wed, 20 May 2026 12:06:46 +0200
Subject: [PATCH] create ca bundles configmap each start with cert-manager

Co-Authored-By: Claude Opus 4.6
---
 .../cert-manager/manager/kustomization.yaml | 6 ++++++
 packaging/rpm/microshift.spec | 8 ++++++++
 .../microshift-cert-manager-ca-bundle.conf | 2 ++
 .../microshift-cert-manager-update-ca-bundle.sh | 15 +++++++++++++++
 4 files changed, 31 insertions(+)
 create mode 100644 packaging/systemd/microshift-cert-manager-ca-bundle.conf
 create mode 100644 packaging/systemd/microshift-cert-manager-update-ca-bundle.sh
diff --git a/assets/optional/cert-manager/manager/kustomization.yaml b/assets/optional/cert-manager/manager/kustomization.yaml
index 3689551b81..1739b53de3 100644
--- a/assets/optional/cert-manager/manager/kustomization.yaml
+++ b/assets/optional/cert-manager/manager/kustomization.yaml
@@ -65,3 +65,9 @@ replacements:
 name: controller-manager
 fieldPaths:
 - spec.template.spec.containers.[name=cert-manager-operator].image
+configMapGenerator:
+ - name: trusted-ca-bundle
+ files:
+ - ca-bundle.crt=tls-ca-bundle.pem
+generatorOptions:
+ disableNameSuffixHash: true
diff --git a/packaging/rpm/microshift.spec b/packaging/rpm/microshift.spec
index 6362e4f552..7d82c3f42a 100644
--- a/packaging/rpm/microshift.spec
+++ b/packaging/rpm/microshift.spec
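Review bot: The `files:` entry references `tls-ca-bundle.pem`, which is not a checked-in file, and nothing in this kustomization says where it comes from; when the file is absent kustomize fails the build of the whole cert-manager manifest set, not just this ConfigMap. Add a comment above `configMapGenerator:` such as `# tls-ca-bundle.pem is copied from the host trust store by microshift-cert-manager-update-ca-bundle (ExecStartPre); the build fails if it is missing`. With `disableNameSuffixHash: true` the ConfigMap name is stable, so consumers are presumably expected to pick up a changed bundle through a mounted volume rather than a rollout; confirm that is the intent and document it next to the option. The generated ConfigMap carries no namespace in this hunk, so it presumably relies on a `namespace:` field elsewhere in the file.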
@@ -587,6 +587,11 @@ install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshi
 install -p -m644 assets/optional/cert-manager/manager/manager.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/manager
 install -p -m644 assets/optional/cert-manager/manager/kustomization.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/manager
+# cert-manager CA bundle update script and systemd drop-in
+install -p -m755 packaging/systemd/microshift-cert-manager-update-ca-bundle.sh %{buildroot}%{_bindir}/microshift-cert-manager-update-ca-bundle
+mkdir -p -m755 %{buildroot}%{_sysconfdir}/systemd/system/microshift.service.d
+install -p -m644 packaging/systemd/microshift-cert-manager-ca-bundle.conf %{buildroot}%{_sysconfdir}/systemd/system/microshift.service.d/microshift-cert-manager-ca-bundle.conf
+
 %ifarch %{arm} aarch64
 cat assets/optional/cert-manager/manager/images-aarch64.yaml >> %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/manager/images.yaml
 %endif
@@ -798,6 +803,9 @@ fi
 %files cert-manager
 %dir %{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager
 %{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/*
+%{_bindir}/microshift-cert-manager-update-ca-bundle
+%dir %{_sysconfdir}/systemd/system/microshift.service.d
+%{_sysconfdir}/systemd/system/microshift.service.d/microshift-cert-manager-ca-bundle.conf
 %files cert-manager-release-info
 %{_datadir}/microshift/release/release-cert-manager-{x86_64,aarch64}.json
diff --git a/packaging/systemd/microshift-cert-manager-ca-bundle.conf b/packaging/systemd/microshift-cert-manager-ca-bundle.conf
new file mode 100644
index 0000000000..b54c2428bc
--- /dev/null
+++ b/packaging/systemd/microshift-cert-manager-ca-bundle.conf
@@ -0,0 +1,2 @@
+[Service]
+ExecStartPre=/usr/bin/microshift-cert-manager-update-ca-bundle
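Review bot: The drop-in is installed under `%{_sysconfdir}/systemd/system/microshift.service.d` (the `mkdir` and second `install` line here, and the matching `%files` entries in the second hunk), but `/etc` is the administrator's override layer; a package-shipped drop-in belongs under `%{_unitdir}/microshift.service.d`, where it cannot be confused with or shadowed by local overrides. If it must stay in `/etc`, mark it `%config(noreplace)` so an admin edit is not clobbered on upgrade. A new drop-in also takes effect only after `systemctl daemon-reload`; no `%post`/`%postun` scriptlet for the cert-manager subpackage is visible in this patch, so confirm one exists or add it.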
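Review bot: The `%{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/*` glob is expanded at build time, so the `tls-ca-bundle.pem` that the new ExecStartPre script writes into that directory at runtime is unowned by the package and is left behind on removal. Add `%ghost %{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/manager/tls-ca-bundle.pem` so rpm tracks and removes it. The `%dir %{_sysconfdir}/systemd/system/microshift.service.d` line also claims the directory for this subpackage; if another subpackage (not visible here) ships drop-ins into the same directory, both must own it identically or the `%dir` should move to the base package.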
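Review bot: `ExecStartPre=` without the `-` prefix makes any non-zero exit of the copy script abort the start of microshift.service, so a failed refresh of an optional CA bundle takes the whole node service down with it. If that is not intended, use `ExecStartPre=-/usr/bin/microshift-cert-manager-update-ca-bundle` and have the script report a skipped copy on stderr; if a fail-closed start is intended, say so in a comment inside the drop-in. ExecStartPre also runs under the same sandboxing as the main process, so if microshift.service (not visible here) sets `ProtectSystem=` or the host mounts `/usr` read-only, the write into `/usr/lib/microshift/manifests.d` will be refused and, with the current line, the service will not start.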
diff --git a/packaging/systemd/microshift-cert-manager-update-ca-bundle.sh b/packaging/systemd/microshift-cert-manager-update-ca-bundle.sh
new file mode 100644
index 0000000000..b36ea0408e
--- /dev/null
+++ b/packaging/systemd/microshift-cert-manager-update-ca-bundle.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# Copy the system CA bundle into the cert-manager manifests directory
+# so kustomize can use it to create the trusted-ca-bundle ConfigMap.
+#
+# This script runs as ExecStartPre before MicroShift starts.
+
+set -euo pipefail
+
+SRC="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
+DST="/usr/lib/microshift/manifests.d/060-microshift-cert-manager/manager/tls-ca-bundle.pem"
+
+# Only copy if the cert-manager manifests directory exists (package installed)
+if [ -d "$(dirname "${DST}")" ] && [ -f "${SRC}" ]; then
+ cp -f "${SRC}" "${DST}"
+fi
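Review bot: The script writes into `/usr/lib` on every service start, and the single `if` on line 13 folds two very different conditions into one silent skip: when `${SRC}` is missing it exits 0 and leaves kustomize to fail later with no hint, and when the manifests directory exists but is not writable (a read-only `/usr` on image-based hosts, if that applies here) `cp` fails and `set -e` turns it into a failed ExecStartPre. Separate the cases, report each skipped copy on stderr so the journal explains the later kustomize failure, and use `install -m 0644` so the bundle's mode does not depend on the source file's. Whether a missing source should fail the start is a policy decision that belongs in the header comment; the rewrite below keeps the current fail-open behaviour.
```shell
# … unchanged: header comments, set -euo pipefail, SRC and DST …

manifest_dir="$(dirname "${DST}")"

# Nothing to do when the cert-manager package is not installed.
[ -d "${manifest_dir}" ] || exit 0

if [ ! -f "${SRC}" ]; then
  echo "${SRC} not found; ${DST} not refreshed, kustomize build will fail without it" >&2
  exit 0
fi

if [ ! -w "${manifest_dir}" ]; then
  echo "${manifest_dir} is not writable; ${DST} not refreshed" >&2
  exit 0
fi

# Fixed mode; the copy is rebuilt on every start, so -p is not needed.
install -m 0644 "${SRC}" "${DST}"
```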