Custom CA support #461
mbaldessari commented Apr 11, 2024
- Add support for custom CAs
- Update tests
This feature relies on the VP operator version >= 0.0.44 in order to work. The way to enable this is to add a feature flag called 'initcontainers' in the VP operator. Once this is enabled, we will detect this and take over all the ArgoCD instances' definitions and add initContainers which will inject the CAs contained in the trusted-bundle-ca configmap and also the OpenShift internal CA.

Testing protocol:
1. (Operator 0.0.44) MCG deployment with experimentalCapabilities set to '' and using a github main upstream (i.e. without this PR)
2. (Operator 0.0.44) MCG deployment with experimentalCapabilities set to 'initcontainers' and using a github disconnected common upstream (requiring a custom CA) (i.e. with this PR)
3. (Operator 0.0.44) MCG deployment with experimentalCapabilities set to '' and using a github disconnected common upstream (same as 1.2) and then set the initcontainer capability on the hub. Checked that the .global.experimentalCapabilities property replicated from hub to spoke and the initcontainers have been generated correctly
3.1 (Operator 0.0.44) Change the repo from github to an internal one that does need the custom ca to work
4. (Operator 0.0.43) Test an old operator with a newer common that contains this very branch

Note: Once we make initcontainers a default feature of the operator we will remove the ifs added in this PR and just make it the default behaviour.
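As an added illustration of the mechanism the PR describes (this is hand-written example YAML, not the PR's helm template and not the project's own code), here is what one ArgoCD instance looks like once an initContainer that builds a merged trust bundle has been injected into its repo-server. The ArgoCD CR fields `spec.repo.initContainers`, `spec.repo.volumeMounts`, `spec.repo.volumes` and `spec.repo.env` are real fields of the ArgoCD operator CRD; everything else is an assumption: the instance and namespace names, the init image, the configmap keys (`ca-bundle.crt` in the `trusted-bundle-ca` configmap named in the PR, `service-ca.crt` in an `openshift-service-ca.crt` configmap standing in for the OpenShift internal CA), and all mount paths.

```yaml
# Added illustration, not the PR's own template: an ArgoCD CR whose repo-server
# gets an initContainer that builds a merged CA bundle in a shared emptyDir.
# Assumed: instance/namespace names, init image, configmap keys, mount paths.
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: example-gitops          # assumed instance name
  namespace: example-namespace  # assumed namespace
spec:
  repo:
    initContainers:
      - name: build-ca-bundle
        image: registry.access.redhat.com/ubi9/ubi-minimal:latest  # assumed init image
        command: ["/bin/sh", "-c"]
        args:
          - |
            set -eu
            dst=/ca-bundle/ca-bundle.crt
            : > "$dst"
            # Order: system roots shipped in the init image, then the cluster's
            # internal service CA, then the custom bundle. Missing inputs are
            # skipped, so a cluster without a custom CA still gets a valid bundle.
            for f in /etc/pki/tls/certs/ca-bundle.crt \
                     /service-ca/service-ca.crt \
                     /trusted-ca/ca-bundle.crt; do
              if [ -s "$f" ]; then
                cat "$f" >> "$dst"
                echo >> "$dst"
              fi
            done
            # Fail the pod early if the merged bundle contains no certificate at all.
            grep -q 'BEGIN CERTIFICATE' "$dst"
            echo "bundle built with $(grep -c 'BEGIN CERTIFICATE' "$dst") certificates"
        volumeMounts:
          - name: trusted-ca
            mountPath: /trusted-ca
            readOnly: true
          - name: service-ca
            mountPath: /service-ca
            readOnly: true
          - name: ca-bundle
            mountPath: /ca-bundle
    # Point git, curl and Go's TLS stack inside the repo-server at the merged bundle.
    env:
      - name: SSL_CERT_FILE
        value: /ca-bundle/ca-bundle.crt
      - name: GIT_SSL_CAINFO
        value: /ca-bundle/ca-bundle.crt
    volumeMounts:
      - name: ca-bundle
        mountPath: /ca-bundle
        readOnly: true
    volumes:
      - name: trusted-ca
        configMap:
          name: trusted-bundle-ca        # configmap named in the PR; key is assumed
          optional: true
      - name: service-ca
        configMap:
          name: openshift-service-ca.crt # assumed source of the OpenShift internal CA
          optional: true
      - name: ca-bundle
        emptyDir: {}
```

In the PR's design this block is only rendered when the 'initcontainers' capability is present in .global.experimentalCapabilities, and it is applied to every ArgoCD instance the chart manages. A quick check after the pods roll is to count the certificates the repo-server actually sees, e.g. `oc -n example-namespace exec deploy/example-gitops-repo-server -- grep -c 'BEGIN CERTIFICATE' /ca-bundle/ca-bundle.crt` (deployment name assumed), and then confirm a `git ls-remote` against the internal repository succeeds from inside that pod.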
This is clearly an important capability and the changes here make sense. What I'd like to see is a test for specifying both this feature and a custom repo plugin at the same time to see what happens. If it works, great - if not, we should note that it doesn't. I suspect the usage of the features will intersect, since the main use of the plugins is to add support for PolicyGen and the things that want PolicyGen seem to be predominantly internal.
Overall these changes are needed for customers that require their own CA applied to their OpenShift clusters. As it's marked "experimental" we can ask one of our customers, or partners, to test in their environment and iterate through the issues encountered if any.