Skip to content

Cert-manager create ca-bundle configmap for trust-manager #6605

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
eslutsky wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Cert-manager create ca-bundle configmap for trust-manager #6605

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions assets/optional/cert-manager/manager/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,3 +65,9 @@ replacements:
name: controller-manager
fieldPaths:
- spec.template.spec.containers.[name=cert-manager-operator].image
configMapGenerator:
- name: trusted-ca-bundle
files:
- ca-bundle.crt=tls-ca-bundle.pem
generatorOptions:
disableNameSuffixHash: true
8 changes: 8 additions & 0 deletions packaging/rpm/microshift.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -587,6 +587,11 @@ install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshi
install -p -m644 assets/optional/cert-manager/manager/manager.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/manager
install -p -m644 assets/optional/cert-manager/manager/kustomization.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/manager

# cert-manager CA bundle update script and systemd drop-in
install -p -m755 packaging/systemd/microshift-cert-manager-update-ca-bundle.sh %{buildroot}%{_bindir}/microshift-cert-manager-update-ca-bundle
mkdir -p -m755 %{buildroot}%{_sysconfdir}/systemd/system/microshift.service.d
install -p -m644 packaging/systemd/microshift-cert-manager-ca-bundle.conf %{buildroot}%{_sysconfdir}/systemd/system/microshift.service.d/microshift-cert-manager-ca-bundle.conf

Comment on lines +590 to +594
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Apr 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify drop-in install exists and check for a cert-manager-scoped post scriptlet.
rg -n 'microshift-cert-manager-ca-bundle\.conf|%post cert-manager|%systemd_post microshift\.service' packaging/rpm/microshift.spec

Repository: openshift/microshift

Length of output: 375

🏁 Script executed:

# Get context around the lines mentioned in the review
sed -n '570,630p' packaging/rpm/microshift.spec | cat -n

Repository: openshift/microshift

Length of output: 4016

🏁 Script executed:

# Get context around the "Also applies to" lines
sed -n '785,795p' packaging/rpm/microshift.spec | cat -n

Repository: openshift/microshift

Length of output: 608

Add a cert-manager post scriptlet to reload systemd drop-ins.

The cert-manager subpackage installs /etc/systemd/system/microshift.service.d/microshift-cert-manager-ca-bundle.conf but lacks a cert-manager-scoped %post hook to run daemon reload. The existing %systemd_post microshift.service is part of the main package post hook and won't execute when cert-manager is installed independently, leaving the drop-in unconfigured until manual reload/reboot.

Add:

+%post cert-manager
+%systemd_post microshift.service
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@packaging/rpm/microshift.spec` around lines 576 - 580, Add a
cert-manager-scoped RPM post scriptlet that reloads systemd so the installed
drop-in becomes active: add a %post section for the cert-manager subpackage
which runs a systemctl daemon-reload (or calls the rpm macro that performs that,
e.g. invoke %systemd_post for microshift.service from the cert-manager
subpackage) so the installed drop-in at
/etc/systemd/system/microshift.service.d/microshift-cert-manager-ca-bundle.conf
is picked up when cert-manager is installed without the main package.

%ifarch %{arm} aarch64
cat assets/optional/cert-manager/manager/images-aarch64.yaml >> %{buildroot}/%{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/manager/images.yaml
%endif
Expand Down Expand Up @@ -798,6 +803,9 @@ fi
%files cert-manager
%dir %{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager
%{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager/*
%{_bindir}/microshift-cert-manager-update-ca-bundle
%dir %{_sysconfdir}/systemd/system/microshift.service.d
%{_sysconfdir}/systemd/system/microshift.service.d/microshift-cert-manager-ca-bundle.conf

%files cert-manager-release-info
%{_datadir}/microshift/release/release-cert-manager-{x86_64,aarch64}.json
Expand Down
2 changes: 2 additions & 0 deletions packaging/systemd/microshift-cert-manager-ca-bundle.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
[Service]
ExecStartPre=/usr/bin/microshift-cert-manager-update-ca-bundle
15 changes: 15 additions & 0 deletions packaging/systemd/microshift-cert-manager-update-ca-bundle.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
#!/bin/bash
# Copy the system CA bundle into the cert-manager manifests directory
# so kustomize can use it to create the trusted-ca-bundle ConfigMap.
#
# This script runs as ExecStartPre before MicroShift starts.

set -euo pipefail

SRC="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
DST="/usr/lib/microshift/manifests.d/060-microshift-cert-manager/manager/tls-ca-bundle.pem"

# Only copy if the cert-manager manifests directory exists (package installed)
if [ -d "$(dirname "${DST}")" ] && [ -f "${SRC}" ]; then
cp -f "${SRC}" "${DST}"
fi
Comment on lines +1 to +15
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Apr 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Fail fast if the CA bundle is missing.

Silently skipping the copy leaves the manifest still pointing at tls-ca-bundle.pem, so startup will fail later during kustomize render. Consider exiting non-zero here or making the ConfigMap conditional.

🔧 Suggested guard 
-if [ -d "$(dirname "${DST}")" ] && [ -f "${SRC}" ]; then
-    cp -f "${SRC}" "${DST}"
+if [ -d "$(dirname "${DST}")" ]; then
+    if [ -f "${SRC}" ]; then
+        cp -f "${SRC}" "${DST}"
+    else
+        echo "Missing CA bundle at ${SRC}" >&2
+        exit 1
+    fi
 fi
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
#!/bin/bash
# Copy the system CA bundle into the cert-manager manifests directory
# so kustomize can use it to create the trusted-ca-bundle ConfigMap.
#
# This script runs as ExecStartPre before MicroShift starts.
set -euo pipefail
SRC="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
DST="/usr/lib/microshift/manifests.d/060-microshift-cert-manager/manager/tls-ca-bundle.pem"
# Only copy if the cert-manager manifests directory exists (package installed)
if [ -d "$(dirname "${DST}")" ] && [ -f "${SRC}" ]; then
cp -f "${SRC}" "${DST}"
fi
#!/bin/bash
# Copy the system CA bundle into the cert-manager manifests directory
# so kustomize can use it to create the trusted-ca-bundle ConfigMap.
#
# This script runs as ExecStartPre before MicroShift starts.
set -euo pipefail
SRC="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
DST="/usr/lib/microshift/manifests.d/060-microshift-cert-manager/manager/tls-ca-bundle.pem"
# Only copy if the cert-manager manifests directory exists (package installed)
if [ -d "$(dirname "${DST}")" ]; then
if [ -f "${SRC}" ]; then
cp -f "${SRC}" "${DST}"
else
echo "Missing CA bundle at ${SRC}" >&2
exit 1
fi
fi
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@packaging/systemd/microshift-cert-manager-update-ca-bundle.sh` around lines 1
- 15, The script (microshift-cert-manager-update-ca-bundle.sh) currently
silently skips when SRC ("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem") or
the target directory for DST
("/usr/lib/microshift/manifests.d/060-microshift-cert-manager/manager/tls-ca-bundle.pem")
is missing; change it to fail fast by checking both the source file and the
destination directory and, if either is absent, print a clear error to stderr
and exit non-zero (e.g., exit 1) so ExecStartPre fails early rather than letting
kustomize fail later — update the existing conditional around SRC/DST to emit
the error and exit when the file or directory is not present.