From 147483032b8eced8c8f8641c5c5019cfb72c9a13 Mon Sep 17 00:00:00 2001
From: Jan Safranek
Date: Wed, 11 Mar 2026 10:49:36 +0100
Subject: [PATCH] Add service to generate a TLS cert for EFS operator

Add service aws-efs-csi-driver-operator-metrics to the EFS CSI driver OLM manifests. OLM will instantiate it together with the operator Deployment. This service causes service-ca-operator to generate a TLS key + certificate for the operator. As result, the operator stops generating a self-signed cert and uses the provided one instead.
---
 config/aws-efs/bundle.Dockerfile | 1 +
 ...s-csi-driver-operator-metrics-service.yaml | 21 +++++++++++++++++++
 ...driver-operator.clusterserviceversion.yaml | 7 +++++++
 3 files changed, 29 insertions(+)
 create mode 100644 config/aws-efs/manifests/stable/aws-efs-csi-driver-operator-metrics-service.yaml

diff --git a/config/aws-efs/bundle.Dockerfile b/config/aws-efs/bundle.Dockerfile
index 867ae0809..a5c5322c4 100644
--- a/config/aws-efs/bundle.Dockerfile
+++ b/config/aws-efs/bundle.Dockerfile
@@ -6,4 +6,5 @@ LABEL operators.operatorframework.io.bundle.package.v1=aws-efs-csi-driver-operat
 LABEL operators.operatorframework.io.bundle.channels.v1=stable
 LABEL operators.operatorframework.io.bundle.channel.default.v1=stable
 COPY manifests/stable/aws-efs-csi-driver-operator.clusterserviceversion.yaml /manifests/aws-efs-csi-driver-operator.clusterserviceversion.yaml
+COPY manifests/stable/aws-efs-csi-driver-operator-metrics-service.yaml /manifests/aws-efs-csi-driver-operator-metrics-service.yaml
 COPY metadata/annotations.yaml /metadata/annotations.yaml
diff --git a/config/aws-efs/manifests/stable/aws-efs-csi-driver-operator-metrics-service.yaml b/config/aws-efs/manifests/stable/aws-efs-csi-driver-operator-metrics-service.yaml
new file mode 100644
index 000000000..d5abe92b6
--- /dev/null
+++ b/config/aws-efs/manifests/stable/aws-efs-csi-driver-operator-metrics-service.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: aws-efs-csi-driver-operator-metrics-serving-cert
+  labels:
+    app: aws-efs-csi-driver-operator-metrics
+  name: aws-efs-csi-driver-operator-metrics
+spec:
+  ports:
+  # This is a fake port, the operator does not expose any ports currently.
+  # The service is used only to generate aws-efs-csi-driver-operator-metrics-serving-cert by service-ca-operator.
+  # TODO: expose the operator metrics port + create a ServiceMonitor for it.
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: 8443
+  selector:
+    app: aws-efs-csi-driver-operator
+  sessionAffinity: None
+  type: ClusterIP
diff --git a/config/aws-efs/manifests/stable/aws-efs-csi-driver-operator.clusterserviceversion.yaml b/config/aws-efs/manifests/stable/aws-efs-csi-driver-operator.clusterserviceversion.yaml
index 726d389aa..2150d0c02 100644
--- a/config/aws-efs/manifests/stable/aws-efs-csi-driver-operator.clusterserviceversion.yaml
+++ b/config/aws-efs/manifests/stable/aws-efs-csi-driver-operator.clusterserviceversion.yaml
@@ -370,6 +370,8 @@ spec:
           args:
           - "start"
           - "-v=2"
+          - --terminate-on-files=/var/run/secrets/serving-cert/tls.crt
+          - --terminate-on-files=/var/run/secrets/serving-cert/tls.key
           env:
           - name: POD_NAME
             valueFrom:
@@ -403,6 +405,8 @@ spec:
           volumeMounts:
           - mountPath: /tmp
             name: tmp
+          - mountPath: /var/run/secrets/serving-cert
+            name: metrics-serving-cert
         priorityClassName: system-cluster-critical
         securityContext:
           runAsNonRoot: true
@@ -412,6 +416,9 @@ spec:
         - name: tmp
           emptyDir:
             medium: Memory
+        - name: metrics-serving-cert
+          secret:
+            secretName: aws-efs-csi-driver-operator-metrics-serving-cert
         # Strongly prefer a master node, but don't require it.
         # We want the same Deployment to work on hypershift,
         # without any master nodes.
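Review bot: The certificate that service-ca-operator writes into `aws-efs-csi-driver-operator-metrics-serving-cert` (requested by the `service.beta.openshift.io/serving-cert-secret-name` annotation) is issued for this Service's in-cluster DNS name, so whichever listener the operator now serves with it — the commit message says it replaces a self-signed cert, but that listener is outside this patch — will only pass hostname verification for clients that connect as `aws-efs-csi-driver-operator-metrics.<namespace>.svc`, not by pod IP or any other name. That constraint is stated nowhere in the manifest; I would add it to the comment block above the port entry: `# The issued cert is valid only for this Service's DNS name; TLS clients must connect through it.`. The same block calls the port fake, so `targetPort: 8443` should also be called out as the port the operator must eventually listen on and declare as a containerPort in the Deployment, otherwise the future ServiceMonitor will select an endpoint that never answers.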
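Review bot: The two new `--terminate-on-files` entries are unquoted while the neighbouring `"start"` and `"-v=2"` entries are double-quoted; a plain scalar beginning with `--` is valid YAML, but keeping the list uniformly quoted reads more consistently and protects a later edit from starting an argument with a character YAML treats specially: `- "--terminate-on-files=/var/run/secrets/serving-cert/tls.crt"` and `- "--terminate-on-files=/var/run/secrets/serving-cert/tls.key"`. The intent of the flag is also not obvious from its name alone, so a one-line comment above the pair would help: `# Exit when service-ca rotates the serving cert so the replacement pod starts with the new key pair.` — this presumes the operator does not reload the cert in place, which the flag name suggests but the patch does not show. Note the paths must stay in sync with the `mountPath` of the `metrics-serving-cert` volume mount, which lives in a different hunk; the `args:` list itself belongs to a container entry that starts outside this hunk.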
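Review bot: The `metrics-serving-cert` volume references a Secret that is not shipped in the bundle; it is created by service-ca-operator only after it observes the annotated Service, so until then the operator pod will sit in ContainerCreating with a MountVolume "secret not found" event. That is the intended ordering, but a reader of the CSV cannot see it, so I would document it on the volume: `# Populated by service-ca-operator from the aws-efs-csi-driver-operator-metrics Service annotation; the pod waits for it.`. Do not be tempted to add `optional: true` to make the pod schedule sooner — the `--terminate-on-files` flags reference files under this mount, and an empty mount would leave those paths absent with behaviour the patch does not show. The `volumes:` list this entry belongs to starts outside the hunk.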