Merge pull request #4122 from riendeau/add-root-ca-rbac

OCPBUGS-34699: Allow access to root-ca configmap in cluster-network-operator role
openshift · Jun 4, 2024 · be9e3f8 · be9e3f8
2 parents e66add8 + b26b1c6
commit be9e3f8
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator.go b/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator.go
@@ -33,6 +33,8 @@ import (
 const (
 	operatorName          = "cluster-network-operator"
 	konnectivityProxyName = "konnectivity-proxy"
+	caConfigMap           = "root-ca"
+	caConfigMapKey        = "ca.crt"
 )
 
 type Images struct {
@@ -115,8 +117,8 @@ func NewParams(hcp *hyperv1.HostedControlPlane, version string, releaseImageProv
 		TokenAudience:           hcp.Spec.IssuerURL,
 		SbDbPubStrategy:         util.ServicePublishingStrategyByTypeForHCP(hcp, hyperv1.OVNSbDb),
 		DefaultIngressDomain:    defaultIngressDomain,
-		CAConfigMap:             "root-ca",
-		CAConfigMapKey:          "ca.crt",
+		CAConfigMap:             caConfigMap,
+		CAConfigMapKey:          caConfigMapKey,
 	}
 
 	p.DeploymentConfig.AdditionalLabels = map[string]string{
@@ -153,6 +155,7 @@ func ReconcileRole(role *rbacv1.Role, ownerRef config.OwnerRef, networkType hype
 				},
 				ResourceNames: []string{
 					"openshift-service-ca.crt",
+					caConfigMap,
 				},
 				Verbs: []string{
 					"get",

diff --git a/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator_test.go b/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator_test.go
@@ -212,6 +212,7 @@ func expectedRules(networkType hyperv1.NetworkType) []rbacv1.PolicyRule {
 			},
 			ResourceNames: []string{
 				"openshift-service-ca.crt",
+				caConfigMap,
 			},
 			Verbs: []string{
 				"get",