rename AddToRootCAs to CombineCaBundle + add the const InjectedBundleCertCAFile which is /etc/ocp-injected-ca-bundle/ca-bundle.crt +

shirady · shirady · commit c67182744785 · 2025-04-03T11:30:00.000+03:00
assign r.ApplyCAsToPods to be the new constant (will be NODE_EXTRA_CA_CERTS eventually)

Signed-off-by: shirady &lt;57721533+shirady@users.noreply.github.com&gt;
(cherry picked from commit 41215ae64ada1a5c7cd5a85322201e64a2945fda)
diff --git a/pkg/options/options.go b/pkg/options/options.go
@@ -49,8 +49,11 @@ const (
 	// SystemName is a constant as we want just a single system per namespace
 	SystemName = "noobaa"
 
-	// ServiceServingCertCAFile points to OCP root CA to be added to the default root CA list
+	// ServiceServingCertCAFile points to OCP default root CA list
 	ServiceServingCertCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
+
+	// InjectedBundleCertCAFile points to OCP root CA to be added to the default root CA list
+	InjectedBundleCertCAFile = "/etc/ocp-injected-ca-bundle/ca-bundle.crt"
 )
 
 // Namespace is the target namespace for locating the noobaa system
diff --git a/pkg/system/reconciler.go b/pkg/system/reconciler.go
@@ -404,9 +404,9 @@ func (r *Reconciler) Reconcile() (reconcile.Result, error) {
 		}
 	}
 
-	err = util.AddToRootCAs(options.ServiceServingCertCAFile)
+	err = util.CombineCaBundle(options.ServiceServingCertCAFile)
 	if err == nil {
-		r.ApplyCAsToPods = options.ServiceServingCertCAFile
+		r.ApplyCAsToPods = options.InjectedBundleCertCAFile
 	} else if !os.IsNotExist(err) {
 		log.Errorf("❌ NooBaa %q failed to add root CAs to system default", r.NooBaa.Name)
 		res.RequeueAfter = 3 * time.Second
diff --git a/pkg/util/util.go b/pkg/util/util.go
@@ -142,8 +142,8 @@ var (
 	}
 )
 
-// AddToRootCAs adds a local cert file to Our GlobalCARefreshingTransport
-func AddToRootCAs(localCertFile string) error {
+// CombineCaBundle combines a local cert file to Our GlobalCARefreshingTransport
+func CombineCaBundle(localCertFile string) error {
 	rootCAs, _ := x509.SystemCertPool()
 	if rootCAs == nil {
 		rootCAs = x509.NewCertPool()
@@ -168,7 +168,7 @@ func AddToRootCAs(localCertFile string) error {
 		}
 
 		// Trust the augmented cert pool in our client
-		log.Infof("Successfuly appended %q to RootCAs", certFile)
+		log.Infof("Successfully appended %q to RootCAs", certFile)
 	}
 	GlobalCARefreshingTransport.TLSClientConfig.RootCAs = rootCAs
 	return nil

Original file line number	Diff line number	Diff line change
`@@ -404,9 +404,9 @@ func (r *Reconciler) Reconcile() (reconcile.Result, error) {`
`404`	`404`	`}`
`405`	`405`	`}`
`406`	`406`
`407`		`- err = util.AddToRootCAs(options.ServiceServingCertCAFile)`
	`407`	`+ err = util.CombineCaBundle(options.ServiceServingCertCAFile)`
`408`	`408`	`if err == nil {`
`409`		`- r.ApplyCAsToPods = options.ServiceServingCertCAFile`
	`409`	`+ r.ApplyCAsToPods = options.InjectedBundleCertCAFile`
`410`	`410`	`} else if !os.IsNotExist(err) {`
`411`	`411`	`log.Errorf("❌ NooBaa %q failed to add root CAs to system default", r.NooBaa.Name)`
`412`	`412`	`res.RequeueAfter = 3 * time.Second`
Original file line number	Diff line number	Diff line change
`@@ -142,8 +142,8 @@ var (`
`142`	`142`	`}`
`143`	`143`	`)`
`144`	`144`
`145`		`-// AddToRootCAs adds a local cert file to Our GlobalCARefreshingTransport`
`146`		`-func AddToRootCAs(localCertFile string) error {`
	`145`	`+// CombineCaBundle combines a local cert file to Our GlobalCARefreshingTransport`
	`146`	`+func CombineCaBundle(localCertFile string) error {`
`147`	`147`	`rootCAs, _ := x509.SystemCertPool()`
`148`	`148`	`if rootCAs == nil {`
`149`	`149`	`rootCAs = x509.NewCertPool()`
`@@ -168,7 +168,7 @@ func AddToRootCAs(localCertFile string) error {`
`168`	`168`	`}`
`169`	`169`
`170`	`170`	`// Trust the augmented cert pool in our client`
`171`		`- log.Infof("Successfuly appended %q to RootCAs", certFile)`
	`171`	`+ log.Infof("Successfully appended %q to RootCAs", certFile)`
`172`	`172`	`}`
`173`	`173`	`GlobalCARefreshingTransport.TLSClientConfig.RootCAs = rootCAs`
`174`	`174`	`return nil`