Merge pull request #607 from VaniHaripriya/RHOAIENG-3780-New

Parameterize CABundle mountpath in dspa

api/v1alpha1/dspipeline_types.go

@@ -133,6 +133,14 @@ type APIServer struct {
 	// +kubebuilder:default:=true
 	// +kubebuilder:validation:Optional
 	AutoUpdatePipelineDefaultVersion bool `json:"autoUpdatePipelineDefaultVersion"`
+	// This is the path where the ca bundle will be mounted in the
+	// pipeline server and user executor pods
+	// +kubebuilder:validation:Optional
+	CABundleFileMountPath string `json:"caBundleFileMountPath"`
+	// This is the filename of the ca bundle that will be created in the
+	// pipeline server and user executor pods
+	// +kubebuilder:validation:Optional
+	CABundleFileName string `json:"caBundleFileName"`
 }
 
 type CABundle struct {

config/crd/bases/datasciencepipelinesapplications.opendatahub.io_datasciencepipelinesapplications.yaml

@@ -89,6 +89,14 @@ spec:
                     - configMapKey
                     - configMapName
                     type: object
+                  caBundleFileMountPath:
+                    description: This is the path where the ca bundle will be mounted
+                      in the pipeline server and user executor pods
+                    type: string
+                  caBundleFileName:
+                    description: This is the folder where the ca bundle will be created
+                      in the pipeline server and user executor pods
+                    type: string
                   cacheImage:
                     description: 'Deprecated: DSP V1 only, will be removed in the
                       future.'

config/samples/v2/dspa-all-fields/dspa_all_fields.yaml

@@ -22,6 +22,8 @@ spec:
       limits:
         cpu: 500m
         memory: 1Gi
+    CABundleFileMountPath: /your/certbundle/path.crt
+    CABundleFileName: certbundlefilename.crt
     # requires this configmap to be created beforehand,
     cABundle:
       configMapKey: keyname

controllers/dspipeline_params.go

@@ -21,12 +21,13 @@ import (
 	"context"
 	"encoding/base64"
 	"fmt"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/json"
 	"math/rand"
 	"strings"
 	"time"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/json"
+
 	"github.com/go-logr/logr"
 	mf "github.com/manifestival/manifestival"
 	dspa "github.com/opendatahub-io/data-science-pipelines-operator/api/v1alpha1"
@@ -553,6 +554,7 @@ func (p *DSPAParams) ExtractParams(ctx context.Context, dsp *dspa.DataSciencePip
 	p.MLMD = dsp.Spec.MLMD.DeepCopy()
 	p.CustomCABundleRootMountPath = config.CustomCABundleRootMountPath
 	p.PiplinesCABundleMountPath = config.GetCABundleFileMountPath()
+	dspTrustedCAConfigMapKey := config.CustomDSPTrustedCAConfigMapKey
 
 	log := loggr.WithValues("namespace", p.Namespace).WithValues("dspa_name", p.Name)
 
@@ -646,6 +648,14 @@ func (p *DSPAParams) ExtractParams(ctx context.Context, dsp *dspa.DataSciencePip
 			}
 		}
 
+		if p.APIServer.CABundleFileMountPath != "" {
+			p.CustomCABundleRootMountPath = p.APIServer.CABundleFileMountPath
+		}
+		if p.APIServer.CABundleFileName != "" {
+			dspTrustedCAConfigMapKey = p.APIServer.CABundleFileName
+		}
+		p.PiplinesCABundleMountPath = fmt.Sprintf("%s/%s", p.CustomCABundleRootMountPath, dspTrustedCAConfigMapKey)
+
 		// There are situations where global & user provided certs, or a provided ca trust configmap(s) have various trust bundles
 		// (for example in the case of "odh-trusted-ca-bundle") there is "odh-ca-bundle.crt" and "ca-bundle.crt".
 		// We create a separate configmap and concatenate all the certs into a single bundle, because passing a
@@ -673,7 +683,7 @@ func (p *DSPAParams) ExtractParams(ctx context.Context, dsp *dspa.DataSciencePip
 			}
 
 			p.CustomCABundle = &dspa.CABundle{
-				ConfigMapKey:  config.CustomDSPTrustedCAConfigMapKey,
+				ConfigMapKey:  dspTrustedCAConfigMapKey,
 				ConfigMapName: fmt.Sprintf("%s-%s", config.CustomDSPTrustedCAConfigMapNamePrefix, p.Name),
 			}
 
@@ -712,7 +722,7 @@ func (p *DSPAParams) ExtractParams(ctx context.Context, dsp *dspa.DataSciencePip
 			// We need to update the default SSL_CERT_DIR to include
 			// dsp custom cert path, used by DSP Api Server
 			var certDirectories = []string{
-				config.CustomCABundleRootMountPath,
+				p.CustomCABundleRootMountPath,
 				"/etc/ssl/certs",     // SLES10/SLES11, https://golang.org/issue/12139
 				"/etc/pki/tls/certs", // Fedora/RHEL
 			}

controllers/testdata/declarative/case_6/deploy/03_cr.yaml

@@ -3,6 +3,8 @@
 # When a user provides a cABundle in the DSPA, it is also included in the concatenated dsp custom ca cert configmap
 # When external db is used the server config created for api server uses tls=true
 # MLMD grpc server mounts the dspa cert and passes it into grpc server
+# When a user provides a caBundleFileMountPath, it will be used to mount the ca bundle
+# When a user provides ca bundle configmapkey, it will be used instead of default one
 apiVersion: datasciencepipelinesapplications.opendatahub.io/v1alpha1
 kind: DataSciencePipelinesApplication
 metadata:
@@ -12,6 +14,8 @@ spec:
   apiServer:
     deploy: true
     enableSamplePipeline: false
+    caBundleFileMountPath: /dspa/custom-certs
+    caBundleFileName: user-ca-bundle.crt
     cABundle:
       configMapKey: user-ca-bundle.crt
       configMapName: user-ca-bundle

controllers/testdata/declarative/case_6/expected/created/apiserver_deployment.yaml

@@ -40,11 +40,11 @@ spec:
             - name: ARTIFACT_COPY_STEP_CABUNDLE_CONFIGMAP_NAME
               value: dsp-trusted-ca-testdsp6
             - name: ARTIFACT_COPY_STEP_CABUNDLE_CONFIGMAP_KEY
-              value: dsp-ca.crt
+              value: user-ca-bundle.crt
             - name: ARTIFACT_COPY_STEP_CABUNDLE_MOUNTPATH
-              value: /dsp-custom-certs
+              value: /dspa/custom-certs
             - name: SSL_CERT_DIR
-              value: "/dsp-custom-certs:/etc/ssl/certs:/etc/pki/tls/certs"
+              value: "/dspa/custom-certs:/etc/ssl/certs:/etc/pki/tls/certs"
             - name: AUTO_UPDATE_PIPELINE_DEFAULT_VERSION
               value: "true"
             - name: DBCONFIG_CONMAXLIFETIMESEC
@@ -158,7 +158,7 @@ spec:
               mountPath: /config/config.json
               subPath: config.json
             - name: ca-bundle
-              mountPath: /dsp-custom-certs
+              mountPath: /dspa/custom-certs
         - name: oauth-proxy
           args:
             - --https-address=:8443

controllers/testdata/declarative/case_6/expected/created/configmap_artifact_script.yaml

@@ -9,7 +9,7 @@ data:
 
         aws_cp() {
 
-          aws s3 --endpoint http://minio-testdsp6.default.svc.cluster.local:9000 --ca-bundle /dsp-custom-certs/dsp-ca.crt cp $1.tgz s3://mlpipeline/artifacts/$PIPELINERUN/$PIPELINETASK/$1.tgz
+          aws s3 --endpoint http://minio-testdsp6.default.svc.cluster.local:9000 --ca-bundle /dspa/custom-certs/user-ca-bundle.crt cp $1.tgz s3://mlpipeline/artifacts/$PIPELINERUN/$PIPELINETASK/$1.tgz
 
         }
 

controllers/testdata/declarative/case_6/expected/created/configmap_dspa_trusted_ca.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 metadata:
   name: dsp-trusted-ca-testdsp6
 data:
-  dsp-ca.crt: |
+  user-ca-bundle.crt: |
     -----BEGIN CERTIFICATE-----
     MIIFLTCCAxWgAwIBAgIUIvY4jV0212P/ddjuCZhcUyJfoocwDQYJKoZIhvcNAQEL
     BQAwJjELMAkGA1UEBhMCWFgxFzAVBgNVBAMMDnJoLWRzcC1kZXZzLmlvMB4XDTI0

controllers/testdata/declarative/case_6/expected/created/metadata_grpc_deployment.yaml

@@ -30,7 +30,7 @@ spec:
             - --mysql_config_user=$(DBCONFIG_USER)
             - --mysql_config_password=$(DBCONFIG_PASSWORD)
             - --enable_database_upgrade=true
-            - --mysql_config_sslrootcert=/dsp-custom-certs/dsp-ca.crt
+            - --mysql_config_sslrootcert=/dspa/custom-certs/user-ca-bundle.crt
           command:
             - /bin/metadata_store_server
           env:
@@ -73,7 +73,7 @@ spec:
               cpu: 100m
               memory: 256Mi
           volumeMounts:
-            - mountPath: /dsp-custom-certs
+            - mountPath: /dspa/custom-certs
               name: ca-bundle
       serviceAccountName: ds-pipeline-metadata-grpc-testdsp6
       volumes:

controllers/testdata/declarative/case_8/deploy/02_cr.yaml

@@ -15,6 +15,7 @@ spec:
   apiServer:
     deploy: true
     enableSamplePipeline: false
+    caBundleFileName: testcabundleconfigmapkey8.crt
     cABundle:
       configMapName: testcabundleconfigmap8
       configMapKey: testcabundleconfigmapkey8.crt

controllers/testdata/declarative/case_8/expected/created/apiserver_deployment.yaml

@@ -40,7 +40,7 @@ spec:
             - name: ARTIFACT_COPY_STEP_CABUNDLE_CONFIGMAP_NAME
               value: dsp-trusted-ca-testdsp8
             - name: ARTIFACT_COPY_STEP_CABUNDLE_CONFIGMAP_KEY
-              value: dsp-ca.crt
+              value: testcabundleconfigmapkey8.crt
             - name: ARTIFACT_COPY_STEP_CABUNDLE_MOUNTPATH
               value: /dsp-custom-certs
             - name: SSL_CERT_DIR

controllers/testdata/declarative/case_8/expected/created/configmap_artifact_script.yaml

@@ -9,7 +9,7 @@ data:
 
         aws_cp() {
 
-          aws s3 --endpoint http://minio-testdsp8.default.svc.cluster.local:9000 --ca-bundle /dsp-custom-certs/dsp-ca.crt cp $1.tgz s3://mlpipeline/artifacts/$PIPELINERUN/$PIPELINETASK/$1.tgz
+          aws s3 --endpoint http://minio-testdsp8.default.svc.cluster.local:9000 --ca-bundle /dsp-custom-certs/testcabundleconfigmapkey8.crt cp $1.tgz s3://mlpipeline/artifacts/$PIPELINERUN/$PIPELINETASK/$1.tgz
 
         }
 

controllers/testdata/declarative/case_8/expected/created/configmap_dspa_trusted_ca.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 metadata:
   name: dsp-trusted-ca-testdsp8
 data:
-  dsp-ca.crt: |-
+  testcabundleconfigmapkey8.crt: |-
     -----BEGIN CERTIFICATE-----
     MIIFLTCCAxWgAwIBAgIUIvY4jV0212P/ddjuCZhcUyJfoocwDQYJKoZIhvcNAQEL
     BQAwJjELMAkGA1UEBhMCWFgxFzAVBgNVBAMMDnJoLWRzcC1kZXZzLmlvMB4XDTI0