OSASINFRA-3732: openstack: Sync CA cert to new key

control-plane-operator/controllers/hostedcontrolplane/cloud/openstack/providerconfig.go

@@ -28,8 +28,17 @@ func ReconcileCloudConfigSecret(platformSpec *hyperv1.OpenStackPlatformSpec, sec
 	}
 	config := getCloudConfig(platformSpec, credentialsSecret, caCertData, machineNetwork)
 	if caCertData != nil {
+		secret.Data[CASecretKey] = caCertData
+		// TODO(stephenfin): Both csi-operator (for Manila and Cinder CSI) and
+		// cluster-storage-operator now uses the certs from 'cacert', meaning
+		// this is no longer necessary. It is only kept here temporarily to
+		// ease upgrades. Remove in 4.20+
 		secret.Data[CABundleKey] = caCertData
 	}
+	// TODO(stephenfin): Neither cinder nor manila CSI drivers (as deployed by
+	// csi-operator) consume configuration from this secret: cinder sources it
+	// from the config map, and manila does its own special thing. Remove in
+	// 4.20+
 	secret.Data[CloudConfigKey] = []byte(config)
 
 	return nil

control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/openstack/config.go

@@ -45,6 +45,13 @@ func adaptConfig(cpContext component.WorkloadContext, cm *corev1.ConfigMap) erro
 
 	caCertData := GetCACertFromCredentialsSecret(credentialsSecret)
 	if caCertData != nil {
+		// NOTE(stephenfin): While we (OpenStack) would prefer that this used
+		// 'cacert' like everything else, CCCMO expects the CA cert to be found
+		// at 'ca-bundle.pem' since it will combine this cert with an optional
+		// cert bundle. This is done for more platforms that OpenStack so we
+		// don't want to change that. See the below for more information.
+		//
+		// https://github.com/openshift/cluster-cloud-controller-manager-operator/blob/master/docs/dev/trusted_ca_bundle_sync.md
 		cm.Data[CABundleKey] = string(caCertData)
 	}
 

control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go

@@ -1569,9 +1569,9 @@ func (r *reconciler) reconcileCloudCredentialSecrets(ctx context.Context, hcp *h
 		caCertData := openstack.GetCACertFromCredentialsSecret(credentialsSecret)
 		errs = append(errs,
 			r.reconcileOpenStackCredentialsSecret(ctx, hcp.Spec.Platform.OpenStack, "openshift-cluster-csi-drivers", "openstack-cloud-credentials", credentialsSecret, caCertData, hcp.Spec.Networking.MachineNetwork),
+			r.reconcileOpenStackCredentialsSecret(ctx, hcp.Spec.Platform.OpenStack, "openshift-cluster-csi-drivers", "manila-cloud-credentials", credentialsSecret, caCertData, hcp.Spec.Networking.MachineNetwork),
 			r.reconcileOpenStackCredentialsSecret(ctx, hcp.Spec.Platform.OpenStack, "openshift-image-registry", "installer-cloud-credentials", credentialsSecret, caCertData, hcp.Spec.Networking.MachineNetwork),
 			r.reconcileOpenStackCredentialsSecret(ctx, hcp.Spec.Platform.OpenStack, "openshift-cloud-network-config-controller", "cloud-credentials", credentialsSecret, caCertData, hcp.Spec.Networking.MachineNetwork),
-			r.reconcileOpenStackCredentialsSecret(ctx, hcp.Spec.Platform.OpenStack, "openshift-cluster-csi-drivers", "manila-cloud-credentials", credentialsSecret, caCertData, hcp.Spec.Networking.MachineNetwork),
 		)
 	case hyperv1.PowerVSPlatform:
 		createPowerVSSecret := func(srcSecret, destSecret *corev1.Secret) error {
@@ -1649,7 +1649,7 @@ func (r *reconciler) reconcileCloudCredentialSecrets(ctx context.Context, hcp *h
 	return errs
 }
 
-// reconcileOpenStackCredentialsSecret is a wrapper used to reconcile the OpenStack cloud config secrets.
+// reconcileOpenStackCredentialsSecret is a wrapper used to reconcile the OpenStack credentials secrets.
 func (r *reconciler) reconcileOpenStackCredentialsSecret(ctx context.Context, platformSpec *hyperv1.OpenStackPlatformSpec, namespace, name string, credentialsSecret *corev1.Secret, caCertData []byte, machineNetwork []hyperv1.MachineNetworkEntry) error {
 	secret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{