Add the ability to configure exporters system ca bundle #1141

Open
beelzetron wants to merge 8 commits into dora-metrics:master from beelzetron:master

Conversation

@beelzetron

Linked Issues

N/A

Description

Some people need to trust internal CAs emitting TLS certificates for internal-only services.

Adding the internal CAs to the container system CA bundle avoids certificate validation errors in the exporters.

This PR adds the ability to override the exporters system CA bundle with a ConfigMap.
The ConfigMap must contain the ca-bundle.crt key populated with PEM-formatted certificates to be trusted.

The ConfigMap will be mounted into the exporter pods updating the system CA bundle located in /etc/pki/tls/certs/ca-bundle.crt.

Testing Instructions

  1. Create the ConfigMap with the CA bundle:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      labels:
        config.openshift.io/inject-trusted-cabundle: "true"
      name: cluster-ca-bundle
  2. Create a values file with the custom_ca_configmap configuration:

    instances:
      - app_name: deploytime-exporter
        exporter_type: deploytime
        custom_ca_configmap: cluster-ca-bundle
      - app_name: committime-exporter
        exporter_type: committime
        custom_ca_configmap: cluster-ca-bundle
        extraEnv:
        - name: PROVIDER
          value: containerimage
  3. Deploy the exporters helm chart using the values file just created.
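
A pre-deployment check for the ConfigMap described in the testing instructions, as an added example that is not part of this PR or of the Pelorus code base. It takes the ConfigMap as parsed JSON and reports a missing `ca-bundle.crt` key, non-certificate PEM blocks such as private keys, and damaged PEM armor. The function and sample names are hypothetical, the sample blocks are constructed placeholder bytes rather than real certificates, and the check is structural only (no signature or expiry validation).

```python
import base64
import re

BUNDLE_KEY = "ca-bundle.crt"  # key the PR description requires in the ConfigMap
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

def check_ca_configmap(cm):
    """Return problems found in a ConfigMap dict (e.g. parsed `-o json` output)."""
    bundle = (cm.get("data") or {}).get(BUNDLE_KEY)
    if bundle is None:
        return [f"missing key {BUNDLE_KEY}"]
    blocks = PEM_BLOCK.findall(bundle)
    if not blocks:
        return [f"{BUNDLE_KEY} holds no PEM blocks"]
    problems = []
    for index, (label, body) in enumerate(blocks, start=1):
        if "PRIVATE KEY" in label:
            # ConfigMaps are meant for non-confidential data; keys never belong here.
            problems.append(f"block {index}: private key material")
        elif label != "CERTIFICATE":
            problems.append(f"block {index}: unexpected type {label}")
        else:
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:  # binascii.Error subclasses ValueError
                problems.append(f"block {index}: invalid base64")
                continue
            if not der.startswith(b"\x30"):  # X.509 DER starts with a SEQUENCE tag
                problems.append(f"block {index}: not DER")
    # Comment lines between blocks are normal; stray armor lines are not.
    if re.search(r"-----(BEGIN|END) ", PEM_BLOCK.sub("", bundle)):
        problems.append("unterminated or mismatched PEM armor")
    return problems

def pem(label, der):
    """Wrap bytes in PEM armor (used only to build the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed samples: placeholder DER bytes, not real certificates or keys.
FAKE_DER = b"\x30\x03\x02\x01\x01"
GOOD = {"data": {BUNDLE_KEY: pem("CERTIFICATE", FAKE_DER) * 2}}
EMPTY = {"metadata": {"name": "cluster-ca-bundle"}}  # manifest with no data yet
LEAKY = {"data": {BUNDLE_KEY: pem("CERTIFICATE", FAKE_DER) + pem("PRIVATE KEY", FAKE_DER)}}
TRUNCATED = {"data": {BUNDLE_KEY: pem("CERTIFICATE", FAKE_DER) + "-----BEGIN CERTIFICATE-----\nMAMC\n"}}

if __name__ == "__main__":
    for name, cm in [("good", GOOD), ("empty", EMPTY), ("leaky", LEAKY), ("truncated", TRUNCATED)]:
        print(name, check_ca_configmap(cm))
```
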

@openshift-ci

openshift-ci Bot commented Jul 9, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign weshayutin for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jul 9, 2024

Hi @beelzetron. Thanks for your PR.

I'm waiting for a dora-metrics member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 9, 2024
Comment thread charts/pelorus/charts/exporters/templates/_deploymentconfig.yaml
Comment thread charts/pelorus/charts/exporters/templates/_deploymentconfig.yaml Outdated
@beelzetron beelzetron force-pushed the master branch 2 times, most recently from d65bb7f to e97fd8f Compare July 9, 2024 11:56
@beelzetron beelzetron requested a review from mpryc July 9, 2024 13:06
@github-actions

Test images available! 🧪🚀 To test operator with them, run

operator-sdk run bundle \
quay.io/pelorus/rc-pelorus-operator-bundle:vpr1141-23e90f7 \
--namespace test-pelorus-operator

To clean up environment afterwards, run

operator-sdk cleanup pelorus-operator --namespace test-pelorus-operator

@beelzetron

beelzetron commented Jul 13, 2024

Author

Test images available! 🧪🚀 To test operator with them, run

operator-sdk run bundle \
quay.io/pelorus/rc-pelorus-operator-bundle:vpr1141-23e90f7 \
--namespace test-pelorus-operator

To clean up environment afterwards, run

operator-sdk cleanup pelorus-operator --namespace test-pelorus-operator

Test OK on my side.

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 26, 2024
Lorenzo Dalrio and others added 8 commits July 27, 2024 10:48
Introduce the ability to override the exporters system ca bundle by passing a ConfigMap with the `ca-bundle.crt` key. The key must contain PEM formatted certificates.

Signed-off-by: Lorenzo Dalrio <ldalrio@redhat.com>
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 27, 2024
@github-actions

Test images available! 🧪🚀 To test operator with them, run

operator-sdk run bundle \
quay.io/pelorus/rc-pelorus-operator-bundle:vpr1141-c77cb69 \
--namespace test-pelorus-operator

To clean up environment afterwards, run

operator-sdk cleanup pelorus-operator --namespace test-pelorus-operator

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 18, 2026
@openshift-ci

openshift-ci Bot commented Mar 18, 2026

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
