Unable to use a CA (configmap) in a namespace other than group-sync-operator
It is normally possible to reference a configmap that contains the LDAP server CA in another namespace, but the operator indicates that the configmap does not exist.
The operator is deployed via OLM on an OpenShift 4.10 cluster, the operator version is 0.0.20.
Below is the configuration:
---
apiVersion: redhatcop.redhat.io/v1alpha1
kind: GroupSync
metadata:
  name: groups
  namespace: group-sync-operator
spec:
  providers:
  - ldap:
      ca:
        name: trusted-ca
        namespace: openshift-config
        key: ca-bundle.crt
        kind: ConfigMap
      augmentedActiveDirectory:
        groupsQuery:
          baseDN: "<changeme>"
          derefAliases: always
          pageSize: 0
        groupUIDAttribute: dn
        groupNameAttributes: [ cn ]
        usersQuery:
          baseDN: "<changeme>"
          scope: sub
          derefAliases: never
          filter: (objectclass=person)
          pageSize: 0
        userNameAttributes: [ sAMAccountName ]
        groupMembershipAttributes: [ "memberOf:1.2.840.113556.1.4.1941:" ]
      credentialsSecret:
        name: <changeme>
        namespace: group-sync-operator
      insecure: false
      prune: true
      url: "ldaps://<changeme>:636"
      whitelist:
      - "<changeme>"
    name: ldap
  schedule: "*/2 * * * *"
The trusted-ca configmap does exist in the ns openshift-config:
$ kubectl -n openshift-config describe cm trusted-ca
Name:         trusted-ca
Namespace:    openshift-config
Labels:       <none>

Data
====
ca-bundle.crt:
----
-----BEGIN CERTIFICATE-----
<.....>
-----END CERTIFICATE-----
But in the operator logs (formatted for convenience):
2022-07-22T14:15:31.725Z ERROR controller-runtime.manager.controller.groupsync Reconciler error
{
  "reconciler group": "redhatcop.redhat.io",
  "reconciler kind": "GroupSync",
  "name": "groups",
  "namespace": "group-sync-operator",
  "error": "[ConfigMap \"trusted-ca\" not found, Could not find 'ca-bundle.crt' key in ConfigMap 'trusted-ca' in namespace 'openshift-config, caSecret must be specified when insecure=false]",
  "errorCauses": [
    {
      "error": "[ConfigMap \"trusted-ca\" not found, Could not find 'ca-bundle.crt' key in ConfigMap 'trusted-ca' in namespace 'openshift-config, caSecret must be specified when insecure=false]",
      "errorCauses": [
        {
          "error": "ConfigMap \"trusted-ca\" not found"
        },
        {
          "error": "Could not find 'ca-bundle.crt' key in ConfigMap 'trusted-ca' in namespace 'openshift-config"
        },
        {
          "error": "caSecret must be specified when insecure=false"
        }
      ]
    }
  ]
}
I have the same problem if I try to reference the bind account secret in a namespace other than group-sync-operator:
2022-07-22T14:32:50.198Z ERROR controller-runtime.manager.controller.groupsync Reconciler error {
  "reconciler group": "redhatcop.redhat.io",
  "reconciler kind": "GroupSync",
  "name": "groups",
  "namespace": "group-sync-operator",
  "error": "[Secret \"bind-xxx-ldap\" not found, ConfigMap \"trusted-ca\" not found, Could not find 'ca-bundle.crt' key in ConfigMap 'trusted-ca' in namespace 'openshift-config, caSecret must be specified when insecure=false]",
  "errorCauses": [
    {
      "error": "[Secret \"bind-xxx-ldap\" not found, ConfigMap \"trusted-ca\" not found, Could not find 'ca-bundle.crt' key in ConfigMap 'trusted-ca' in namespace 'openshift-config, caSecret must be specified when insecure=false]",
      "errorCauses": [
        {
          "error": "Secret \"bind-xxx-ldap\" not found"
        },
        {
          "error": "ConfigMap \"trusted-ca\" not found"
        },
        {
          "error": "Could not find 'ca-bundle.crt' key in ConfigMap 'trusted-ca' in namespace 'openshift-config"
        },
        {
          "error": "caSecret must be specified when insecure=false"
        }
      ]
    }
  ]
}
I should also add that I don't have any problems if the CA configmap and the secret used for the LDAP connection are in the namespace group-sync-operator.
@PendaGTP Currently, the operator is only able to load secrets/configmaps from the namespace that it is deployed to.
This is due to the presence of the WATCH_NAMESPACE environment variable, which constrains the list of resources that the operator monitors.
If there is enough interest from the community, this restriction could be revisited.
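A pre-flight check for the situation described in this thread, written as an added example (it is not code from the group-sync-operator project). It reads the WATCH_NAMESPACE value from the operator Deployment and then walks the GroupSync's LDAP provider references (the `ca` ConfigMap/Secret and `credentialsSecret`), flagging any that sit outside the watched namespace or lack the named key, which is exactly the "not found" / "Could not find ... key" pair in the logs above. It also flags `insecure: true`, since setting that to silence the error disables TLS verification of the LDAP server. The Deployment, cluster objects and GroupSync dicts are constructed stand-ins for `oc get ... -o json` output; the fallback to the GroupSync's own namespace when a reference omits `namespace` is an assumption of this check.

```python
# Added example, not code from the group-sync-operator project. Models what
# the maintainer describes: with WATCH_NAMESPACE set, the operator resolves
# Secrets/ConfigMaps only in that namespace, so a GroupSync that points its CA
# ConfigMap or bind Secret elsewhere fails with "not found". Inputs are
# constructed stand-ins for `oc get ... -o json` output; no cluster is needed.
import copy

# Constructed operator Deployment; only the container env matters here.
OPERATOR_DEPLOYMENT = {
    "metadata": {"namespace": "group-sync-operator"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "manager",
        "env": [{"name": "WATCH_NAMESPACE", "value": "group-sync-operator"}],
    }]}}},
}

# Constructed cluster objects: (kind, namespace, name) -> data keys.
CLUSTER_OBJECTS = {
    ("ConfigMap", "openshift-config", "trusted-ca"): {
        "ca-bundle.crt": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"},
    ("Secret", "group-sync-operator", "bind-xxx-ldap"): {"username": "u", "password": "p"},
}

# The GroupSync from the thread, reduced to the fields this check inspects.
GROUPSYNC = {
    "metadata": {"name": "groups", "namespace": "group-sync-operator"},
    "spec": {"providers": [{"name": "ldap", "ldap": {
        "insecure": False,
        "ca": {"kind": "ConfigMap", "name": "trusted-ca",
               "namespace": "openshift-config", "key": "ca-bundle.crt"},
        "credentialsSecret": {"name": "bind-xxx-ldap", "namespace": "group-sync-operator"},
    }}]},
}


def watched_namespace(deployment):
    """WATCH_NAMESPACE from the operator container env; None when unset or
    empty (the operator then watches the whole cluster)."""
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        for env in container.get("env", []):
            if env.get("name") == "WATCH_NAMESPACE":
                return env.get("value") or None
    return None


def without_watch_namespace(deployment):
    """Copy of the Deployment with WATCH_NAMESPACE removed (what the thread
    says 0.0.22 does), so the same GroupSync can be re-checked."""
    out = copy.deepcopy(deployment)
    for container in out["spec"]["template"]["spec"]["containers"]:
        container["env"] = [e for e in container.get("env", [])
                            if e.get("name") != "WATCH_NAMESPACE"]
    return out


def check_groupsync(groupsync, deployment, objects):
    """Return a list of problems; empty means every referenced object is
    readable by this operator deployment and carries the expected key."""
    problems = []
    watched = watched_namespace(deployment)
    default_ns = groupsync["metadata"]["namespace"]
    for provider in groupsync["spec"]["providers"]:
        ldap, pname = provider.get("ldap"), provider["name"]
        if not ldap:
            continue
        if ldap.get("insecure"):
            # insecure=true hides the "not found" error by skipping TLS verification.
            problems.append(f"{pname}: insecure=true disables TLS verification; "
                            "fix the CA reference instead")
        refs = []
        creds = ldap.get("credentialsSecret")
        if creds:
            refs.append(("credentialsSecret", "Secret",
                         creds.get("namespace", default_ns), creds["name"], None))
        ca = ldap.get("ca")
        if ca:
            # Defaulting to the GroupSync's namespace is an assumption of this check.
            refs.append(("ca", ca["kind"], ca.get("namespace", default_ns),
                         ca["name"], ca.get("key")))
        elif not ldap.get("insecure"):
            problems.append(f"{pname}: insecure=false but no ca reference given")
        for field, kind, ns, name, key in refs:
            where = f"{pname}.{field}: {kind} {ns}/{name}"
            if watched and ns != watched:
                problems.append(f"{where} is outside WATCH_NAMESPACE={watched}; "
                                "the operator cannot read it")
                continue
            data = objects.get((kind, ns, name))
            if data is None:
                problems.append(f"{where} not found")
            elif key and key not in data:
                problems.append(f"{where} has no key {key!r}")
    return problems
```

Run `check_groupsync(GROUPSYNC, OPERATOR_DEPLOYMENT, CLUSTER_OBJECTS)` to reproduce the restricted case (one problem on the `openshift-config` ConfigMap), then `check_groupsync(GROUPSYNC, without_watch_namespace(OPERATOR_DEPLOYMENT), CLUSTER_OBJECTS)` to see the same GroupSync pass once the namespace restriction is gone. On a real cluster the two input dicts come from `oc get deployment/<operator> -n group-sync-operator -o json` and `oc get cm/secret ... -o json`.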
@PendaGTP The 0.0.22 version no longer places the restriction of WATCH_NAMESPACE. Would you be able to see if the latest version would work for your use case?
Closing, as the feature has been implemented.