Revert "Add OpenShift service-ca support for authenticated metrics endpoints (#3677)"

camilamacedo86 · camilamacedo86 · commit 39145b84b1cb · 2025-10-23T12:20:43.000+01:00
This reverts commit 971d680.
diff --git a/deploy/chart/templates/0000_50_olm_02-olm-operator.serviceaccount.yaml b/deploy/chart/templates/0000_50_olm_02-olm-operator.serviceaccount.yaml
@@ -8,18 +8,6 @@ rules:
   verbs: ["watch", "list", "get", "create", "update", "patch", "delete", "deletecollection", "escalate", "bind"]
 - nonResourceURLs: ["*"]
   verbs: ["*"]
-- apiGroups:
-    - authentication.k8s.io
-  resources:
-    - tokenreviews
-  verbs:
-    - create
-- apiGroups:
-    - authorization.k8s.io
-  resources:
-    - subjectaccessreviews
-  verbs:
-    - create
 ---
 kind: ServiceAccount
 apiVersion: v1
diff --git a/deploy/chart/templates/0000_50_olm_03-services.yaml b/deploy/chart/templates/0000_50_olm_03-services.yaml
@@ -1,43 +1,39 @@
-{{- if or .Values.monitoring.enabled .Values.serviceCa.enabled }}
+{{ if .Values.monitoring.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ .Values.olm.service.name }}
+  name: olm-operator-metrics
   namespace: {{ .Values.namespace }}
-  {{- if .Values.serviceCa.enabled }}
   annotations:
-    service.alpha.openshift.io/serving-cert-secret-name: {{ .Values.serviceCa.olmOperator.secretName }}
-  {{- end }}
+    service.alpha.openshift.io/serving-cert-secret-name: olm-operator-serving-cert
   labels:
     app: olm-operator
 spec:
   type: ClusterIP
   ports:
   - name: https-metrics
-    port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.externalPort }}{{ end }}
+    port: {{ .Values.olm.service.externalPort }}
     protocol: TCP
-    targetPort: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
+    targetPort: {{ .Values.olm.service.internalPort }}
   selector:
     app: olm-operator
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ .Values.catalog.service.name }}
+  name: catalog-operator-metrics
   namespace: {{ .Values.namespace }}
-  {{- if .Values.serviceCa.enabled }}
   annotations:
-    service.alpha.openshift.io/serving-cert-secret-name: {{ .Values.serviceCa.catalogOperator.secretName }}
-  {{- end }}
+    service.alpha.openshift.io/serving-cert-secret-name: catalog-operator-serving-cert
   labels:
     app: catalog-operator
 spec:
   type: ClusterIP
   ports:
   - name: https-metrics
-    port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.externalPort }}{{ end }}
+    port: {{ .Values.catalog.service.externalPort }}
     protocol: TCP
-    targetPort: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
+    targetPort: {{ .Values.catalog.service.internalPort }}
   selector:
     app: catalog-operator
 {{ end }}
diff --git a/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml b/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml
@@ -30,13 +30,6 @@ spec:
       - name: profile-collector-cert
         secret:
           secretName: {{ .Values.certManager.certificate.secretName }}
-      {{- else if .Values.serviceCa.enabled }}
-      - name: srv-cert
-        secret:
-          secretName: {{ .Values.serviceCa.olmOperator.secretName }}
-      - name: profile-collector-cert
-        secret:
-          secretName: {{ .Values.serviceCa.olmOperator.secretName }}
       {{- end }}
       - name: tmpfs
         emptyDir: {}
@@ -48,7 +41,7 @@ spec:
             capabilities:
               drop: [ "ALL" ]
           volumeMounts:
-          {{- if or .Values.certManager.enabled .Values.serviceCa.enabled }}
+          {{- if .Values.certManager.enabled }}
           - name: srv-cert
             mountPath: "/srv-cert"
             readOnly: true
@@ -81,7 +74,7 @@ spec:
           - --writePackageServerStatusName
           - {{ .Values.writePackageServerStatusName }}
           {{- end }}
-         {{- if or .Values.certManager.enabled .Values.serviceCa.enabled }}
+         {{- if .Values.certManager.enabled }}
           - --tls-cert
           - /srv-cert/tls.crt
           - --tls-key
@@ -92,18 +85,18 @@ spec:
           image: {{ .Values.olm.image.ref }}
           imagePullPolicy: {{ .Values.olm.image.pullPolicy }}
           ports:
-            - containerPort: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
+            - containerPort: {{ if .Values.certManager.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
               name: metrics
           livenessProbe:
             httpGet:
               path: /healthz
-              port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
-              scheme: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}HTTPS{{ else }}HTTP{{ end }}
+              port: {{ if .Values.certManager.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
+              scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
           readinessProbe:
             httpGet:
               path: /healthz
-              port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
-              scheme: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}HTTPS{{ else }}HTTP{{ end }}
+              port: {{ if .Values.certManager.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
+              scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
           terminationMessagePolicy: FallbackToLogsOnError
           env:
           - name: OPERATOR_NAMESPACE
diff --git a/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml b/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml
@@ -30,13 +30,6 @@ spec:
       - name: profile-collector-cert
         secret:
           secretName: {{ .Values.certManager.certificate.secretName }}
-      {{- else if .Values.serviceCa.enabled }}
-      - name: srv-cert
-        secret:
-          secretName: {{ .Values.serviceCa.catalogOperator.secretName }}
-      - name: profile-collector-cert
-        secret:
-          secretName: {{ .Values.serviceCa.catalogOperator.secretName }}
       {{- end }}
       - name: tmpfs
         emptyDir: {}
@@ -48,7 +41,7 @@ spec:
             capabilities:
               drop: [ "ALL" ]
           volumeMounts:
-          {{- if or .Values.certManager.enabled .Values.serviceCa.enabled }}
+          {{- if .Values.certManager.enabled }}
           - name: srv-cert
             mountPath: "/srv-cert"
             readOnly: true
@@ -78,7 +71,7 @@ spec:
           - --writeStatusName
           - {{ .Values.writeStatusNameCatalog }}
           {{- end }}
-          {{- if or .Values.certManager.enabled .Values.serviceCa.enabled }}
+          {{- if .Values.certManager.enabled }}
           - --tls-cert
           - /srv-cert/tls.crt
           - --tls-key
@@ -99,18 +92,18 @@ spec:
           {{- end }}
           imagePullPolicy: {{ .Values.catalog.image.pullPolicy }}
           ports:
-            - containerPort: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
+            - containerPort: {{ if .Values.certManager.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
               name: metrics
           livenessProbe:
             httpGet:
               path: /healthz
-              port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
-              scheme: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}HTTPS{{ else }}HTTP{{ end }}
+              port: {{ if .Values.certManager.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
+              scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
           readinessProbe:
             httpGet:
               path: /healthz
-              port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
-              scheme: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}HTTPS{{ else }}HTTP{{ end }}
+              port: {{ if .Values.certManager.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
+              scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
           terminationMessagePolicy: FallbackToLogsOnError
           {{- if .Values.catalog.resources }}
           resources:
diff --git a/deploy/chart/values.yaml b/deploy/chart/values.yaml
@@ -27,7 +27,6 @@ olm:
     ref: quay.io/operator-framework/olm:master
     pullPolicy: Always
   service:
-    name: olm-operator-metrics
     internalPort: 8080
     internalPortHttps: 8443
     externalPort: metrics
@@ -47,7 +46,6 @@ catalog:
     ref: quay.io/operator-framework/olm:master
     pullPolicy: Always
   service:
-    name: catalog-operator-metrics
     internalPort: 8080
     internalPortHttps: 8443
     externalPort: metrics
@@ -91,18 +89,6 @@ certManager:
     extraDnsNames: []
     extraIpAddresses: []
 
-# OpenShift service-ca configuration
-# When enabled, uses OpenShift service-ca-operator for certificate management
-# This is mutually exclusive with certManager - only one should be enabled
-serviceCa:
-  enabled: false
-  # Secret names are left empty in upstream, to be filled by downstream values.yaml
-  # Service names are taken from olm.service.name and catalog.service.name
-  olmOperator:
-    secretName: ""
-  catalogOperator:
-    secretName: ""
-
 networkPolicy:
   dns:
     ports:
