mount trusted CA bundle in runner pods#1258
Merged
jeremyeder merged 3 commits intomainfrom Apr 10, 2026
Merged
Conversation
Contributor
📝 WalkthroughWalkthroughOperator code now conditionally mounts a Changes
Sequence Diagram(s)sequenceDiagram
participant Operator as Operator (session handler)
participant K8s as Kubernetes API
participant Pod as PodSpec (in-memory)
Operator->>K8s: GET ConfigMap `trusted-ca-bundle` in session namespace
alt ConfigMap found and contains ca-bundle.crt
K8s-->>Operator: ConfigMap with ca-bundle.crt
Operator->>Pod: append ConfigMap Volume `trusted-ca-bundle`
Operator->>Pod: add VolumeMount to container `ambient-code-runner` at /etc/pki/tls/certs/ca-bundle.crt (subPath: ca-bundle.crt, readOnly)
else NotFound
K8s-->>Operator: 404 NotFound
Operator-->>Pod: no changes
else Other error or missing key
K8s-->>Operator: error or missing key
Operator-->>Pod: log warning, no changes
end
Operator->>K8s: create Pod from modified PodSpec
K8s-->>Operator: Pod created / acknowledged
🚥 Pre-merge checks | ✅ 6 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (6 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
✨ Simplify code
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@components/operator/internal/handlers/sessions.go`:
- Around line 2172-2200: The code currently only checks that the ConfigMap
exists via k8sClient.CoreV1().ConfigMaps(...).Get and then unconditionally adds
a Volume and a VolumeMount with SubPath "ca-bundle.crt"; you must GET the
ConfigMap object and validate that its Data (or BinaryData) contains the
"ca-bundle.crt" key before appending the pod.Spec.Volumes and before adding the
SubPath mount to pod.Spec.Containers[i].VolumeMounts (match container name
"ambient-code-runner"); if the key is missing, log a warning referencing
types.TrustedCABundleConfigMapName and skip adding the volume/mount to avoid
kubelet SubPath mount failures.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: e18eebad-be36-4572-94ec-50e41f26f95b
📒 Files selected for processing (3)
components/operator/internal/handlers/sessions.gocomponents/operator/internal/handlers/sessions_test.gocomponents/operator/internal/types/resources.go
ktdreyer
force-pushed
the
feat/trusted-ca-bundle-runner-pods
branch
from
b5d1c07 to
32550e2
Compare
Contributor
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@components/operator/internal/handlers/sessions.go`:
- Around line 2199-2213: The current patch only mounts the trusted CA bundle
into the ambient-code-runner container; update the code to also mount the same
VolumeMount into init containers and any other containers that need it
(specifically target init container named "init-hydrate" in
pod.Spec.InitContainers and the container named "state-sync" in
pod.Spec.Containers) so they receive the trusted CA before network operations;
reuse the same corev1.VolumeMount (Name "trusted-ca-bundle", MountPath
"/etc/pki/tls/certs/ca-bundle.crt", SubPath "ca-bundle.crt", ReadOnly true) and
log using types.TrustedCABundleConfigMapName, ensuring you iterate
pod.Spec.InitContainers to patch "init-hydrate" and pod.Spec.Containers to patch
both "state-sync" and "ambient-code-runner" (avoid duplicate mounts if already
present).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: ea8d4d77-4042-4f4d-89a2-931cf6ff48cd
📒 Files selected for processing (3)
components/operator/internal/handlers/sessions.gocomponents/operator/internal/handlers/sessions_test.gocomponents/operator/internal/types/resources.go
✅ Files skipped from review due to trivial changes (1)
- components/operator/internal/types/resources.go
🚧 Files skipped from review as they are similar to previous changes (1)
- components/operator/internal/handlers/sessions_test.go
Comment on lines
+2199
to
+2213
| for i := range pod.Spec.Containers { | ||
| if pod.Spec.Containers[i].Name == "ambient-code-runner" { | ||
| pod.Spec.Containers[i].VolumeMounts = append( | ||
| pod.Spec.Containers[i].VolumeMounts, | ||
| corev1.VolumeMount{ | ||
| Name: "trusted-ca-bundle", | ||
| MountPath: "/etc/pki/tls/certs/ca-bundle.crt", | ||
| SubPath: "ca-bundle.crt", | ||
| ReadOnly: true, | ||
| }, | ||
| ) | ||
| log.Printf("Mounted %s ConfigMap to /etc/pki/tls/certs/ca-bundle.crt in runner container", | ||
| types.TrustedCABundleConfigMapName) | ||
| break | ||
| } |
Contributor
There was a problem hiding this comment.
Mount the bundle into init-hydrate and state-sync too.
This only patches ambient-code-runner. init-hydrate lives in pod.Spec.InitContainers and is configured with repo/S3 inputs (Lines 901-946), and state-sync is configured for S3 (Lines 1230-1248). On private-CA clusters, those containers can still fail TLS before the main runner starts, so private repo hydration/state sync is still broken unless they get the same trust bundle when present.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@components/operator/internal/handlers/sessions.go` around lines 2199 - 2213,
The current patch only mounts the trusted CA bundle into the ambient-code-runner
container; update the code to also mount the same VolumeMount into init
containers and any other containers that need it (specifically target init
container named "init-hydrate" in pod.Spec.InitContainers and the container
named "state-sync" in pod.Spec.Containers) so they receive the trusted CA before
network operations; reuse the same corev1.VolumeMount (Name "trusted-ca-bundle",
MountPath "/etc/pki/tls/certs/ca-bundle.crt", SubPath "ca-bundle.crt", ReadOnly
true) and log using types.TrustedCABundleConfigMapName, ensuring you iterate
pod.Spec.InitContainers to patch "init-hydrate" and pod.Spec.Containers to patch
both "state-sync" and "ambient-code-runner" (avoid duplicate mounts if already
present).
Contributor
Author
There was a problem hiding this comment.
@coderabbitai how can those require the CA?
Contributor
There was a problem hiding this comment.
@ktdreyer Good challenge — it depends on the deployment:
init-hydrate's backend API call (BACKEND_API_URL) uses plainhttp://— no TLS at all, so definitely no CA needed there.- S3 (
s3Endpoint) — if it's internal MinIO over HTTP (the typical default here), no CA needed. But if an operator configures an internal HTTPS S3 endpoint backed by a corporate CA,init-hydrateandstate-syncwould fail TLS. - Git clones in
init-hydrate— if repos are hosted on an internal Gitlab/Gitea with a private CA cert, cloning over HTTPS would fail without the bundle.
So the containers can need it, but only when:
- The S3 endpoint is HTTPS + corporate CA, or
- Git repos are on a private-CA HTTPS host
If your target environments use plain-HTTP MinIO and public-CA git hosts, the runner container is the only one making connections (to Anthropic/Claude APIs, etc.) that realistically need the bundle. In that case you can safely ignore my comment. Your call on whether the edge cases (HTTPS S3, private git) are in scope for this PR.
Contributor
Author
There was a problem hiding this comment.
Neither of those conditions are true. We'll ignore this for now.
On clusters with private or corporate CAs, runner pods fail TLS validation because they only have the default UBI9 system CA store. The "backend-api" Deployment already supports a trusted CA bundle, but runner pods (created dynamically by the operator) never had matching support. "applyTrustedCABundle" checks for a "trusted-ca-bundle" ConfigMap in the session namespace before each pod is created. On OpenShift, this ConfigMap is auto-populated by CA injection; on other clusters, operators can provision it manually. When present, the ConfigMap is mounted at "/etc/pki/tls/certs/ca-bundle.crt" (the UBI9 system CA path) so all TLS clients in the runner container trust the corporate CA without any application-level changes. Clusters without the ConfigMap are unaffected. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ktdreyer
force-pushed
the
feat/trusted-ca-bundle-runner-pods
branch
from
32550e2 to
0301b72
Compare
Contributor
Resolved merge conflict in sessions.go by keeping both the new deleteAmbientMlflowObservabilitySecret function from main and the applyTrustedCABundle function from this PR. Also addressed CodeRabbit review: mount CA bundle into init-hydrate and state-sync containers in addition to ambient-code-runner so all containers that make network calls can validate TLS certificates. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The public-api go.mod requires Go 1.25.0, but the ubi9/go-toolset:1.25 image currently ships with Go 1.24.6. Setting GOTOOLCHAIN=auto allows Go to automatically download and use the correct toolchain version. Fixes the CI build failure where go mod download was failing with: "go: go.mod requires go >= 1.25.0 (running go 1.24.6; GOTOOLCHAIN=local)" Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Contributor
Fixed Issues✅ Merge Conflict ResolvedResolved conflict in
✅ CodeRabbit Review AddressedUpdated
This ensures TLS certificate validation works before any network operations. ✅ CI Build Failure FixedFixed the public-api build failure caused by Go version mismatch:
All changes pushed and CI should pass now. 🤖 Session |
Contributor
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@components/operator/internal/handlers/sessions_test.go`:
- Around line 573-758: The tests for applyTrustedCABundle only assert mounts on
the "ambient-code-runner" container, so they miss regressions where
"init-hydrate" and "state-sync" are not receiving the trusted CA; update the
TestApplyTrustedCABundle_* cases to create pods with three containers named
"init-hydrate", "state-sync", and "ambient-code-runner" (or add those containers
to existing pod fixtures) and assert that the volumes list includes the
trusted-ca-bundle and that each of the three containers has a VolumeMount named
"trusted-ca-bundle" with MountPath "/etc/pki/tls/certs/ca-bundle.crt", SubPath
"ca-bundle.crt" and ReadOnly=true; for the ExistingMountsPreserved test also
ensure pre-existing mounts for each container remain in-place and that the
trusted-ca-bundle mount is appended.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: f06347d4-12e7-417d-a033-25594f3a0df2
📒 Files selected for processing (3)
components/operator/internal/handlers/sessions.gocomponents/operator/internal/handlers/sessions_test.gocomponents/public-api/Dockerfile
✅ Files skipped from review due to trivial changes (1)
- components/public-api/Dockerfile
🚧 Files skipped from review as they are similar to previous changes (1)
- components/operator/internal/handlers/sessions.go
Comment on lines
+573
to
+758
| // TestApplyTrustedCABundle_ConfigMapPresent verifies that applyTrustedCABundle adds the volume | ||
| // and VolumeMount when the trusted-ca-bundle ConfigMap exists in the session namespace. | ||
| func TestApplyTrustedCABundle_ConfigMapPresent(t *testing.T) { | ||
| cm := &corev1.ConfigMap{ | ||
| ObjectMeta: metav1.ObjectMeta{ | ||
| Name: types.TrustedCABundleConfigMapName, | ||
| Namespace: "session-ns", | ||
| }, | ||
| Data: map[string]string{ | ||
| "ca-bundle.crt": "--- fake CA data ---", | ||
| }, | ||
| } | ||
| setupTestClient(cm) | ||
|
|
||
| pod := &corev1.Pod{ | ||
| Spec: corev1.PodSpec{ | ||
| Containers: []corev1.Container{ | ||
| {Name: "ambient-code-runner"}, | ||
| }, | ||
| }, | ||
| } | ||
|
|
||
| applyTrustedCABundle(config.K8sClient, "session-ns", pod) | ||
|
|
||
| if len(pod.Spec.Volumes) != 1 { | ||
| t.Fatalf("expected 1 volume, got %d", len(pod.Spec.Volumes)) | ||
| } | ||
| vol := pod.Spec.Volumes[0] | ||
| if vol.Name != "trusted-ca-bundle" { | ||
| t.Errorf("expected volume name 'trusted-ca-bundle', got %q", vol.Name) | ||
| } | ||
| if vol.ConfigMap == nil || vol.ConfigMap.Name != types.TrustedCABundleConfigMapName { | ||
| t.Errorf("expected ConfigMap volume sourced from %q", types.TrustedCABundleConfigMapName) | ||
| } | ||
|
|
||
| mounts := pod.Spec.Containers[0].VolumeMounts | ||
| if len(mounts) != 1 { | ||
| t.Fatalf("expected 1 VolumeMount, got %d", len(mounts)) | ||
| } | ||
| m := mounts[0] | ||
| if m.Name != "trusted-ca-bundle" { | ||
| t.Errorf("expected mount name 'trusted-ca-bundle', got %q", m.Name) | ||
| } | ||
| if m.MountPath != "/etc/pki/tls/certs/ca-bundle.crt" { | ||
| t.Errorf("unexpected MountPath: %q", m.MountPath) | ||
| } | ||
| if m.SubPath != "ca-bundle.crt" { | ||
| t.Errorf("expected SubPath 'ca-bundle.crt', got %q", m.SubPath) | ||
| } | ||
| if !m.ReadOnly { | ||
| t.Error("expected ReadOnly=true") | ||
| } | ||
| } | ||
|
|
||
| // TestApplyTrustedCABundle_ConfigMapAbsent verifies that applyTrustedCABundle leaves the pod | ||
| // unchanged when the trusted-ca-bundle ConfigMap is not present in the session namespace. | ||
| func TestApplyTrustedCABundle_ConfigMapAbsent(t *testing.T) { | ||
| setupTestClient() // no ConfigMap | ||
|
|
||
| pod := &corev1.Pod{ | ||
| Spec: corev1.PodSpec{ | ||
| Containers: []corev1.Container{ | ||
| {Name: "ambient-code-runner"}, | ||
| }, | ||
| }, | ||
| } | ||
|
|
||
| applyTrustedCABundle(config.K8sClient, "session-ns", pod) | ||
|
|
||
| if len(pod.Spec.Volumes) != 0 { | ||
| t.Errorf("expected no volumes, got %d", len(pod.Spec.Volumes)) | ||
| } | ||
| if len(pod.Spec.Containers[0].VolumeMounts) != 0 { | ||
| t.Errorf("expected no VolumeMounts, got %d", len(pod.Spec.Containers[0].VolumeMounts)) | ||
| } | ||
| } | ||
|
|
||
| // TestApplyTrustedCABundle_ExistingMountsPreserved verifies that applyTrustedCABundle appends | ||
| // to, rather than replacing, existing VolumeMounts on the runner container. | ||
| func TestApplyTrustedCABundle_ExistingMountsPreserved(t *testing.T) { | ||
| cm := &corev1.ConfigMap{ | ||
| ObjectMeta: metav1.ObjectMeta{ | ||
| Name: types.TrustedCABundleConfigMapName, | ||
| Namespace: "session-ns", | ||
| }, | ||
| Data: map[string]string{ | ||
| "ca-bundle.crt": "--- fake CA data ---", | ||
| }, | ||
| } | ||
| setupTestClient(cm) | ||
|
|
||
| existingMount := corev1.VolumeMount{ | ||
| Name: "runner-token", | ||
| MountPath: "/var/run/secrets/ambient", | ||
| ReadOnly: true, | ||
| } | ||
| pod := &corev1.Pod{ | ||
| Spec: corev1.PodSpec{ | ||
| Volumes: []corev1.Volume{ | ||
| {Name: "runner-token"}, | ||
| }, | ||
| Containers: []corev1.Container{ | ||
| { | ||
| Name: "ambient-code-runner", | ||
| VolumeMounts: []corev1.VolumeMount{existingMount}, | ||
| }, | ||
| }, | ||
| }, | ||
| } | ||
|
|
||
| applyTrustedCABundle(config.K8sClient, "session-ns", pod) | ||
|
|
||
| if len(pod.Spec.Volumes) != 2 { | ||
| t.Fatalf("expected 2 volumes (runner-token + trusted-ca-bundle), got %d", len(pod.Spec.Volumes)) | ||
| } | ||
| mounts := pod.Spec.Containers[0].VolumeMounts | ||
| if len(mounts) != 2 { | ||
| t.Fatalf("expected 2 VolumeMounts, got %d", len(mounts)) | ||
| } | ||
| // Existing mount must still be at index 0 | ||
| if mounts[0].Name != "runner-token" { | ||
| t.Errorf("expected first mount to be 'runner-token', got %q", mounts[0].Name) | ||
| } | ||
| if mounts[1].Name != "trusted-ca-bundle" { | ||
| t.Errorf("expected second mount to be 'trusted-ca-bundle', got %q", mounts[1].Name) | ||
| } | ||
| } | ||
|
|
||
| // TestApplyTrustedCABundle_MissingKey verifies that applyTrustedCABundle leaves the pod | ||
| // unchanged when the ConfigMap exists but lacks the ca-bundle.crt key. | ||
| func TestApplyTrustedCABundle_MissingKey(t *testing.T) { | ||
| cm := &corev1.ConfigMap{ | ||
| ObjectMeta: metav1.ObjectMeta{ | ||
| Name: types.TrustedCABundleConfigMapName, | ||
| Namespace: "session-ns", | ||
| }, | ||
| Data: map[string]string{ | ||
| "wrong-key.pem": "--- fake CA data ---", | ||
| }, | ||
| } | ||
| setupTestClient(cm) | ||
|
|
||
| pod := &corev1.Pod{ | ||
| Spec: corev1.PodSpec{ | ||
| Containers: []corev1.Container{ | ||
| {Name: "ambient-code-runner"}, | ||
| }, | ||
| }, | ||
| } | ||
|
|
||
| applyTrustedCABundle(config.K8sClient, "session-ns", pod) | ||
|
|
||
| if len(pod.Spec.Volumes) != 0 { | ||
| t.Errorf("expected no volumes when key is missing, got %d", len(pod.Spec.Volumes)) | ||
| } | ||
| if len(pod.Spec.Containers[0].VolumeMounts) != 0 { | ||
| t.Errorf("expected no VolumeMounts when key is missing, got %d", len(pod.Spec.Containers[0].VolumeMounts)) | ||
| } | ||
| } | ||
|
|
||
| // TestApplyTrustedCABundle_APIError verifies that applyTrustedCABundle leaves the pod | ||
| // unchanged when the ConfigMap GET returns a non-NotFound error. | ||
| func TestApplyTrustedCABundle_APIError(t *testing.T) { | ||
| fakeClient := fake.NewSimpleClientset() | ||
| fakeClient.PrependReactor("get", "configmaps", func(action clienttesting.Action) (bool, runtime.Object, error) { | ||
| return true, nil, fmt.Errorf("connection refused") | ||
| }) | ||
| config.K8sClient = fakeClient | ||
|
|
||
| pod := &corev1.Pod{ | ||
| Spec: corev1.PodSpec{ | ||
| Containers: []corev1.Container{ | ||
| {Name: "ambient-code-runner"}, | ||
| }, | ||
| }, | ||
| } | ||
|
|
||
| applyTrustedCABundle(config.K8sClient, "session-ns", pod) | ||
|
|
||
| if len(pod.Spec.Volumes) != 0 { | ||
| t.Errorf("expected no volumes on API error, got %d", len(pod.Spec.Volumes)) | ||
| } | ||
| if len(pod.Spec.Containers[0].VolumeMounts) != 0 { | ||
| t.Errorf("expected no VolumeMounts on API error, got %d", len(pod.Spec.Containers[0].VolumeMounts)) | ||
| } | ||
| } |
Contributor
There was a problem hiding this comment.
Tests miss required coverage for init-hydrate and state-sync mounts.
These new tests only verify ambient-code-runner. The PR objective requires mounting the trusted CA bundle into init-hydrate, state-sync, and ambient-code-runner; with current assertions, an implementation that skips the first two would still pass.
Proposed test adjustment
func TestApplyTrustedCABundle_ConfigMapPresent(t *testing.T) {
@@
pod := &corev1.Pod{
Spec: corev1.PodSpec{
Containers: []corev1.Container{
+ {Name: "init-hydrate"},
+ {Name: "state-sync"},
{Name: "ambient-code-runner"},
},
},
}
@@
- mounts := pod.Spec.Containers[0].VolumeMounts
- if len(mounts) != 1 {
- t.Fatalf("expected 1 VolumeMount, got %d", len(mounts))
- }
- m := mounts[0]
- if m.Name != "trusted-ca-bundle" {
- t.Errorf("expected mount name 'trusted-ca-bundle', got %q", m.Name)
- }
- if m.MountPath != "/etc/pki/tls/certs/ca-bundle.crt" {
- t.Errorf("unexpected MountPath: %q", m.MountPath)
- }
- if m.SubPath != "ca-bundle.crt" {
- t.Errorf("expected SubPath 'ca-bundle.crt', got %q", m.SubPath)
- }
- if !m.ReadOnly {
- t.Error("expected ReadOnly=true")
- }
+ expected := map[string]bool{
+ "init-hydrate": false,
+ "state-sync": false,
+ "ambient-code-runner": false,
+ }
+ for _, c := range pod.Spec.Containers {
+ for _, m := range c.VolumeMounts {
+ if m.Name == "trusted-ca-bundle" &&
+ m.MountPath == "/etc/pki/tls/certs/ca-bundle.crt" &&
+ m.SubPath == "ca-bundle.crt" &&
+ m.ReadOnly {
+ if _, ok := expected[c.Name]; ok {
+ expected[c.Name] = true
+ }
+ }
+ }
+ }
+ for name, ok := range expected {
+ if !ok {
+ t.Fatalf("expected trusted-ca-bundle mount on container %q", name)
+ }
+ }
}🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@components/operator/internal/handlers/sessions_test.go` around lines 573 -
758, The tests for applyTrustedCABundle only assert mounts on the
"ambient-code-runner" container, so they miss regressions where "init-hydrate"
and "state-sync" are not receiving the trusted CA; update the
TestApplyTrustedCABundle_* cases to create pods with three containers named
"init-hydrate", "state-sync", and "ambient-code-runner" (or add those containers
to existing pod fixtures) and assert that the volumes list includes the
trusted-ca-bundle and that each of the three containers has a VolumeMount named
"trusted-ca-bundle" with MountPath "/etc/pki/tls/certs/ca-bundle.crt", SubPath
"ca-bundle.crt" and ReadOnly=true; for the ExistingMountsPreserved test also
ensure pre-existing mounts for each container remain in-place and that the
trusted-ca-bundle mount is appended.
jeremyeder
approved these changes
Apr 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
trusted-ca-bundleConfigMap at/etc/pki/tls/certs/ca-bundle.crt(the UBI9 system CA path), enabling TLS validation against private/corporate CAsFixes #1247
Test plan
TestApplyTrustedCABundle_ConfigMapPresent— volume + mount added when ConfigMap existsTestApplyTrustedCABundle_ConfigMapAbsent— pod unchanged when ConfigMap is missingTestApplyTrustedCABundle_ExistingMountsPreserved— existing mounts not clobberedTestApplyTrustedCABundle_APIError— pod unchanged on transient API errorstrusted-ca-bundleConfigMap in session namespace, start session, verify/etc/pki/tls/certs/ca-bundle.crtin runner pod contains the custom CASummary by CodeRabbit
New Features
Tests