{"id":18637207,"url":"https://github.com/openshift/service-ca-operator","last_synced_at":"2025-04-05T12:02:43.439Z","repository":{"id":40351934,"uuid":"148210990","full_name":"openshift/service-ca-operator","owner":"openshift","description":"Controller to mint and manage serving certificates for Kubernetes services","archived":false,"fork":false,"pushed_at":"2025-03-20T12:48:24.000Z","size":72518,"stargazers_count":42,"open_issues_count":7,"forks_count":70,"subscribers_count":13,"default_branch":"main","last_synced_at":"2025-03-29T11:04:24.811Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/openshift.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-09-10T19:54:44.000Z","updated_at":"2025-03-10T02:24:34.000Z","dependencies_parsed_at":"2023-09-23T07:49:57.610Z","dependency_job_id":"4045ca79-6b23-4282-a30d-149fd88f7b15","html_url":"https://github.com/openshift/service-ca-operator","commit_stats":{"total_commits":270,"total_committers":34,"mean_commits":"7.9411764705882355","dds":0.8148148148148149,"last_synced_commit":"8f1e2fabfc0ded40557cdb7f6f2894020c465e8c"},"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openshift%2Fservice-ca-operator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openshift%2Fservice-ca-operator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openshift%2Fserv
ice-ca-operator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openshift%2Fservice-ca-operator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/openshift","download_url":"https://codeload.github.com/openshift/service-ca-operator/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247332559,"owners_count":20921853,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-07T05:34:08.209Z","updated_at":"2025-04-05T12:02:43.407Z","avatar_url":"https://github.com/openshift.png","language":"Go","readme":"# OpenShift Service CA Operator\n\nThis operator runs the following OpenShift controllers:\n* **serving cert signer:**\n  * Issues a signed serving certificate/key pair to services annotated with 'service.beta.openshift.io/serving-cert-secret-name' via a secret. [See the current OKD documentation for usage.](https://docs.okd.io/latest/security/certificates/service-serving-certificate.html)\n\n* **configmap cabundle injector:**\n  * Watches for configmaps annotated with 'service.beta.openshift.io/inject-cabundle=true' and adds or updates a data item (key \"service-ca.crt\") containing the PEM-encoded CA signing bundle. 
Consumers of the configmap can then trust service-ca.crt in their TLS client configuration, allowing connections to services that utilize service-serving certificates.\n  * Note: Explicitly referencing the \"service-ca.crt\" key in a volumeMount will prevent a pod from starting until the configMap has been injected with the CA bundle (https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#restrictions). This behavior helps ensure that pods start with the CA bundle data available.\n\n```\n$ oc create configmap foobar --from-literal=key1=foo\nconfigmap/foobar created\n$ oc get configmap/foobar -o yaml\napiVersion: v1\ndata:\n  key1: foo\nkind: ConfigMap\nmetadata:\n  creationTimestamp: 2018-09-11T23:44:56Z\n  name: foobar\n  namespace: myproject\n  resourceVersion: \"56490\"\n  selfLink: /api/v1/namespaces/myproject/configmaps/foobar\n  uid: afee501b-b61c-11e8-833b-c85b762603b0\n$ oc annotate configmap foobar service.beta.openshift.io/inject-cabundle=\"true\"\nconfigmap/foobar annotated\n$ oc get configmap/foobar -o yaml\napiVersion: v1\ndata:\n  key1: foo\n  service-ca.crt: |\n    -----BEGIN CERTIFICATE-----\n    MIIDCjCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQsFADA2MTQwMgYDVQQDDCtvcGVu\n    c2hpZnQtc2VydmljZS1zZXJ2aW5nLXNpZ25lckAxNTM2Njk1NTIxMB4XDTE4MDkx\n    MTE5NTIwMVoXDTIzMDkxMDE5NTIwMlowNjE0MDIGA1UEAwwrb3BlbnNoaWZ0LXNl\n    cnZpY2Utc2VydmluZy1zaWduZXJAMTUzNjY5NTUyMTCCASIwDQYJKoZIhvcNAQEB\n    BQADggEPADCCAQoCggEBANP9Asc657SkWVPOohmMlrXQirl7taaarmM5l3/pNgeo\n    /fwkaH5KrJ9D8OxiSd5aepURrxeAk22U9eicGWRNssoe1wukE4hlLcIUlwdvElBA\n    5dS0xRI3Jld3WjqisVRdjTy9O4GEWFOIhkZlrL9ZcNWe8WhiCtn447rgI1QhtZtX\n    mAxUZ/mZdswQgvP0eqWOGWarC1b+RBQFo7uF0No6N4vTlpNBCxoz3CYvlpXwODYU\n    4dpdpsoF6PdZ+8uMh4hVY/2w1/6qgwwe4E85RkumBwyPHQGOFKkJDF26nBLM1HGF\n    +BLCcpUatISgLO9eDm1thcDvmash9HmaH7nJ+195ck0CAwEAAaMjMCEwDgYDVR0P\n    AQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBABwA\n    aZNHvhla0QWznreqkPkd1bUbMit4R5JbTGYk6cd37zLAWA60inwaZ0A4GFk7VVom\n    
Zbru3/DdhoI4ojcY26eqY0CbrhizV10mlI8Q/cdu1EKpDFwrHiwNk2rsBVbox8Es\n    Quy9jgb51WIFhUy4C0aqSmc495Gg9pCxzs4cCuqJtb8OyUEUBKbxyz9lA1a7ZUpx\n    BofBpbbyBRtnf27mQTyxVcZBzkHAj1Ouq0mBiXs4c3YLGbNse00MP0G6Uwtmsbev\n    PCmHDAHzPvb7N9vMZ4jrqulkaN1S2H9091pH0DxA8srUl0JCuB7p03uPrxCOSAwT\n    6OkzAWkPxzToypA+7fU=\n    -----END CERTIFICATE-----\nkind: ConfigMap\nmetadata:\n  annotations:\n    service.beta.openshift.io/inject-cabundle: \"true\"\n  creationTimestamp: 2018-09-11T23:44:56Z\n  name: foobar\n  namespace: myproject\n  resourceVersion: \"56606\"\n  selfLink: /api/v1/namespaces/myproject/configmaps/foobar\n  uid: afee501b-b61c-11e8-833b-c85b762603b0\n```\n\n* **generic cabundle injector:**\n  * Watches for apiservices, mutatingwebhookconfig, validatingwebhookconfig and crds annotated with 'service.beta.openshift.io/inject-cabundle=true' and sets the appropriate CA bundle field (apiservice -\u003e spec.caBundle, *webhookconfig -\u003e webhooks[].clientConfig.caBundle, crd -\u003e spec.conversion.webhook.clientConfig.caBundle) with a base64url-encoded CA signing bundle. 
The following example is for apiservices:\n\n```\n$ oc get apiservice/v1.build.openshift.io -o yaml\napiVersion: apiregistration.k8s.io/v1\nkind: APIService\nmetadata:\n  annotations:\n    kubectl.kubernetes.io/last-applied-configuration: |\n      {\"apiVersion\":\"apiregistration.k8s.io/v1beta1\",\"kind\":\"APIService\",\"metadata\":{\"annotations\":{\"service.beta.openshift.io/inject-cabundle\":\"true\"},\"name\":\"v1.build.openshift.io\",\"namespace\":\"\"},\"spec\":{\"group\":\"build.openshift.io\",\"groupPriorityMinimum\":9900,\"service\":{\"name\":\"api\",\"namespace\":\"openshift-apiserver\"},\"version\":\"v1\",\"versionPriority\":15}}\n    service.beta.openshift.io/inject-cabundle: \"true\"\n  creationTimestamp: 2018-09-11T19:52:16Z\n  name: v1.build.openshift.io\n  resourceVersion: \"923\"\n  selfLink: /apis/apiregistration.k8s.io/v1/apiservices/v1.build.openshift.io\n  uid: 2f55ec88-b5fc-11e8-833b-c85b762603b0\nspec:\n  caBundle: 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\n  group: build.openshift.io\n  groupPriorityMinimum: 9900\n  service:\n    name: api\n    namespace: openshift-apiserver\n  version: v1\n  versionPriority: 15\nstatus:\n  conditions:\n  - lastTransitionTime: 2018-09-11T19:54:16Z\n    message: all checks passed\n    reason: Passed\n    status: \"True\"\n    type: Available\n```\n\nThe openshift-service-ca-operator is an\n[OpenShift ClusterOperator](https://github.com/openshift/enhancements/blob/master/enhancements/dev-guide/operators.md#what-is-an-openshift-clusteroperator)\n\nThe ServiceCA [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) is defined in this repository.    
\nThe [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions)\n`servicecas.operator.openshift.io`    \ncan be viewed in a cluster with:\n\n```console\n$ oc get crd servicecas.operator.openshift.io -o yaml\n```\n\nMany OpenShift ClusterOperators share common build, test, deployment, and update methods.    \nFor information about how to build, deploy, test, update, and develop OpenShift ClusterOperators, see    \n[OpenShift ClusterOperator and Operand Developer Document](https://github.com/openshift/enhancements/blob/master/dev-guide/operators.md#how-do-i-buildupdateverifyrun-unit-tests)\n\nThis section explains how to deploy OpenShift with your version of a service-ca-operator image:        \n[Testing a ClusterOperator/Operand image in a cluster](https://github.com/openshift/enhancements/blob/master/dev-guide/operators.md#how-can-i-test-changes-to-an-openshift-operatoroperandrelease-component)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenshift%2Fservice-ca-operator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopenshift%2Fservice-ca-operator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenshift%2Fservice-ca-operator/lists"}