allow configuring the filepath for the ca from the secret

the cert may be mounted at tls.crt or ca.crt depending on how the secret is generated
authzed · Nov 21, 2023 · c94d78b · c94d78b
1 parent b20aeb9
commit c94d78b
Show file tree

Hide file tree

Showing 3 changed files with 244 additions and 218 deletions.
diff --git a/e2e/cluster_test.go b/e2e/cluster_test.go
@@ -278,6 +278,7 @@ var _ = Describe("SpiceDBClusters", func() {
 							"cmd":                            spicedbCmd,
 							"tlsSecretName":                  "spicedb-grpc-tls",
 							"dispatchUpstreamCASecretName":   "spicedb-grpc-tls",
+							"dispatchUpstreamCAFilePath":     "ca.crt",
 							"serviceAccountName":             "spicedb-non-default",
 							"extraServiceAccountAnnotations": "authzed.com/e2e=true",
 							"datastoreConnpoolReadMinOpen":   1,
@@ -577,6 +578,7 @@ var _ = Describe("SpiceDBClusters", func() {
 						"datastoreEngine":              "postgres",
 						"tlsSecretName":                "spicedb-grpc-tls",
 						"dispatchUpstreamCASecretName": "spicedb-grpc-tls",
+						"dispatchUpstreamCAFilePath":   "ca.crt",
 					}
 					cluster.Spec.Version = "v1.13.0"
 

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -60,6 +60,7 @@ var (
 	projectAnnotations                = newBoolOrStringKey("projectAnnotations", true)
 	tlsSecretNameKey                  = newStringKey("tlsSecretName")
 	dispatchCAKey                     = newStringKey("dispatchUpstreamCASecretName")
+	dispatchCAFilePathKey             = newKey("dispatchUpstreamCAFilePath", "tls.crt")
 	dispatchEnabledKey                = newBoolOrStringKey("dispatchEnabled", true)
 	telemetryCAKey                    = newStringKey("telemetryCASecretName")
 	envPrefixKey                      = newKey("envPrefix", "SPICEDB")
@@ -149,6 +150,7 @@ type SpiceConfig struct {
 	TLSSecretName                  string
 	DispatchEnabled                bool
 	DispatchUpstreamCASecretName   string
+	DispatchUpstreamCASecretPath   string
 	TelemetryTLSCASecretName       string
 	SecretName                     string
 	ExtraPodLabels                 map[string]string
@@ -182,6 +184,7 @@ func NewConfig(cluster *v1alpha1.SpiceDBCluster, globalConfig *OperatorConfig, s
 		TLSSecretName:                tlsSecretNameKey.pop(config),
 		ServiceAccountName:           serviceAccountNameKey.pop(config),
 		DispatchUpstreamCASecretName: dispatchCAKey.pop(config),
+		DispatchUpstreamCASecretPath: dispatchCAFilePathKey.pop(config),
 		TelemetryTLSCASecretName:     telemetryCAKey.pop(config),
 		EnvPrefix:                    envPrefixKey.pop(config),
 		SpiceDBCmd:                   spiceDBCmdKey.pop(config),
@@ -347,7 +350,7 @@ func NewConfig(cluster *v1alpha1.SpiceDBCluster, globalConfig *OperatorConfig, s
 	}
 
 	if len(spiceConfig.DispatchUpstreamCASecretName) > 0 && spiceConfig.DispatchEnabled {
-		passthroughConfig["dispatchUpstreamCAPath"] = "/dispatch-tls/tls.crt"
+		passthroughConfig["dispatchUpstreamCAPath"] = "/dispatch-tls/" + spiceConfig.DispatchUpstreamCASecretPath
 	}
 
 	if len(spiceConfig.TelemetryTLSCASecretName) > 0 {