Merge "Mount existing nodepool-ca volume in zuul-capacity container"

Author: Microzuul CI

controllers/capacity.go

@@ -8,7 +8,10 @@ import (
 	apiv1 "k8s.io/api/core/v1"
 )
 
-func MkZuulCapacityContainer(openshiftUser bool) apiv1.Container {
+func MkZuulCapacityContainer(
+	openshiftUser bool,
+	corporateCMExists bool,
+) apiv1.Container {
 	container := base.MkContainer("zuul-capacity", base.ZuulCapacityImage(), openshiftUser)
 	container.Args = []string{"--port", "9100"}
 	container.Env = []apiv1.EnvVar{
@@ -36,5 +39,16 @@ func MkZuulCapacityContainer(openshiftUser bool) apiv1.Container {
 			ReadOnly:  true,
 		},
 	}
+
+	// Mount existing nodepool-ca volume for CA certs
+	if corporateCMExists {
+		container.VolumeMounts = append(
+			container.VolumeMounts,
+			apiv1.VolumeMount{
+				Name:      "nodepool-ca",
+				MountPath: TrustedCAExtractedMountPath,
+			})
+	}
+
 	return container
 }

controllers/nodepool.go

@@ -788,9 +788,8 @@ func (r *SFController) DeployNodepoolLauncher(statsdExporterVolume apiv1.Volume,
 	if hasProviderSecret(initialVolumeMounts) {
 		// Append zuul-capacity sidecar
 		nl.Spec.Template.Spec.Containers = append(nl.Spec.Template.Spec.Containers,
-			MkZuulCapacityContainer(r.isOpenShift),
+			MkZuulCapacityContainer(r.isOpenShift, corporateCMExists),
 		)
-
 		// Setup zuul-capacity service
 		zcSrv := base.MkService("zuul-capacity", r.ns, "nodepool-launcher", []int32{9100}, "zuul-capacity", r.cr.Spec.ExtraLabels)
 		r.GetOrCreate(&zcSrv)

doc/reference/CHANGELOG.md

@@ -25,6 +25,7 @@ All notable changes to this project will be documented in this file.
 
 - Ensure the trailing '/' when accessing https://<domain>/logjuicer. The web app was failing without the trailing slash.
 - zuul: when the user provides a connection named opendev.org, the operator no longer adds its own git connection and use the one provided by the user for accessing zuul-jobs.
+- zuul-capacity: the corporate CA certificate is now part of the CA trust chain if provided.
 
 ## [v0.0.57] - 2025-04-24