Update serving cert names to be consistent with thanos query

philipgough · philipgough · commit cc1487dbf9f5 · 2025-03-05T17:34:40.000Z
diff --git a/magefiles/operator.go b/magefiles/operator.go
@@ -861,6 +861,13 @@ func operatorDeployment(namespace string, m TemplateMaps) *appsv1.Deployment {
 								"--tls-cert-file=/etc/tls/private/tls.crt",
 								"--tls-private-key-file=/etc/tls/private/tls.key",
 							},
+							VolumeMounts: []corev1.VolumeMount{
+								{
+									Name:      "tls",
+									MountPath: "/etc/tls/private",
+									ReadOnly:  true,
+								},
+							},
 							Ports: []corev1.ContainerPort{
 								{
 									ContainerPort: 8443,
@@ -923,22 +930,16 @@ func operatorDeployment(namespace string, m TemplateMaps) *appsv1.Deployment {
 									Drop: []corev1.Capability{"ALL"},
 								},
 							},
-							VolumeMounts: []corev1.VolumeMount{
-								{
-									Name:      "kube-rbac-proxy-tls",
-									MountPath: "/etc/tls/private",
-									ReadOnly:  true,
-								},
-							},
 						},
 					},
 					Volumes: []corev1.Volume{
 						{
-							Name: "kube-rbac-proxy-tls",
+							Name: "tls",
 							VolumeSource: corev1.VolumeSource{
 								Secret: &corev1.SecretVolumeSource{
-									SecretName: "kube-rbac-proxy-tls",
-									Optional:   ptr.To(false),
+									SecretName:  "kube-rbac-proxy-tls",
+									DefaultMode: ptr.To(int32(420)),
+									Optional:    ptr.To(false),
 								},
 							},
 						},
diff --git a/resources/services/bundle/staging/operator.yaml b/resources/services/bundle/staging/operator.yaml
@@ -89,6 +89,10 @@ objects:
             capabilities:
               drop:
               - ALL
+          volumeMounts:
+          - mountPath: /etc/tls/private
+            name: tls
+            readOnly: true
         - args:
           - --health-probe-bind-address=:8081
           - --metrics-bind-address=127.0.0.1:8080
@@ -132,17 +136,14 @@ objects:
             capabilities:
               drop:
               - ALL
-          volumeMounts:
-          - mountPath: /etc/tls/private
-            name: kube-rbac-proxy-tls
-            readOnly: true
         securityContext:
           runAsNonRoot: true
         serviceAccountName: thanos-operator-controller-manager
         terminationGracePeriodSeconds: 10
         volumes:
-        - name: kube-rbac-proxy-tls
+        - name: tls
           secret:
+            defaultMode: 420
             optional: false
             secretName: kube-rbac-proxy-tls
   status: {}
