pulp · josephtate · Dec 1, 2025 · Dec 23, 2025
diff --git a/apis/repo-manager.pulpproject.org/v1/pulp_types.go b/apis/repo-manager.pulpproject.org/v1/pulp_types.go
@@ -316,12 +316,20 @@ type PulpSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:io.kubernetes:Secret","urn:alm:descriptor:com.tectonic.ui:advanced"}
 	SSOSecret string `json:"sso_secret,omitempty"`
 
-	// Define if the operator should or should not mount the custom CA certificates added to the cluster via cluster-wide proxy config.
+	// Enable mounting of custom CA certificates. On OpenShift, mounts CA certificates added to the cluster via cluster-wide proxy config. On vanilla Kubernetes with cert-manager's trust-manager, requires mount_trusted_ca_configmap_key to specify the ConfigMap and key containing the CA bundle.
 	// Default: false
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"}
 	TrustedCa bool `json:"mount_trusted_ca,omitempty"`
 
+	// Specifies the ConfigMap and key containing the CA bundle for vanilla Kubernetes clusters.
+	// The ConfigMap can be managed manually or kept up to date using cert-manager's trust-manager.
+	// Format: "configmap-name:key" (e.g., "vault-ca-defaults-bundle:ca.crt")
+	// Required on vanilla Kubernetes when mount_trusted_ca is true. Optional on OpenShift.
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Trusted CA ConfigMap Key",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:advanced","urn:alm:descriptor:com.tectonic.ui:fieldDependency:mount_trusted_ca:true"}
+	TrustedCaConfigMapKey *string `json:"mount_trusted_ca_configmap_key,omitempty"`
+
 	// Job to reset pulp admin password
 	AdminPasswordJob PulpJob `json:"admin_password_job,omitempty"`
 

diff --git a/apis/repo-manager.pulpproject.org/v1/zz_generated.deepcopy.go b/apis/repo-manager.pulpproject.org/v1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/pulp-operator.clusterserviceversion.yaml b/bundle/manifests/pulp-operator.clusterserviceversion.yaml
@@ -788,13 +788,24 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
         - urn:alm:descriptor:com.tectonic.ui:advanced
-      - description: 'Define if the operator should or should not mount the custom
-          CA certificates added to the cluster via cluster-wide proxy config. Default:
-          false'
+      - description: 'Enable mounting of custom CA certificates. On OpenShift, mounts
+          CA certificates added to the cluster via cluster-wide proxy config. On vanilla
+          Kubernetes with cert-manager''s trust-manager, requires mount_trusted_ca_configmap_key
+          to specify the ConfigMap and key containing the CA bundle. Default: false'
         displayName: Trusted Ca
         path: mount_trusted_ca
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: 'Specifies the ConfigMap and key containing the CA bundle for
+          vanilla Kubernetes clusters. The ConfigMap can be managed manually or kept
+          up to date using cert-manager''s trust-manager. Format: "configmap-name:key"
+          (e.g., "vault-ca-defaults-bundle:ca.crt") Required on vanilla Kubernetes
+          when mount_trusted_ca is true. Optional on OpenShift.'
+        displayName: Trusted CA ConfigMap Key
+        path: mount_trusted_ca_configmap_key
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:mount_trusted_ca:true
       - description: 'The client max body size for Nginx Ingress. Default: "10m"'
         displayName: Nginx Max Body Size
         path: nginx_client_max_body_size

diff --git a/bundle/manifests/repo-manager.pulpproject.org_pulps.yaml b/bundle/manifests/repo-manager.pulpproject.org_pulps.yaml
@@ -7730,9 +7730,16 @@ spec:
                 type: object
               mount_trusted_ca:
                 description: |-
-                  Define if the operator should or should not mount the custom CA certificates added to the cluster via cluster-wide proxy config.
+                  Enable mounting of custom CA certificates. On OpenShift, mounts CA certificates added to the cluster via cluster-wide proxy config. On vanilla Kubernetes with cert-manager's trust-manager, requires mount_trusted_ca_configmap_key to specify the ConfigMap and key containing the CA bundle.
                   Default: false
                 type: boolean
+              mount_trusted_ca_configmap_key:
+                description: |-
+                  Specifies the ConfigMap and key containing the CA bundle for vanilla Kubernetes clusters.
+                  The ConfigMap can be managed manually or kept up to date using cert-manager's trust-manager.
+                  Format: "configmap-name:key" (e.g., "vault-ca-defaults-bundle:ca.crt")
+                  Required on vanilla Kubernetes when mount_trusted_ca is true. Optional on OpenShift.
+                type: string
               nginx_client_max_body_size:
                 description: |-
                   The client max body size for Nginx Ingress.

diff --git a/config/crd/bases/repo-manager.pulpproject.org_pulps.yaml b/config/crd/bases/repo-manager.pulpproject.org_pulps.yaml
@@ -7730,9 +7730,16 @@ spec:
                 type: object
               mount_trusted_ca:
                 description: |-
-                  Define if the operator should or should not mount the custom CA certificates added to the cluster via cluster-wide proxy config.
+                  Enable mounting of custom CA certificates. On OpenShift, mounts CA certificates added to the cluster via cluster-wide proxy config. On vanilla Kubernetes with cert-manager's trust-manager, requires mount_trusted_ca_configmap_key to specify the ConfigMap and key containing the CA bundle.
                   Default: false
                 type: boolean
+              mount_trusted_ca_configmap_key:
+                description: |-
+                  Specifies the ConfigMap and key containing the CA bundle for vanilla Kubernetes clusters.
+                  The ConfigMap can be managed manually or kept up to date using cert-manager's trust-manager.
+                  Format: "configmap-name:key" (e.g., "vault-ca-defaults-bundle:ca.crt")
+                  Required on vanilla Kubernetes when mount_trusted_ca is true. Optional on OpenShift.
+                type: string
               nginx_client_max_body_size:
                 description: |-
                   The client max body size for Nginx Ingress.

diff --git a/config/manifests/bases/pulp-operator.clusterserviceversion.yaml b/config/manifests/bases/pulp-operator.clusterserviceversion.yaml
@@ -798,13 +798,24 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
         - urn:alm:descriptor:com.tectonic.ui:advanced
-      - description: 'Define if the operator should or should not mount the custom
-          CA certificates added to the cluster via cluster-wide proxy config. Default:
-          false'
+      - description: 'Enable mounting of custom CA certificates. On OpenShift, mounts
+          CA certificates added to the cluster via cluster-wide proxy config. On vanilla
+          Kubernetes with cert-manager''s trust-manager, requires mount_trusted_ca_configmap_key
+          to specify the ConfigMap and key containing the CA bundle. Default: false'
         displayName: Trusted Ca
         path: mount_trusted_ca
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: 'Specifies the ConfigMap and key containing the CA bundle for
+          vanilla Kubernetes clusters. The ConfigMap can be managed manually or kept
+          up to date using cert-manager''s trust-manager. Format: "configmap-name:key"
+          (e.g., "vault-ca-defaults-bundle:ca.crt") Required on vanilla Kubernetes
+          when mount_trusted_ca is true. Optional on OpenShift.'
+        displayName: Trusted CA ConfigMap Key
+        path: mount_trusted_ca_configmap_key
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:mount_trusted_ca:true
       - description: 'The client max body size for Nginx Ingress. Default: "10m"'
         displayName: Nginx Max Body Size
         path: nginx_client_max_body_size

diff --git a/config/samples/simple-trust-manager.yaml b/config/samples/simple-trust-manager.yaml
@@ -0,0 +1,68 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: 'example-pulp-admin-password'
+stringData:
+  password: 'password'
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: settings
+data:
+  analytics: "False"
+
+---
+# Bundle resource managed by cert-manager's trust-manager
+# This will create a ConfigMap containing the aggregated CA bundle
+# See: https://cert-manager.io/docs/trust/trust-manager/
+apiVersion: trust.cert-manager.io/v1alpha1
+kind: Bundle
+metadata:
+  name: example-pulp-trusted-ca-bundle
+spec:
+  sources:
+  # Include the default system CA certificates
+  - useDefaultCAs: true
+  # Optionally include custom CAs from ConfigMaps
+  # - configMap:
+  #     name: custom-ca-certs
+  #     key: ca.crt
+  # Optionally include CAs from cert-manager Certificate resources
+  # - inLine: |
+  #     -----BEGIN CERTIFICATE-----
+  #     ...
+  #     -----END CERTIFICATE-----
+  target:
+    configMap:
+      key: "ca-bundle.crt"
+    # The ConfigMap will be created with the same name as the Bundle
+    # In this case: example-pulp-trusted-ca-bundle
+
+---
+apiVersion: repo-manager.pulpproject.org/v1
+kind: Pulp
+metadata:
+  name: example-pulp
+spec:
+  api:
+    replicas: 1
+  custom_pulp_settings: settings
+  admin_password_secret: "example-pulp-admin-password"
+
+  # Enable trust-manager CA bundle mounting
+  # Format: "configmap-name:key" or just "configmap-name" (mounts all keys)
+  mount_trusted_ca: true
+  mount_trusted_ca_configmap_key: "example-pulp-trusted-ca-bundle:ca-bundle.crt"
+
+  database:
+    postgres_storage_class: standard
+
+  file_storage_access_mode: "ReadWriteOnce"
+  file_storage_size: "2Gi"
+  file_storage_storage_class: standard
+
+  ingress_type: ingress
+  ingress_host: pulp.example.com
diff --git a/controllers/deployment.go b/controllers/deployment.go
@@ -554,6 +554,10 @@ func (d *CommonDeployment) setVolumes(resources any, pulpcoreType settings.Pulpc
 		}
 		volumes = append(volumes, containerTokenSecretVolume)
 	}
+
+	// append the CA configmap to the volumes
+	volumes = SetCAVolumes(&pulp, volumes)
+
 	d.volumes = append([]corev1.Volume(nil), volumes...)
 }
 
@@ -724,6 +728,10 @@ func (d *CommonDeployment) setVolumeMounts(pulp pulpv1.Pulp, pulpcoreType settin
 		}
 		volumeMounts = append(volumeMounts, containerTokenSecretMount...)
 	}
+
+	// append the CA configmap to the volumeMounts
+	volumeMounts = SetCAVolumeMounts(&pulp, volumeMounts)
+
 	d.volumeMounts = append([]corev1.VolumeMount(nil), volumeMounts...)
 }
 
@@ -1141,15 +1149,16 @@ func AddHashLabel(r FunctionResources, deployment *appsv1.Deployment) {
 	if err := r.Create(r.Context, deployment, client.DryRunAll); err != nil {
 		hash = HashFromMutated(deployment, r)
 	} else {
+		// Create a copy to avoid modifying the original deployment
+		depCopy := deployment.DeepCopy()
+
 		// When HPA is enabled, exclude replicas from hash calculation
 		// to avoid race condition between operator and HPA
 		if isHPAManagedDeployment(deployment.Name, r.Pulp) {
-			depCopy := deployment.DeepCopy()
 			depCopy.Spec.Replicas = nil
-			hash = CalculateHash(depCopy.Spec)
-		} else {
-			hash = CalculateHash(deployment.Spec)
 		}
+
+		hash = CalculateDeploymentHash(depCopy.Spec)
 	}
 
 	SetHashLabel(hash, deployment)

diff --git a/controllers/ocp/deployment.go b/controllers/ocp/deployment.go
@@ -28,15 +28,6 @@ import (
 func defaultsForOCPDeployment(deployment *appsv1.Deployment, pulp *pulpv1.Pulp) {
 	// in OCP we use SCC so there is no need to define PodSecurityContext
 	deployment.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{}
-
-	// get the current volume mount points
-	volumes := deployment.Spec.Template.Spec.Volumes
-	volumeMounts := deployment.Spec.Template.Spec.Containers[0].VolumeMounts
-
-	// append the CA configmap to the volumes/volumemounts slice
-	volumes, volumeMounts = mountCASpec(pulp, volumes, volumeMounts)
-	deployment.Spec.Template.Spec.Volumes = volumes
-	deployment.Spec.Template.Spec.Containers[0].VolumeMounts = volumeMounts
 }
 
 // DeploymentAPIOCP is the pulpcore-api Deployment definition for common OCP clusters

diff --git a/controllers/ocp/utils.go b/controllers/ocp/utils.go
@@ -101,40 +101,6 @@ func CreateEmptyConfigMap(r client.Client, scheme *runtime.Scheme, ctx context.C
 	return ctrl.Result{}, nil
 }
 
-// mountCASpec adds the trusted-ca bundle into []volume and []volumeMount if pulp.Spec.TrustedCA is true
-func mountCASpec(pulp *pulpv1.Pulp, volumes []corev1.Volume, volumeMounts []corev1.VolumeMount) ([]corev1.Volume, []corev1.VolumeMount) {
-
-	if pulp.Spec.TrustedCa {
-
-		// trustedCAVolume contains the configmap with the custom ca bundle
-		trustedCAVolume := corev1.Volume{
-			Name: "trusted-ca",
-			VolumeSource: corev1.VolumeSource{
-				ConfigMap: &corev1.ConfigMapVolumeSource{
-					LocalObjectReference: corev1.LocalObjectReference{
-						Name: settings.EmptyCAConfigMapName(pulp.Name),
-					},
-					Items: []corev1.KeyToPath{
-						{Key: "ca-bundle.crt", Path: "tls-ca-bundle.pem"},
-					},
-				},
-			},
-		}
-		volumes = append(volumes, trustedCAVolume)
-
-		// trustedCAMount defines the mount point of the configmap
-		// with the custom ca bundle
-		trustedCAMount := corev1.VolumeMount{
-			Name:      "trusted-ca",
-			MountPath: "/etc/pki/ca-trust/extracted/pem",
-			ReadOnly:  true,
-		}
-		volumeMounts = append(volumeMounts, trustedCAMount)
-	}
-
-	return volumes, volumeMounts
-}
-
 // GetRouteHost defines route host based on ingress default cluster domain if no .spec.route_host defined
 func GetRouteHost(pulp *pulpv1.Pulp) string {
 	if len(pulp.Spec.RouteHost) == 0 {