Certificate injection in Pulp containers

nicokruger · February 24, 2026, 2:59pm

Problem:
We are running a tls terminating proxy. I would like to inject our custom CA root into the containers (api, content, worker). I had a look at this article https://pulpproject.org/pulp-operator/docs/trust-manager-integration/
but it seems the CRD for “mount_trusted_ca_configmap_key” does not exist.
path: charts/pulp-operator/crds/pulp-crd.yaml

Expected outcome:
mount_trusted_ca_configmap_key working

Pulpcore version:
“versions”: {
“deb”: “3.8.0”,
“npm”: “0.4.0”,
“rpm”: “3.33.1”,
“core”: “3.94.0”,
“file”: “3.94.0”,
“maven”: “0.11.0”,
“ostree”: “2.5.3”,
“python”: “3.21.0”,
“ansible”: “0.28.0”,
“certguard”: “3.94.0”,
“container”: “2.26.3”
}
Pulp plugins installed and their versions:
operator was installed via helm.
appVersion: 1.2.0
chartVersion: 0.5.0

Operating system - distribution and version:
Kubernetes

Other relevant data:
pulp CR:
—
apiVersion: repo-manager.pulpproject.org/v1
kind: Pulp
metadata:
name: pulp-mpe
spec:
file_storage_storage_class: hostpath
file_storage_size: 30G
file_storage_access_mode: ReadWriteMany
mount_trusted_ca: true
mount_trusted_ca_configmap_key: “mpe-ca-bundle:ca.crt”
database:
postgres_image: docker.io/library/postgres:17
postgres_storage_class: hostpath
ipv6_disabled: true
image_pull_policy: Always
custom_pulp_settings: settings
api:
replicas: 1
cache:
redis_image: valkey/valkey:9.0.2-alpine
enabled: true
content:
replicas: 1
worker:
replicas: 1

k apply -f pulp-repo-instance.yaml
The request is invalid: patch: Invalid value: "{\"apiVersion\":\"repo-manager.pulpproject.org/v1\",\"kind\":\"Pulp\",\"metadata\":{\"annotations\":{\"kubectl.kubernetes.io/last-applied-configuration\":\"{\\\"apiVersion\\\":\\\"repo-manager.pulpproject.org/v1\\\",\\\"kind\\\":\\\"Pulp\\\",\\\"metadata\\\":{\\\"annotations\\\":{},\\\"name\\\":\\\"pulp-mpe\\\",\\\"namespace\\\":\\\"pulp\\\"},\\\"spec\\\":{\\\"api\\\":{\\\"replicas\\\":1},\\\"cache\\\":{\\\"enabled\\\":true,\\\"redis_image\\\":\\\"valkey/valkey:9.0.2-alpine\\\"},\\\"content\\\":{\\\"replicas\\\":1},\\\"custom_pulp_settings\\\":\\\"settings\\\",\\\"database\\\":{\\\"postgres_image\\\":\\\"docker.io/library/postgres:17\\\",\\\"postgres_storage_class\\\":\\\"hostpath\\\"},\\\"file_storage_access_mode\\\":\\\"ReadWriteMany\\\",\\\"file_storage_size\\\":\\\"30G\\\",\\\"file_storage_storage_class\\\":\\\"hostpath\\\",\\\"image_pull_policy\\\":\\\"Always\\\",\\\"ipv6_disabled\\\":true,\\\"mount_trusted_ca\\\":true,\\\"mount_trusted_ca_configmap_key\\\":\\\"mpe-ca-bundle:ca.crt\\\",\\\"worker\\\":{\\\"replicas\\\":1}}}\\n\"},\"creationTimestamp\":\"2026-02-19T09:28:13Z\",\"generation\":5,\"managedFields\":[{\"apiVersion\":\"repo-manager.pulpproject.org/v1\",\"fieldsType\":\"FieldsV1\",\"fieldsV1\":{\"f:metadata\":{\"f:annotations\":{\".\":{},\"f:kubectl.kubernetes.io/last-applied-configuration\":{}}},\"f:spec\":{\".\":{},\"f:api\":{\".\":{},\"f:replicas\":{}},\"f:cache\":{\".\":{},\"f:enabled\":{},\"f:redis_image\":{}},\"f:container_auth_private_key_name\":{},\"f:container_auth_public_key_name\":{},\"f:content\":{\".\":{},\"f:replicas\":{}},\"f:custom_pulp_settings\":{},\"f:database\":{\".\":{},\"f:postgres_image\":{},\"f:postgres_storage_class\":{}},\"f:file_storage_access_mode\":{},\"f:file_storage_size\":{},\"f:file_storage_storage_class\":{},\"f:image\":{},\"f:image_pull_policy\":{},\"f:image_version\":{},\"f:image_web\":{},\"f:image_web_version\":{},\"f:ipv6_disabled\":{},\"f:worker\":{\".\":{},\"f:replicas\":{}}}},\"manager\":\"kubectl-client-side-apply\",\"operation\":\"Update\",\"time\":\"2026-02-19T09:28:13Z\"},{\"apiVersion\":\"repo-manager.pulpproject.org/v1\",\"fieldsType\":\"FieldsV1\",\"fieldsV1\":{\"f:spec\":{\"f:admin_password_secret\":{},\"f:container_token_secret\":{},\"f:db_fields_encryption_secret\":{},\"f:pulp_secret_key\":{}}},\"manager\":\"manager\",\"operation\":\"Update\",\"time\":\"2026-02-19T09:28:18Z\"},{\"apiVersion\":\"repo-manager.pulpproject.org/v1\",\"fieldsType\":\"FieldsV1\",\"fieldsV1\":{\"f:status\":{\".\":{},\"f:admin_password_secret\":{},\"f:conditions\":{},\"f:container_token_secret\":{},\"f:db_fields_encryption_secret\":{},\"f:image\":{},\"f:managed_cache_enabled\":{},\"f:pulp_secret_key\":{},\"f:storage_type\":{}}},\"manager\":\"manager\",\"operation\":\"Update\",\"subresource\":\"status\",\"time\":\"2026-02-24T08:02:58Z\"}],\"name\":\"pulp-mpe\",\"namespace\":\"pulp\",\"resourceVersion\":\"1298725\",\"uid\":\"ffa047f8-2354-49aa-b6f5-b1d2b0e6934c\"},\"spec\":{\"admin_password_secret\":\"pulp-mpe-admin-password\",\"api\":{\"replicas\":1},\"cache\":{\"enabled\":true,\"redis_image\":\"valkey/valkey:9.0.2-alpine\"},\"container_auth_private_key_name\":\"container_auth_private_key.pem\",\"container_auth_public_key_name\":\"container_auth_public_key.pem\",\"container_token_secret\":\"pulp-mpe-container-auth\",\"content\":{\"replicas\":1},\"custom_pulp_settings\":\"settings\",\"database\":{\"postgres_image\":\"docker.io/library/postgres:17\",\"postgres_storage_class\":\"hostpath\"},\"db_fields_encryption_secret\":\"pulp-mpe-db-fields-encryption\",\"file_storage_access_mode\":\"ReadWriteMany\",\"file_storage_size\":\"30G\",\"file_storage_storage_class\":\"hostpath\",\"image\":\"quay.io/pulp/pulp-minimal\",\"image_pull_policy\":\"Always\",\"image_version\":\"stable\",\"image_web\":\"quay.io/pulp/pulp-web\",\"image_web_version\":\"stable\",\"ipv6_disabled\":true,\"mount_trusted_ca\":true,\"mount_trusted_ca_configmap_key\":\"mpe-ca-bundle:ca.crt\",\"pulp_secret_key\":\"pulp-mpe-secret-key\",\"worker\":{\"replicas\":1}},\"status\":{\"admin_password_secret\":\"pulp-mpe-admin-password\",\"conditions\":[{\"lastTransitionTime\":\"2026-02-24T08:02:58Z\",\"message\":\"All tasks ran successfully\",\"reason\":\"OperatorFinishedExecution\",\"status\":\"True\",\"type\":\"Pulp-Operator-Finished-Execution\"},{\"lastTransitionTime\":\"2026-02-24T08:02:58Z\",\"message\":\"All Api tasks ran successfully\",\"reason\":\"ApiTasksFinished\",\"status\":\"True\",\"type\":\"Pulp-API-Ready\"},{\"lastTransitionTime\":\"2026-02-19T09:28:18Z\",\"message\":\"All Database tasks ran successfully\",\"reason\":\"DatabaseTasksFinished\",\"status\":\"True\",\"type\":\"Pulp-Database-Ready\"},{\"lastTransitionTime\":\"2026-02-24T08:02:56Z\",\"message\":\"All Content tasks ran successfully\",\"reason\":\"ContentTasksFinished\",\"status\":\"True\",\"type\":\"Pulp-Content-Ready\"},{\"lastTransitionTime\":\"2026-02-24T08:02:56Z\",\"message\":\"All Worker tasks ran successfully\",\"reason\":\"WorkerTasksFinished\",\"status\":\"True\",\"type\":\"Pulp-Worker-Ready\"},{\"lastTransitionTime\":\"2026-02-19T09:28:18Z\",\"message\":\"All Web tasks ran successfully\",\"reason\":\"WebTasksFinished\",\"status\":\"True\",\"type\":\"Pulp-Web-Ready\"}],\"container_token_secret\":\"pulp-mpe-container-auth\",\"db_fields_encryption_secret\":\"pulp-mpe-db-fields-encryption\",\"image\":\"quay.io/pulp/pulp-minimal:stable\",\"managed_cache_enabled\":true,\"pulp_secret_key\":\"pulp-mpe-secret-key\",\"storage_type\":\"StorageClass\"}}": strict decoding error: unknown field "spec.mount_trusted_ca_configmap_key"

hyagi · February 27, 2026, 12:02pm

Hi @nicokruger

The mount_trusted_ca_configmap_key config was added in pulp-operator 1.3.0, but our pipeline is failing and we could not publish this new version in quay, operator-hub, and helm yet.
I will see if I can work on the pipeline errors in the next days.