MonitoringStack.spec.prometheusConfig.webTLSConfig.certificateAuthority: only secret possible, but configmap provided by OpenShift #904

@felixkrohn

Using OO on OpenShift I'd like to make use of the "service serving certificates", where a key and cert are generated by setting an annotation on the service. The service signer's CA however is by default exported only in ConfigMaps. So my options here are:

  • read CA-file from CM and save it into a secret: will break at next automatic rotation
  • the same, but in a daily cronjob: cumbersome, need to create adapted SA and RBAC as well in order not to create new security issues

IMHO the ideal solution to this would be to be able to specify a configMap (openshift-service-ca.crt) containing a key (service-ca.crt) whose value is the CA chain.
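
The second workaround in the post, sketched as an added example (not from the issue author or the project): a CronJob that mounts the `openshift-service-ca.crt` ConfigMap as a volume, so its ServiceAccount needs no ConfigMap permissions and only `get`/`patch` on one named Secret. The names `ca-sync`, `service-ca-bundle` and `monitoring-example`, the schedule and the image reference are placeholders, and the Secret is assumed to exist already, because RBAC cannot restrict `create` by `resourceNames`.

```yaml
# Added example: every name is a placeholder except the ConfigMap
# openshift-service-ca.crt and its key service-ca.crt, taken from the issue.
apiVersion: v1
kind: ServiceAccount
metadata: {name: ca-sync, namespace: monitoring-example}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: ca-sync, namespace: monitoring-example}
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["service-ca-bundle"]  # this one Secret only
    verbs: ["get", "patch"]               # no create, list, watch or delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: ca-sync, namespace: monitoring-example}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ca-sync
subjects:
  - kind: ServiceAccount
    name: ca-sync
    namespace: monitoring-example
---
apiVersion: batch/v1
kind: CronJob
metadata: {name: ca-sync, namespace: monitoring-example}
spec:
  schedule: "17 3 * * *"  # daily, as in the post; the time is arbitrary
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: ca-sync
          restartPolicy: OnFailure
          containers:
            - name: sync
              image: registry.example.com/placeholder/kubectl:TAG  # any image that ships kubectl
              # Rebuild the Secret from the mounted CA file and patch it in place.
              command: ["/bin/sh", "-c", "kubectl create secret generic service-ca-bundle --from-file=service-ca.crt=/ca/service-ca.crt --dry-run=client -o yaml | kubectl apply -f -"]
              volumeMounts: [{name: ca, mountPath: /ca, readOnly: true}]
          volumes:
            - name: ca
              configMap:
                name: openshift-service-ca.crt  # kubelet mounts it; no RBAC on ConfigMaps needed
```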
