fix(ssl-ca): mount ssl ca directories (#9794)

Signed-off-by: Maxime Leroy <19607336+maxime1907@users.noreply.github.com>

roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-controllerplugin.yml.j2

@@ -133,6 +133,13 @@ spec:
             - name: ca-certs
               mountPath: /etc/ssl/certs
               readOnly: true
+{% if ssl_ca_dirs|length %}
+{% for dir in ssl_ca_dirs %}
+            - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+              mountPath: {{ dir }}
+              readOnly: true
+{% endfor %}
+{% endif %}
 {% if cinder_cacert is defined and cinder_cacert != "" %}
             - name: cinder-cacert
               mountPath: {{ kube_config_dir }}/cinder-cacert.pem
@@ -148,6 +155,14 @@ spec:
           hostPath:
             path: /etc/ssl/certs
             type: DirectoryOrCreate
+{% if ssl_ca_dirs|length %}
+{% for dir in ssl_ca_dirs %}
+        - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+          hostPath:
+            path: {{ dir }}
+            type: DirectoryOrCreate
+{% endfor %}
+{% endif %}
 {% if cinder_cacert is defined and cinder_cacert != "" %}
         - name: cinder-cacert
           hostPath:

roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-nodeplugin.yml.j2

@@ -89,6 +89,13 @@ spec:
             - name: ca-certs
               mountPath: /etc/ssl/certs
               readOnly: true
+{% if ssl_ca_dirs|length %}
+{% for dir in ssl_ca_dirs %}
+            - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+              mountPath: {{ dir }}
+              readOnly: true
+{% endfor %}
+{% endif %}
 {% if cinder_cacert is defined and cinder_cacert != "" %}
             - name: cinder-cacert
               mountPath: {{ kube_config_dir }}/cinder-cacert.pem
@@ -118,6 +125,14 @@ spec:
           hostPath:
             path: /etc/ssl/certs
             type: DirectoryOrCreate
+{% if ssl_ca_dirs|length %}
+{% for dir in ssl_ca_dirs %}
+        - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+          hostPath:
+            path: {{ dir }}
+            type: DirectoryOrCreate
+{% endfor %}
+{% endif %}
 {% if cinder_cacert is defined and cinder_cacert != "" %}
         - name: cinder-cacert
           hostPath:

roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-ds.yml.j2

@@ -57,6 +57,13 @@ spec:
             - mountPath: /etc/ssl/certs
               name: ca-certs
               readOnly: true
+{% if ssl_ca_dirs|length %}
+{% for dir in ssl_ca_dirs %}
+            - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+              mountPath: {{ dir }}
+              readOnly: true
+{% endfor %}
+{% endif %}
             - mountPath: /etc/config/cloud.conf
               name: cloud-config-volume
               readOnly: true
@@ -78,19 +85,27 @@ spec:
       hostNetwork: true
       volumes:
 {% if kubelet_flexvolumes_plugins_dir is defined %}
-      - hostPath:
+      - name: flexvolume-dir
+        hostPath:
           path: "{{ kubelet_flexvolumes_plugins_dir }}"
           type: DirectoryOrCreate
-        name: flexvolume-dir
 {% endif %}
-      - hostPath:
+      - name: k8s-certs
+        hostPath:
           path: /etc/kubernetes/pki
           type: DirectoryOrCreate
-        name: k8s-certs
-      - hostPath:
+      - name: ca-certs
+        hostPath:
           path: /etc/ssl/certs
           type: DirectoryOrCreate
-        name: ca-certs
+{% if ssl_ca_dirs|length %}
+{% for dir in ssl_ca_dirs %}
+      - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+        hostPath:
+          path: {{ dir }}
+          type: DirectoryOrCreate
+{% endfor %}
+{% endif %}
       - name: cloud-config-volume
         secret:
           secretName: external-openstack-cloud-config