From 29f833e9a43bcb1f84dd7baeeffd18195545144d Mon Sep 17 00:00:00 2001
From: Maxime Leroy <19607336+maxime1907@users.noreply.github.com>
Date: Mon, 29 May 2023 04:43:42 +0200
Subject: [PATCH] fix(ssl-ca): mount ssl ca directories (#9794)

Signed-off-by: Maxime Leroy <19607336+maxime1907@users.noreply.github.com>
---
.../cinder-csi-controllerplugin.yml.j2 | 15 +++++++++++
.../templates/cinder-csi-nodeplugin.yml.j2 | 15 +++++++++++
...enstack-cloud-controller-manager-ds.yml.j2 | 27 ++++++++++++++-----
3 files changed, 51 insertions(+), 6 deletions(-)

diff --git a/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-controllerplugin.yml.j2 b/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-controllerplugin.yml.j2
index 6bd671ade..a4db64215 100644
--- a/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-controllerplugin.yml.j2
+++ b/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-controllerplugin.yml.j2
@@ -133,6 +133,13 @@ spec:
- name: ca-certs
mountPath: /etc/ssl/certs
readOnly: true
+{% if ssl_ca_dirs|length %}
+{% for dir in ssl_ca_dirs %}
+ - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+ mountPath: {{ dir }}
+ readOnly: true
+{% endfor %}
+{% endif %}
{% if cinder_cacert is defined and cinder_cacert != "" %}
- name: cinder-cacert
mountPath: {{ kube_config_dir }}/cinder-cacert.pem
@@ -148,6 +155,14 @@ spec:
hostPath:
path: /etc/ssl/certs
type: DirectoryOrCreate
+{% if ssl_ca_dirs|length %}
+{% for dir in ssl_ca_dirs %}
+ - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+ hostPath:
+ path: {{ dir }}
+ type: DirectoryOrCreate
+{% endfor %}
+{% endif %}
{% if cinder_cacert is defined and cinder_cacert != "" %}
- name: cinder-cacert
hostPath:
diff --git a/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-nodeplugin.yml.j2 b/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-nodeplugin.yml.j2
index 3cdf9bb94..41f922a2f 100644
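Review bot: The volume name built from `dir` on the added `- name:` line of both hunks is not guaranteed to be a valid Kubernetes volume name: a directory containing `.`, `_` or uppercase letters, or one given with a trailing `/`, produces a name that fails DNS-1123 label validation, and two directories such as `/a-b/c` and `/a/b-c` collapse to the same name and are then rejected as duplicates. A second gap is that if `ssl_ca_dirs` contains `/etc/ssl/certs`, the rendered pod declares that mountPath twice alongside the existing `ca-certs` entry, which the API server refuses as non-unique. Filtering that directory in the loop header, `{% for dir in ssl_ca_dirs if dir != '/etc/ssl/certs' %}`, and normalising the name with `| lower | regex_replace('[^a-z0-9-]', '-')` would address most of this; the identical loops in cinder-csi-nodeplugin.yml.j2 and external-openstack-cloud-controller-manager-ds.yml.j2 need the same treatment.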
--- a/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-nodeplugin.yml.j2
+++ b/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-nodeplugin.yml.j2
@@ -89,6 +89,13 @@ spec:
- name: ca-certs
mountPath: /etc/ssl/certs
readOnly: true
+{% if ssl_ca_dirs|length %}
+{% for dir in ssl_ca_dirs %}
+ - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+ mountPath: {{ dir }}
+ readOnly: true
+{% endfor %}
+{% endif %}
{% if cinder_cacert is defined and cinder_cacert != "" %}
- name: cinder-cacert
mountPath: {{ kube_config_dir }}/cinder-cacert.pem
@@ -118,6 +125,14 @@ spec:
hostPath:
path: /etc/ssl/certs
type: DirectoryOrCreate
+{% if ssl_ca_dirs|length %}
+{% for dir in ssl_ca_dirs %}
+ - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+ hostPath:
+ path: {{ dir }}
+ type: DirectoryOrCreate
+{% endfor %}
+{% endif %}
{% if cinder_cacert is defined and cinder_cacert != "" %}
- name: cinder-cacert
hostPath:
diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-ds.yml.j2 b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-ds.yml.j2
index 5b0819d8b..6649a24ec 100644
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-ds.yml.j2
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-ds.yml.j2
@@ -57,6 +57,13 @@ spec:
- mountPath: /etc/ssl/certs
name: ca-certs
readOnly: true
+{% if ssl_ca_dirs|length %}
+{% for dir in ssl_ca_dirs %}
+ - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+ mountPath: {{ dir }}
+ readOnly: true
+{% endfor %}
+{% endif %}
- mountPath: /etc/config/cloud.conf
name: cloud-config-volume
readOnly: true
@@ -78,19 +85,27 @@ spec:
hostNetwork: true
volumes:
{% if kubelet_flexvolumes_plugins_dir is defined %}
- - hostPath:
+ - name: flexvolume-dir
+ hostPath:
path: "{{ kubelet_flexvolumes_plugins_dir }}"
type: DirectoryOrCreate
- name: flexvolume-dir
{% endif %}
- - hostPath:
+ - name: k8s-certs
+ hostPath:
path: /etc/kubernetes/pki
type: DirectoryOrCreate
- name: k8s-certs
- - hostPath:
+ - name: ca-certs
+ hostPath:
path: /etc/ssl/certs
type: DirectoryOrCreate
- name: ca-certs
+{% if ssl_ca_dirs|length %}
+{% for dir in ssl_ca_dirs %}
+ - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+ hostPath:
+ path: {{ dir }}
+ type: DirectoryOrCreate
+{% endfor %}
+{% endif %}
- name: cloud-config-volume
secret:
secretName: external-openstack-cloud-config
--
GitLab
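Review bot: `type: DirectoryOrCreate` on the added hostPath entries makes the kubelet create an empty directory on any node where a listed CA directory is absent, so a mistyped or platform-specific entry in `ssl_ca_dirs` is masked rather than surfaced, and the pod then trusts nothing from that path while appearing healthy; the existing `ca-certs` volume uses the same type, so this is consistent, but `type: Directory` would make the pod fail to start with a clear event instead. Separately, `path: {{ dir }}` is rendered unquoted while the adjacent context line writes `path: "{{ kubelet_flexvolumes_plugins_dir }}"`; quoting it as `path: "{{ dir }}"` keeps the file's convention and guarantees the value is read as a string. The `{% if ssl_ca_dirs|length %}` guard appears redundant, since an empty list renders nothing from the loop and an undefined variable fails on either line.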