Fixing CA certificate locations for k8s components

7a98ad50 · Brad Beam · 576beaa6 · 7a98ad50 · 7a98ad50 · 7a98ad50
Commit 7a98ad50 authored 7 years ago by Brad Beam
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -105,9 +105,14 @@ spec:
    - mountPath: {{ kube_config_dir }}
      name: kubernetes-config
      readOnly: true
-    - mountPath: /etc/ssl/certs
+    - mountPath: /etc/ssl
      name: ssl-certs-host
      readOnly: true
+{% for dir in ssl_ca_dirs %}
+    - mountPath: {{ dir }}
+      name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+      readOnly: true
+{% endfor %}
    - mountPath: {{ etcd_cert_dir }}
      name: etcd-certs
      readOnly: true
@@ -120,9 +125,14 @@ spec:
  - hostPath:
      path: {{ kube_config_dir }}
    name: kubernetes-config
-  - hostPath:
-      path: /etc/ssl/certs/
-    name: ssl-certs-host
+  - name: ssl-certs-host
+    hostPath:
+      path: /etc/ssl
+{% for dir in ssl_ca_dirs %}
+  - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+    hostPath:
+      path: {{ dir }}
+{% endfor %}
  - hostPath:
      path: {{ etcd_cert_dir }}
    name: etcd-certs

--- a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
@@ -70,9 +70,14 @@ spec:
      initialDelaySeconds: 30
      timeoutSeconds: 10
    volumeMounts:
-    - mountPath: /etc/ssl/certs
+    - mountPath: /etc/ssl
      name: ssl-certs-host
      readOnly: true
+{% for dir in ssl_ca_dirs %}
+    - mountPath: {{ dir }}
+      name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+      readOnly: true
+{% endfor %}
    - mountPath: "{{kube_config_dir}}/ssl"
      name: etc-kube-ssl
      readOnly: true
@@ -87,11 +92,12 @@ spec:
  volumes:
  - name: ssl-certs-host
    hostPath:
-{% if ansible_os_family == 'RedHat' %}
-      path: /etc/pki/tls
-{% else %}
-      path: /usr/share/ca-certificates
-{% endif %}
+      path: /etc/ssl
+{% for dir in ssl_ca_dirs %}
+  - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+    hostPath:
+      path: {{ dir }}
+{% endfor %}
  - name: etc-kube-ssl
    hostPath:
      path: "{{ kube_config_dir }}/ssl"

--- a/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
@@ -45,9 +45,14 @@ spec:
      initialDelaySeconds: 30
      timeoutSeconds: 10
    volumeMounts:
-    - mountPath: /etc/ssl/certs
+    - mountPath: /etc/ssl
      name: ssl-certs-host
      readOnly: true
+{% for dir in ssl_ca_dirs %}
+    - mountPath: {{ dir }}
+      name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+      readOnly: true
+{% endfor %}
    - mountPath: "{{ kube_config_dir }}/ssl"
      name: etc-kube-ssl
      readOnly: true
@@ -57,11 +62,12 @@ spec:
  volumes:
  - name: ssl-certs-host
    hostPath:
-{% if ansible_os_family == 'RedHat' %}
-      path: /etc/pki/tls
-{% else %}
-      path: /usr/share/ca-certificates
-{% endif %}
+      path: /etc/ssl
+{% for dir in ssl_ca_dirs %}
+  - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+    hostPath:
+      path: {{ dir }}
+{% endfor %}
  - name: etc-kube-ssl
    hostPath:
      path: "{{ kube_config_dir }}/ssl"