From 7a98ad50b44341cd87b056c2d8d1ece2391b6074 Mon Sep 17 00:00:00 2001
From: Brad Beam <brad.beam@b-rad.info>
Date: Wed, 30 Aug 2017 14:41:09 -0500
Subject: [PATCH] Fixing CA certificate locations for k8s components

---
 .../manifests/kube-apiserver.manifest.j2       | 18 ++++++++++++++----
 .../kube-controller-manager.manifest.j2        | 18 ++++++++++++------
 .../manifests/kube-scheduler.manifest.j2       | 18 ++++++++++++------
 3 files changed, 38 insertions(+), 16 deletions(-)

diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index c19076db3..1032ba482 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -105,9 +105,14 @@ spec:
     - mountPath: {{ kube_config_dir }}
       name: kubernetes-config
       readOnly: true
-    - mountPath: /etc/ssl/certs
+    - mountPath: /etc/ssl
       name: ssl-certs-host
       readOnly: true
+{% for dir in ssl_ca_dirs %}
+    - mountPath: {{ dir }}
+      name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+      readOnly: true
+{% endfor %}
     - mountPath: {{ etcd_cert_dir }}
       name: etcd-certs
       readOnly: true
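Review bot: Widening the host mount from `/etc/ssl/certs` to `/etc/ssl` on the changed `mountPath: /etc/ssl` line gives the apiserver container read access to the whole tree, which on Debian-family hosts typically includes `/etc/ssl/private`; `readOnly: true` prevents writes but not reads of any host private keys kept there. If only the trust store is needed, keeping the mount at `/etc/ssl/certs` and listing additional CA directories in `ssl_ca_dirs` would preserve the previous scope; otherwise a template comment above the mount recording why `/etc/ssl/certs` alone is no longer sufficient, e.g. `{# whole /etc/ssl is mounted on purpose: <reason> #}`, would tell the next reader this was deliberate. The same widening appears in the kube-controller-manager and kube-scheduler volumeMounts hunks and in the three matching hostPath hunks. The enclosing volumeMounts list starts before this hunk.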
@@ -120,9 +125,14 @@ spec:
   - hostPath:
       path: {{ kube_config_dir }}
     name: kubernetes-config
-  - hostPath:
-      path: /etc/ssl/certs/
-    name: ssl-certs-host
+  - name: ssl-certs-host
+    hostPath:
+      path: /etc/ssl
+{% for dir in ssl_ca_dirs %}
+  - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+    hostPath:
+      path: {{ dir }}
+{% endfor %}
   - hostPath:
       path: {{ etcd_cert_dir }}
     name: etcd-certs
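Review bot: The volume name built on the `- name: {{ dir | regex_replace(...) }}` line is only valid if every entry of `ssl_ca_dirs` happens to render as a DNS-1123 label: a trailing slash becomes a trailing `-`, and any `_`, `.` or uppercase character is passed through unchanged, all of which the API server rejects for `volumes[].name`. Normalising before use, e.g. `{{ dir | lower | regex_replace('^/+|/+$', '') | regex_replace('[^a-z0-9]+', '-') }}`, covers those cases, though the result must also stay distinct from the fixed names in this pod (`ssl-certs-host`, `etcd-certs`, `kubernetes-config`) and from the other loop entries, since duplicate volume names are rejected as well. `ssl_ca_dirs` is not defined in this patch, so the rendered values cannot be checked here. The same expression is repeated in the volumeMounts hunk above and in the four corresponding hunks of kube-controller-manager and kube-scheduler.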
diff --git a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
index 44a1c253c..8d08dfeb6 100644
--- a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
@@ -70,9 +70,14 @@ spec:
       initialDelaySeconds: 30
       timeoutSeconds: 10
     volumeMounts:
-    - mountPath: /etc/ssl/certs
+    - mountPath: /etc/ssl
       name: ssl-certs-host
       readOnly: true
+{% for dir in ssl_ca_dirs %}
+    - mountPath: {{ dir }}
+      name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+      readOnly: true
+{% endfor %}
     - mountPath: "{{kube_config_dir}}/ssl"
       name: etc-kube-ssl
       readOnly: true
@@ -87,11 +92,12 @@ spec:
   volumes:
   - name: ssl-certs-host
     hostPath:
-{% if ansible_os_family == 'RedHat' %}
-      path: /etc/pki/tls
-{% else %}
-      path: /usr/share/ca-certificates
-{% endif %}
+      path: /etc/ssl
+{% for dir in ssl_ca_dirs %}
+  - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+    hostPath:
+      path: {{ dir }}
+{% endfor %}
   - name: etc-kube-ssl
     hostPath:
       path: "{{ kube_config_dir }}/ssl"
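Review bot: Replacing the `ansible_os_family` conditional with a fixed `path: /etc/ssl` is correct only where the host trust store really lives under `/etc/ssl`; on RedHat-family hosts `/etc/ssl/certs` is usually a symlink into `/etc/pki/tls`, and a symlink carried into the container through a hostPath resolves only if its target is mounted too, which here depends on `ssl_ca_dirs` containing `/etc/pki/tls`. That dependency is not visible in the patch, so a comment above the loop recording it, e.g. `{# ssl_ca_dirs must include the directory /etc/ssl/certs links to on this distro (e.g. /etc/pki/tls on RedHat) #}`, or a per-OS default for `ssl_ca_dirs` in the role defaults, would preserve the intent of the removed branch. The same replacement appears in the kube-scheduler volumes hunk.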
diff --git a/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
index 054239b67..e9422d4a1 100644
--- a/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
@@ -45,9 +45,14 @@ spec:
       initialDelaySeconds: 30
       timeoutSeconds: 10
     volumeMounts:
-    - mountPath: /etc/ssl/certs
+    - mountPath: /etc/ssl
       name: ssl-certs-host
       readOnly: true
+{% for dir in ssl_ca_dirs %}
+    - mountPath: {{ dir }}
+      name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+      readOnly: true
+{% endfor %}
     - mountPath: "{{ kube_config_dir }}/ssl"
       name: etc-kube-ssl
       readOnly: true
@@ -57,11 +62,12 @@ spec:
   volumes:
   - name: ssl-certs-host
     hostPath:
-{% if ansible_os_family == 'RedHat' %}
-      path: /etc/pki/tls
-{% else %}
-      path: /usr/share/ca-certificates
-{% endif %}
+      path: /etc/ssl
+{% for dir in ssl_ca_dirs %}
+  - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+    hostPath:
+      path: {{ dir }}
+{% endfor %}
   - name: etc-kube-ssl
     hostPath:
       path: "{{ kube_config_dir }}/ssl"
-- 
GitLab