From c696eda50a97f286281a40a1cd0da3ca2e3c7c50 Mon Sep 17 00:00:00 2001
From: Joel <34544090+JoelKle@users.noreply.github.com>
Date: Thu, 6 Jun 2024 04:56:52 +0200
Subject: [PATCH] Fix custom CA certificates for task/web/migration (#1846)
* Fix bundle_ca_crt for task/web/migration
- added a new init container init-bundle-ca-trust
- added volume ca-trust-extracted to the migration job
- added volume ca-trust-extracted to the init container init-database
- removed volume bundle-ca from all follow-up containers
---
 .../templates/deployments/task.yaml.j2 | 43 ++++++++++---------
 .../templates/deployments/web.yaml.j2 | 35 +++++++--------
 .../templates/jobs/migration.yaml.j2 | 34 +++++++++++++++
 3 files changed, 75 insertions(+), 37 deletions(-)
diff --git a/roles/installer/templates/deployments/task.yaml.j2 b/roles/installer/templates/deployments/task.yaml.j2
index 8903405dd..66310328c 100644
--- a/roles/installer/templates/deployments/task.yaml.j2
+++ b/roles/installer/templates/deployments/task.yaml.j2
@@ -74,6 +74,25 @@ spec:
 priorityClassName: '{{ control_plane_priority_class }}'
 {% endif %}
 initContainers:
+{% if bundle_ca_crt %}
+ - name: init-bundle-ca-trust
+ image: '{{ _init_container_image }}'
+ imagePullPolicy: '{{ image_pull_policy }}'
+ resources: {{ init_container_resource_requirements }}
+ command:
+ - /bin/sh
+ - -c
+ - |
+ mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
+ update-ca-trust extract
+ volumeMounts:
+ - name: "ca-trust-extracted"
+ mountPath: "/etc/pki/ca-trust/extracted"
+ - name: "{{ ansible_operator_meta.name }}-bundle-cacert"
+ mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+ subPath: bundle-ca.crt
+ readOnly: true
+{% endif %}
 - name: init-database
 image: '{{ _image }}'
 imagePullPolicy: '{{ image_pull_policy }}'
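Review bot: The `mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}` line in the new init-bundle-ca-trust container depends on brace expansion, which `/bin/sh` only provides when it is bash; on an `_init_container_image` whose sh is dash or busybox ash it creates a single directory literally named `{java,pem,openssl,edk2}`, and `update-ca-trust extract` then has no pem/openssl/java target directories and will most likely fail the init container. The line is carried over from the inline script this commit removes rather than introduced here, but a dedicated container is the right place to spell the paths out: `mkdir -p /etc/pki/ca-trust/extracted/java /etc/pki/ca-trust/extracted/pem /etc/pki/ca-trust/extracted/openssl /etc/pki/ca-trust/extracted/edk2`. The same two-line script is repeated in the web.yaml.j2 and migration.yaml.j2 hunks below. A template comment above the container would also record the design for readers: `{# Builds the CA trust store once into the ca-trust-extracted emptyDir; later containers mount only the extracted result, not the raw bundle secret #}`.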
@@ -96,6 +115,10 @@ spec:
 subPath: settings.py
 readOnly: true
 {{ lookup("template", "common/volume_mounts/extra_settings_files.yaml.j2") | indent(width=12) | trim }}
+{% if bundle_ca_crt %}
+ - name: "ca-trust-extracted"
+ mountPath: "/etc/pki/ca-trust/extracted"
+{% endif %}
 {% if development_mode | bool %}
 - name: awx-devel
 mountPath: "/awx_devel"
@@ -123,10 +146,6 @@ spec:
 outcert=/etc/receptor/tls/receptor.crt \
 notafter=$(date --iso-8601=seconds --utc --date "10 years") \
 verify=yes
-{% if bundle_ca_crt %}
- mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
- update-ca-trust
-{% endif %}
 {% if init_container_extra_commands %}
 {{ init_container_extra_commands | indent(width=14) }}
 {% endif %}
@@ -149,10 +168,6 @@ spec:
 {% if bundle_ca_crt %}
 - name: "ca-trust-extracted"
 mountPath: "/etc/pki/ca-trust/extracted"
- - name: "{{ ansible_operator_meta.name }}-bundle-cacert"
- mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
- subPath: bundle-ca.crt
- readOnly: true
 {% endif %}
 {% if init_container_extra_volume_mounts -%}
 {{ init_container_extra_volume_mounts | indent(width=12, first=True) }}
@@ -255,10 +270,6 @@ spec:
 {% if bundle_ca_crt %}
 - name: "ca-trust-extracted"
 mountPath: "/etc/pki/ca-trust/extracted"
- - name: "{{ ansible_operator_meta.name }}-bundle-cacert"
- mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
- subPath: bundle-ca.crt
- readOnly: true
 {% endif %}
 - name: "{{ ansible_operator_meta.name }}-application-credentials"
 mountPath: "/etc/tower/conf.d/execution_environments.py"
@@ -358,10 +369,6 @@ spec:
 {% if bundle_ca_crt %}
 - name: "ca-trust-extracted"
 mountPath: "/etc/pki/ca-trust/extracted"
- - name: "{{ ansible_operator_meta.name }}-bundle-cacert"
- mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
- subPath: bundle-ca.crt
- readOnly: true
 {% endif %}
 - name: "{{ ansible_operator_meta.name }}-default-receptor-config"
 mountPath: "/etc/receptor/receptor-default.conf"
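Review bot: The `ca-trust-extracted` mount added to init-database carries no `readOnly: true`, although nothing in this container writes the trust store: it is populated by the init-bundle-ca-trust container that the preceding hunk places ahead of it in `initContainers`, and this commit removes the only `update-ca-trust` run from the later init container (hunk at -123). A consumer should not be able to alter the store every other container in the pod trusts, so I would add `readOnly: true` under the new `mountPath` line, and treat the secret mount a few lines up (`readOnly: true` on `settings.py`) as the precedent. The same missing flag is on the new `init` container mount in the web.yaml.j2 hunk at -105 and on the migration-job mount in the migration.yaml.j2 hunk at -30; the existing `ca-trust-extracted` mounts this commit leaves in place (hunks at -149, -255, -358 and onward) are the same shape and could follow in a separate change. The init-database container definition begins in the previous hunk, so the rest of its mounts are not visible here.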
@@ -438,10 +445,6 @@ spec:
 {% if bundle_ca_crt %}
 - name: "ca-trust-extracted"
 mountPath: "/etc/pki/ca-trust/extracted"
- - name: "{{ ansible_operator_meta.name }}-bundle-cacert"
- mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
- subPath: bundle-ca.crt
- readOnly: true
 {% endif %}
 {% if development_mode | bool %}
 - name: awx-devel
diff --git a/roles/installer/templates/deployments/web.yaml.j2 b/roles/installer/templates/deployments/web.yaml.j2
index 202c7b7dd..1d5155932 100644
--- a/roles/installer/templates/deployments/web.yaml.j2
+++ b/roles/installer/templates/deployments/web.yaml.j2
@@ -80,8 +80,8 @@ spec:
 priorityClassName: '{{ control_plane_priority_class }}'
 {% endif %}
 initContainers:
-{% if bundle_ca_crt or projects_persistence|bool or init_container_extra_commands %}
- - name: init
+{% if bundle_ca_crt %}
+ - name: init-bundle-ca-trust
 image: '{{ _init_container_image }}'
 imagePullPolicy: '{{ image_pull_policy }}'
 resources: {{ init_container_resource_requirements }}
@@ -89,15 +89,9 @@ spec:
 - /bin/sh
 - -c
 - |
-{% if bundle_ca_crt %}
 mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
- update-ca-trust
-{% endif %}
-{% if init_container_extra_commands %}
- {{ init_container_extra_commands | indent(width=14) }}
-{% endif %}
+ update-ca-trust extract
 volumeMounts:
-{% if bundle_ca_crt %}
 - name: "ca-trust-extracted"
 mountPath: "/etc/pki/ca-trust/extracted"
 - name: "{{ ansible_operator_meta.name }}-bundle-cacert"
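Review bot: The guard on the first init container in web.yaml.j2 shrinks from `bundle_ca_crt or projects_persistence|bool or init_container_extra_commands` to `bundle_ca_crt`, and dropping `projects_persistence|bool` is not mentioned in the commit description. From the hunks visible here the old script had no projects_persistence branch, so the only effect I can see is that an `init` container with an empty script is no longer emitted when only projects_persistence is set; that is an inference from this diff, not from the whole template, and is worth confirming against any consumer of that container. If it is intended, a template comment at the new `{% if bundle_ca_crt %}` line would record the split: `{# init-bundle-ca-trust only builds the CA trust store; init_container_extra_commands get their own init container below #}`. The container's remaining fields continue in the next hunk.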
@@ -105,6 +99,21 @@ spec:
 subPath: bundle-ca.crt
 readOnly: true
 {% endif %}
+{% if init_container_extra_commands %}
+ - name: init
+ image: '{{ _init_container_image }}'
+ imagePullPolicy: '{{ image_pull_policy }}'
+ resources: {{ init_container_resource_requirements }}
+ command:
+ - /bin/sh
+ - -c
+ - |
+ {{ init_container_extra_commands | indent(width=14) }}
+ volumeMounts:
+{% if bundle_ca_crt %}
+ - name: "ca-trust-extracted"
+ mountPath: "/etc/pki/ca-trust/extracted"
+{% endif %}
 {% if init_container_extra_volume_mounts -%}
 {{ init_container_extra_volume_mounts | indent(width=12, first=True) }}
 {% endif %}
@@ -191,10 +200,6 @@ spec:
 {% if bundle_ca_crt %}
 - name: "ca-trust-extracted"
 mountPath: "/etc/pki/ca-trust/extracted"
- - name: "{{ ansible_operator_meta.name }}-bundle-cacert"
- mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
- subPath: bundle-ca.crt
- readOnly: true
 {% endif %}
 - name: {{ ansible_operator_meta.name }}-uwsgi-config
 mountPath: "/etc/tower/uwsgi.ini"
@@ -316,10 +321,6 @@ spec:
 {% if bundle_ca_crt %}
 - name: "ca-trust-extracted"
 mountPath: "/etc/pki/ca-trust/extracted"
- - name: "{{ ansible_operator_meta.name }}-bundle-cacert"
- mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
- subPath: bundle-ca.crt
- readOnly: true
 {% endif %}
 {% if development_mode | bool %}
 - name: awx-devel
diff --git a/roles/installer/templates/jobs/migration.yaml.j2 b/roles/installer/templates/jobs/migration.yaml.j2
index b3ad759e5..a71841094 100644
--- a/roles/installer/templates/jobs/migration.yaml.j2
+++ b/roles/installer/templates/jobs/migration.yaml.j2
@@ -9,6 +9,26 @@ metadata:
 spec:
 template:
 spec:
+{% if bundle_ca_crt %}
+ initContainers:
+ - name: init-bundle-ca-trust
+ image: '{{ _init_container_image }}'
+ imagePullPolicy: '{{ image_pull_policy }}'
+ resources: {{ init_container_resource_requirements }}
+ command:
+ - /bin/sh
+ - -c
+ - |
+ mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
+ update-ca-trust extract
+ volumeMounts:
+ - name: "ca-trust-extracted"
+ mountPath: "/etc/pki/ca-trust/extracted"
+ - name: "{{ ansible_operator_meta.name }}-bundle-cacert"
+ mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+ subPath: bundle-ca.crt
+ readOnly: true
+{% endif %}
 containers:
 - name: "migration-job"
 image: '{{ _image }}'
@@ -30,6 +50,10 @@ spec:
 subPath: settings.py
 readOnly: true
 {{ lookup("template", "common/volume_mounts/extra_settings_files.yaml.j2") | indent(width=12) | trim }}
+{% if bundle_ca_crt %}
+ - name: "ca-trust-extracted"
+ mountPath: "/etc/pki/ca-trust/extracted"
+{% endif %}
 {% if development_mode | bool %}
 - name: awx-devel
 mountPath: "/awx_devel"
@@ -96,6 +120,16 @@ spec:
 - key: settings
 path: settings.py
 {{ lookup("template", "common/volumes/extra_settings_files.yaml.j2") | indent(width=8) | trim }}
+{% if bundle_ca_crt %}
+ - name: "ca-trust-extracted"
+ emptyDir: {}
+ - name: "{{ ansible_operator_meta.name }}-bundle-cacert"
+ secret:
+ secretName: "{{ bundle_cacert_secret }}"
+ items:
+ - key: bundle-ca.crt
+ path: 'bundle-ca.crt'
+{% endif %}
 {% if development_mode | bool %}
 - name: awx-devel
 hostPath:
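Review bot: The two volumes added under `{% if bundle_ca_crt %}` in the migration job's `volumes:` list are a third hand-written copy of the `ca-trust-extracted` emptyDir and the bundle-cacert secret projection that the task and web deployments must also define (their `volumes:` sections are not in this diff, so that is inferred from the mounts they reference). The line just above already uses the include pattern for this purpose, so the same shape would keep the three copies from drifting: `{{ lookup("template", "common/volumes/bundle_cacert.yaml.j2") | indent(width=8) | trim }}` with the two volumes moved into that new file (a proposed path, not one that exists yet). Within the hunk, `key: bundle-ca.crt` is plain while `path: 'bundle-ca.crt'` is single-quoted; quoting both the same way is a minor style point. The `volumes:` list this hunk extends starts before the hunk.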