fix(helm): use custom CA in egress and ingress too (#5980)

While we've always been able to pass a specific CA for control-plane certs it wasn't possible to use it for egress and ingress. Now we just use whatever is set. We also simplified the template when handling CAs Signed-off-by: Charly Molter <[email protected]>
kumahq · Feb 10, 2023 · 286cd9c · 286cd9c
1 parent e3f3cbf
commit 286cd9c
Show file tree

Hide file tree

Showing 10 changed files with 1,144 additions and 51 deletions.
diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.with-egress.golden.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.with-egress.golden.yaml
@@ -569,7 +569,7 @@ spec:
             - name: KUMA_CONTROL_PLANE_URL
               value: "https://kuma-control-plane.kuma-system:5678"
             - name: KUMA_CONTROL_PLANE_CA_CERT_FILE
-              value: /var/run/secrets/kuma.io/tls-cert/ca.crt
+              value: /var/run/secrets/kuma.io/cp-ca/ca.crt
             - name: KUMA_DATAPLANE_NAME
               value: $(POD_NAME).$(POD_NAMESPACE)
             - name: KUMA_DATAPLANE_DRAIN_TIME
@@ -609,13 +609,16 @@ spec:
               cpu: 1000m
               memory: 512Mi
           volumeMounts:
-            - name: kuma-tls-cert
-              mountPath: /var/run/secrets/kuma.io/tls-cert
+            - name: control-plane-ca
+              mountPath: /var/run/secrets/kuma.io/cp-ca
               readOnly: true
       volumes:
-        - name: kuma-tls-cert
+        - name: control-plane-ca
           secret:
-            secretName: kuma-tls-cert
+            secretName: "kuma-tls-cert"
+            items:
+              - key: ca.crt
+                path: ca.crt
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration

diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.with-helm-set.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.with-helm-set.yaml
@@ -5537,7 +5537,7 @@ spec:
             - name: KUMA_CONTROL_PLANE_URL
               value: "https://kuma-control-plane.kuma-system:5678"
             - name: KUMA_CONTROL_PLANE_CA_CERT_FILE
-              value: /var/run/secrets/kuma.io/tls-cert/ca.crt
+              value: /var/run/secrets/kuma.io/cp-ca/ca.crt
             - name: KUMA_DATAPLANE_NAME
               value: $(POD_NAME).$(POD_NAMESPACE)
             - name: KUMA_DATAPLANE_DRAIN_TIME
@@ -5577,13 +5577,16 @@ spec:
               cpu: 1000m
               memory: 512Mi
           volumeMounts:
-            - name: kuma-tls-cert
-              mountPath: /var/run/secrets/kuma.io/tls-cert
+            - name: control-plane-ca
+              mountPath: /var/run/secrets/kuma.io/cp-ca
               readOnly: true
       volumes:
-        - name: kuma-tls-cert
+        - name: control-plane-ca
           secret:
-            secretName: kuma-tls-cert
+            secretName: "kuma-tls-cert"
+            items:
+              - key: ca.crt
+                path: ca.crt
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -5655,7 +5658,7 @@ spec:
             - name: KUMA_CONTROL_PLANE_URL
               value: "https://kuma-control-plane.kuma-system:5678"
             - name: KUMA_CONTROL_PLANE_CA_CERT_FILE
-              value: /var/run/secrets/kuma.io/tls-cert/ca.crt
+              value: /var/run/secrets/kuma.io/cp-ca/ca.crt
             - name: KUMA_DATAPLANE_NAME
               value: $(POD_NAME).$(POD_NAMESPACE)
             - name: KUMA_DATAPLANE_DRAIN_TIME
@@ -5696,13 +5699,16 @@ spec:
               memory: 64Mi
 
           volumeMounts:
-            - name: kuma-tls-cert
-              mountPath: /var/run/secrets/kuma.io/tls-cert
+            - name: control-plane-ca
+              mountPath: /var/run/secrets/kuma.io/cp-ca
               readOnly: true
       volumes:
-        - name: kuma-tls-cert
+        - name: control-plane-ca
           secret:
-            secretName: kuma-tls-cert
+            secretName: "kuma-tls-cert"
+            items:
+              - key: ca.crt
+                path: ca.crt
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration

diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.with-ingress.golden.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.with-ingress.golden.yaml
@@ -574,7 +574,7 @@ spec:
             - name: KUMA_CONTROL_PLANE_URL
               value: "https://kuma-control-plane.kuma-system:5678"
             - name: KUMA_CONTROL_PLANE_CA_CERT_FILE
-              value: /var/run/secrets/kuma.io/tls-cert/ca.crt
+              value: /var/run/secrets/kuma.io/cp-ca/ca.crt
             - name: KUMA_DATAPLANE_NAME
               value: $(POD_NAME).$(POD_NAMESPACE)
             - name: KUMA_DATAPLANE_DRAIN_TIME
@@ -615,13 +615,16 @@ spec:
               memory: 64Mi
 
           volumeMounts:
-            - name: kuma-tls-cert
-              mountPath: /var/run/secrets/kuma.io/tls-cert
+            - name: control-plane-ca
+              mountPath: /var/run/secrets/kuma.io/cp-ca
               readOnly: true
       volumes:
-        - name: kuma-tls-cert
+        - name: control-plane-ca
           secret:
-            secretName: kuma-tls-cert
+            secretName: "kuma-tls-cert"
+            items:
+              - key: ca.crt
+                path: ca.crt
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration

diff --git a/app/kumactl/cmd/install/testdata/install-cp-helm/fix4496.golden.yaml b/app/kumactl/cmd/install/testdata/install-cp-helm/fix4496.golden.yaml
@@ -587,7 +587,7 @@ spec:
             - name: KUMA_CONTROL_PLANE_URL
               value: "https://kuma-control-plane.kuma-system:5678"
             - name: KUMA_CONTROL_PLANE_CA_CERT_FILE
-              value: /var/run/secrets/kuma.io/tls-cert/ca.crt
+              value: /var/run/secrets/kuma.io/cp-ca/ca.crt
             - name: KUMA_DATAPLANE_NAME
               value: $(POD_NAME).$(POD_NAMESPACE)
             - name: KUMA_DATAPLANE_DRAIN_TIME
@@ -628,13 +628,16 @@ spec:
               memory: 64Mi
 
           volumeMounts:
-            - name: kuma-tls-cert
-              mountPath: /var/run/secrets/kuma.io/tls-cert
+            - name: control-plane-ca
+              mountPath: /var/run/secrets/kuma.io/cp-ca
               readOnly: true
       volumes:
-        - name: kuma-tls-cert
+        - name: control-plane-ca
           secret:
-            secretName: kuma-tls-cert
+            secretName: "kuma-tls-cert"
+            items:
+              - key: ca.crt
+                path: ca.crt
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress

diff --git a/app/kumactl/cmd/install/testdata/install-cp-helm/fix4935.golden.yaml b/app/kumactl/cmd/install/testdata/install-cp-helm/fix4935.golden.yaml
@@ -795,7 +795,7 @@ spec:
             - name: KUMA_CONTROL_PLANE_URL
               value: "https://kuma-control-plane.kuma-system:5678"
             - name: KUMA_CONTROL_PLANE_CA_CERT_FILE
-              value: /var/run/secrets/kuma.io/tls-cert/ca.crt
+              value: /var/run/secrets/kuma.io/cp-ca/ca.crt
             - name: KUMA_DATAPLANE_NAME
               value: $(POD_NAME).$(POD_NAMESPACE)
             - name: KUMA_DATAPLANE_DRAIN_TIME
@@ -835,13 +835,16 @@ spec:
               cpu: 1000m
               memory: 512Mi
           volumeMounts:
-            - name: kuma-tls-cert
-              mountPath: /var/run/secrets/kuma.io/tls-cert
+            - name: control-plane-ca
+              mountPath: /var/run/secrets/kuma.io/cp-ca
               readOnly: true
       volumes:
-        - name: kuma-tls-cert
+        - name: control-plane-ca
           secret:
-            secretName: kuma-tls-cert
+            secretName: "kuma-tls-cert"
+            items:
+              - key: ca.crt
+                path: ca.crt
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -916,7 +919,7 @@ spec:
             - name: KUMA_CONTROL_PLANE_URL
               value: "https://kuma-control-plane.kuma-system:5678"
             - name: KUMA_CONTROL_PLANE_CA_CERT_FILE
-              value: /var/run/secrets/kuma.io/tls-cert/ca.crt
+              value: /var/run/secrets/kuma.io/cp-ca/ca.crt
             - name: KUMA_DATAPLANE_NAME
               value: $(POD_NAME).$(POD_NAMESPACE)
             - name: KUMA_DATAPLANE_DRAIN_TIME
@@ -957,13 +960,16 @@ spec:
               memory: 64Mi
 
           volumeMounts:
-            - name: kuma-tls-cert
-              mountPath: /var/run/secrets/kuma.io/tls-cert
+            - name: control-plane-ca
+              mountPath: /var/run/secrets/kuma.io/cp-ca
               readOnly: true
       volumes:
-        - name: kuma-tls-cert
+        - name: control-plane-ca
           secret:
-            secretName: kuma-tls-cert
+            secretName: "kuma-tls-cert"
+            items:
+              - key: ca.crt
+                path: ca.crt
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress