From 6d6ee516706a8384c34bfd3392c833c66a6d0105 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Mon, 9 Dec 2024 13:07:34 -0500
Subject: [PATCH] Fix permissions for barbican-p11-prep job
---
 pkg/barbican/p11_prep.go | 3 +--
 pkg/barbican/volumes.go | 2 +-
 templates/barbican/config/Chrystoki.conf | 2 +-
 .../config/barbican-p11-prep-config.json | 17 ++++++++++++-----
 4 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/pkg/barbican/p11_prep.go b/pkg/barbican/p11_prep.go
index 0e3cee9..b51ff1a 100644
--- a/pkg/barbican/p11_prep.go
+++ b/pkg/barbican/p11_prep.go
@@ -11,7 +11,7 @@ import (
 
 const (
 // P11PrepCommand -
- P11PrepCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+ P11PrepCommand = "/usr/local/bin/kolla_start"
 P11PrepConfig = "p11-prep-config-data"
 )
 
@@ -49,7 +49,6 @@ func P11PrepJob(instance *barbicanv1beta1.Barbican, labels map[string]string, an
 runAsUser := int64(0)
 envVars := map[string]env.Setter{}
 envVars["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS")
- envVars["KOLLA_BOOTSTRAP"] = env.SetValue("TRUE")
 
 job := &batchv1.Job{
 ObjectMeta: metav1.ObjectMeta{
diff --git a/pkg/barbican/volumes.go b/pkg/barbican/volumes.go
index 08c09b9..ef69a15 100644
--- a/pkg/barbican/volumes.go
+++ b/pkg/barbican/volumes.go
@@ -107,7 +107,7 @@ func GetLogVolume() corev1.Volume {
 func GetScriptVolumeMount() corev1.VolumeMount {
 return corev1.VolumeMount{
 Name: ScriptVolume,
- MountPath: "/var/lib/openstack/bin",
+ MountPath: "/usr/local/bin/container-scripts",
 ReadOnly: true,
 }
 }
diff --git a/templates/barbican/config/Chrystoki.conf b/templates/barbican/config/Chrystoki.conf
index 92f5e23..1b580e4 100644
--- a/templates/barbican/config/Chrystoki.conf
+++ b/templates/barbican/config/Chrystoki.conf
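Review bot: The doc comment on `P11PrepCommand` in pkg/barbican/p11_prep.go is still the empty `// P11PrepCommand -`, so nothing records why the explicit kolla_set_configs step could be dropped from the command. The job now depends on kolla_start itself applying the kolla config (file copies, ownership, modes) before it runs the configured command, and that is the step that puts generate_p11_keys.sh and Chrystoki.conf in place with their restricted modes. I would write the comment as `// P11PrepCommand starts the job through kolla_start, which is expected to apply the kolla config before running the configured command.`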
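Review bot: In pkg/barbican/volumes.go the new `MountPath` in GetScriptVolumeMount is a bare literal that has to stay identical to the `source` prefix in barbican-p11-prep-config.json, and nothing ties the two together. GetScriptVolumeMount looks like a helper shared by more than this job, so any other kolla config or command that still reads from /var/lib/openstack/bin (none is visible in this patch) would stop finding its script; that is worth a grep before merging. A named constant such as `ScriptMountPath = "/usr/local/bin/container-scripts"`, with a comment pointing at the JSON templates, would make the coupling visible. Keeping `ReadOnly: true` is right, since the scripts are later copied into /bin and executed.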
@@ -29,7 +29,7 @@ LunaSA Client = {
 SSLConfigFile = /usr/local/luna/openssl.cnf;
 ClientPrivKeyFile = {{ .P11CertificatesMountPoint }}/{{ .P11ClientAddress }}Key.pem;
 ClientCertFile = {{ .P11CertificatesMountPoint }}/{{ .P11ClientAddress }}.pem;
- ServerCAFile = {{ .P11CertificatesMountPoint }}/{{ .P11ServerAddress }}Cert.pem;
+ ServerCAFile = {{ .P11CertificatesMountPoint }}/CACert.pem;
 NetClient = 1;
 TCPKeepAlive = 1;
 EnableTLS1_2 = 1;
diff --git a/templates/barbican/config/barbican-p11-prep-config.json b/templates/barbican/config/barbican-p11-prep-config.json
index d811bb2..3152baa 100644
--- a/templates/barbican/config/barbican-p11-prep-config.json
+++ b/templates/barbican/config/barbican-p11-prep-config.json
@@ -1,11 +1,11 @@
 {
- "command": "generate_p11_keys.sh",
+ "command": "/bin/generate_p11_keys.sh",
 "config_files": [
 {
- "source": "/var/lib/openstack/bin/generate_p11_keys.sh",
- "dest": "/bin/",
+ "source": "/usr/local/bin/container-scripts/generate_p11_keys.sh",
+ "dest": "/bin/generate_p11_keys.sh",
 "owner": "barbican",
- "perm": "0700"
+ "perm": "0755"
 },
 {
 "source": "/var/lib/config-data/default/00-default.conf",
@@ -15,11 +15,18 @@
 },
 {
 "source": "/var/lib/config-data/default/Chrystoki.conf",
- "dest": "//usr/local/luna/Chrystoki.conf",
+ "dest": "/usr/local/luna/Chrystoki.conf",
 "owner": "barbican",
 "perm": "0600",
 "optional": true,
 "merge": true
 }
+ ],
+ "permissions": [
+ {
+ "path": "/var/log/barbican",
+ "owner": "barbican:barbican",
+ "recurse": true
+ }
 ]
 }
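Review bot: `ServerCAFile` in Chrystoki.conf now points at the fixed name `CACert.pem`, but nothing in this patch documents or checks that the secret mounted at P11CertificatesMountPoint carries a key with exactly that name. This file is the trust anchor for the TLS session to the HSM, so a secret that still uses the old `<server address>Cert.pem` key would leave the client without a usable CA file; whether that fails closed is up to the Luna client and is not visible here. The required key name should be stated where the certificates secret is documented, and the operator could refuse to reconcile when the key is absent. If the file is meant to hold a CA bundle rather than the single server certificate, say so as well, because that widens what the client will accept.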
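Review bot: The first config_files entry in barbican-p11-prep-config.json widens generate_p11_keys.sh from `0700` to `0755` while keeping `"owner": "barbican"`, and the patch does not say which uid needs the extra bits. The Go context in p11_prep.go shows `runAsUser := int64(0)`, so if the script is executed as root it stays writable by the barbican account; if barbican runs it, the original owner-only mode would already be enough. Since this script generates the HSM keys, I would pick the narrowest mode that works, for example `"perm": "0555"`, or record the reason for `0755` in the commit message, as JSON leaves no room for a comment.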
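Review bot: The new `permissions` entry in the second hunk of barbican-p11-prep-config.json changes only the owner of /var/log/barbican, recursively, and leaves the modes of whatever is already there untouched. If that path is the shared log volume, files written earlier with broad modes stay readable by other accounts in the container after the chown. kolla's permissions entries also accept a mode, so adding something like `"perm": "0750"` next to `"recurse": true` would pin it; check how kolla applies a recursive mode to regular files before choosing the value.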