Merge pull request #361 from stuggi/tls-ca-bundle

[TLS] Mount tls cert/key + ca-bundle into /etc
openstack-k8s-operators · Oct 9, 2023 · e0907a2 · e0907a2
2 parents 7fe7fe1 + 7daa69c
commit e0907a2
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 8 deletions.
diff --git a/modules/common/tls/tls.go b/modules/common/tls/tls.go
@@ -25,6 +25,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/utils/ptr"
 )
 
 // Service contains server-specific TLS secret
@@ -77,16 +78,23 @@ func (t *TLS) CreateVolumeMounts() []corev1.VolumeMount {
 
 	if t.Service != nil && t.Service.SecretName != "" {
 		volumeMounts = append(volumeMounts, corev1.VolumeMount{
-			Name:      "tls-certs",
-			MountPath: "/var/lib/config-data/tls-certificates",
+			Name:      "tls-crt",
+			MountPath: "/etc/pki/tls/certs/tls.crt",
+			SubPath:   "tls.crt",
+			ReadOnly:  true,
+		})
+		volumeMounts = append(volumeMounts, corev1.VolumeMount{
+			Name:      "tls-key",
+			MountPath: "/etc/pki/tls/certs/tls.key",
+			SubPath:   "tls.key",
 			ReadOnly:  true,
 		})
 	}
 
 	if t.Ca != nil && t.Ca.CaSecretName != "" {
 		volumeMounts = append(volumeMounts, corev1.VolumeMount{
 			Name:      "ca-certs",
-			MountPath: "/var/lib/config-data/ca-certificates",
+			MountPath: "/etc/pki/ca-trust/extracted/pem",
 			ReadOnly:  true,
 		})
 	}
@@ -97,15 +105,14 @@ func (t *TLS) CreateVolumeMounts() []corev1.VolumeMount {
 // CreateVolumes - add volume for TLS certificate and CA certificates
 func (t *TLS) CreateVolumes() []corev1.Volume {
 	var volumes []corev1.Volume
-	mode := int32(0400)
 
 	if t.Service != nil && t.Service.SecretName != "" {
 		volumes = append(volumes, corev1.Volume{
 			Name: "tls-certs",
 			VolumeSource: corev1.VolumeSource{
 				Secret: &corev1.SecretVolumeSource{
 					SecretName:  t.Service.SecretName,
-					DefaultMode: &mode,
+					DefaultMode: ptr.To[int32](0440),
 				},
 			},
 		})
@@ -117,7 +124,7 @@ func (t *TLS) CreateVolumes() []corev1.Volume {
 			VolumeSource: corev1.VolumeSource{
 				Secret: &corev1.SecretVolumeSource{
 					SecretName:  t.Ca.CaSecretName,
-					DefaultMode: &mode,
+					DefaultMode: ptr.To[int32](0444),
 				},
 			},
 		})

diff --git a/modules/common/tls/tls_test.go b/modules/common/tls/tls_test.go
@@ -37,7 +37,7 @@ func TestCreateVolumeMounts(t *testing.T) {
 			name:          "Only TLS Secret",
 			service:       &Service{SecretName: "test-tls-secret"},
 			ca:            &Ca{},
-			wantMountsLen: 1,
+			wantMountsLen: 2,
 		},
 		{
 			name:          "Only CA Secret",
@@ -49,7 +49,7 @@ func TestCreateVolumeMounts(t *testing.T) {
 			name:          "TLS and CA Secrets",
 			service:       &Service{SecretName: "test-tls-secret"},
 			ca:            &Ca{CaSecretName: "test-ca1"},
-			wantMountsLen: 2,
+			wantMountsLen: 3,
 		},
 	}