From 7a98ad50b44341cd87b056c2d8d1ece2391b6074 Mon Sep 17 00:00:00 2001
From: Brad Beam
Date: Wed, 30 Aug 2017 14:41:09 -0500
Subject: [PATCH] Fixing CA certificate locations for k8s components
---
.../manifests/kube-apiserver.manifest.j2 | 18 ++++++++++++++----
.../kube-controller-manager.manifest.j2 | 18 ++++++++++++------
.../manifests/kube-scheduler.manifest.j2 | 18 ++++++++++++------
3 files changed, 38 insertions(+), 16 deletions(-)
diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index c19076db3..1032ba482 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -105,9 +105,14 @@ spec:
- mountPath: {{ kube_config_dir }}
name: kubernetes-config
readOnly: true
- - mountPath: /etc/ssl/certs
+ - mountPath: /etc/ssl
name: ssl-certs-host
readOnly: true
+{% for dir in ssl_ca_dirs %}
+ - mountPath: {{ dir }}
+ name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+ readOnly: true
+{% endfor %}
- mountPath: {{ etcd_cert_dir }}
name: etcd-certs
readOnly: true
@@ -120,9 +125,14 @@ spec:
- hostPath:
path: {{ kube_config_dir }}
name: kubernetes-config
- - hostPath:
- path: /etc/ssl/certs/
- name: ssl-certs-host
+ - name: ssl-certs-host
+ hostPath:
+ path: /etc/ssl
+{% for dir in ssl_ca_dirs %}
+ - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+ hostPath:
+ path: {{ dir }}
+{% endfor %}
- hostPath:
path: {{ etcd_cert_dir }}
name: etcd-certs
diff --git a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
index 44a1c253c..8d08dfeb6 100644
--- a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
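Review bot: Widening the host mount from `/etc/ssl/certs` to `/etc/ssl` (the changed `mountPath` at the top of the hunk) hands the whole directory to the kube-apiserver container, and on Debian-family hosts that includes `/etc/ssl/private`, which typically holds host private keys. `readOnly: true` only blocks writes; a process running as root in the pod can still read those keys, so an apiserver compromise would now also yield host TLS material. If the parent directory is only mounted so distro symlinks under `/etc/ssl/certs` resolve, their targets appear to be supplied by the `ssl_ca_dirs` loop added below, so `- mountPath: /etc/ssl/certs` could stay as it was; if the wider mount really is required, a Jinja comment should say why. `ssl_ca_dirs` is defined outside this diff, so its contents are inferred here.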
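Review bot: The volume name generated for each `ssl_ca_dirs` entry in the new loop only strips the leading slash and rewrites `/` to `-`, so any entry containing uppercase letters, `_` or `.`, or written with a trailing slash (`/etc/pki/tls/` becomes `etc-pki-tls-`), yields a name that is not a valid DNS-1123 label and the kubelet rejects the whole static pod, taking the apiserver down. The same directory listed twice also produces duplicate volume names with the same result. An expression such as `{{ dir | lower | regex_replace('[^a-z0-9]+', '-') | regex_replace('^-+|-+$', '') }}` keeps names valid, and iterating `ssl_ca_dirs | unique` guards the duplicate case. The mount side of this file uses the same expression, so both copies must change together.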
+++ b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
@@ -70,9 +70,14 @@ spec:
initialDelaySeconds: 30
timeoutSeconds: 10
volumeMounts:
- - mountPath: /etc/ssl/certs
+ - mountPath: /etc/ssl
name: ssl-certs-host
readOnly: true
+{% for dir in ssl_ca_dirs %}
+ - mountPath: {{ dir }}
+ name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+ readOnly: true
+{% endfor %}
- mountPath: "{{kube_config_dir}}/ssl"
name: etc-kube-ssl
readOnly: true
@@ -87,11 +92,12 @@ spec:
volumes:
- name: ssl-certs-host
hostPath:
-{% if ansible_os_family == 'RedHat' %}
- path: /etc/pki/tls
-{% else %}
- path: /usr/share/ca-certificates
-{% endif %}
+ path: /etc/ssl
+{% for dir in ssl_ca_dirs %}
+ - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+ hostPath:
+ path: {{ dir }}
+{% endfor %}
- name: etc-kube-ssl
hostPath:
path: "{{ kube_config_dir }}/ssl"
diff --git a/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
index 054239b67..e9422d4a1 100644
--- a/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
@@ -45,9 +45,14 @@ spec:
initialDelaySeconds: 30
timeoutSeconds: 10
volumeMounts:
- - mountPath: /etc/ssl/certs
+ - mountPath: /etc/ssl
name: ssl-certs-host
readOnly: true
+{% for dir in ssl_ca_dirs %}
+ - mountPath: {{ dir }}
+ name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+ readOnly: true
+{% endfor %}
- mountPath: "{{ kube_config_dir }}/ssl"
name: etc-kube-ssl
readOnly: true
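Review bot: The `mountPath: {{ dir }}` lines in the new loop are never checked against the fixed mounts in the same `volumeMounts` list, so an `ssl_ca_dirs` entry of `/etc/ssl` collides with the `ssl-certs-host` mount directly above it (duplicate `mountPath`, which API validation rejects, so the controller-manager static pod never starts), and an entry under `/etc/ssl` or `{{kube_config_dir}}/ssl` produces overlapping bind mounts that are hard to reason about. Because `ssl_ca_dirs` is set outside this diff, the guard belongs here: `{% for dir in ssl_ca_dirs | reject('equalto', '/etc/ssl') | list %}` covers the exact collision, or a Jinja comment above the loop can state that the list must not overlap the fixed mounts. The container spec this list belongs to starts before the hunk.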
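Review bot: The new `hostPath` entries for `/etc/ssl` and each `ssl_ca_dirs` directory replace the per-distro branch without any check that the path exists on the master, and a plain `hostPath` with no `type` (which the Kubernetes version targeted here may not support) is typically created as an empty directory on the node when missing, so a stale or mistyped `ssl_ca_dirs` value leaves the controller-manager with an empty trust store that only surfaces as TLS failures at runtime rather than as a deploy-time error. An Ansible `stat` plus `assert` over every entry before the manifest is templated would fail the play early. At minimum a Jinja comment above the loop should record the contract, e.g. `{# every ssl_ca_dirs entry must exist on the master; directories that distro bundle symlinks resolve into (e.g. /etc/pki/ca-trust on RHEL) must be listed too #}`.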
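Review bot: kube-scheduler now receives the host's `/etc/ssl` plus every `ssl_ca_dirs` directory, yet the only CA this manifest shows it needing is the cluster CA already mounted from `{{ kube_config_dir }}/ssl` two lines below; as far as this diff shows, the scheduler has no cloud-provider or external endpoint to validate against system roots, so these mounts widen its view of the host filesystem for no visible benefit. Unless the scheduler is configured elsewhere to reach an external TLS endpoint, dropping the `ssl-certs-host` mount and the loop from this manifest (and the matching volumes) is the least-privilege option. If they are kept deliberately, a Jinja comment such as `{# host CA bundle needed for <endpoint> #}` above the mount would record why.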
@@ -57,11 +62,12 @@ spec:
volumes:
- name: ssl-certs-host
hostPath:
-{% if ansible_os_family == 'RedHat' %}
- path: /etc/pki/tls
-{% else %}
- path: /usr/share/ca-certificates
-{% endif %}
+ path: /etc/ssl
+{% for dir in ssl_ca_dirs %}
+ - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+ hostPath:
+ path: {{ dir }}
+{% endfor %}
- name: etc-kube-ssl
hostPath:
path: "{{ kube_config_dir }}/ssl"
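Review bot: The per-distro choice between `/etc/pki/tls` and `/usr/share/ca-certificates` is dropped in favour of a single `/etc/ssl` hostPath with nothing recording why, so the next reader cannot tell whether RHEL hosts (where `/etc/ssl/certs` is typically a symlink into `/etc/pki`) are now expected to supply the `/etc/pki/...` directories through `ssl_ca_dirs`. A short Jinja comment above the volume, e.g. `{# /etc/ssl is mounted whole so distro symlinks under /etc/ssl/certs resolve; their targets are mounted from ssl_ca_dirs #}`, would preserve that rationale, assuming it is the intent. The generated-volume-name expression is also repeated verbatim across all three manifests; keeping every copy identical matters because the mount and the volume must agree exactly, so a shared variable or a note pointing at the other copies would reduce drift.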