Added ability to trust a custom bundle CA

2026-03-26 21:33:14 +00:00 · 2021-06-11 00:23:34 -04:00
parent 1fb429b1ed
commit f2e43db37c
10 changed files with 128 additions and 8 deletions
--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
@@ -111,6 +111,8 @@ redis_image: docker.io/redis
 redis_image_version: latest
 postgres_image: postgres
 postgres_image_version: 12
+init_container_image: quay.io/centos/centos
+init_container_image_version: 8
 image_pull_policy: IfNotPresent
 image_pull_secret: ''

@@ -206,6 +208,9 @@ ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
 #
 ldap_cacert_secret: ''

+# Secret to lookup that provides the custom CA trusted bundle
+bundle_cacert_secret: ''
+
 # Whether secrets should be garbage collected
 # on teardown
 #
--- a/roles/installer/tasks/load_bundle_cacert_secret.yml
+++ b/roles/installer/tasks/load_bundle_cacert_secret.yml
@@ -0,0 +1,12 @@
+---
+- name: Retrieve bundle Certificate Authority Secret
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ bundle_cacert_secret }}'
+  register: bundle_cacert
+
+- name: Load bundle Certificate Authority Secret content
+  set_fact:
+    bundle_ca_crt: '{{ bundle_cacert["resources"][0]["data"]["bundle-ca.crt"] | b64decode }}'
+  when: '"bundle-ca.crt" in bundle_cacert["resources"][0]["data"]'
--- a/roles/installer/tasks/main.yml
+++ b/roles/installer/tasks/main.yml
@@ -25,6 +25,11 @@
  when:
    - ldap_cacert_secret != ''

+- name: Load bundle certificate authority certificate
+  include_tasks: load_bundle_cacert_secret.yml
+  when:
+    - bundle_cacert_secret != ''
+
 - name: Include admin password configuration tasks
  include_tasks: admin_password_configuration.yml

--- a/roles/installer/templates/deployment.yaml.j2
+++ b/roles/installer/templates/deployment.yaml.j2
@@ -32,6 +32,25 @@ spec:
 {% if image_pull_secret %}
      imagePullSecrets:
        - name: {{ image_pull_secret }}
+{% endif %}
+{% if bundle_ca_crt %}
+      initContainers:
+        - name: init
+          image: '{{ init_container_image }}:{{ init_container_image_version }}'
+          imagePullPolicy: '{{ image_pull_policy }}'
+          command:
+            - /bin/sh
+            - -c
+            - |
+              mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
+              update-ca-trust
+          volumeMounts:
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
 {% endif %}
      containers:
        - image: '{{ redis_image }}:{{ redis_image_version }}'
@@ -62,6 +81,14 @@ spec:
            - containerPort: 8053
 {% endif %}
          volumeMounts:
+{% if bundle_ca_crt %}
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
+{% endif %}
            - name: "{{ meta.name }}-application-credentials"
              mountPath: "/etc/tower/conf.d/execution_environments.py"
              subPath: execution_environments.py
@@ -141,6 +168,14 @@ spec:
          args: {{ task_args }}
 {% endif %}
          volumeMounts:
+{% if bundle_ca_crt %}
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
+{% endif %}
            - name: "{{ meta.name }}-application-credentials"
              mountPath: "/etc/tower/conf.d/execution_environments.py"
              subPath: execution_environments.py
@@ -211,6 +246,14 @@ spec:
          resources: {{ ee_resource_requirements }}
          args: ['receptor', '--config', '/etc/receptor.conf']
          volumeMounts:
+{% if bundle_ca_crt %}
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
+{% endif %}
            - name: "{{ meta.name }}-receptor-config"
              mountPath: "/etc/receptor.conf"
              subPath: receptor.conf
@@ -241,6 +284,16 @@ spec:
        {{ tolerations | indent(width=8) }}
 {% endif %}
      volumes:
+{% if bundle_ca_crt %}
+        - name: "ca-trust-extracted"
+          emptyDir: {}
+        - name: "{{ meta.name }}-bundle-cacert"
+          secret:
+            secretName: "{{ bundle_cacert_secret }}"
+            items:
+              - key: bundle-ca.crt
+                path: 'bundle-ca.crt'
+{% endif %}
 {% if ingress_type | lower == 'route' and route_tls_termination_mechanism | lower == 'passthrough' %}
        - name: "{{ meta.name }}-nginx-certs"
          secret:
--- a/roles/installer/vars/main.yml
+++ b/roles/installer/vars/main.yml
@@ -2,4 +2,5 @@
 postgres_initdb_args: '--auth-host=scram-sha-256'
 postgres_host_auth_method: 'scram-sha-256'
 ldap_cacert_ca_crt: ''
+bundle_ca_crt: ''
 projects_existing_claim: ''