Added ability to trust a custom bundle CA

2026-05-08 14:22:49 +00:00 · 2021-06-11 00:23:34 -04:00
parent 1fb429b1ed
commit f2e43db37c
10 changed files with 128 additions and 8 deletions
--- a/roles/installer/templates/deployment.yaml.j2
+++ b/roles/installer/templates/deployment.yaml.j2
@@ -32,6 +32,25 @@ spec:
 {% if image_pull_secret %}
      imagePullSecrets:
        - name: {{ image_pull_secret }}
+{% endif %}
+{% if bundle_ca_crt %}
+      initContainers:
+        - name: init
+          image: '{{ init_container_image }}:{{ init_container_image_version }}'
+          imagePullPolicy: '{{ image_pull_policy }}'
+          command:
+            - /bin/sh
+            - -c
+            - |
+              mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
+              update-ca-trust
+          volumeMounts:
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
 {% endif %}
      containers:
        - image: '{{ redis_image }}:{{ redis_image_version }}'
@@ -62,6 +81,14 @@ spec:
            - containerPort: 8053
 {% endif %}
          volumeMounts:
+{% if bundle_ca_crt %}
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
+{% endif %}
            - name: "{{ meta.name }}-application-credentials"
              mountPath: "/etc/tower/conf.d/execution_environments.py"
              subPath: execution_environments.py
@@ -141,6 +168,14 @@ spec:
          args: {{ task_args }}
 {% endif %}
          volumeMounts:
+{% if bundle_ca_crt %}
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
+{% endif %}
            - name: "{{ meta.name }}-application-credentials"
              mountPath: "/etc/tower/conf.d/execution_environments.py"
              subPath: execution_environments.py
@@ -211,6 +246,14 @@ spec:
          resources: {{ ee_resource_requirements }}
          args: ['receptor', '--config', '/etc/receptor.conf']
          volumeMounts:
+{% if bundle_ca_crt %}
+            - name: "ca-trust-extracted"
+              mountPath: "/etc/pki/ca-trust/extracted"
+            - name: "{{ meta.name }}-bundle-cacert"
+              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
+              subPath: bundle-ca.crt
+              readOnly: true
+{% endif %}
            - name: "{{ meta.name }}-receptor-config"
              mountPath: "/etc/receptor.conf"
              subPath: receptor.conf
@@ -241,6 +284,16 @@ spec:
        {{ tolerations | indent(width=8) }}
 {% endif %}
      volumes:
+{% if bundle_ca_crt %}
+        - name: "ca-trust-extracted"
+          emptyDir: {}
+        - name: "{{ meta.name }}-bundle-cacert"
+          secret:
+            secretName: "{{ bundle_cacert_secret }}"
+            items:
+              - key: bundle-ca.crt
+                path: 'bundle-ca.crt'
+{% endif %}
 {% if ingress_type | lower == 'route' and route_tls_termination_mechanism | lower == 'passthrough' %}
        - name: "{{ meta.name }}-nginx-certs"
          secret: