specify private CAs configmap via CLI

replicatedhq · Sep 12, 2024 · 361f435 · 361f435
1 parent 6cf0941
commit 361f435
Show file tree

Hide file tree

Showing 4 changed files with 151 additions and 91 deletions.
diff --git a/cmd/kots/cli/install.go b/cmd/kots/cli/install.go
@@ -309,7 +309,6 @@ func InstallCmd() *cobra.Command {
 				AdditionalLabels:       additionalLabels,
 				AdditionalAnnotations:  additionalAnnotations,
 				TrustedCAsConfigmap:    v.GetString("private-ca-configmap"),
-				TrustedCAsConfigmapNS:  v.GetString("private-ca-configmap-namespace"),
 
 				RegistryConfig: *registryConfig,
 
@@ -554,7 +553,6 @@ func InstallCmd() *cobra.Command {
 	cmd.Flags().StringArray("additional-annotations", []string{}, "additional annotations to add to kotsadm pods")
 	cmd.Flags().StringArray("additional-labels", []string{}, "additional labels to add to kotsadm pods")
 	cmd.Flags().String("private-ca-configmap", "", "the name of a configmap containing private CAs to add to the kotsadm deployment")
-	cmd.Flags().String("private-ca-configmap-namespace", "", "the namespace of a configmap containing private CAs to add to the kotsadm deployment")
 
 	registryFlags(cmd.Flags())
 

diff --git a/pkg/kotsadm/objects/kotsadm_objects.go b/pkg/kotsadm/objects/kotsadm_objects.go
@@ -344,6 +344,17 @@ func KotsadmDeployment(deployOptions types.DeployOptions) (*appsv1.Deployment, e
 		})
 	}
 
+	if deployOptions.TrustedCAsConfigmap != "" {
+		env = append(env, corev1.EnvVar{
+			Name:  "SSL_CERT_DIR",
+			Value: "/certs",
+		})
+		env = append(env, corev1.EnvVar{
+			Name:  "SSL_CERT_CONFIGMAP",
+			Value: deployOptions.TrustedCAsConfigmap,
+		})
+	}
+
 	podAnnotations := map[string]string{
 		"backup.velero.io/backup-volumes":   "backup",
 		"pre.hook.backup.velero.io/command": `["/backup.sh"]`,
@@ -359,6 +370,60 @@ func KotsadmDeployment(deployOptions types.DeployOptions) (*appsv1.Deployment, e
 		podLabels[k] = v
 	}
 
+	volumes := []corev1.Volume{
+		{
+			Name: "migrations",
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{
+					Medium: corev1.StorageMediumMemory,
+				},
+			},
+		},
+		{
+			Name: "backup",
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		},
+		{
+			Name: "tmp",
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		},
+	}
+
+	if deployOptions.TrustedCAsConfigmap != "" {
+		volumes = append(volumes, corev1.Volume{
+			Name: "kotsadm-private-cas",
+			VolumeSource: corev1.VolumeSource{
+				ConfigMap: &corev1.ConfigMapVolumeSource{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: deployOptions.TrustedCAsConfigmap,
+					},
+				},
+			},
+		})
+	}
+
+	volumeMounts := []corev1.VolumeMount{
+		{
+			Name:      "backup",
+			MountPath: "/backup",
+		},
+		{
+			Name:      "tmp",
+			MountPath: "/tmp",
+		},
+	}
+
+	if deployOptions.TrustedCAsConfigmap != "" {
+		volumeMounts = append(volumeMounts, corev1.VolumeMount{
+			Name:      "kotsadm-private-cas",
+			MountPath: "/certs",
+		})
+	}
+
 	deployment := &appsv1.Deployment{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: "apps/v1",
@@ -385,29 +450,8 @@ func KotsadmDeployment(deployOptions types.DeployOptions) (*appsv1.Deployment, e
 					Affinity: &corev1.Affinity{
 						NodeAffinity: defaultKOTSNodeAffinity(),
 					},
-					SecurityContext: securityContext,
-					Volumes: []corev1.Volume{
-						{
-							Name: "migrations",
-							VolumeSource: corev1.VolumeSource{
-								EmptyDir: &corev1.EmptyDirVolumeSource{
-									Medium: corev1.StorageMediumMemory,
-								},
-							},
-						},
-						{
-							Name: "backup",
-							VolumeSource: corev1.VolumeSource{
-								EmptyDir: &corev1.EmptyDirVolumeSource{},
-							},
-						},
-						{
-							Name: "tmp",
-							VolumeSource: corev1.VolumeSource{
-								EmptyDir: &corev1.EmptyDirVolumeSource{},
-							},
-						},
-					},
+					SecurityContext:    securityContext,
+					Volumes:            volumes,
 					ServiceAccountName: "kotsadm",
 					RestartPolicy:      corev1.RestartPolicyAlways,
 					ImagePullSecrets:   pullSecrets,
@@ -631,17 +675,8 @@ func KotsadmDeployment(deployOptions types.DeployOptions) (*appsv1.Deployment, e
 									},
 								},
 							},
-							VolumeMounts: []corev1.VolumeMount{
-								{
-									Name:      "backup",
-									MountPath: "/backup",
-								},
-								{
-									Name:      "tmp",
-									MountPath: "/tmp",
-								},
-							},
-							Env: env,
+							VolumeMounts: volumeMounts,
+							Env:          env,
 							Resources: corev1.ResourceRequirements{
 								Limits: corev1.ResourceList{
 									"cpu":    resource.MustParse("1"),
@@ -694,6 +729,7 @@ func UpdateKotsadmStatefulSet(existingStatefulset *appsv1.StatefulSet, desiredSt
 	return nil
 }
 
+// TODO add configmap for additional CAs
 func KotsadmStatefulSet(deployOptions types.DeployOptions, size resource.Quantity) (*appsv1.StatefulSet, error) {
 	securityContext := k8sutil.SecurePodContext(1001, 1001, deployOptions.StrictSecurityContext)
 	if deployOptions.IsOpenShift {
@@ -846,6 +882,17 @@ func KotsadmStatefulSet(deployOptions types.DeployOptions, size resource.Quantit
 		})
 	}
 
+	if deployOptions.TrustedCAsConfigmap != "" {
+		env = append(env, corev1.EnvVar{
+			Name:  "SSL_CERT_DIR",
+			Value: "/certs",
+		})
+		env = append(env, corev1.EnvVar{
+			Name:  "SSL_CERT_CONFIGMAP",
+			Value: deployOptions.TrustedCAsConfigmap,
+		})
+	}
+
 	var storageClassName *string
 	if deployOptions.StorageClassName != "" {
 		storageClassName = &deployOptions.StorageClassName
@@ -866,6 +913,72 @@ func KotsadmStatefulSet(deployOptions types.DeployOptions, size resource.Quantit
 		podLabels[k] = v
 	}
 
+	volumes := []corev1.Volume{
+		{
+			Name: "kotsadmdata",
+			VolumeSource: corev1.VolumeSource{
+				PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
+					ClaimName: "kotsadmdata",
+				},
+			},
+		},
+		{
+			Name: "migrations",
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{
+					Medium: corev1.StorageMediumMemory,
+				},
+			},
+		},
+		{
+			Name: "backup",
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		},
+		{
+			Name: "tmp",
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		},
+	}
+
+	if deployOptions.TrustedCAsConfigmap != "" {
+		volumes = append(volumes, corev1.Volume{
+			Name: "kotsadm-private-cas",
+			VolumeSource: corev1.VolumeSource{
+				ConfigMap: &corev1.ConfigMapVolumeSource{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: deployOptions.TrustedCAsConfigmap,
+					},
+				},
+			},
+		})
+	}
+
+	volumeMounts := []corev1.VolumeMount{
+		{
+			Name:      "kotsadmdata",
+			MountPath: "/kotsadmdata",
+		},
+		{
+			Name:      "backup",
+			MountPath: "/backup",
+		},
+		{
+			Name:      "tmp",
+			MountPath: "/tmp",
+		},
+	}
+
+	if deployOptions.TrustedCAsConfigmap != "" {
+		volumeMounts = append(volumeMounts, corev1.VolumeMount{
+			Name:      "kotsadm-private-cas",
+			MountPath: "/certs",
+		})
+	}
+
 	statefulset := &appsv1.StatefulSet{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: "apps/v1",
@@ -893,37 +1006,8 @@ func KotsadmStatefulSet(deployOptions types.DeployOptions, size resource.Quantit
 					Affinity: &corev1.Affinity{
 						NodeAffinity: defaultKOTSNodeAffinity(),
 					},
-					SecurityContext: securityContext,
-					Volumes: []corev1.Volume{
-						{
-							Name: "kotsadmdata",
-							VolumeSource: corev1.VolumeSource{
-								PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
-									ClaimName: "kotsadmdata",
-								},
-							},
-						},
-						{
-							Name: "migrations",
-							VolumeSource: corev1.VolumeSource{
-								EmptyDir: &corev1.EmptyDirVolumeSource{
-									Medium: corev1.StorageMediumMemory,
-								},
-							},
-						},
-						{
-							Name: "backup",
-							VolumeSource: corev1.VolumeSource{
-								EmptyDir: &corev1.EmptyDirVolumeSource{},
-							},
-						},
-						{
-							Name: "tmp",
-							VolumeSource: corev1.VolumeSource{
-								EmptyDir: &corev1.EmptyDirVolumeSource{},
-							},
-						},
-					},
+					SecurityContext:    securityContext,
+					Volumes:            volumes,
 					ServiceAccountName: "kotsadm",
 					RestartPolicy:      corev1.RestartPolicyAlways,
 					ImagePullSecrets:   pullSecrets,
@@ -1153,21 +1237,8 @@ func KotsadmStatefulSet(deployOptions types.DeployOptions, size resource.Quantit
 									},
 								},
 							},
-							VolumeMounts: []corev1.VolumeMount{
-								{
-									Name:      "kotsadmdata",
-									MountPath: "/kotsadmdata",
-								},
-								{
-									Name:      "backup",
-									MountPath: "/backup",
-								},
-								{
-									Name:      "tmp",
-									MountPath: "/tmp",
-								},
-							},
-							Env: env,
+							VolumeMounts: volumeMounts,
+							Env:          env,
 							Resources: corev1.ResourceRequirements{
 								Limits: corev1.ResourceList{
 									"cpu":    resource.MustParse("1"),

diff --git a/pkg/kotsadm/types/deployoptions.go b/pkg/kotsadm/types/deployoptions.go
@@ -60,7 +60,6 @@ type DeployOptions struct {
 	AdditionalAnnotations  map[string]string
 	AdditionalLabels       map[string]string
 	TrustedCAsConfigmap    string
-	TrustedCAsConfigmapNS  string
 
 	IdentityConfig kotsv1beta1.IdentityConfig
 	IngressConfig  kotsv1beta1.IngressConfig

diff --git a/pkg/template/static_context.go b/pkg/template/static_context.go
@@ -684,11 +684,3 @@ func (ctx StaticCtx) privateCACert() string {
 	// return the name of a configmap holding additional CA certificates provided by the end user at install time
 	return os.Getenv("SSL_CERT_CONFIGMAP")
 }
-
-func (ctx StaticCtx) privateCACertNamespace() string {
-	// return the namespace of a configmap holding additional CA certificates provided by the end user at install time
-	if os.Getenv("SSL_CERT_CONFIGMAP_NAMESPACE") != "" {
-		return os.Getenv("SSL_CERT_CONFIGMAP_NAMESPACE")
-	}
-	return ctx.namespace()
-}