From 361f4350b520334e7e124d4cd6dd3797f4686ae3 Mon Sep 17 00:00:00 2001
From: Andrew Lavery
Date: Thu, 12 Sep 2024 15:02:41 -0400
Subject: [PATCH] specify private CAs configmap via CLI

---
 cmd/kots/cli/install.go | 2 -
 pkg/kotsadm/objects/kotsadm_objects.go | 231 ++++++++++++++++---------
 pkg/kotsadm/types/deployoptions.go | 1 -
 pkg/template/static_context.go | 8 -
 4 files changed, 151 insertions(+), 91 deletions(-)

diff --git a/cmd/kots/cli/install.go b/cmd/kots/cli/install.go
index bd9a246e7c..b6515c5e9a 100644
--- a/cmd/kots/cli/install.go
+++ b/cmd/kots/cli/install.go
@@ -309,7 +309,6 @@ func InstallCmd() *cobra.Command {
 AdditionalLabels: additionalLabels,
 AdditionalAnnotations: additionalAnnotations,
 TrustedCAsConfigmap: v.GetString("private-ca-configmap"),
- TrustedCAsConfigmapNS: v.GetString("private-ca-configmap-namespace"),
 RegistryConfig: *registryConfig,
@@ -554,7 +553,6 @@ func InstallCmd() *cobra.Command {
 cmd.Flags().StringArray("additional-annotations", []string{}, "additional annotations to add to kotsadm pods")
 cmd.Flags().StringArray("additional-labels", []string{}, "additional labels to add to kotsadm pods")
 cmd.Flags().String("private-ca-configmap", "", "the name of a configmap containing private CAs to add to the kotsadm deployment")
- cmd.Flags().String("private-ca-configmap-namespace", "", "the namespace of a configmap containing private CAs to add to the kotsadm deployment")
 registryFlags(cmd.Flags())
diff --git a/pkg/kotsadm/objects/kotsadm_objects.go b/pkg/kotsadm/objects/kotsadm_objects.go
index f2741bea62..31ea4a93ad 100644
--- a/pkg/kotsadm/objects/kotsadm_objects.go
+++ b/pkg/kotsadm/objects/kotsadm_objects.go
@@ -344,6 +344,17 @@ func KotsadmDeployment(deployOptions types.DeployOptions) (*appsv1.Deployment, e
 })
 }
 
+ if deployOptions.TrustedCAsConfigmap != "" {
+ env = append(env, corev1.EnvVar{
+ Name: "SSL_CERT_DIR",
+ Value: "/certs",
+ })
+ env = append(env, corev1.EnvVar{
+ Name: "SSL_CERT_CONFIGMAP",
+ Value: deployOptions.TrustedCAsConfigmap,
+ })
+ }
+
 podAnnotations := map[string]string{
 "backup.velero.io/backup-volumes": "backup",
 "pre.hook.backup.velero.io/command": `["/backup.sh"]`,
@@ -359,6 +370,60 @@ func KotsadmDeployment(deployOptions types.DeployOptions) (*appsv1.Deployment, e
 podLabels[k] = v
 }
 
+ volumes := []corev1.Volume{
+ {
+ Name: "migrations",
+ VolumeSource: corev1.VolumeSource{
+ EmptyDir: &corev1.EmptyDirVolumeSource{
+ Medium: corev1.StorageMediumMemory,
+ },
+ },
+ },
+ {
+ Name: "backup",
+ VolumeSource: corev1.VolumeSource{
+ EmptyDir: &corev1.EmptyDirVolumeSource{},
+ },
+ },
+ {
+ Name: "tmp",
+ VolumeSource: corev1.VolumeSource{
+ EmptyDir: &corev1.EmptyDirVolumeSource{},
+ },
+ },
+ }
+
+ if deployOptions.TrustedCAsConfigmap != "" {
+ volumes = append(volumes, corev1.Volume{
+ Name: "kotsadm-private-cas",
+ VolumeSource: corev1.VolumeSource{
+ ConfigMap: &corev1.ConfigMapVolumeSource{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: deployOptions.TrustedCAsConfigmap,
+ },
+ },
+ },
+ })
+ }
+
+ volumeMounts := []corev1.VolumeMount{
+ {
+ Name: "backup",
+ MountPath: "/backup",
+ },
+ {
+ Name: "tmp",
+ MountPath: "/tmp",
+ },
+ }
+
+ if deployOptions.TrustedCAsConfigmap != "" {
+ volumeMounts = append(volumeMounts, corev1.VolumeMount{
+ Name: "kotsadm-private-cas",
+ MountPath: "/certs",
+ })
+ }
+
 deployment := &appsv1.Deployment{
 TypeMeta: metav1.TypeMeta{
 APIVersion: "apps/v1",
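Review bot: Setting `SSL_CERT_DIR` to a single directory replaces the default certificate-directory search path rather than extending it, so only the bundle files the runtime probes by fixed name keep loading the distro roots; anything in the image that resolves roots through OpenSSL-style lookup would see only `/certs`. If the intent is "add these CAs on top of the system roots", consider `Value: "/certs:/etc/ssl/certs"` (colon-separated lists are accepted by recent Go releases; worth confirming against the toolchain in use) or at least a comment stating that the system bundle is still expected to load from its file path. The two variables also serve different consumers and deserve a line each: `// SSL_CERT_DIR is read by the TLS root loader; SSL_CERT_CONFIGMAP is read by the privateCACert template function`. The same block is repeated in KotsadmStatefulSet at hunk @@ -846, so whatever is decided applies there too; the enclosing function continues outside this hunk.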
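Review bot: The volume, mount and env additions for the CA configmap are written out verbatim twice, here and in KotsadmStatefulSet (hunks @@ -846 and @@ -866), with the volume name `kotsadm-private-cas` and the path `/certs` repeated as literals in four places that must stay in sync with `SSL_CERT_DIR`. Pulling them into small helpers keyed on the configmap name keeps the two pod specs from drifting, and the callers reduce to `volumes = append(volumes, trustedCAsVolumes(deployOptions.TrustedCAsConfigmap)...)` and the matching lines for mounts and env. The enclosing function runs past the end of the hunk.
```go
const (
	trustedCAsVolumeName = "kotsadm-private-cas"
	trustedCAsMountPath  = "/certs"
)

// trustedCAsEnv returns the env vars that expose a user-supplied CA configmap
// to the pod: SSL_CERT_DIR for TLS root loading, SSL_CERT_CONFIGMAP for the
// template functions. Nil when no configmap was given.
func trustedCAsEnv(configMapName string) []corev1.EnvVar {
	if configMapName == "" {
		return nil
	}
	return []corev1.EnvVar{
		{Name: "SSL_CERT_DIR", Value: trustedCAsMountPath},
		{Name: "SSL_CERT_CONFIGMAP", Value: configMapName},
	}
}

// trustedCAsVolumes returns the configmap-backed volume, or nil when no
// configmap was given. The configmap must live in the pod's own namespace.
func trustedCAsVolumes(configMapName string) []corev1.Volume {
	if configMapName == "" {
		return nil
	}
	return []corev1.Volume{{
		Name: trustedCAsVolumeName,
		VolumeSource: corev1.VolumeSource{
			ConfigMap: &corev1.ConfigMapVolumeSource{
				LocalObjectReference: corev1.LocalObjectReference{Name: configMapName},
			},
		},
	}}
}

// trustedCAsVolumeMounts returns the mount matching trustedCAsVolumes, or nil.
func trustedCAsVolumeMounts(configMapName string) []corev1.VolumeMount {
	if configMapName == "" {
		return nil
	}
	return []corev1.VolumeMount{{Name: trustedCAsVolumeName, MountPath: trustedCAsMountPath}}
}

// … unchanged: KotsadmDeployment body, with the three append calls replacing the inline blocks …
```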
@@ -385,29 +450,8 @@ func KotsadmDeployment(deployOptions types.DeployOptions) (*appsv1.Deployment, e
 Affinity: &corev1.Affinity{
 NodeAffinity: defaultKOTSNodeAffinity(),
 },
- SecurityContext: securityContext,
- Volumes: []corev1.Volume{
- {
- Name: "migrations",
- VolumeSource: corev1.VolumeSource{
- EmptyDir: &corev1.EmptyDirVolumeSource{
- Medium: corev1.StorageMediumMemory,
- },
- },
- },
- {
- Name: "backup",
- VolumeSource: corev1.VolumeSource{
- EmptyDir: &corev1.EmptyDirVolumeSource{},
- },
- },
- {
- Name: "tmp",
- VolumeSource: corev1.VolumeSource{
- EmptyDir: &corev1.EmptyDirVolumeSource{},
- },
- },
- },
+ SecurityContext: securityContext,
+ Volumes: volumes,
 ServiceAccountName: "kotsadm",
 RestartPolicy: corev1.RestartPolicyAlways,
 ImagePullSecrets: pullSecrets,
@@ -631,17 +675,8 @@ func KotsadmDeployment(deployOptions types.DeployOptions) (*appsv1.Deployment, e
 },
 },
 },
- VolumeMounts: []corev1.VolumeMount{
- {
- Name: "backup",
- MountPath: "/backup",
- },
- {
- Name: "tmp",
- MountPath: "/tmp",
- },
- },
- Env: env,
+ VolumeMounts: volumeMounts,
+ Env: env,
 Resources: corev1.ResourceRequirements{
 Limits: corev1.ResourceList{
 "cpu": resource.MustParse("1"),
@@ -694,6 +729,7 @@ func UpdateKotsadmStatefulSet(existingStatefulset *appsv1.StatefulSet, desiredSt
 return nil
 }
 
+// TODO add configmap for additional CAs
 func KotsadmStatefulSet(deployOptions types.DeployOptions, size resource.Quantity) (*appsv1.StatefulSet, error) {
 securityContext := k8sutil.SecurePodContext(1001, 1001, deployOptions.StrictSecurityContext)
 if deployOptions.IsOpenShift {
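Review bot: The `// TODO add configmap for additional CAs` comment added above KotsadmStatefulSet in hunk @@ -694 is already resolved by this same commit, which wires the env vars, volume and mount into the StatefulSet at hunks @@ -846 and @@ -866, so it will send the next reader looking for missing work. Replace it with a doc comment that states the contract instead: `// KotsadmStatefulSet builds the kotsadm StatefulSet. When deployOptions.TrustedCAsConfigmap is set, that configmap (same namespace) is mounted at /certs and advertised via SSL_CERT_DIR and SSL_CERT_CONFIGMAP.` The other two hunks on this line only move existing literals into the new `volumes`/`volumeMounts` variables.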
@@ -846,6 +882,17 @@ func KotsadmStatefulSet(deployOptions types.DeployOptions, size resource.Quantit
 })
 }
 
+ if deployOptions.TrustedCAsConfigmap != "" {
+ env = append(env, corev1.EnvVar{
+ Name: "SSL_CERT_DIR",
+ Value: "/certs",
+ })
+ env = append(env, corev1.EnvVar{
+ Name: "SSL_CERT_CONFIGMAP",
+ Value: deployOptions.TrustedCAsConfigmap,
+ })
+ }
+
 var storageClassName *string
 if deployOptions.StorageClassName != "" {
 storageClassName = &deployOptions.StorageClassName
@@ -866,6 +913,72 @@ func KotsadmStatefulSet(deployOptions types.DeployOptions, size resource.Quantit
 podLabels[k] = v
 }
 
+ volumes := []corev1.Volume{
+ {
+ Name: "kotsadmdata",
+ VolumeSource: corev1.VolumeSource{
+ PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
+ ClaimName: "kotsadmdata",
+ },
+ },
+ },
+ {
+ Name: "migrations",
+ VolumeSource: corev1.VolumeSource{
+ EmptyDir: &corev1.EmptyDirVolumeSource{
+ Medium: corev1.StorageMediumMemory,
+ },
+ },
+ },
+ {
+ Name: "backup",
+ VolumeSource: corev1.VolumeSource{
+ EmptyDir: &corev1.EmptyDirVolumeSource{},
+ },
+ },
+ {
+ Name: "tmp",
+ VolumeSource: corev1.VolumeSource{
+ EmptyDir: &corev1.EmptyDirVolumeSource{},
+ },
+ },
+ }
+
+ if deployOptions.TrustedCAsConfigmap != "" {
+ volumes = append(volumes, corev1.Volume{
+ Name: "kotsadm-private-cas",
+ VolumeSource: corev1.VolumeSource{
+ ConfigMap: &corev1.ConfigMapVolumeSource{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: deployOptions.TrustedCAsConfigmap,
+ },
+ },
+ },
+ })
+ }
+
+ volumeMounts := []corev1.VolumeMount{
+ {
+ Name: "kotsadmdata",
+ MountPath: "/kotsadmdata",
+ },
+ {
+ Name: "backup",
+ MountPath: "/backup",
+ },
+ {
+ Name: "tmp",
+ MountPath: "/tmp",
+ },
+ }
+
+ if deployOptions.TrustedCAsConfigmap != "" {
+ volumeMounts = append(volumeMounts, corev1.VolumeMount{
+ Name: "kotsadm-private-cas",
+ MountPath: "/certs",
+ })
+ }
+
 statefulset := &appsv1.StatefulSet{
 TypeMeta: metav1.TypeMeta{
 APIVersion: "apps/v1",
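Review bot: The ConfigMap volume in hunk @@ -866 is added with no `Optional` set and no existence check, so a name that does not resolve in the kotsadm namespace (the only namespace a ConfigMap volume can reference, which is consistent with the dropped `-namespace` flag) leaves the pod stuck before its containers start, with nothing reported by the CLI. Failing closed is the right default for a trust-root input, but the flag help in install.go should say the configmap must already exist in the install namespace, and a pre-apply lookup in the CLI would turn the hang into an error message. Separately, whether an existing install picks this up on upgrade depends on UpdateKotsadmStatefulSet (signature visible at hunk @@ -694, body outside this diff) and its Deployment counterpart: if they copy selected fields rather than the whole pod template, the new volume and mount may never reach a running kotsadm — worth a test that passes the flag on an upgrade. Both enclosing functions run past the hunk boundaries.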
@@ -893,37 +1006,8 @@ func KotsadmStatefulSet(deployOptions types.DeployOptions, size resource.Quantit
 Affinity: &corev1.Affinity{
 NodeAffinity: defaultKOTSNodeAffinity(),
 },
- SecurityContext: securityContext,
- Volumes: []corev1.Volume{
- {
- Name: "kotsadmdata",
- VolumeSource: corev1.VolumeSource{
- PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
- ClaimName: "kotsadmdata",
- },
- },
- },
- {
- Name: "migrations",
- VolumeSource: corev1.VolumeSource{
- EmptyDir: &corev1.EmptyDirVolumeSource{
- Medium: corev1.StorageMediumMemory,
- },
- },
- },
- {
- Name: "backup",
- VolumeSource: corev1.VolumeSource{
- EmptyDir: &corev1.EmptyDirVolumeSource{},
- },
- },
- {
- Name: "tmp",
- VolumeSource: corev1.VolumeSource{
- EmptyDir: &corev1.EmptyDirVolumeSource{},
- },
- },
- },
+ SecurityContext: securityContext,
+ Volumes: volumes,
 ServiceAccountName: "kotsadm",
 RestartPolicy: corev1.RestartPolicyAlways,
 ImagePullSecrets: pullSecrets,
@@ -1153,21 +1237,8 @@ func KotsadmStatefulSet(deployOptions types.DeployOptions, size resource.Quantit
 },
 },
 },
- VolumeMounts: []corev1.VolumeMount{
- {
- Name: "kotsadmdata",
- MountPath: "/kotsadmdata",
- },
- {
- Name: "backup",
- MountPath: "/backup",
- },
- {
- Name: "tmp",
- MountPath: "/tmp",
- },
- },
- Env: env,
+ VolumeMounts: volumeMounts,
+ Env: env,
 Resources: corev1.ResourceRequirements{
 Limits: corev1.ResourceList{
 "cpu": resource.MustParse("1"),
diff --git a/pkg/kotsadm/types/deployoptions.go b/pkg/kotsadm/types/deployoptions.go
index cf6b6f2454..6570dfcddd 100644
--- a/pkg/kotsadm/types/deployoptions.go
+++ b/pkg/kotsadm/types/deployoptions.go
@@ -60,7 +60,6 @@ type DeployOptions struct {
 AdditionalAnnotations map[string]string
 AdditionalLabels map[string]string
 TrustedCAsConfigmap string
- TrustedCAsConfigmapNS string
 IdentityConfig kotsv1beta1.IdentityConfig
 IngressConfig kotsv1beta1.IngressConfig
diff --git a/pkg/template/static_context.go b/pkg/template/static_context.go
index 4fe3abcfbf..d31d0f17e3 100644
--- a/pkg/template/static_context.go
+++ b/pkg/template/static_context.go
@@ -684,11 +684,3 @@ func (ctx StaticCtx) privateCACert() string {
 // return the name of a configmap holding additional CA certificates provided by the end user at install time
 return os.Getenv("SSL_CERT_CONFIGMAP")
 }
-
-func (ctx StaticCtx) privateCACertNamespace() string {
- // return the namespace of a configmap holding additional CA certificates provided by the end user at install time
- if os.Getenv("SSL_CERT_CONFIGMAP_NAMESPACE") != "" {
- return os.Getenv("SSL_CERT_CONFIGMAP_NAMESPACE")
- }
- return ctx.namespace()
-}