From da9578953aa56d09605da32dbeecf1a83f97d477 Mon Sep 17 00:00:00 2001
From: Brandon Dunne
Date: Mon, 12 Dec 2022 15:33:39 -0500
Subject: [PATCH] Move server certificates to /etc/pki

---
 .../v1alpha1/helpers/miq-components/postgresql.go | 2 +-
 .../helpers/miq-components/postgresql_conf.go | 4 ++--
 .../api/v1alpha1/helpers/miq-components/util.go | 14 ++++++++++++++
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/manageiq-operator/api/v1alpha1/helpers/miq-components/postgresql.go b/manageiq-operator/api/v1alpha1/helpers/miq-components/postgresql.go
index 0b21ff30..2bf10817 100644
--- a/manageiq-operator/api/v1alpha1/helpers/miq-components/postgresql.go
+++ b/manageiq-operator/api/v1alpha1/helpers/miq-components/postgresql.go
@@ -284,7 +284,7 @@ func PostgresqlDeployment(cr *miqv1alpha1.ManageIQ, client client.Client, scheme
 	}
 
 	deployment.Spec.Template.Spec.Volumes = addOrUpdateVolume(deployment.Spec.Template.Spec.Volumes, corev1.Volume{Name: "env-file", VolumeSource: corev1.VolumeSource{Secret: &secret}})
-	addInternalCertificate(cr, deployment, client, "postgresql", "/opt/app-root/src/certificates")
+	addPkiCertificate(cr, deployment, client, "postgresql")
 
 	return nil
 }
diff --git a/manageiq-operator/api/v1alpha1/helpers/miq-components/postgresql_conf.go b/manageiq-operator/api/v1alpha1/helpers/miq-components/postgresql_conf.go
index d68905f3..3a6c63c5 100644
--- a/manageiq-operator/api/v1alpha1/helpers/miq-components/postgresql_conf.go
+++ b/manageiq-operator/api/v1alpha1/helpers/miq-components/postgresql_conf.go
@@ -78,8 +78,8 @@ func postgresqlSslConf() string {
 #------------------------------------------------------------------------------
 
 ssl = on
-ssl_cert_file = '/var/lib/pgsql/data/userdata/server.crt' # server certificate
-ssl_key_file = '/var/lib/pgsql/data/userdata/server.key' # server private key
+ssl_cert_file = '/etc/pki/tls/certs/server.crt' # server certificate
+ssl_key_file = '/etc/pki/tls/private/server.key' # server private key
 #ssl_ca_file # trusted certificate authorities
 #ssl_crl_file # certificates revoked by certificate authorities
 
diff --git a/manageiq-operator/api/v1alpha1/helpers/miq-components/util.go b/manageiq-operator/api/v1alpha1/helpers/miq-components/util.go
index 12e93f34..93c07990 100644
--- a/manageiq-operator/api/v1alpha1/helpers/miq-components/util.go
+++ b/manageiq-operator/api/v1alpha1/helpers/miq-components/util.go
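Review bot: The new `ssl_cert_file`/`ssl_key_file` values are the `/etc/pki/tls` mount path joined with the `certs/server.crt` and `private/server.key` KeyToPath entries that addPkiCertificate builds in util.go, yet nothing in either file records that dependency, so a later edit to one side leaves PostgreSQL failing at startup with a missing certificate or key. A comment directly above these two lines, `# paths must match the volume mount and KeyToPath items built by addPkiCertificate (util.go)`, keeps the coupling visible inside the generated config. postgresqlSslConf begins before this hunk, so the rest of its raw string is not under review here.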
@@ -116,6 +116,20 @@ func addInternalCertificate(cr *miqv1alpha1.ManageIQ, d *appsv1.Deployment, clie
 	}
 }
 
+func addPkiCertificate(cr *miqv1alpha1.ManageIQ, d *appsv1.Deployment, client client.Client, name string) {
+	secret := InternalCertificatesSecret(cr, client)
+	if secret.Data[fmt.Sprintf("%s_crt", name)] != nil && secret.Data[fmt.Sprintf("%s_key", name)] != nil {
+		volumeName := fmt.Sprintf("%s-certificate", name)
+
+		volumeMount := corev1.VolumeMount{Name: volumeName, MountPath: "/etc/pki/tls", ReadOnly: true}
+		d.Spec.Template.Spec.Containers[0].VolumeMounts = addOrUpdateVolumeMount(d.Spec.Template.Spec.Containers[0].VolumeMounts, volumeMount)
+
+		var mode int32 = 0o440
+		secretVolumeSource := corev1.SecretVolumeSource{SecretName: secret.Name, Items: []corev1.KeyToPath{corev1.KeyToPath{Key: fmt.Sprintf("%s_crt", name), Path: "certs/server.crt", Mode: &mode}, corev1.KeyToPath{Key: fmt.Sprintf("%s_key", name), Path: "private/server.key", Mode: &mode}}}
+		d.Spec.Template.Spec.Volumes = addOrUpdateVolume(d.Spec.Template.Spec.Volumes, corev1.Volume{Name: volumeName, VolumeSource: corev1.VolumeSource{Secret: &secretVolumeSource}})
+	}
+}
+
 func addOrUpdateEnvVar(environment []corev1.EnvVar, variable corev1.EnvVar) []corev1.EnvVar {
 	index := -1
 	for i, env := range environment {
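Review bot: Mounting the secret volume at `MountPath: "/etc/pki/tls"` in addPkiCertificate replaces that entire directory inside the container, so whatever the base image ships there — on RHEL/UBI-family images normally the system CA-bundle links under `certs/` and `openssl.cnf` — becomes invisible to the postgresql container, which can break any in-container client that verifies outbound TLS; mounting at a directory the image does not otherwise use (and pointing the two `ssl_*_file` settings in postgresql_conf.go there) or using per-file `SubPath` mounts avoids this, the latter at the cost of not picking up later secret updates without a restart. The `0o440` item mode is acceptable to PostgreSQL only because projected secret files are root-owned (it rejects a group-readable key owned by anyone else), so a comment on that line such as `// group-readable is accepted by PostgreSQL only for a root-owned key, which secret volumes provide` would keep a future change from loosening it. The secret key names are formatted three times; `crtKey, keyKey := name+"_crt", name+"_key"` once at the top reads better, and `gofmt -s` would drop the repeated `corev1.KeyToPath` element type in the Items literal. The function also lacks a doc comment; one sentence stating that its mount path and item paths must agree with the `ssl_cert_file`/`ssl_key_file` values in postgresql_conf.go would tie the two files together. The closing braces at the top of the hunk belong to addInternalCertificate, whose body starts outside it.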