Merge "Ensure Zuul and Nodepool can execute the "update-ca-trust" com…

…mand"
softwarefactory-project · Jan 3, 2024 · ddc1ce7 · ddc1ce7
2 parents 9ca656a + a475df3
commit ddc1ce7
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 5 deletions.
diff --git a/controllers/nodepool.go b/controllers/nodepool.go
@@ -389,6 +389,7 @@ func (r *SFController) DeployNodepoolBuilder(statsdExporterVolume apiv1.Volume,
 		base.MkVolumeSecret("zookeeper-client-tls"),
 		base.MkVolumeSecret(NodepoolProvidersSecretsName),
 		base.MkEmptyDirVolume("nodepool-config"),
+		base.MkEmptyDirVolume("nodepool-ca"),
 		r.commonToolingVolume(),
 		{
 			Name: "nodepool-builder-ssh-key",
@@ -434,6 +435,10 @@ func (r *SFController) DeployNodepoolBuilder(statsdExporterVolume apiv1.Volume,
 			Name:      "nodepool-config",
 			MountPath: "/etc/nodepool",
 		},
+		{
+			Name:      "nodepool-ca",
+			MountPath: "/etc/pki/ca-trust/extracted",
+		},
 		configScriptVolumeMount,
 		{
 			Name:      "nodepool-tooling-vol",
@@ -512,8 +517,9 @@ func (r *SFController) DeployNodepoolBuilder(statsdExporterVolume apiv1.Volume,
 
 	nb.Spec.Template.Spec.InitContainers = []apiv1.Container{initContainer}
 	nb.Spec.Template.Spec.Volumes = volumes
-	nb.Spec.Template.Spec.Containers[0].Command = []string{"/usr/local/bin/dumb-init", "--",
-		"/usr/local/bin/nodepool-builder", "-f", "-l", "/etc/nodepool-logging/logging.yaml"}
+	nb.Spec.Template.Spec.Containers[0].Command = []string{
+		"/usr/local/bin/dumb-init", "--", "bash", "-c", "mkdir /etc/pki/ca-trust/extracted/{pem,java,edk2,openssl} && update-ca-trust && /usr/local/bin/nodepool-builder -f -l /etc/nodepool-logging/logging.yaml",
+	}
 	nb.Spec.Template.Spec.Containers[0].VolumeMounts = volumeMounts
 	nb.Spec.Template.Spec.Containers[0].Env = r.getNodepoolConfigEnvs()
 
@@ -604,6 +610,7 @@ func (r *SFController) DeployNodepoolLauncher(statsdExporterVolume apiv1.Volume,
 		base.MkVolumeSecret(NodepoolProvidersSecretsName),
 		base.MkEmptyDirVolume("nodepool-config"),
 		base.MkEmptyDirVolume("nodepool-home"),
+		base.MkEmptyDirVolume("nodepool-ca"),
 		r.commonToolingVolume(),
 		base.MkVolumeCM("nodepool-launcher-extra-config-vol",
 			"nodepool-launcher-extra-config-config-map"),
@@ -620,6 +627,10 @@ func (r *SFController) DeployNodepoolLauncher(statsdExporterVolume apiv1.Volume,
 			Name:      "nodepool-config",
 			MountPath: "/etc/nodepool/",
 		},
+		{
+			Name:      "nodepool-ca",
+			MountPath: "/etc/pki/ca-trust/extracted",
+		},
 		{
 			Name:      "nodepool-home",
 			MountPath: "/var/lib/nodepool",
@@ -650,8 +661,9 @@ func (r *SFController) DeployNodepoolLauncher(statsdExporterVolume apiv1.Volume,
 
 	container := base.MkContainer("launcher", base.NodepoolLauncherImage)
 	container.VolumeMounts = volumeMounts
-	container.Command = []string{"/usr/local/bin/dumb-init", "--",
-		"/usr/local/bin/nodepool-launcher", "-f", "-l", "/etc/nodepool-logging/logging.yaml"}
+	container.Command = []string{
+		"/usr/local/bin/dumb-init", "--", "bash", "-c", "mkdir /etc/pki/ca-trust/extracted/{pem,java,edk2,openssl} && update-ca-trust && /usr/local/bin/nodepool-launcher -f -l /etc/nodepool-logging/logging.yaml",
+	}
 	container.Env = r.getNodepoolConfigEnvs()
 
 	extraLoggingEnvVars := logging.SetupLogForwarding("nodepool-launcher", r.cr.Spec.FluentBitLogForwarding, nodepoolFluentBitLabels, annotations)

diff --git a/controllers/zuul.go b/controllers/zuul.go
@@ -122,6 +122,10 @@ func (r *SFController) mkZuulContainer(service string) []apiv1.Container {
 			ReadOnly:  true,
 			SubPath:   "ca.crt",
 		},
+		{
+			Name:      "zuul-ca",
+			MountPath: "/etc/pki/ca-trust/extracted",
+		},
 	}
 	envs := []apiv1.EnvVar{
 		base.MkEnvVar("REQUESTS_CA_BUNDLE", "/etc/ssl/certs/ca-bundle.crt"),
@@ -149,7 +153,7 @@ func (r *SFController) mkZuulContainer(service string) []apiv1.Container {
 	container := apiv1.Container{
 		Name:         service,
 		Image:        base.ZuulImage(service),
-		Command:      []string{"/usr/local/bin/dumb-init", "--", "/usr/local/bin/" + service, "-f", "-d"},
+		Command:      []string{"/usr/local/bin/dumb-init", "--", "bash", "-c", "mkdir /etc/pki/ca-trust/extracted/{pem,java,edk2,openssl} && update-ca-trust && /usr/local/bin/" + service + " -f -d"},
 		Env:          envs,
 		VolumeMounts: volumes,
 	}
@@ -175,6 +179,7 @@ func mkZuulVolumes(service string, r *SFController) []apiv1.Volume {
 		},
 		base.MkVolumeCM("statsd-config", "zuul-statsd-config-map"),
 		base.MkVolumeCM("extra-config", "zuul-extra-config-map"),
+		base.MkEmptyDirVolume("zuul-ca"),
 	}
 	if !isStatefulset(service) {
 		// statefulset already has a PV for the service-name,