Merge pull request #1595 from bradbeam/cacerts

Fixing CA certificate locations for k8s components

roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2

@@ -105,9 +105,14 @@ spec:
     - mountPath: {{ kube_config_dir }}
       name: kubernetes-config
       readOnly: true
-    - mountPath: /etc/ssl/certs
+    - mountPath: /etc/ssl
       name: ssl-certs-host
       readOnly: true
+{% for dir in ssl_ca_dirs %}
+    - mountPath: {{ dir }}
+      name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+      readOnly: true
+{% endfor %}
     - mountPath: {{ etcd_cert_dir }}
       name: etcd-certs
       readOnly: true
@@ -120,9 +125,14 @@ spec:
   - hostPath:
       path: {{ kube_config_dir }}
     name: kubernetes-config
-  - hostPath:
-      path: /etc/ssl/certs/
-    name: ssl-certs-host
+  - name: ssl-certs-host
+    hostPath:
+      path: /etc/ssl
+{% for dir in ssl_ca_dirs %}
+  - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+    hostPath:
+      path: {{ dir }}
+{% endfor %}
   - hostPath:
       path: {{ etcd_cert_dir }}
     name: etcd-certs

roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2

@@ -70,9 +70,14 @@ spec:
       initialDelaySeconds: 30
       timeoutSeconds: 10
     volumeMounts:
-    - mountPath: /etc/ssl/certs
+    - mountPath: /etc/ssl
       name: ssl-certs-host
       readOnly: true
+{% for dir in ssl_ca_dirs %}
+    - mountPath: {{ dir }}
+      name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+      readOnly: true
+{% endfor %}
     - mountPath: "{{kube_config_dir}}/ssl"
       name: etc-kube-ssl
       readOnly: true
@@ -87,11 +92,12 @@ spec:
   volumes:
   - name: ssl-certs-host
     hostPath:
-{% if ansible_os_family == 'RedHat' %}
-      path: /etc/pki/tls
-{% else %}
-      path: /usr/share/ca-certificates
-{% endif %}
+      path: /etc/ssl
+{% for dir in ssl_ca_dirs %}
+  - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+    hostPath:
+      path: {{ dir }}
+{% endfor %}
   - name: etc-kube-ssl
     hostPath:
       path: "{{ kube_config_dir }}/ssl"

roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2

@@ -45,9 +45,14 @@ spec:
       initialDelaySeconds: 30
       timeoutSeconds: 10
     volumeMounts:
-    - mountPath: /etc/ssl/certs
+    - mountPath: /etc/ssl
       name: ssl-certs-host
       readOnly: true
+{% for dir in ssl_ca_dirs %}
+    - mountPath: {{ dir }}
+      name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+      readOnly: true
+{% endfor %}
     - mountPath: "{{ kube_config_dir }}/ssl"
       name: etc-kube-ssl
       readOnly: true
@@ -57,11 +62,12 @@ spec:
   volumes:
   - name: ssl-certs-host
     hostPath:
-{% if ansible_os_family == 'RedHat' %}
-      path: /etc/pki/tls
-{% else %}
-      path: /usr/share/ca-certificates
-{% endif %}
+      path: /etc/ssl
+{% for dir in ssl_ca_dirs %}
+  - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
+    hostPath:
+      path: {{ dir }}
+{% endfor %}
   - name: etc-kube-ssl
     hostPath:
       path: "{{ kube_config_dir }}/ssl"