Change way how certificates are mounted into the container

Author: notandy

Makefile

@@ -216,7 +216,7 @@ build-helm: helm
 	mkdir -p dist
 	helm package charts/kvm-node-agent -d dist/
 
-upload-helm: build-helm
+helm-push: build-helm
 	helm push dist/kvm-node-agent* ${OCI}
 
 # go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist

charts/kvm-node-agent/templates/daemonset.yaml

@@ -69,8 +69,31 @@ spec:
         - mountPath: /etc/os-release
           name: os-release
           readOnly: true
-        - mountPath: /pki
-          name: pki
+        - mountPath: /pki/CA
+          name: pki-ca
+        - mountPath: /pki/libvirt
+          name: pki-libvirt
+        - mountPath: /pki/qemu
+          name: pki-qemu
+      initContainers:
+      - command:
+        - sh
+        - -c
+        - cd /host/etc/pki && for i in CA libvirt qemu; do if [ -L ${i} ]; then rm ${i};
+          fi; done && mkdir -p CA libvirt qemu && chown 42438:42438 CA libvirt qemu && chmod
+          0755 CA libvirt qemu
+        env:
+        - name: KUBERNETES_CLUSTER_DOMAIN
+          value: {{ quote .Values.kubernetesClusterDomain }}
+        image: {{ .Values.controllerManager.createPkiDirs.image.repository }}:{{ .Values.controllerManager.createPkiDirs.image.tag
+          | default .Chart.AppVersion }}
+        name: create-pki-dirs
+        resources: {}
+        securityContext: {{- toYaml .Values.controllerManager.createPkiDirs.containerSecurityContext
+          | nindent 10 }}
+        volumeMounts:
+        - mountPath: /host
+          name: host
       nodeSelector: {{- toYaml .Values.controllerManager.nodeSelector | nindent 8 }}
       securityContext: {{- toYaml .Values.controllerManager.podSecurityContext | nindent
         8 }}
@@ -94,6 +117,17 @@ spec:
           type: File
         name: os-release
       - hostPath:
-          path: /var/lib/kvm-node-agent
-          type: Directory
-        name: pki
+          path: /etc/pki/CA
+          type: DirectoryOrCreate
+        name: pki-ca
+      - hostPath:
+          path: /etc/pki/libvirt
+          type: DirectoryOrCreate
+        name: pki-libvirt
+      - hostPath:
+          path: /etc/pki/qemu
+          type: DirectoryOrCreate
+        name: pki-qemu
+      - hostPath:
+          path: /
+        name: host

charts/kvm-node-agent/values.yaml

@@ -1,4 +1,10 @@
 controllerManager:
+  createPkiDirs:
+    containerSecurityContext:
+      runAsUser: 0
+    image:
+      repository: busybox
+      tag: "1.28"
   manager:
     args:
     - --health-probe-bind-address=:8081
@@ -23,7 +29,6 @@ controllerManager:
   nodeSelector:
     nova.openstack.cloud.sap/virt-driver: libvirt
   podSecurityContext:
-    runAsNonRoot: true
     supplementalGroups:
     - 108
   serviceAccount:

config/manager/manager.yaml

@@ -53,9 +53,18 @@ spec:
       #             values:
       #               - linux
       securityContext:
-        runAsNonRoot: true
+      #  runAsNonRoot: true
         supplementalGroups:
           - 108 # libvirt group
+      initContainers:
+      - name: create-pki-dirs
+        securityContext:
+          runAsUser: 0
+        image: busybox:1.28
+        command: ['sh', '-c', 'cd /host/etc/pki && for i in CA libvirt qemu; do if [ -L ${i} ]; then rm ${i}; fi; done && mkdir -p CA libvirt qemu && chown 42438:42438 CA libvirt qemu && chmod 0755 CA libvirt qemu']
+        volumeMounts:
+        - mountPath: /host
+          name: host
       containers:
       - command:
         - /manager
@@ -115,8 +124,12 @@ spec:
         - mountPath: /etc/os-release
           name: os-release
           readOnly: true
-        - mountPath: /pki
-          name: pki
+        - mountPath: /pki/CA
+          name: pki-ca
+        - mountPath: /pki/libvirt
+          name: pki-libvirt
+        - mountPath: /pki/qemu
+          name: pki-qemu
       serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10
       volumes:
@@ -136,7 +149,18 @@ spec:
         hostPath:
           path: /etc/os-release
           type: File
-      - name: pki
+      - name: pki-ca
+        hostPath:
+          path: /etc/pki/CA
+          type: DirectoryOrCreate
+      - name: pki-libvirt
+        hostPath:
+          path: /etc/pki/libvirt
+          type: DirectoryOrCreate
+      - name: pki-qemu
+        hostPath:
+          path: /etc/pki/qemu
+          type: DirectoryOrCreate
+      - name: host
         hostPath:
-          path: /var/lib/kvm-node-agent
-          type: Directory
+          path: /

internal/certificates/manage_libvirt.go

@@ -159,7 +159,7 @@ func UpdateTLSCertificate(ctx context.Context, data map[string][]byte) error {
 			}
 
 			// write the file
-			if err := os.WriteFile(target, data[source], 0640); err != nil {
+			if err := os.WriteFile(target, data[source], 0644); err != nil {
 				return fmt.Errorf("failed to write targetFile %s: %w", target, err)
 			}
 		}

internal/controller/secret_controller.go

@@ -78,7 +78,7 @@ func (r *SecretReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 
 	// Save the last resource version to file system
 	pki := os.Getenv("PKI_PATH")
-	path := filepath.Join(pki, ".last_resource_version")
+	path := filepath.Join(pki, "CA", ".last_resource_version")
 	if err = os.WriteFile(path, []byte(secret.ResourceVersion), 0600); err != nil {
 		// not a failure condition, just log the error
 		log.Error(err, "failed to write last resource version", "path", path)
@@ -93,7 +93,7 @@ func (r *SecretReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	// Load the last resource version from file system, so we can skip
 	// processing if the resource version hasn't changed
 	pki := os.Getenv("PKI_PATH")
-	path := filepath.Join(pki, ".last_resource_version")
+	path := filepath.Join(pki, "CA", ".last_resource_version")
 	if buf, err := os.ReadFile(path); err != nil {
 		logger.Log.Info("No last resource version found for PKI secrets", "path", path)
 	} else {