Update volumes path to /var/lib/ service cert + key
This commit updates the mounting path for the service certificate and key to /var/lib/. This change eliminates the requirement for the pod to run with root privileges.

Signed-off-by: Veronika Fisarova <[email protected]>
Deydra71 committed Jan 5, 2024
1 parent 7629711 commit 24d9736
Showing 2 changed files with 108 additions and 54 deletions.
50 changes: 38 additions & 12 deletions modules/common/tls/tls.go
Expand Up @@ -61,12 +61,12 @@ const (
PrivateKey = "tls.key"
// CAKey - key of the secret entry holding the CA
CAKey = "ca.crt"
// DefaultCertMountDir - default path to mount cert files inside container
DefaultCertMountDir = "/etc/pki/tls/certs"
// DefaultKeyMountDir - default path to mount cert keys inside container
DefaultKeyMountDir = "/etc/pki/tls/private"
// DefaultCertMountDir - updated default path to mount cert files inside container
DefaultCertMountDir = "/var/lib/config-data/tls/certs"
// DefaultKeyMountDir - updated default path to mount cert keys inside container
DefaultKeyMountDir = "/var/lib/config-data/tls/private"

// TLSHashName - Name of the hash of hashes of all cert resources used to indentify a change
// TLSHashName - Name of the hash of hashes of all cert resources used to identify a change
TLSHashName = "certs"
)

Expand Down Expand Up @@ -376,24 +376,50 @@ func (s *Service) CreateVolumeMounts(serviceID string) []corev1.VolumeMount {
}

// CreateVolume - add volume for TLS certificates and CA certificate for the service
func (s *Service) CreateVolume(serviceID string) corev1.Volume {
volume := corev1.Volume{}
func (s *Service) CreateVolume(serviceID string) []corev1.Volume {
volumes := []corev1.Volume{}
if serviceID == "" {
serviceID = "default"
}
if s.SecretName != "" {
volume = corev1.Volume{
Name: serviceID + "-tls-certs",
// Volume for the private key with read-only permission for the owner
privateKeyVolume := corev1.Volume{
Name: serviceID + "-tls-private-key",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: s.SecretName,
Items: []corev1.KeyToPath{
{
Key: PrivateKey,
Path: "tls.key",
Mode: ptr.To[int32](0400),
},
},
},
},
}

// Volume for the public cert with read-only permissions for the owner and the group
publicCertVolume := corev1.Volume{
Name: serviceID + "-tls-public-cert",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: s.SecretName,
DefaultMode: ptr.To[int32](0440),
SecretName: s.SecretName,
Items: []corev1.KeyToPath{
{
Key: CertKey,
Path: "tls.crt",
Mode: ptr.To[int32](0440),
},
},
},
},
}

volumes = append(volumes, privateKeyVolume, publicCertVolume)
}

return volume
return volumes
}

// CreateVolumeMounts creates volume mounts for CA bundle file
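Review bot: The two volumes built in the CreateVolume hunk are now named `serviceID + "-tls-private-key"` and `serviceID + "-tls-public-cert"`, yet the mounts this commit leaves untouched still reference `<serviceID>-tls-certs` (the unchanged `Name: "foo-tls-certs"` expectations in the CreateVolumeMounts cases of tls_test.go show this), so unless CreateVolumeMounts was changed outside this diff every mount points at a volume that no longer exists and the pod spec is rejected; the mounts also need splitting so `tls.key` comes from the private-key volume and `tls.crt` from the public-cert volume. The doc comment `// CreateVolume - add volume for TLS certificates and CA certificate for the service` is stale on both counts — the function now returns a slice and neither volume carries the CA entry — so I would replace it with `// CreateVolume - returns the secret-backed volumes for the service TLS private key (mode 0400) and certificate (mode 0440); empty when SecretName is unset`. If I read the kubelet's secret-volume handling correctly, the projected files are owned by root unless the pod sets fsGroup, in which case they are widened to group-readable, so the 0400 on the key either blocks a non-root service from reading it or is effectively 0440; a one-line comment stating which fsGroup assumption this relies on would save the next reader that investigation. The CreateVolumeMounts body named in the hunk header lies outside this hunk.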
112 changes: 70 additions & 42 deletions modules/common/tls/tls_test.go
Expand Up @@ -147,59 +147,41 @@ func TestServiceCreateVolumeMounts(t *testing.T) {
id: "foo",
want: []corev1.VolumeMount{
{
MountPath: "/etc/pki/tls/certs/foo.crt",
MountPath: "/var/lib/config-data/tls/certs/foo.crt",
Name: "foo-tls-certs",
ReadOnly: true,
SubPath: "tls.crt",
},
{
MountPath: "/etc/pki/tls/private/foo.key",
MountPath: "/var/lib/config-data/tls/private/foo.key",
Name: "foo-tls-certs",
ReadOnly: true,
SubPath: "tls.key",
},
},
},
{
name: "Only TLS Secret no serviceID",
service: &Service{SecretName: "cert-secret"},
want: []corev1.VolumeMount{
{
MountPath: "/etc/pki/tls/certs/default.crt",
Name: "default-tls-certs",
ReadOnly: true,
SubPath: "tls.crt",
},
{
MountPath: "/etc/pki/tls/private/default.key",
Name: "default-tls-certs",
ReadOnly: true,
SubPath: "tls.key",
},
},
},
{
name: "TLS and CA Secrets",
service: &Service{
SecretName: "cert-secret",
CaMount: ptr.To("/mount/my/ca.crt"),
CaMount: ptr.To("/var/lib/config-data/ca-bundle/ca.crt"),
},
id: "foo",
want: []corev1.VolumeMount{
{
MountPath: "/etc/pki/tls/certs/foo.crt",
MountPath: "/var/lib/config-data/tls/certs/foo.crt",
Name: "foo-tls-certs",
ReadOnly: true,
SubPath: "tls.crt",
},
{
MountPath: "/etc/pki/tls/private/foo.key",
MountPath: "/var/lib/config-data/tls/private/foo.key",
Name: "foo-tls-certs",
ReadOnly: true,
SubPath: "tls.key",
},
{
MountPath: "/mount/my/ca.crt",
MountPath: "/var/lib/config-data/ca-bundle/ca.crt",
Name: "foo-tls-certs",
ReadOnly: true,
SubPath: "ca.crt",
Expand All @@ -224,36 +206,82 @@ func TestServiceCreateVolume(t *testing.T) {
name string
service *Service
id string
want corev1.Volume
want []corev1.Volume // Change the expected type to a slice of volumes
}{
{
name: "No Secrets",
service: &Service{},
want: corev1.Volume{},
want: []corev1.Volume{}, // Change the expected type to a slice of volumes
},
{
name: "Only TLS Secret",
service: &Service{SecretName: "cert-secret"},
id: "foo",
want: corev1.Volume{
Name: "foo-tls-certs",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: "cert-secret",
DefaultMode: ptr.To[int32](0440),
want: []corev1.Volume{ // Change the expected type to a slice of volumes
{
Name: "foo-tls-private-key",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: "cert-secret",
Items: []corev1.KeyToPath{
{
Key: PrivateKey,
Path: "tls.key",
Mode: ptr.To[int32](0400),
},
},
},
},
},
{
Name: "foo-tls-public-cert",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: "cert-secret",
Items: []corev1.KeyToPath{
{
Key: CertKey,
Path: "tls.crt",
Mode: ptr.To[int32](0440),
},
},
},
},
},
},
},
{
name: "Only TLS Secret no serviceID",
service: &Service{SecretName: "cert-secret"},
want: corev1.Volume{
Name: "default-tls-certs",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: "cert-secret",
DefaultMode: ptr.To[int32](0440),
want: []corev1.Volume{ // Change the expected type to a slice of volumes
{
Name: "default-tls-private-key",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: "cert-secret",
Items: []corev1.KeyToPath{
{
Key: PrivateKey,
Path: "tls.key",
Mode: ptr.To[int32](0400),
},
},
},
},
},
{
Name: "default-tls-public-cert",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: "cert-secret",
Items: []corev1.KeyToPath{
{
Key: CertKey,
Path: "tls.crt",
Mode: ptr.To[int32](0440),
},
},
},
},
},
},
Expand All @@ -264,8 +292,8 @@ func TestServiceCreateVolume(t *testing.T) {
t.Run(tt.name, func(t *testing.T) {
g := NewWithT(t)

volume := tt.service.CreateVolume(tt.id)
g.Expect(volume).To(Equal(tt.want))
volumes := tt.service.CreateVolume(tt.id)
g.Expect(volumes).To(Equal(tt.want))
})
}
}
Expand Down Expand Up @@ -381,14 +409,14 @@ func TestCreateDatabaseClientConfig(t *testing.T) {
name: "TLS Secret specified",
service: Service{SecretName: "test-tls-secret"},
serviceID: "foo",
wantStmts: []string{"ssl=1", "ssl-cert=/etc/pki/tls/certs/foo.crt", "ssl-key=/etc/pki/tls/private/foo.key", "ssl-ca=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"},
wantStmts: []string{"ssl=1", "ssl-cert=/var/lib/config-data/tls/certs/foo.crt", "ssl-key=/var/lib/config-data/tls/private/foo.key", "ssl-ca=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"},
excludeStmts: []string{},
},
{
name: "TLS and CA custom mount",
service: Service{SecretName: "test-tls-secret", CaMount: ptr.To("/some/path/ca.crt")},
serviceID: "foo",
wantStmts: []string{"ssl=1", "ssl-cert=/etc/pki/tls/certs/foo.crt", "ssl-key=/etc/pki/tls/private/foo.key", "ssl-ca=/some/path/ca.crt"},
wantStmts: []string{"ssl=1", "ssl-cert=/var/lib/config-data/tls/certs/foo.crt", "ssl-key=/var/lib/config-data/tls/private/foo.key", "ssl-ca=/some/path/ca.crt"},
excludeStmts: []string{},
},
{
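Review bot: The comment `// Change the expected type to a slice of volumes` is repeated on four lines of the TestServiceCreateVolume table and narrates the edit rather than the code; the `want []corev1.Volume` field type already says it, so the four copies should be dropped. The `No Secrets` case asserts `Equal([]corev1.Volume{})`, which under reflect.DeepEqual distinguishes an empty slice from a nil one, so the test will break the moment CreateVolume is rewritten to the idiomatic `var volumes []corev1.Volume`; `g.Expect(volumes).To(BeEmpty())` checks the intended behaviour without pinning the representation. Since the point of the change is that the key and the certificate get different permissions, a small case that asserts the `PrivateKey` item carries `Mode: ptr.To[int32](0400)` and the `CertKey` item `0440` would document that intent more clearly than the large literal structs. The remainder of TestServiceCreateVolume and of TestCreateDatabaseClientConfig continue outside the shown hunks.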
