Update volumes path to /var/lib/ service cert + key

This commit updates the mounting path for the service certificate and key to /var/lib/. This change eliminates the requirement for the pod to run with root privileges. Signed-off-by: Veronika Fisarova <[email protected]>
openstack-k8s-operators · Jan 5, 2024 · 4abe2fd · 4abe2fd
1 parent 7629711
commit 4abe2fd
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 34 deletions.
diff --git a/modules/common/tls/tls.go b/modules/common/tls/tls.go
@@ -61,12 +61,12 @@ const (
 	PrivateKey = "tls.key"
 	// CAKey - key of the secret entry holding the CA
 	CAKey = "ca.crt"
-	// DefaultCertMountDir - default path to mount cert files inside container
-	DefaultCertMountDir = "/etc/pki/tls/certs"
-	// DefaultKeyMountDir - default path to mount cert keys inside container
-	DefaultKeyMountDir = "/etc/pki/tls/private"
+	// DefaultCertMountDir - updated default path to mount cert files inside container
+	DefaultCertMountDir = "/var/lib/config-data/tls/certs"
+	// DefaultKeyMountDir - updated default path to mount cert keys inside container
+	DefaultKeyMountDir = "/var/lib/config-data/tls/private"
 
-	// TLSHashName - Name of the hash of hashes of all cert resources used to indentify a change
+	// TLSHashName - Name of the hash of hashes of all cert resources used to identify a change
 	TLSHashName = "certs"
 )
 
@@ -387,7 +387,7 @@ func (s *Service) CreateVolume(serviceID string) corev1.Volume {
 			VolumeSource: corev1.VolumeSource{
 				Secret: &corev1.SecretVolumeSource{
 					SecretName:  s.SecretName,
-					DefaultMode: ptr.To[int32](0440),
+					DefaultMode: ptr.To[int32](0400),
 				},
 			},
 		}

diff --git a/modules/common/tls/tls_test.go b/modules/common/tls/tls_test.go
@@ -147,59 +147,41 @@ func TestServiceCreateVolumeMounts(t *testing.T) {
 			id:      "foo",
 			want: []corev1.VolumeMount{
 				{
-					MountPath: "/etc/pki/tls/certs/foo.crt",
+					MountPath: "/var/lib/config-data/tls/certs/foo.crt",
 					Name:      "foo-tls-certs",
 					ReadOnly:  true,
 					SubPath:   "tls.crt",
 				},
 				{
-					MountPath: "/etc/pki/tls/private/foo.key",
+					MountPath: "/var/lib/config-data/tls/private/foo.key",
 					Name:      "foo-tls-certs",
 					ReadOnly:  true,
 					SubPath:   "tls.key",
 				},
 			},
 		},
-		{
-			name:    "Only TLS Secret no serviceID",
-			service: &Service{SecretName: "cert-secret"},
-			want: []corev1.VolumeMount{
-				{
-					MountPath: "/etc/pki/tls/certs/default.crt",
-					Name:      "default-tls-certs",
-					ReadOnly:  true,
-					SubPath:   "tls.crt",
-				},
-				{
-					MountPath: "/etc/pki/tls/private/default.key",
-					Name:      "default-tls-certs",
-					ReadOnly:  true,
-					SubPath:   "tls.key",
-				},
-			},
-		},
 		{
 			name: "TLS and CA Secrets",
 			service: &Service{
 				SecretName: "cert-secret",
-				CaMount:    ptr.To("/mount/my/ca.crt"),
+				CaMount:    ptr.To("/var/lib/config-data/ca-bundle/ca.crt"),
 			},
 			id: "foo",
 			want: []corev1.VolumeMount{
 				{
-					MountPath: "/etc/pki/tls/certs/foo.crt",
+					MountPath: "/var/lib/config-data/tls/certs/foo.crt",
 					Name:      "foo-tls-certs",
 					ReadOnly:  true,
 					SubPath:   "tls.crt",
 				},
 				{
-					MountPath: "/etc/pki/tls/private/foo.key",
+					MountPath: "/var/lib/config-data/tls/private/foo.key",
 					Name:      "foo-tls-certs",
 					ReadOnly:  true,
 					SubPath:   "tls.key",
 				},
 				{
-					MountPath: "/mount/my/ca.crt",
+					MountPath: "/var/lib/config-data/ca-bundle/ca.crt",
 					Name:      "foo-tls-certs",
 					ReadOnly:  true,
 					SubPath:   "ca.crt",
@@ -240,7 +222,7 @@ func TestServiceCreateVolume(t *testing.T) {
 				VolumeSource: corev1.VolumeSource{
 					Secret: &corev1.SecretVolumeSource{
 						SecretName:  "cert-secret",
-						DefaultMode: ptr.To[int32](0440),
+						DefaultMode: ptr.To[int32](0400),
 					},
 				},
 			},
@@ -253,7 +235,7 @@ func TestServiceCreateVolume(t *testing.T) {
 				VolumeSource: corev1.VolumeSource{
 					Secret: &corev1.SecretVolumeSource{
 						SecretName:  "cert-secret",
-						DefaultMode: ptr.To[int32](0440),
+						DefaultMode: ptr.To[int32](0400),
 					},
 				},
 			},
@@ -381,14 +363,14 @@ func TestCreateDatabaseClientConfig(t *testing.T) {
 			name:         "TLS Secret specified",
 			service:      Service{SecretName: "test-tls-secret"},
 			serviceID:    "foo",
-			wantStmts:    []string{"ssl=1", "ssl-cert=/etc/pki/tls/certs/foo.crt", "ssl-key=/etc/pki/tls/private/foo.key", "ssl-ca=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"},
+			wantStmts:    []string{"ssl=1", "ssl-cert=/var/lib/config-data/tls/certs/foo.crt", "ssl-key=/var/lib/config-data/tls/private/foo.key", "ssl-ca=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"},
 			excludeStmts: []string{},
 		},
 		{
 			name:         "TLS and CA custom mount",
 			service:      Service{SecretName: "test-tls-secret", CaMount: ptr.To("/some/path/ca.crt")},
 			serviceID:    "foo",
-			wantStmts:    []string{"ssl=1", "ssl-cert=/etc/pki/tls/certs/foo.crt", "ssl-key=/etc/pki/tls/private/foo.key", "ssl-ca=/some/path/ca.crt"},
+			wantStmts:    []string{"ssl=1", "ssl-cert=/var/lib/config-data/tls/certs/foo.crt", "ssl-key=/var/lib/config-data/tls/private/foo.key", "ssl-ca=/some/path/ca.crt"},
 			excludeStmts: []string{},
 		},
 		{