fix: Allow CA bundle path without config map #4451
Conversation
| ca_bundle_full_path = ( | ||
| global_ca_bundle_volume_mount_path + "/cabundle.crt" | ||
| ) | ||
| isvc_aws_ca_bundle_path = os.getenv("AWS_CA_BUNDLE") |
There was a problem hiding this comment.
The AWS_CA_BUNDLE environment variable is used to specify the path to the CA file, under the assumption that the CA is already present inside the pod. However, shouldn’t there be a logic to check whether this file actually exists?
Also, in the OpenShift use case, it's said that the service-ca.crt file is always present, but in reality, this is controlled by configuration. For example, in this link, if the value is set to false, the file is not attached to the pod. Our team discussed whether we really can remove this file from runtime. @VedantMahabaleshwarkar can you please share the result ?
There was a problem hiding this comment.
There is a check for the file existence lower. I am just splitting the logic between AWS_CA_BUNDLE and CA_BUNDLE_VOLUME_MOUNT_POINT environment variables. Then, the if os.path.exists(ca_bundle_full_path): block is checking the file.
There was a problem hiding this comment.
Yes I missed the part! then I am ok with this change :)
| ca_bundle_full_path = ( | ||
| global_ca_bundle_volume_mount_path + "/cabundle.crt" | ||
| ) | ||
| isvc_aws_ca_bundle_path = os.getenv("AWS_CA_B 8000 UNDLE") |
There was a problem hiding this comment.
Yes I missed the part! then I am ok with this change :)
|
/ok-to-test |
2744a5b to
9c1b57a
Compare
In the previous code, the AWS_CA_BUNDLE environment variable is only considered if the CA_BUNDLE_CONFIGMAP_NAME environment variable is set, while the doc doesn't explicitely tie they together. This change allows using AWS_CA_BUNDLE independently to leverage a CA bundle certificate that would be preexistent in the image or injected by Kubernetes in a known path. One use case is leveraging OpenShift service serving certificates, which injects the service CA in the containers via a projected ConfigMap. The service CA is always available in /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt. Signed-off-by: Fabien Dupont <fabiendupont@pm.me>
a89179c to
2f3fbda
Compare
|
@fabiendupont Can you add a unit test for this ? |
What this PR does / why we need it:
In the previous code, the AWS_CA_BUNDLE environment variable is only considered if the CA_BUNDLE_CONFIGMAP_NAME environment variable is set, while the doc doesn't explicitely tie they together. This change allows using AWS_CA_BUNDLE independently to leverage a CA bundle certificate that would be preexisting in the image or injected by Kubernetes in a known path.
One use case is leveraging OpenShift service serving certificates, which injects the service CA in the containers via a projected ConfigMap. The service CA is always available in
/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt.
The documentation already says that this variable can be used to set the path to the CA bundle, while the ConfigMap uses a static file name (cabundle.crt) located in the ConfigMap volume mount point.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Type of changes
Please delete options that are not relevant.