You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
For use with Cluster trust bundles. The way a CA bundle is added to the container's CA trust store depends on the distro:
Debian distros:
Place the certificates in /usr/local/share/ca-certificates with .crt extension.
Run update-ca-certificates as root.
The output is at /etc/ssl/certs/ which is where we want to mount our volume to be populated.
Redhat distros:
Place the certificates in /usr/share/pki/ca-trust-source/anchors with .pem extension.
Run update-ca-trust as root.
The output is at /etc/pki/ca-trust/extracted which is where we want to mount our volume to be populated.
I plan to mount a volume at the appropriate location for my containers and would like it to be populated with the contents of the CA trust store in the expected layout based on distro.
Limitiations of the current implementation
Only the PV can be mounted. Cluster trust bundles cannot be mounted.
The volume mount path is passed to the controller. Therefore, one controller is required for each volume mount path.
The command that must be run cannot be provided directly via the command field - update-ca-trust vs update-ca-certificates
How I would like to implement this.
Currently we have a callback to get the pod container arguments. Rather we should have a callback for the entire pods spec. The CRD is already being provided as a callback argument.
Then we can use the CRD to provide these variables. One CRD for each type of distro - RedhatCaTrustStore, DebianCaTrustStore.
k8s-ci-robot
added
lifecycle/rotten
Denotes an issue or PR that has aged beyond stale and will be auto-closed.
and removed
lifecycle/stale
Denotes an issue or PR has remained open with no activity and has become stale.
labels
Dec 30, 2024
Use Case and Context
For use with Cluster trust bundles. The way a CA bundle is added to the container's CA trust store depends on the distro:
Debian distros:
/usr/local/share/ca-certificates
with .crt extension.update-ca-certificates
as root./etc/ssl/certs/
which is where we want to mount our volume to be populated.Redhat distros:
/usr/share/pki/ca-trust-source/anchors
with .pem extension.update-ca-trust
as root./etc/pki/ca-trust/extracted
which is where we want to mount our volume to be populated.I plan to mount a volume at the appropriate location for my containers and would like it to be populated with the contents of the CA trust store in the expected layout based on distro.
Limitiations of the current implementation
command
field -update-ca-trust
vsupdate-ca-certificates
How I would like to implement this.
Currently we have a callback to get the pod container arguments. Rather we should have a callback for the entire pods spec. The CRD is already being provided as a callback argument.
Then we can use the CRD to provide these variables. One CRD for each type of distro -
RedhatCaTrustStore
,DebianCaTrustStore
.My container's PVC can reference what type of distro it'd like to use.
A single controller will be able to handle both these scenarios as well.
The text was updated successfully, but these errors were encountered: