fix: trusting public CA from k8s.io container images (#682)
* fix: trusting public CA from k8s.io container images

Signed-off-by: Dario Tranchitella <[email protected]>

* chore(golangci-lint): timeout from configuration file

Signed-off-by: Dario Tranchitella <[email protected]>

---------

Signed-off-by: Dario Tranchitella <[email protected]>
prometherion authored Feb 1, 2025
1 parent d3580c8 commit 1ddaeb3
Showing 3 changed files with 4 additions and 29 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/ci.yaml
Expand Up @@ -20,7 +20,7 @@ jobs:
with:
version: v1.62.2
only-new-issues: false
args: --timeout 5m --config .golangci.yml
args: --config .golangci.yml
diff:
name: diff
runs-on: ubuntu-22.04
3 changes: 3 additions & 0 deletions .golangci.yml
@@ -1,3 +1,6 @@
run:
timeout: 10m

linters-settings:
revive:
rules:
28 changes: 0 additions & 28 deletions internal/builders/controlplane/deployment.go
Expand Up @@ -31,7 +31,6 @@ import (
const (
kubernetesPKIVolumeName = "etc-kubernetes-pki"
caCertificatesVolumeName = "etc-ca-certificates"
sslCertsVolumeName = "etc-ssl-certs"
usrShareCACertificatesVolumeName = "usr-share-ca-certificates"
usrLocalShareCaCertificateVolumeName = "usr-local-share-ca-certificates"
schedulerKubeconfigVolumeName = "scheduler-kubeconfig"
Expand Down Expand Up @@ -162,7 +161,6 @@ func (d Deployment) setVolumes(podSpec *corev1.PodSpec, tcp kamajiv1alpha1.Tenan
for _, fn := range []func(*corev1.PodSpec, kamajiv1alpha1.TenantControlPlane){
d.buildPKIVolume,
d.buildCAVolume,
d.buildSSLCertsVolume,
d.buildShareCAVolume,
d.buildLocalShareCAVolume,
d.buildSchedulerVolume,
Expand Down Expand Up @@ -250,22 +248,6 @@ func (d Deployment) buildCAVolume(podSpec *corev1.PodSpec, tcp kamajiv1alpha1.Te
}
}

func (d Deployment) buildSSLCertsVolume(podSpec *corev1.PodSpec, tcp kamajiv1alpha1.TenantControlPlane) {
found, index := utilities.HasNamedVolume(podSpec.Volumes, sslCertsVolumeName)
if !found {
index = len(podSpec.Volumes)
podSpec.Volumes = append(podSpec.Volumes, corev1.Volume{})
}

podSpec.Volumes[index].Name = sslCertsVolumeName
podSpec.Volumes[index].VolumeSource = corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: tcp.Status.Certificates.CA.SecretName,
DefaultMode: pointer.To(int32(420)),
},
}
}

func (d Deployment) buildShareCAVolume(podSpec *corev1.PodSpec, tcp kamajiv1alpha1.TenantControlPlane) {
found, index := utilities.HasNamedVolume(podSpec.Volumes, usrShareCACertificatesVolumeName)
if !found {
Expand Down Expand Up @@ -521,11 +503,6 @@ func (d Deployment) buildControllerManager(podSpec *corev1.PodSpec, tenantContro
ReadOnly: true,
MountPath: "/etc/ca-certificates",
})
d.ensureVolumeMount(&volumeMounts, corev1.VolumeMount{
Name: sslCertsVolumeName,
ReadOnly: true,
MountPath: "/etc/ssl/certs",
})
d.ensureVolumeMount(&volumeMounts, corev1.VolumeMount{
Name: usrShareCACertificatesVolumeName,
ReadOnly: true,
Expand Down Expand Up @@ -655,11 +632,6 @@ func (d Deployment) buildKubeAPIServer(podSpec *corev1.PodSpec, tenantControlPla
ReadOnly: true,
MountPath: "/etc/ca-certificates",
})
d.ensureVolumeMount(&volumeMounts, corev1.VolumeMount{
Name: sslCertsVolumeName,
ReadOnly: true,
MountPath: "/etc/ssl/certs",
})
d.ensureVolumeMount(&volumeMounts, corev1.VolumeMount{
Name: usrShareCACertificatesVolumeName,
ReadOnly: true,

0 comments on commit 1ddaeb3
