Fix custom CA certificates for task/web/migration #1846
Conversation
- added a new init container init-bundle-ca-trust - added volume ca-trust-extracted to the migration job - added volume ca-trust-extracted to the init container init-database - removed volume bundle-ca from all follow-up containers
|
Thank you for the nice work done on this PR @JoelKle . |
|
@rooftopcellist @fosterseth Could you have a look on this PR? Thx :) |
| securityContext: | ||
| runAsUser: 0 | ||
| runAsGroup: 0 |
There was a problem hiding this comment.
@JoelKle This will break on Openshift. Can we template this in only if is_k8s=true?
There was a problem hiding this comment.
Did update-ca-trust extract require more permissions than just update-ca-trust? I am trying to understand why the securityContext bit was added.
There was a problem hiding this comment.
I removed the whole securityContext block from this PR. Now the init-container behaves as before.
@rooftopcellist Is this fine for you?
TL;DR
Withouth the runAsUser: 0 parameter the init-container runs the update-ca-trust command as uid=1000(awx) gid=0(root). That means the files in the folder /etc/pki/ca-trust/extracted are owned by awx:root
With the runAsUser: 0 parameter all files are owned by root:root which is more accurate.
There was a problem hiding this comment.
The update-ca-trust extract behaves the same as withouth the extract. However with the extract the command may print more warnings, ...
Check the manpage of update-ca-trust extract > "COMMANDS"
SUMMARY
This PR fixes the usage of custom CA certificates in the migration job and improves the existing implementation in the task & web deployment.
During the upgrade to awx 24.0.0, a new pod is created for migration. This pod doesnt contain the custom ca certificate and fails when using external postgres with verify enabled.
PR fixes: #1782
Follow up / Improves: #1800
ISSUE TYPE
ADDITIONAL INFORMATION
This PR is based on the great work of @YassineFadhlaoui in #1782 (comment) and @akkaba23 in #1800 (comment)
The following has changed:
Added a new init container
init-bundle-ca-trustto thetask+webdeployment and to themigrationjobupdate-ca-trust extractifbundle_ca_crtis set.runAsUser: 0Removed the
update-ca-trustcommand from the init containerinit-receptorbecause it will run once in the new init containerinit-bundle-ca-trustRemoved the mounting of the volume
{{ ansible_operator_meta.name }}-bundle-cacertfrom containers that really do not need itAdded the whole
bundle_ca_crtlogic to themigrationjobI've successfully tested that change during my upgrade from awx-operator v2.12.1 to v2.15.0