Add custom root ca certificate via configmap

Signed-off-by: Brant Evans <bevans@redhat.com>
2024-10-27 00:55:06 +03:00 · 2020-09-22 14:27:05 -07:00 · 2020-09-22 14:27:05 -07:00 · 512da5a01c
commit 512da5a01c
parent 31cd36b768
5 changed files with 76 additions and 2 deletions
--- a/installer/inventory
+++ b/installer/inventory
@ -91,6 +91,12 @@ pg_database=awx
 pg_port=5432
 #pg_sslmode=require

+# If requiring SSL communication (e.g. pg_sslmode='verify-full') with Postgres
+# and using a self-signed certificate or a certificate signed by a custom CA
+# set pg_root_ca_file to a file containing the self-signed certificate or the
+# root CA certificate chain.
+# pg_root_ca_file='example_root_ca.crt'
+
 # The following variable is only required when using the provided
 # containerized postgres deployment on OpenShift
 # pg_admin_password=postgrespass
--- a/installer/roles/kubernetes/tasks/main.yml
+++ b/installer/roles/kubernetes/tasks/main.yml
@ -201,6 +201,34 @@
  set_fact:
    kubernetes_deployment_api_version: "{{ 'apps/v1' if kube_api_version is version('1.9', '>=') else 'apps/v1beta1' }}"

+- name: Use Custom Root CA file for PosgtreSQL SSL communication
+  block:
+    - name: Get Root CA file contents
+      set_fact:
+        postgres_root_ca_cert: "{{ lookup('file', pg_root_ca_file) }}"
+      no_log: true
+
+    - name: Render Root CA template
+      set_fact:
+        postgres_root_ca: "{{ lookup('template', 'postgres_root_ca.yml.j2') }}"
+      no_log: true
+
+    - name: Apply Root CA template
+      shell: |
+        echo {{ postgres_root_ca | quote }} | {{ kubectl_or_oc }} apply -f -
+      no_log: true
+
+    - name: Set Root CA file name
+      set_fact:
+        postgres_root_ca_filename: 'postgres_root_ca.crt'
+
+    - name: Set Root CA file location
+      set_fact:
+        ca_trust_bundle: '/etc/tower/{{ postgres_root_ca_filename }}'
+  when:
+    - pg_root_ca_file is defined
+    - pg_root_ca_file != ''
+
 - name: Render deployment templates
  set_fact:
    "{{ item }}": "{{ lookup('template', item + '.yml.j2') }}"
--- a/installer/roles/kubernetes/templates/deployment.yml.j2
+++ b/installer/roles/kubernetes/templates/deployment.yml.j2
@ -171,6 +171,12 @@ spec:
              value: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 {% endif %}
          volumeMounts:
+{% if postgres_root_ca_cert is defined %}
+            - name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
+              mountPath: {{ ca_trust_bundle }}
+              subPath: {{ postgres_root_ca_filename }}
+              readOnly: true
+{% endif %}
            - name: supervisor-socket
              mountPath: "/var/run/supervisor"
            - name: rsyslog-socket
@ -258,6 +264,12 @@ spec:
            - /usr/bin/launch_awx_task.sh
          imagePullPolicy: Always
          volumeMounts:
+{% if postgres_root_ca_cert is defined %}
+            - name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
+              mountPath: {{ ca_trust_bundle }}
+              subPath: {{ postgres_root_ca_filename }}
+              readOnly: true
+{% endif %}
            - name: supervisor-socket
              mountPath: "/var/run/supervisor"
            - name: rsyslog-socket
@ -386,6 +398,14 @@ spec:
 {{ affinity | to_nice_yaml(indent=2) | indent(width=8, indentfirst=True) }}
 {% endif %}
      volumes:
+{% if postgres_root_ca_cert is defined %}
+        - name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
+          configMap:
+            name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
+            items:
+            - key: postgres_root_ca.crt
+              path: postgres_root_ca.crt
+{% endif %}
        - name: supervisor-socket
          emptyDir: {}
        - name: rsyslog-socket
--- a/installer/roles/kubernetes/templates/management-pod.yml.j2
+++ b/installer/roles/kubernetes/templates/management-pod.yml.j2
@ -25,7 +25,12 @@ spec:
          mountPath: "/etc/tower/settings.py"
          subPath: settings.py
          readOnly: true
-
+{% if postgres_root_ca_cert is defined %}
+        - name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
+          mountPath: {{ ca_trust_bundle }}
+          subPath: {{ postgres_root_ca_filename }}
+          readOnly: true
+{% endif %}
        - name: "{{ kubernetes_deployment_name }}-application-credentials"
          mountPath: "/etc/tower/conf.d/"
          readOnly: true
@ -70,7 +75,14 @@ spec:
        items:
          - key: {{ kubernetes_deployment_name }}_settings
            path: settings.py
-
+{% if postgres_root_ca_cert is defined %}
+    - name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
+      configMap:
+        name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
+        items:
+        - key: postgres_root_ca.crt
+          path: postgres_root_ca.crt
+{% endif %}
    - name: {{ kubernetes_deployment_name }}-secret-key
      secret:
        secretName: "{{ kubernetes_deployment_name }}-secrets"
--- a/installer/roles/kubernetes/templates/postgres_root_ca.yml.j2
+++ b/installer/roles/kubernetes/templates/postgres_root_ca.yml.j2
@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
+  namespace: {{ kubernetes_namespace }}
+data:
+  postgres_root_ca.crt: |
+    {{ postgres_root_ca_cert | indent(width=4) }}