cluster: bindmount more cert paths

/etc/ssl/certs is currently mounted through in a number of places.
However, on Gentoo and CoreOS (and probably others), the files in
/etc/ssl/certs are just symlinks to files in /usr/share/ca-certificates.

For these components to correctly work, the target of the symlinks needs
to be available as well.

This is especially important for kube-controller-manager, where this
issue was noticed.

This change was originally part of #33965, but was split out for ease of
review.
This commit is contained in:
Euan Kemp
2016-12-07 15:21:53 -08:00
parent ca049360e2
commit b8d2099b3f
6 changed files with 51 additions and 2 deletions


@@ -57,7 +57,10 @@ spec:
privileged: true
volumeMounts:
- mountPath: /etc/ssl/certs
name: ssl-certs-host
name: etc-ssl-certs
readOnly: true
- mountPath: /usr/share/ca-certificates
name: usr-ca-certs
readOnly: true
- mountPath: /var/log
name: varlog
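Review bot: the added /usr/share/ca-certificates mount in volumeMounts carries no comment explaining that it exists only so the symlinks under /etc/ssl/certs resolve inside the container, so a later cleanup could drop usr-ca-certs as redundant and reintroduce the broken-symlink problem. A one-line comment above that entry would record the dependency. Keeping readOnly: true on both certificate mounts is the right call given this container runs with privileged: true.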
@@ -68,7 +71,10 @@ spec:
volumes:
- hostPath:
path: /usr/share/ca-certificates
name: ssl-certs-host
name: usr-ca-certs
- hostPath:
path: /etc/ssl/certs
name: etc-ssl-certs
- hostPath:
path: /var/lib/kube-proxy/kubeconfig
name: kubeconfig
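Review bot: in the volumes list the old ssl-certs-host volume pointed at the host path /usr/share/ca-certificates while being mounted at /etc/ssl/certs, so after this change the container's /etc/ssl/certs is backed by the host's /etc/ssl/certs rather than by /usr/share/ca-certificates. That is a change in what the container sees at that path, not only an extra mount, and the commit message ("/etc/ssl/certs is currently mounted through") does not describe it for this manifest. Please mention it in the message, and confirm that the two hostPath entries fit hosts where /etc/ssl/certs holds real files as well as hosts where it holds symlinks.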