Move server certificates to /etc/pki

ManageIQ · Feb 14, 2023 · da95789 · da95789
1 parent b9e0e3e
commit da95789
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 3 deletions.
diff --git a/manageiq-operator/api/v1alpha1/helpers/miq-components/postgresql.go b/manageiq-operator/api/v1alpha1/helpers/miq-components/postgresql.go
@@ -284,7 +284,7 @@ func PostgresqlDeployment(cr *miqv1alpha1.ManageIQ, client client.Client, scheme
 		}
 		deployment.Spec.Template.Spec.Volumes = addOrUpdateVolume(deployment.Spec.Template.Spec.Volumes, corev1.Volume{Name: "env-file", VolumeSource: corev1.VolumeSource{Secret: &secret}})
 
-		addInternalCertificate(cr, deployment, client, "postgresql", "/opt/app-root/src/certificates")
+		addPkiCertificate(cr, deployment, client, "postgresql")
 
 		return nil
 	}

diff --git a/manageiq-operator/api/v1alpha1/helpers/miq-components/postgresql_conf.go b/manageiq-operator/api/v1alpha1/helpers/miq-components/postgresql_conf.go
@@ -78,8 +78,8 @@ func postgresqlSslConf() string {
 #------------------------------------------------------------------------------
 
 ssl = on
-ssl_cert_file = '/var/lib/pgsql/data/userdata/server.crt' # server certificate
-ssl_key_file =  '/var/lib/pgsql/data/userdata/server.key' # server private key
+ssl_cert_file = '/etc/pki/tls/certs/server.crt' # server certificate
+ssl_key_file =  '/etc/pki/tls/private/server.key' # server private key
 #ssl_ca_file                                   # trusted certificate authorities
 #ssl_crl_file                                  # certificates revoked by certificate authorities
 

diff --git a/manageiq-operator/api/v1alpha1/helpers/miq-components/util.go b/manageiq-operator/api/v1alpha1/helpers/miq-components/util.go
@@ -116,6 +116,20 @@ func addInternalCertificate(cr *miqv1alpha1.ManageIQ, d *appsv1.Deployment, clie
 	}
 }
 
+func addPkiCertificate(cr *miqv1alpha1.ManageIQ, d *appsv1.Deployment, client client.Client, name string) {
+	secret := InternalCertificatesSecret(cr, client)
+	if secret.Data[fmt.Sprintf("%s_crt", name)] != nil && secret.Data[fmt.Sprintf("%s_key", name)] != nil {
+		volumeName := fmt.Sprintf("%s-certificate", name)
+
+		volumeMount := corev1.VolumeMount{Name: volumeName, MountPath: "/etc/pki/tls", ReadOnly: true}
+		d.Spec.Template.Spec.Containers[0].VolumeMounts = addOrUpdateVolumeMount(d.Spec.Template.Spec.Containers[0].VolumeMounts, volumeMount)
+
+		var mode int32 = 0o440
+		secretVolumeSource := corev1.SecretVolumeSource{SecretName: secret.Name, Items: []corev1.KeyToPath{corev1.KeyToPath{Key: fmt.Sprintf("%s_crt", name), Path: "certs/server.crt", Mode: &mode}, corev1.KeyToPath{Key: fmt.Sprintf("%s_key", name), Path: "private/server.key", Mode: &mode}}}
+		d.Spec.Template.Spec.Volumes = addOrUpdateVolume(d.Spec.Template.Spec.Volumes, corev1.Volume{Name: volumeName, VolumeSource: corev1.VolumeSource{Secret: &secretVolumeSource}})
+	}
+}
+
 func addOrUpdateEnvVar(environment []corev1.EnvVar, variable corev1.EnvVar) []corev1.EnvVar {
 	index := -1
 	for i, env := range environment {