From 92977da6b8b51f09269c70bc3c9938fef4f66816 Mon Sep 17 00:00:00 2001
From: "Mosher, Jaymes (jm616v)"
Date: Thu, 14 Apr 2022 23:43:50 -0600
Subject: [PATCH] [cert-rotatation] Also check initContainers for mounted certs

rotate-certs.sh script currently only checks if a certificate is mounted in containers. This updates it to also consider initContainers when restarting resources.

Change-Id: I5d48c5bbd671c9f74b72ef4ecca36777c735c398
---
 cert-rotation/Chart.yaml | 2 +-
 cert-rotation/templates/bin/_rotate-certs.sh.tpl | 9 +++++----
 releasenotes/notes/cert-rotation.yaml | 1 +
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/cert-rotation/Chart.yaml b/cert-rotation/Chart.yaml
index c85463451..6e09e33a7 100644
--- a/cert-rotation/Chart.yaml
+++ b/cert-rotation/Chart.yaml
@@ -16,5 +16,5 @@ appVersion: "1.0"
 description: Rotate the certificates generated by cert-manager
 home: https://cert-manager.io/
 name: cert-rotation
-version: 0.1.3
+version: 0.1.4
 ...
diff --git a/cert-rotation/templates/bin/_rotate-certs.sh.tpl b/cert-rotation/templates/bin/_rotate-certs.sh.tpl
index e71ba60ca..fe55d7bac 100644
--- a/cert-rotation/templates/bin/_rotate-certs.sh.tpl
+++ b/cert-rotation/templates/bin/_rotate-certs.sh.tpl
@@ -136,9 +136,10 @@ function restart_the_pods(){
  # - get the name of the kind (which will index 1 = idx=0 of the output)
  # - get the names of the secrets mounted on this kind (which will be index 2 = idx+1)
  # - find if tls.crt was mounted to the container: get the subpaths of volumeMount in
- # the container and grep for tls.crt. (This will be index 2 = idx+2)
+ # the container and grep for tls.crt. (This will be index 3 = idx+2)
+ # - or, find if tls.crt was mounted to the initContainer (This will be index 4 = idx+3)
- resource=($(kubectl get ${kind} -n ${namespace} -o custom-columns='NAME:.metadata.name,SECRETS:.spec.template.spec.volumes[*].secret.secretName,TLS:.spec.template.spec.containers[*].volumeMounts[*].subPath' --no-headers | grep tls.crt || true))
+ resource=($(kubectl get ${kind} -n ${namespace} -o custom-columns='NAME:.metadata.name,SECRETS:.spec.template.spec.volumes[*].secret.secretName,TLS-CONTAINER:.spec.template.spec.containers[*].volumeMounts[*].subPath,TLS-INIT:.spec.template.spec.initContainers[*].volumeMounts[*].subPath' --no-headers | grep tls.crt || true))
  idx=0
  while [[ $idx -lt ${#resource[@]} ]]
@@ -161,9 +162,9 @@ function restart_the_pods(){
  fi
  done
- # Since we have 3 custom colums in the output, every 4th index will be start of new tuple.
+ # Since we have 4 custom columns in the output, every 5th index will be start of new tuple.
  # Jump to the next tuple.
- idx=$((idx+3))
+ idx=$((idx+4))
  done
  done
 }
diff --git a/releasenotes/notes/cert-rotation.yaml b/releasenotes/notes/cert-rotation.yaml
index 48e59997b..e66ca2d04 100644
--- a/releasenotes/notes/cert-rotation.yaml
+++ b/releasenotes/notes/cert-rotation.yaml
@@ -4,4 +4,5 @@ cert-rotation:
  - 0.1.1 Return true if grep finds no match
  - 0.1.2 Correct and enhance the rotation script
  - 0.1.3 Update htk requirements
+ - 0.1.4 Consider initContainers when restarting resources
 ...
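Review bot: The row filter on the new `resource=` line, `grep tls.crt`, is an unanchored regex run over all four columns, so the unescaped `.` also matches values such as `tls-crt`, and a hit in the NAME or SECRETS column selects the row even when neither TLS column holds the mount; `grep -F 'tls.crt'` removes the wildcard, and matching on the two TLS columns only would be tighter. The loop body between the two hunks is not shown here; if it still inspects only `${resource[idx+2]}` to decide on a restart, a certificate mounted solely in an initContainer is now pulled in by the grep but may still be skipped, which is the exact case this change is meant to cover — worth confirming against those lines. The enclosing function restart_the_pods begins before the first hunk; only its closing brace is visible in the second.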