openstack/openstack-helm-infra
Code Issues Proposed changes

[cert-rotatation] Also check initContainers for mounted certs

Browse Source 
rotate-certs.sh script currently only checks if a certificate is
mounted in containers.  This updates it to also consider
initContainers when restarting resources.

Change-Id: I5d48c5bbd671c9f74b72ef4ecca36777c735c398
This commit is contained in:
Mosher, Jaymes (jm616v) 2022-04-14 23:43:50 -06:00
parent f900462c33
commit 92977da6b8
3 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cert-rotation/Chart.yaml
View File

@ -16,5 +16,5 @@ appVersion: "1.0"
description: Rotate the certificates generated by cert-manager description: Rotate the certificates generated by cert-manager
home: https://cert-manager.io/ home: https://cert-manager.io/
name: cert-rotation name: cert-rotation
version: 0.1.3 version: 0.1.4
... ...

9
cert-rotation/templates/bin/_rotate-certs.sh.tpl
View File

@ -136,9 +136,10 @@ function restart_the_pods(){
# - get the name of the kind (which will index 1 = idx=0 of the output) # - get the name of the kind (which will index 1 = idx=0 of the output)
# - get the names of the secrets mounted on this kind (which will be index 2 = idx+1) # - get the names of the secrets mounted on this kind (which will be index 2 = idx+1)
# - find if tls.crt was mounted to the container: get the subpaths of volumeMount in # - find if tls.crt was mounted to the container: get the subpaths of volumeMount in
# the container and grep for tls.crt. (This will be index 2 = idx+2) # the container and grep for tls.crt. (This will be index 3 = idx+2)
# - or, find if tls.crt was mounted to the initContainer (This will be index 4 = idx+3)
resource=($(kubectl get ${kind} -n ${namespace} -o custom-columns='NAME:.metadata.name,SECRETS:.spec.template.spec.volumes[*].secret.secretName,TLS:.spec.template.spec.containers[*].volumeMounts[*].subPath' --no-headers | grep tls.crt || true)) resource=($(kubectl get ${kind} -n ${namespace} -o custom-columns='NAME:.metadata.name,SECRETS:.spec.template.spec.volumes[*].secret.secretName,TLS-CONTAINER:.spec.template.spec.containers[*].volumeMounts[*].subPath,TLS-INIT:.spec.template.spec.initContainers[*].volumeMounts[*].subPath' --no-headers | grep tls.crt || true))
idx=0 idx=0
while [[ $idx -lt ${#resource[@]} ]] while [[ $idx -lt ${#resource[@]} ]]
@ -161,9 +162,9 @@ function restart_the_pods(){
fi fi
done done
# Since we have 3 custom colums in the output, every 4th index will be start of new tuple. # Since we have 4 custom columns in the output, every 5th index will be start of new tuple.
# Jump to the next tuple. # Jump to the next tuple.
idx=$((idx+3)) idx=$((idx+4))
done done
done done
} }

1
releasenotes/notes/cert-rotation.yaml
View File

@ -4,4 +4,5 @@ cert-rotation:
- 0.1.1 Return true if grep finds no match - 0.1.1 Return true if grep finds no match
- 0.1.2 Correct and enhance the rotation script - 0.1.2 Correct and enhance the rotation script
- 0.1.3 Update htk requirements - 0.1.3 Update htk requirements
- 0.1.4 Consider initContainers when restarting resources
... ...