
Commit 2a2f034

committed
fix: trusting public CA from k8s.io container images
Signed-off-by: Dario Tranchitella <[email protected]>
1 parent d3580c8 commit 2a2f034


1 file changed

+0
-28
lines changed

1 file changed

+0
-28
lines changed

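--- a/internal/builders/controlplane/deployment.go
+++ b/internal/builders/controlplane/deployment.go
@@ -31,7 +31,6 @@ import (
 const (
 kubernetesPKIVolumeName = "etc-kubernetes-pki"
 caCertificatesVolumeName = "etc-ca-certificates"
-sslCertsVolumeName = "etc-ssl-certs"
 usrShareCACertificatesVolumeName = "usr-share-ca-certificates"
 usrLocalShareCaCertificateVolumeName = "usr-local-share-ca-certificates"
 schedulerKubeconfigVolumeName = "scheduler-kubeconfig"
@@ -162,7 +161,6 @@ func (d Deployment) setVolumes(podSpec *corev1.PodSpec, tcp kamajiv1alpha1.Tenan
 for _, fn := range []func(*corev1.PodSpec, kamajiv1alpha1.TenantControlPlane){
 d.buildPKIVolume,
 d.buildCAVolume,
-d.buildSSLCertsVolume,
 d.buildShareCAVolume,
 d.buildLocalShareCAVolume,
 d.buildSchedulerVolume,
@@ -250,22 +248,6 @@ func (d Deployment) buildCAVolume(podSpec *corev1.PodSpec, tcp kamajiv1alpha1.Te
 }
 }
 
-func (d Deployment) buildSSLCertsVolume(podSpec *corev1.PodSpec, tcp kamajiv1alpha1.TenantControlPlane) {
-found, index := utilities.HasNamedVolume(podSpec.Volumes, sslCertsVolumeName)
-if !found {
-index = len(podSpec.Volumes)
-podSpec.Volumes = append(podSpec.Volumes, corev1.Volume{})
-}
-
-podSpec.Volumes[index].Name = sslCertsVolumeName
-podSpec.Volumes[index].VolumeSource = corev1.VolumeSource{
-Secret: &corev1.SecretVolumeSource{
-SecretName: tcp.Status.Certificates.CA.SecretName,
-DefaultMode: pointer.To(int32(420)),
-},
-}
-}
-
 func (d Deployment) buildShareCAVolume(podSpec *corev1.PodSpec, tcp kamajiv1alpha1.TenantControlPlane) {
 found, index := utilities.HasNamedVolume(podSpec.Volumes, usrShareCACertificatesVolumeName)
 if !found {
@@ -521,11 +503,6 @@ func (d Deployment) buildControllerManager(podSpec *corev1.PodSpec, tenantContro
 ReadOnly: true,
 MountPath: "/etc/ca-certificates",
 })
-d.ensureVolumeMount(&volumeMounts, corev1.VolumeMount{
-Name: sslCertsVolumeName,
-ReadOnly: true,
-MountPath: "/etc/ssl/certs",
-})
 d.ensureVolumeMount(&volumeMounts, corev1.VolumeMount{
 Name: usrShareCACertificatesVolumeName,
 ReadOnly: true,
@@ -655,11 +632,6 @@ func (d Deployment) buildKubeAPIServer(podSpec *corev1.PodSpec, tenantControlPla
 ReadOnly: true,
 MountPath: "/etc/ca-certificates",
 })
-d.ensureVolumeMount(&volumeMounts, corev1.VolumeMount{
-Name: sslCertsVolumeName,
-ReadOnly: true,
-MountPath: "/etc/ssl/certs",
-})
 d.ensureVolumeMount(&volumeMounts, corev1.VolumeMount{
 Name: usrShareCACertificatesVolumeName,
 ReadOnly: true,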
