From 1dcf6dbe7845732960eb009f7d6213c77ed45e55 Mon Sep 17 00:00:00 2001
From: Jason Plum
Date: Tue, 24 Sep 2024 13:58:08 -0400
Subject: [PATCH] certificates: update the UBI paths for certificates, address perms Update the `templates/_certificates.tpl` to alter the mount and paths for `/etc/pki/ca-trust/extracted`, removing `/pem` from the end. This address concerns seen in some deployments of `update-ca-trust` failing with permissions on a file witin the `openssl/` subdirectory. All of the content within `/etc/pki/ca-trust/extracted` is generated on a per-run basis, so this is simply now inclusive all all content generated by the scripted patterns of `update-ca-trust`.
Changelog: changed
---
 templates/_certificates.tpl | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/templates/_certificates.tpl b/templates/_certificates.tpl
index 51a205cae5..bf72d94f4c 100644
--- a/templates/_certificates.tpl
+++ b/templates/_certificates.tpl
@@ -17,8 +17,8 @@
 - name: etc-ssl-certs
 mountPath: /etc/ssl/certs
 readOnly: false
- - name: etc-pki-ca-trust-extracted-pem
- mountPath: /etc/pki/ca-trust/extracted/pem
+ - name: etc-pki-ca-trust-extracted
+ mountPath: /etc/pki/ca-trust/extracted
 readOnly: false
 {{- if or $customCAsEnabled (or $certmanagerDisabled $internalGitalyTLSEnabled $internalPraefectTLSEnabled) }}
 - name: custom-ca-certificates
@@ -37,7 +37,7 @@
 - name: etc-ssl-certs
 emptyDir:
 medium: "Memory"
-- name: etc-pki-ca-trust-extracted-pem
+- name: etc-pki-ca-trust-extracted
 emptyDir:
 medium: "Memory"
 {{- if or $customCAsEnabled (or $certmanagerDisabled $internalGitalyTLSEnabled $internalPraefectTLSEnabled) }}
@@ -103,7 +103,7 @@
 - name: etc-ssl-certs
 mountPath: /etc/ssl/certs/
 readOnly: true
-- name: etc-pki-ca-trust-extracted-pem
- mountPath: /etc/pki/ca-trust/extracted/pem
+- name: etc-pki-ca-trust-extracted
+ mountPath: /etc/pki/ca-trust/extracted
 readOnly: true
 {{- end -}}
-- 
GitLab
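Review bot: Mounting the emptyDir at `/etc/pki/ca-trust/extracted` (writable in the first hunk, read-only in the third) shadows everything the image ships under that directory, not only `pem/`, so consuming containers see just what the writer's `update-ca-trust` run produced. If that run fails or generates only part of the tree, the trust store is presumably empty or incomplete rather than falling back to the image's bundle, and nothing in the template records that dependency. I would document it at the writable mount, e.g. `{{- /* emptyDir replaces the whole extracted/ tree; update-ca-trust must regenerate pem/, openssl/ and the rest before any consumer starts */}}`. The enclosing template definitions start and end outside these hunks, so whether the populating container's exit status gates the consumers cannot be confirmed from here.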