Merge pull request #36373 from vwfs/kubeadm_fix_centos_ssl

Automatic merge from submit-queue (batch tested with PRs 37366, 36373)

kubeadm: Let apiserver and controller-manager host-mount /etc/pki when required

#<!--  Thanks for sending a pull request!  Here are some tips for you:
1. If this is your first time, read our contributor guidelines https://github.com/kubernetes/kubernetes/blob/master/CONTRIBUTING.md and developer guide https://github.com/kubernetes/kubernetes/blob/master/docs/devel/development.md
2. If you want *faster* PR reviews, read how: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/faster_reviews.md
3. Follow the instructions for writing a release note: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/pull-requests.md#release-notes
-->

**What this PR does / why we need it**:
This PR checks if /etc/pki is present on the host machine and adds a host-mount to the apiserver and controller-manager manifest if required.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #36150

**Special notes for your reviewer**:

**Release note**:
<!--  Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access) 
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`. 
-->
```release-note
Fix incompatible host mounts for SSL certificates when deploying on CentOS with kubeadm
```

cmd/kubeadm/app/master/manifests.go

@@ -54,24 +54,37 @@ const (
 // WriteStaticPodManifests builds manifest objects based on user provided configuration and then dumps it to disk
 // where kubelet will pick and schedule them.
 func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
+	volumes := []api.Volume{k8sVolume(cfg)}
+	volumeMounts := []api.VolumeMount{k8sVolumeMount()}
+
+	if isCertsVolumeMountNeeded() {
+		volumes = append(volumes, certsVolume(cfg))
+		volumeMounts = append(volumeMounts, certsVolumeMount())
+	}
+
+	if isPkiVolumeMountNeeded() {
+		volumes = append(volumes, pkiVolume(cfg))
+		volumeMounts = append(volumeMounts, pkiVolumeMount())
+	}
+
 	// Prepare static pod specs
 	staticPodSpecs := map[string]api.Pod{
 		kubeAPIServer: componentPod(api.Container{
 			Name:          kubeAPIServer,
 			Image:         images.GetCoreImage(images.KubeAPIServerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
 			Command:       getAPIServerCommand(cfg),
-			VolumeMounts:  []api.VolumeMount{certsVolumeMount(), k8sVolumeMount()},
+			VolumeMounts:  volumeMounts,
 			LivenessProbe: componentProbe(8080, "/healthz"),
 			Resources:     componentResources("250m"),
-		}, certsVolume(cfg), k8sVolume(cfg)),
+		}, volumes...),
 		kubeControllerManager: componentPod(api.Container{
 			Name:          kubeControllerManager,
 			Image:         images.GetCoreImage(images.KubeControllerManagerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
 			Command:       getControllerManagerCommand(cfg),
-			VolumeMounts:  []api.VolumeMount{certsVolumeMount(), k8sVolumeMount()},
+			VolumeMounts:  volumeMounts,
 			LivenessProbe: componentProbe(10252, "/healthz"),
 			Resources:     componentResources("200m"),
-		}, certsVolume(cfg), k8sVolume(cfg)),
+		}, volumes...),
 		kubeScheduler: componentPod(api.Container{
 			Name:          kubeScheduler,
 			Image:         images.GetCoreImage(images.KubeSchedulerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
@@ -141,6 +154,12 @@ func etcdVolumeMount() api.VolumeMount {
 	}
 }
 
+func isCertsVolumeMountNeeded() bool {
+	// Always return true for now. We may add conditional logic here for images which do not require host mounting /etc/ssl
+	// hyperkube for example already has valid ca-certificates installed
+	return true
+}
+
 // certsVolume exposes host SSL certificates to pod containers.
 func certsVolume(cfg *kubeadmapi.MasterConfiguration) api.Volume {
 	return api.Volume{
@@ -159,9 +178,35 @@ func certsVolumeMount() api.VolumeMount {
 	}
 }
 
-func k8sVolume(cfg *kubeadmapi.MasterConfiguration) api.Volume {
+func isPkiVolumeMountNeeded() bool {
+	// On some systems were we host-mount /etc/ssl/certs, it is also required to mount /etc/pki. This is needed
+	// due to symlinks pointing from files in /etc/ssl/certs into /etc/pki/
+	if _, err := os.Stat("/etc/pki"); err == nil {
+		return true
+	}
+	return false
+}
+
+func pkiVolume(cfg *kubeadmapi.MasterConfiguration) api.Volume {
 	return api.Volume{
 		Name: "pki",
+		VolumeSource: api.VolumeSource{
+			// TODO(phase1+) make path configurable
+			HostPath: &api.HostPathVolumeSource{Path: "/etc/pki"},
+		},
+	}
+}
+
+func pkiVolumeMount() api.VolumeMount {
+	return api.VolumeMount{
+		Name:      "pki",
+		MountPath: "/etc/pki",
+	}
+}
+
+func k8sVolume(cfg *kubeadmapi.MasterConfiguration) api.Volume {
+	return api.Volume{
+		Name: "k8s",
 		VolumeSource: api.VolumeSource{
 			HostPath: &api.HostPathVolumeSource{Path: kubeadmapi.GlobalEnvParams.KubernetesDir},
 		},
@@ -170,7 +215,7 @@ func k8sVolume(cfg *kubeadmapi.MasterConfiguration) api.Volume {
 
 func k8sVolumeMount() api.VolumeMount {
 	return api.VolumeMount{
-		Name:      "pki",
+		Name:      "k8s",
 		MountPath: "/etc/kubernetes/",
 		ReadOnly:  true,
 	}

cmd/kubeadm/app/master/manifests_test.go

@@ -201,7 +201,7 @@ func TestK8sVolume(t *testing.T) {
 		{
 			cfg: &kubeadmapi.MasterConfiguration{},
 			expected: api.Volume{
-				Name: "pki",
+				Name: "k8s",
 				VolumeSource: api.VolumeSource{
 					HostPath: &api.HostPathVolumeSource{
 						Path: kubeadmapi.GlobalEnvParams.KubernetesDir},
@@ -234,7 +234,7 @@ func TestK8sVolumeMount(t *testing.T) {
 	}{
 		{
 			expected: api.VolumeMount{
-				Name:      "pki",
+				Name:      "k8s",
 				MountPath: "/etc/kubernetes/",
 				ReadOnly:  true,
 			},