cluster: bindmount more cert paths

/etc/ssl/certs is currently mounted through in a number of places.
However, on Gentoo and CoreOS (and probably others), the files in
/etc/ssl/certs are just symlinks to files in /usr/share/ca-certificates.

For these components to correctly work, the target of the symlinks needs
to be available as well.

This is especially important for kube-controller-manager, where this
issue was noticed.

This change was originally part of #33965, but was split out for ease of
review.
This commit is contained in:
Euan Kemp
2016-12-07 15:21:53 -08:00
parent ca049360e2
commit b8d2099b3f
6 changed files with 51 additions and 2 deletions


@@ -53,6 +53,9 @@ spec:
- name: ssl-certs
mountPath: /etc/ssl/certs
readOnly: true
- name: usr-ca-certs
mountPath: /usr/share/ca-certificates
readOnly: true
- image: gcr.io/google_containers/heapster:v1.2.0
name: eventer
command:
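Review bot: The new `usr-ca-certs` mount at `mountPath: /usr/share/ca-certificates` has no comment saying why it sits next to `ssl-certs`. Without one it reads as a redundant second trust-store mount and is easy to drop in a later cleanup. Suggest a one-line YAML comment above `- name: usr-ca-certs` stating that entries in /etc/ssl/certs can be symlinks into this directory. The `readOnly: true` matches the existing mount and should stay.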
@@ -63,6 +66,9 @@ spec:
- name: ssl-certs
mountPath: /etc/ssl/certs
readOnly: true
- name: usr-ca-certs
mountPath: /usr/share/ca-certificates
readOnly: true
- image: gcr.io/google_containers/addon-resizer:1.6
name: heapster-nanny
resources:
@@ -125,3 +131,6 @@ spec:
- name: ssl-certs
hostPath:
path: "/etc/ssl/certs"
- name: usr-ca-certs
hostPath:
path: "/usr/share/ca-certificates"
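Review bot: The `usr-ca-certs` hostPath at `path: "/usr/share/ca-certificates"` assumes that directory exists on every node this manifest is deployed to. The commit message names Gentoo and CoreOS; please confirm what happens to pod start-up on a node image that lacks the directory, and record the answer in the description. The volume definition itself carries no read-only setting, so write protection of the host trust store rests on each container's `readOnly: true` mount, and any container that later mounts this volume needs the same flag.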


@@ -54,6 +54,9 @@ spec:
- name: ssl-certs
mountPath: /etc/ssl/certs
readOnly: true
- name: usr-ca-certs
mountPath: /usr/share/ca-certificates
readOnly: true
- image: gcr.io/google_containers/heapster:v1.2.0
name: eventer
command:
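Review bot: The added `mountPath: /usr/share/ca-certificates` hard-codes a single symlink target. That covers the layout described in the commit message, but on a host whose /etc/ssl/certs links resolve to any other directory the container will still see dangling links and certificate verification will fail the same way. Suggest checking the link targets on each supported node image (for example with `readlink -f` on a file in /etc/ssl/certs) and listing the layouts this change covers in the description.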
@@ -64,6 +67,9 @@ spec:
- name: ssl-certs
mountPath: /etc/ssl/certs
readOnly: true
- name: usr-ca-certs
mountPath: /usr/share/ca-certificates
readOnly: true
- image: gcr.io/google_containers/addon-resizer:1.6
name: heapster-nanny
resources:
@@ -126,3 +132,6 @@ spec:
- name: ssl-certs
hostPath:
path: "/etc/ssl/certs"
- name: usr-ca-certs
hostPath:
path: "/usr/share/ca-certificates"