cerc-io
/
stack-orchestrator
mirror of https://github.com/cerc-io/stack-orchestrator
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity

Fix CA cert mounting: subPath for Go, expanduser for configmaps 

- CA certs mounted via subPath into /etc/ssl/certs/ so Go's x509
  picks them up (directory mount replaces the entire dir)
- get_configmaps() now expands ~ in paths via os.path.expanduser()
- Both changes discovered during testing with mkcert + MinIO

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
afd-dumpster-local-testing
Snake Game Developer 2026-03-21 19:27:14 +00:00
parent 713a81c245
commit f93541f7db
2 changed files with 2130 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
stack_orchestrator/deploy/k8s/cluster_info.py
View File

@ -389,6 +389,7 @@ class ClusterInfo:
print(f"{cfg_map_name} not in pod files") print(f"{cfg_map_name} not in pod files")
continue continue
cfg_map_path = os.path.expanduser(cfg_map_path)
if not cfg_map_path.startswith("/") and self.spec.file_path is not None: if not cfg_map_path.startswith("/") and self.spec.file_path is not None:
cfg_map_path = os.path.join( cfg_map_path = os.path.join(
os.path.dirname(str(self.spec.file_path)), cfg_map_path os.path.dirname(str(self.spec.file_path)), cfg_map_path
@ -846,7 +847,7 @@ class ClusterInfo:
selector_labels["app.kubernetes.io/component"] = pod_name selector_labels["app.kubernetes.io/component"] = pod_name
# Add CA certificate volume and env vars if configured # Add CA certificate volume and env vars if configured
_ca_secret, ca_volume, ca_mount, ca_envs = ( _ca_secret, ca_volume, ca_mounts, ca_envs = (
self.get_ca_certificate_resources() self.get_ca_certificate_resources()
) )
if ca_volume: if ca_volume:
@ -854,7 +855,7 @@ class ClusterInfo:
for container in containers: for container in containers:
if container.volume_mounts is None: if container.volume_mounts is None:
container.volume_mounts = [] container.volume_mounts = []
container.volume_mounts.append(ca_mount) container.volume_mounts.extend(ca_mounts)
if container.env is None: if container.env is None:
container.env = [] container.env = []
container.env.extend(ca_envs) container.env.extend(ca_envs)
@ -1170,20 +1171,29 @@ class ClusterInfo:
) )
# Mount each CA file into /etc/ssl/certs/ (Go reads this dir) # Mount each CA file into /etc/ssl/certs/ (Go reads this dir)
volume_mount = client.V1VolumeMount( # Mount each CA file directly into /etc/ssl/certs/ using subPath
name="laconic-ca-certs", # so Go's x509 package picks them up (it reads *.pem from that dir).
mount_path="/etc/ssl/certs/laconic-extra-ca", # Also return env vars for Node/Bun containers.
read_only=True, volume_mounts = []
) first_mount_path = None
for key in secret_data.keys():
mount_path = f"/etc/ssl/certs/{key}"
if first_mount_path is None:
first_mount_path = mount_path
volume_mounts.append(
client.V1VolumeMount(
name="laconic-ca-certs",
mount_path=mount_path,
sub_path=key,
read_only=True,
)
)
# Set NODE_EXTRA_CA_CERTS for Node/Bun containers.
# Point at the first CA file (most common: single mkcert root CA).
first_key = list(secret_data.keys())[0]
env_vars = [ env_vars = [
client.V1EnvVar( client.V1EnvVar(
name="NODE_EXTRA_CA_CERTS", name="NODE_EXTRA_CA_CERTS",
value=f"/etc/ssl/certs/laconic-extra-ca/{first_key}", value=first_mount_path,
), ),
] ]
return secret, volume, volume_mount, env_vars return secret, volume, volume_mounts, env_vars

2108
uv.lock 100644
View File

File diff suppressed because it is too large Load Diff