-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathcertificate-updater-ds.yaml
128 lines (126 loc) · 3.67 KB
/
certificate-updater-ds.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: certificate-updater-deny-all
namespace: certificate-updater
spec:
podSelector:
matchLabels:
k8s-app: certificate-updater
policyTypes:
- Ingress
- Egress
ingress: []
egress:
- {}
---
apiVersion: "apps/v1"
kind: DaemonSet
metadata:
name: certificate-updater
namespace: certificate-updater
labels:
k8s-app: certificate-updater
version: 2v
spec:
selector:
matchLabels:
k8s-app: certificate-updater
template:
metadata:
labels:
k8s-app: certificate-updater
spec:
hostPID: true
hostIPC: true
containers:
- name: certificate-updater
image: cr.yandex/yc/mk8s-openssl:stable
command:
- sh
- -c
- |
while true; do
diff -x '.*' -r /mnt/user-cert-path/ /usr/local/share/ca-certificates
if [ $? -ne 0 ];
then
echo "Removing all old certificates"
rm -r /usr/local/share/ca-certificates/*
echo "Copying certificates from configmap"
cp /mnt/sbin/update-ca-certificates /usr/sbin/
cp /mnt/user-cert-path/* /usr/local/share/ca-certificates
echo "Updating cerfificates authorities"
update-ca-certificates
echo "Restarting containerd and dockerd"
ps -x -o pid= -o comm= | awk '$2 ~ "^(containerd|dockerd)$" { print $1 }' | xargs kill
#systemd will get them back less than a minute
else
echo "Doing Nothing as no certs has not been changed"
fi
taint="state=certificate-updater:NoSchedule"
res=$(/mnt/kube-tools/kubectl describe node $NODE_NAME | grep $taint)
if [ -n "$res" ]; then
echo "Disable the state taint to allow scheduling the app pods"
/mnt/kube-tools/kubectl taint node $NODE_NAME $taint-
fi
sleep 60
done
imagePullPolicy: Never
securityContext:
privileged: true
resources:
limits:
memory: 200Mi
requests:
cpu: 100m
memory: 200Mi
volumeMounts:
- mountPath: /etc/
name: etc
- mountPath: /usr/local/share/ca-certificates
name: docker-cert
- name: secret
mountPath: /mnt/user-cert-path
- name: sbin
mountPath: /mnt/sbin
readOnly: true
- name: ca-cert
mountPath: /usr/share/ca-certificates
- name: kube-tools
mountPath: /mnt/kube-tools
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumes:
- name: secret
secret:
secretName: crt
- name: sbin
hostPath:
path: /usr/sbin/
type: Directory
- name: ca-cert
hostPath:
path: /usr/share/ca-certificates
type: Directory
- name: docker-cert
hostPath:
path: /usr/local/share/ca-certificates
type: DirectoryOrCreate
- name: etc
hostPath:
path: /etc/
type: Directory
- name: kube-tools
hostPath:
path: /home/kubernetes/bin/
type: Directory
tolerations:
- key: "state"
operator: "Equal"
value: "certificate-updater"
effect: "NoSchedule"
serviceAccountName: certificate-updater-sa