Automate / tidy CA bundle deployment
The server, conveyor and reaper helm charts use pre-deployed secrets to host the CA bundles for their (potentially different) X.509 certificates (see here).
We're currently generating those secrets as part of an initial kustomization deployment, using CA files from a local /etc/grid-security/certificates directory that were manually identified as being required.
This has some downsides:
- Requires explicit enumeration of the CA files (as opposed to just installing osg-ca-certs, say)
- We need to track the multiple symlinks for the CA versions (I think)
- New or updated files must be moved into place manually.
We need to find a convenient way of provisioning the ca-bundles and keeping them up to date.
Notes:
- The full contents of /etc/grid-security/certificates is too large to be housed in a k8s secret, so we cannot just include everything from osg-ca-certs.
- Installing osg-ca-certs in the containers will not keep them up to date (without rebuilding/redeploying containers).
- The helm charts expect the CA bundles in secrets in order to mount them properly.