feat: Consume policy-server-root-ca Secret in auditScanner Cronjob

This is done with a volumeMount. The `policy-server-root-ca` is created by the kubewarden-controller deployment, but only when there is a policy-server. This means that the first installation of kubearden-controller chart will deploy an audit-scanner cronjob that will continously fail, until there's a policy-server instantiated. This doesn't need to be this way, we can change the kubewarden-controller reconcile loop so it creates the ca secret without needing a policy-server first. Signed-off-by: Víctor Cuadrado Juan <[email protected]>
kubewarden · Jul 27, 2023 · b1218e2 · b1218e2
1 parent a080317
commit b1218e2
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/charts/kubewarden-controller/templates/audit-scanner.yaml b/charts/kubewarden-controller/templates/audit-scanner.yaml
@@ -27,13 +27,25 @@ spec:
           {{- toYaml .Values.imagePullSecrets | nindent 12 }}
           {{- end }}
           restartPolicy: {{ .Values.auditScanner.containerRestartPolicy }}
+          volumes:
+          - name: policyservers-ca-cert
+            secret:
+              defaultMode: 420
+              secretName: policy-server-root-ca
           containers:
           - name: audit-scanner
             image: '{{ template "system_default_registry" . }}{{ .Values.auditScanner.image.repository }}:{{ .Values.auditScanner.image.tag }}'
             imagePullPolicy: {{ .Values.auditScanner.image.pullPolicy }}
             command:
               {{- include "audit-scanner.command" . | nindent 14 -}}
             {{- with .Values.containerSecurityContext }}
+            env:
+            - name: KUBEWARDEN_CACERT_PEM_POLICYSERVERS
+              value: "/pki/policy-server-root-ca-pem"
+            volumeMounts:
+            - mountPath: "/pki"
+              name: policyservers-ca-cert
+              readOnly: true
             securityContext:
               {{- toYaml . | nindent 14 }}
             {{- end }}