From 728bb5713f2d1d814f4f1dc5d2ab61b375f51ebb Mon Sep 17 00:00:00 2001
From: tomdds
Date: Mon, 2 Dec 2019 15:41:46 -0500
Subject: [PATCH] Fix flexVol serving of nginx certificates

FlexVol requires that you specify certificates as secrets in order to get both the certificate and private key in the appropriate format for nginx to consume. Additionally, flexvol shouldn't interfer with other secrets mounted in it's host directory.
---
 deploy/azure/atst-nginx-configmap.yml | 4 ++--
 deploy/azure/azure.yml | 15 +++++++++------
 deploy/overlays/staging/flex_vol.yml | 2 +-
 3 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/deploy/azure/atst-nginx-configmap.yml b/deploy/azure/atst-nginx-configmap.yml
index b7959845..5f51c7d6 100644
--- a/deploy/azure/atst-nginx-configmap.yml
+++ b/deploy/azure/atst-nginx-configmap.yml
@@ -40,7 +40,7 @@ data:
 listen ${PORT_PREFIX}442 ssl;
 listen [::]:${PORT_PREFIX}442 ssl ipv6only=on;
 ssl_certificate /etc/ssl/atat.crt;
- ssl_certificate_key /etc/ssl/atat.crt;
+ ssl_certificate_key /etc/ssl/atat.key;
 
 # additional SSL/TLS settings
 include /etc/nginx/snippets/ssl.conf;
@@ -73,7 +73,7 @@ data:
 listen ${PORT_PREFIX}443 ssl;
 listen [::]:${PORT_PREFIX}443 ssl ipv6only=on;
 ssl_certificate /etc/ssl/atat.crt;
- ssl_certificate_key /etc/ssl/atat.crt;
+ ssl_certificate_key /etc/ssl/atat.key;
 # Request and validate client certificate
 ssl_verify_client on;
 ssl_verify_depth 10;
diff --git a/deploy/azure/azure.yml b/deploy/azure/azure.yml
index e8a9eacb..02952029 100644
--- a/deploy/azure/azure.yml
+++ b/deploy/azure/azure.yml
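Review bot: The corrected `ssl_certificate` / `ssl_certificate_key` pair is repeated verbatim in both server blocks (this hunk at line 40 and the one at line 73), which is exactly how the wrong key path survived in two places before this fix. Since the first block already has `include /etc/nginx/snippets/ssl.conf;`, moving the two directives into that shared snippet would declare the certificate and key paths once, provided the second block includes the same snippet (not visible here). Both server blocks start and end outside the hunks.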
@@ -70,14 +70,14 @@ spec:
 mountPath: "/etc/nginx/.htpasswd"
 subPath: .htpasswd
 - name: nginx-client-ca-bundle
- mountPath: "/etc/ssl/"
+ mountPath: "/etc/ssl/client-ca-bundle.pem"
+ subPath: "client-ca-bundle.pem"
 - name: acme
 mountPath: "/usr/share/nginx/html/.well-known/acme-challenge/"
 - name: snippets
 mountPath: "/etc/nginx/snippets/"
 - name: nginx-secret
 mountPath: "/etc/ssl/"
- readOnly: true
 volumes:
 - name: atst-config
 secret:
@@ -89,7 +89,10 @@ spec:
 - name: nginx-client-ca-bundle
 configMap:
 name: nginx-client-ca-bundle
- defaultMode: 0666
+ defaultMode: 0444
+ items:
+ - key: "client-ca-bundle.pem"
+ path: "client-ca-bundle.pem"
 - name: nginx-config
 configMap:
 name: atst-nginx
@@ -134,9 +137,9 @@ spec:
 options:
 usepodidentity: "true"
 keyvaultname: "atat-vault-test"
- keyvaultobjectnames: "dhparam4096;master-cert"
- keyvaultobjectaliases: "dhparam.pem;atat.crt"
- keyvaultobjecttypes: "secret;cert"
+ keyvaultobjectnames: "dhparam4096;master-cert;master-cert"
+ keyvaultobjectaliases: "dhparam.pem;atat.key;atat.crt"
+ keyvaultobjecttypes: "secret;secret;secret"
 tenantid: $TENANT_ID
 ---
 apiVersion: extensions/v1beta1
diff --git a/deploy/overlays/staging/flex_vol.yml b/deploy/overlays/staging/flex_vol.yml
index ef8ca168..0ebeea84 100644
--- a/deploy/overlays/staging/flex_vol.yml
+++ b/deploy/overlays/staging/flex_vol.yml
@@ -10,4 +10,4 @@ spec:
 flexVolume:
 options:
 keyvaultname: "atat-vault-test"
- keyvaultobjectnames: "dhparam4096;staging-cert"
+ keyvaultobjectnames: "dhparam4096;staging-cert;staging-cert"
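Review bot: Dropping `readOnly: true` from the `nginx-secret` mount of `/etc/ssl/` leaves the volume that now delivers the TLS private key (`atat.key`, per the configmap change) writable from the nginx container, and nginx only needs to read it. If the driver behind `nginx-secret` (presumably the flexVolume configured further down) rejects the flag, record that beside the mount, e.g. `# readOnly is not honoured by the keyvault flexVolume driver — TODO confirm`; otherwise keep `readOnly: true`. Moving the CA bundle to a `subPath` file mount so it no longer shadows the same directory looks right. The `volumeMounts` list this belongs to starts outside the hunk.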
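Review bot: In the hunk at line 137, `master-cert` is listed twice with object type `secret`, once under alias `atat.key` and once under `atat.crt`; if, as the commit message implies, the secret form bundles certificate and private key, then `atat.crt` carries the private key as well and both files need the same handling as the key. A comment would stop a later reader from "deduplicating" the entry: `# master-cert is fetched twice on purpose: as a secret (not a cert) so the key is included, under both aliases`. The three semicolon-separated lists are matched by position, so their entry counts must stay equal; the staging overlay in deploy/overlays/staging/flex_vol.yml overrides only `keyvaultobjectnames` and therefore depends on the aliases and types declared here, which is worth saying on these lines.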
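Review bot: The staging overlay now supplies three `keyvaultobjectnames` entries but no `keyvaultobjectaliases` or `keyvaultobjecttypes`, so it appears to rely on the base deploy/azure/azure.yml lists (`dhparam.pem;atat.key;atat.crt` and `secret;secret;secret`) lining up by position. A comment on this line would make that coupling explicit: `# positions must match keyvaultobjectaliases/keyvaultobjecttypes in deploy/azure/azure.yml`. The `flexVolume` block this patches starts outside the hunk.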