Fix flexVol serving of nginx certificates

FlexVol requires that you specify certificates as secrets in order to get both the certificate and private key in the appropriate format for nginx to consume. Additionally, flexvol shouldn't interfer with other secrets mounted in it's host directory.

deploy/azure/atst-nginx-configmap.yml

@@ -40,7 +40,7 @@ data:
         listen ${PORT_PREFIX}442 ssl;
         listen [::]:${PORT_PREFIX}442 ssl ipv6only=on;
         ssl_certificate /etc/ssl/atat.crt;
-        ssl_certificate_key /etc/ssl/atat.crt;
+        ssl_certificate_key /etc/ssl/atat.key;
         # additional SSL/TLS settings
         include /etc/nginx/snippets/ssl.conf;
 
@@ -73,7 +73,7 @@ data:
         listen ${PORT_PREFIX}443 ssl;
         listen [::]:${PORT_PREFIX}443 ssl ipv6only=on;
         ssl_certificate /etc/ssl/atat.crt;
-        ssl_certificate_key /etc/ssl/atat.crt;
+        ssl_certificate_key /etc/ssl/atat.key;
         # Request and validate client certificate
         ssl_verify_client on;
         ssl_verify_depth 10;

deploy/azure/azure.yml

@@ -70,14 +70,14 @@ spec:
               mountPath: "/etc/nginx/.htpasswd"
               subPath: .htpasswd
             - name: nginx-client-ca-bundle
-              mountPath: "/etc/ssl/"
+              mountPath: "/etc/ssl/client-ca-bundle.pem"
+              subPath: "client-ca-bundle.pem"
             - name: acme
               mountPath: "/usr/share/nginx/html/.well-known/acme-challenge/"
             - name: snippets
               mountPath: "/etc/nginx/snippets/"
             - name: nginx-secret
               mountPath: "/etc/ssl/"
-              readOnly: true
       volumes:
         - name: atst-config
           secret:
@@ -89,7 +89,10 @@ spec:
         - name: nginx-client-ca-bundle
           configMap:
             name: nginx-client-ca-bundle
-            defaultMode: 0666
+            defaultMode: 0444
+            items:
+              - key: "client-ca-bundle.pem"
+                path: "client-ca-bundle.pem"
         - name: nginx-config
           configMap:
             name: atst-nginx
@@ -134,9 +137,9 @@ spec:
             options:
               usepodidentity: "true"
               keyvaultname: "atat-vault-test"
-              keyvaultobjectnames: "dhparam4096;master-cert"
+              keyvaultobjectnames: "dhparam4096;master-cert;master-cert"
-              keyvaultobjectaliases: "dhparam.pem;atat.crt"
+              keyvaultobjectaliases: "dhparam.pem;atat.key;atat.crt"
-              keyvaultobjecttypes: "secret;cert"
+              keyvaultobjecttypes: "secret;secret;secret"
               tenantid: $TENANT_ID
 ---
 apiVersion: extensions/v1beta1

deploy/overlays/staging/flex_vol.yml

@@ -10,4 +10,4 @@ spec:
           flexVolume:
             options:
               keyvaultname: "atat-vault-test"
-              keyvaultobjectnames: "dhparam4096;staging-cert"
+              keyvaultobjectnames: "dhparam4096;staging-cert;staging-cert"