add support run both docker and containerd certs update (#2092)

* add support run both docker and containerd certs update

* update certificate path

* update containerd test case

* update containerd cert mount name

templates/trust-private-ca-on-all-nodes/containerd-ca-update-script.yaml

@@ -55,8 +55,8 @@ data:
             if [ ! -d /hostcontainerd/certs.d/$REGISTRY_HOST ]; then
                 mkdir -p /hostcontainerd/certs.d/$REGISTRY_HOST;
             fi
-            cp $dir/*.crt /hostcontainerd/certs.d/$REGISTRY_HOST/;
-            cp $dir/*.crt /hostcontainerd/certs.d/registry.{{ .Values.global.baseDomain }}/;
+            cp $dir/*.pem /hostcontainerd/certs.d/$REGISTRY_HOST/;
+            cp $dir/*.pem /hostcontainerd/certs.d/registry.{{ .Values.global.baseDomain }}/;
             if [ "$CONFIG_KEY" = true ]; then
                cp /hostcontainerd/host.toml /hostcontainerd/certs.d/$REGISTRY_HOST/host.toml
             else

templates/trust-private-ca-on-all-nodes/containerd-daemonset.yaml

@@ -68,8 +68,8 @@ spec:
           subPath: update-containerd-certs.sh
         {{ range $secret_name := (.Values.global.privateCaCerts) }}
         - name: {{ $secret_name }}
-          mountPath: /private-ca-certs/{{ $secret_name }}/{{ $secret_name }}.crt
-          subPath: {{ $secret_name }}.crt
+          mountPath: /private-ca-certs/{{ $secret_name }}/{{ $secret_name }}.pem
+          subPath: cert.pem
         {{- end }}
       terminationGracePeriodSeconds: 1
       hostNetwork: true

templates/trust-private-ca-on-all-nodes/daemonset.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.global.privateCaCertsAddToHost.enabled  ( not .Values.global.privateCaCertsAddToHost.addToContainerd ) }}
+{{- if and .Values.global.privateCaCertsAddToHost.enabled .Values.global.privateCaCertsAddToHost.addToDockerd }}
 ################################
 ## DaemonSet to mount the private root CA
 ##

tests/chart_tests/test_containerd_privateca.py

@@ -68,9 +68,9 @@ def test_containerd_privateca_daemonset_enabled(self, kube_version):
         cert_copier = docs[0]["spec"]["template"]["spec"]["containers"][0]
         cert_copier["image"].startswith("alpine:3")
 
-        volmounts = cert_copier["volumeMounts"]
+        volumemounts = cert_copier["volumeMounts"]
 
-        volmounts_expected = [
+        expected_volumemounts = [
             {"name": "hostcerts", "mountPath": "/host-trust-store"},
             {
                 "mountPath": "/hostcontainerd",
@@ -84,14 +84,14 @@ def test_containerd_privateca_daemonset_enabled(self, kube_version):
             },
             {
                 "name": "private-ca-cert-foo",
-                "mountPath": "/private-ca-certs/private-ca-cert-foo/private-ca-cert-foo.crt",
-                "subPath": "private-ca-cert-foo.crt",
+                "mountPath": "/private-ca-certs/private-ca-cert-foo/private-ca-cert-foo.pem",
+                "subPath": "cert.pem",
             },
             {
                 "name": "private-ca-cert-bar",
-                "mountPath": "/private-ca-certs/private-ca-cert-bar/private-ca-cert-bar.crt",
-                "subPath": "private-ca-cert-bar.crt",
+                "mountPath": "/private-ca-certs/private-ca-cert-bar/private-ca-cert-bar.pem",
+                "subPath": "cert.pem",
             },
         ]
 
-        assert volmounts == volmounts_expected
+        assert volumemounts == expected_volumemounts

values.yaml

@@ -20,6 +20,7 @@ global:
     enabled: false
     hostDirectory: /etc/docker/certs.d
     addToContainerd: false
+    addToDockerd: true
     containerdCertConfigPath: /etc/containerd/certs.d
     containerdConfigToml: ~
     containerdnodeAffinitys: []