kubeadm: Mount additional paths inside apiserver/controller-manager for working CA root

[klausenbusk]

This is required for a working CA root, as /etc/ssl/certs on a few
Linux distributions just contains a bunch of symlinks.
Container Linux and Debian have symlinks pointing to
/usr/share/ca-certificates, ArchLinux has symlinks pointing
to /etc/ca-certificates.
On Debian /etc/ssl/certs can also include symlinks pointing
to /usr/local/share/ca-certificates for local CA certificates.

Fix: kubeadm/#671

---

What this PR does / why we need it:

Without this PR, controller-manager and apiserver would lack a CA root on some Linux distro (ex: Container Linux) which for example break flexplugins which require a CA root [1].

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes kubernetes/kubeadm#671

Special notes for your reviewer:

Release note:

Mount additional paths required for a working CA root, for setups where /etc/ssl/certs doesn't contains certificates but just symlink.

/sig sig-kubeadm

[klausenbusk]

/assign @krousey

[dixudx]

/area kubeadm

[k8s-ci-robot]

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
• If you have done the above and are still having issues with the CLA being reported as unsigned, please email the CNCF helpdesk: helpdesk@rt.linuxfoundation.org

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[dixudx]

In your case, you can try to use config file to add extra volumes. Please refer to Using kubeadm init with a configuration file.

[dixudx]

I don't think we should include this.

[klausenbusk]

Dunno, it is required at least on Container Linux if you want a working CA root. Maybe we should just mention it on the Install kubeadm page?

[detiber]

I don't see any issue with adding this as a stopgap for now, since we are already special casing /etc/pki.

[jdumars]

/ok-to-test

[klausenbusk]

/retest

[klausenbusk]

@klausenbusk: The following test failed, say /retest to rerun them all:

I think the failed test is unrelated to this PR.

[klausenbusk]

I think the failed test is unrelated to this PR.

The test was fixed in master ~ 22 hours ago (#60730). I have just rebased the PR and force pushed.

[timothysc]

/cc @detiber @stealthybox - want to quick review.

[detiber]

I don't see any issue with adding this as a stopgap for now, since we are already special casing /etc/pki.

[detiber]

Comment needs to be updated to caCertsExtraVolumePaths

[detiber]

Outside of the minor comments, this looks okay to me as a bandaid fix.

[klausenbusk]

@detiber Good catch :) I have fixed the comments, rebased and squashed the commits.

[klausenbusk]

/test pull-kubernetes-e2e-kops-aws

[detiber]

/lgtm

[stealthybox]

Do we want to address the other paths for OS's mentioned in kubernetes/kubeadm#671 (comment) ?

[stealthybox]

Cc @klausenbusk

[klausenbusk]

Sorry about the late response, I will add the extra paths when I get home. :)

[klausenbusk]

Done..

[timothysc]

/approve

@stealthybox feel free to lgtm when you think the changes are ready.

[timothysc]

@stealthybox @detiber - requires re-eval b/c of PR change.

[detiber]

@stealthybox I do not believe that this will conflict with the other changes in flight, lgtm

[timothysc]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: detiber, klausenbusk, timothysc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• cmd/kubeadm/OWNERS [timothysc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[klausenbusk]

/test pull-kubernetes-node-e2e

Looks unrelated: There was a problem refreshing your current auth tokens: Unable to find the server at accounts.google.com

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 62655, 61711, 59122, 62853, 62390). If you want to cherry-pick this change to another branch, please follow the instructions here.