/
nodecadaemon.yaml
80 lines (80 loc) · 2.36 KB
/
nodecadaemon.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: node-ca
namespace: openshift-image-registry
spec:
selector:
matchLabels:
name: node-ca
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 10%
template:
metadata:
annotations:
target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
labels:
name: node-ca
spec:
nodeSelector:
kubernetes.io/os: linux
priorityClassName: system-cluster-critical
tolerations:
- operator: Exists
hostNetwork: true # run as host network to tolerate unready networks
serviceAccountName: node-ca
containers:
- name: node-ca
securityContext:
privileged: true
runAsUser: 1001
runAsGroup: 0
image: docker.io/openshift/origin-cluster-image-registry-operator:latest
resources:
requests:
cpu: 10m
memory: 10Mi
command:
- "/bin/sh"
- "-c"
- |
trap 'jobs -p | xargs -r kill; echo shutting down node-ca; exit 0' TERM
while [ true ];
do
for f in $(ls /tmp/serviceca); do
echo $f
ca_file_path="/tmp/serviceca/${f}"
f=$(echo $f | sed -r 's/(.*)\.\./\1:/')
reg_dir_path="/etc/docker/certs.d/${f}"
if [ -e "${reg_dir_path}" ]; then
cp -u $ca_file_path $reg_dir_path/ca.crt
else
mkdir $reg_dir_path
cp $ca_file_path $reg_dir_path/ca.crt
fi
done
for d in $(ls /etc/docker/certs.d); do
echo $d
dp=$(echo $d | sed -r 's/(.*):/\1\.\./')
reg_conf_path="/tmp/serviceca/${dp}"
if [ ! -e "${reg_conf_path}" ]; then
rm -rf /etc/docker/certs.d/$d
fi
done
sleep 60 & wait ${!}
done
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- name: serviceca
mountPath: /tmp/serviceca
- name: host
mountPath: /etc/docker/certs.d
volumes:
- name: host
hostPath:
path: /etc/docker/certs.d
- name: serviceca
configMap:
name: image-registry-certificates