fix: update ENC script CA certificate path (#62)

- Mount vault-ca-cert secret at /opt/vault-ca-cert.crt in both deployments
- Update cobbler-enc script to use correct CA certificate path
- Resolves OSError about missing TLS CA certificate bundle

Reviewed-on: #62
This commit was merged in pull request #62.
2026-03-20 23:05:35 +11:00
parent f474c5c530
commit 00cbb6a817
3 changed files with 13 additions and 1 deletions
@@ -96,6 +96,9 @@ spec:
readOnly: true readOnly: true
- mountPath: /opt/bin/ - mountPath: /opt/bin/
name: puppet-shared-bins name: puppet-shared-bins
- mountPath: /opt/vault-ca-cert.crt
name: vault-ca-cert
subPath: ca.crt
initContainers: initContainers:
- name: copy-configmaps - name: copy-configmaps
image: busybox:1.35 image: busybox:1.35
@@ -229,5 +232,8 @@ spec:
- name: puppet-shared-bins - name: puppet-shared-bins
persistentVolumeClaim: persistentVolumeClaim:
claimName: puppet-shared-bins claimName: puppet-shared-bins
- name: vault-ca-cert
secret:
secretName: vault-ca-cert
strategy: strategy:
type: RollingUpdate type: RollingUpdate
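Review bot: The new `vault-ca-cert` volumeMount uses `subPath: ca.crt`, and Kubernetes does not refresh subPath mounts when the underlying Secret changes, so after a CA rotation running pods keep the old file at `/opt/vault-ca-cert.crt` until they are restarted. The same mount is added to the second deployment's volumeMounts, so both are affected. Either mount the secret as a directory (for example `mountPath: /opt/vault-ca` with the script reading `/opt/vault-ca/ca.crt`), or keep the subPath and document the restart requirement with a comment such as `# subPath mount: not updated on Secret change; restart pods after rotating vault-ca-cert`. Adding `readOnly: true` to the mount would also match the neighbouring entries.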
@@ -95,6 +95,9 @@ spec:
readOnly: true readOnly: true
- mountPath: /opt/bin/ - mountPath: /opt/bin/
name: puppet-shared-bins name: puppet-shared-bins
- mountPath: /opt/vault-ca-cert.crt
name: vault-ca-cert
subPath: ca.crt
initContainers: initContainers:
- args: - args:
- mkdir -p /etc/puppetlabs/puppet/eyaml/keys; - mkdir -p /etc/puppetlabs/puppet/eyaml/keys;
@@ -168,3 +171,6 @@ spec:
- name: puppet-shared-bins - name: puppet-shared-bins
persistentVolumeClaim: persistentVolumeClaim:
claimName: puppet-shared-bins claimName: puppet-shared-bins
- name: vault-ca-cert
secret:
secretName: vault-ca-cert
+1 -1
@@ -20,7 +20,7 @@ def fetch_enc_data(cobbler_url: str, hostname: str) -> str:
""" """
url = f"{cobbler_url}/cblr/svc/op/puppet/hostname/{hostname}" url = f"{cobbler_url}/cblr/svc/op/puppet/hostname/{hostname}"
try: try:
response = requests.get(url, verify='/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem') response = requests.get(url, verify='/opt/vault-ca-cert.crt')
response.raise_for_status() response.raise_for_status()
except requests.RequestException as e: except requests.RequestException as e:
sys.exit(f"Request failed: {e}") sys.exit(f"Request failed: {e}")
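Review bot: The changed `requests.get` call passes no `timeout`, and `requests` applies none by default, so if the Cobbler endpoint accepts the connection and then stalls, the ENC script blocks indefinitely, presumably along with whatever invoked it for node classification. Suggest `response = requests.get(url, verify='/opt/vault-ca-cert.crt', timeout=10)`, with the value tuned to the environment. The CA path is now a literal that has to match the `mountPath` in both deployment manifests, so a module-level constant with a comment like `# CA file mounted from the vault-ca-cert secret by the puppet deployments` would make that coupling visible. `fetch_enc_data` starts before this hunk and may continue past it.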