Add custom root ca certificate via configmap

Signed-off-by: Brant Evans <bevans@redhat.com>

installer/inventory

@@ -91,6 +91,12 @@ pg_database=awx
 pg_port=5432
 #pg_sslmode=require
 
+# If requiring SSL communication (e.g. pg_sslmode='verify-full') with Postgres
+# and using a self-signed certificate or a certificate signed by a custom CA
+# set pg_root_ca_file to a file containing the self-signed certificate or the
+# root CA certificate chain.
+# pg_root_ca_file='example_root_ca.crt'
+
 # The following variable is only required when using the provided
 # containerized postgres deployment on OpenShift
 # pg_admin_password=postgrespass

installer/roles/kubernetes/tasks/main.yml

@@ -201,6 +201,34 @@
   set_fact:
     kubernetes_deployment_api_version: "{{ 'apps/v1' if kube_api_version is version('1.9', '>=') else 'apps/v1beta1' }}"
 
+- name: Use Custom Root CA file for PosgtreSQL SSL communication
+  block:
+    - name: Get Root CA file contents
+      set_fact:
+        postgres_root_ca_cert: "{{ lookup('file', pg_root_ca_file) }}"
+      no_log: true
+
+    - name: Render Root CA template
+      set_fact:
+        postgres_root_ca: "{{ lookup('template', 'postgres_root_ca.yml.j2') }}"
+      no_log: true
+
+    - name: Apply Root CA template
+      shell: |
+        echo {{ postgres_root_ca | quote }} | {{ kubectl_or_oc }} apply -f -
+      no_log: true
+
+    - name: Set Root CA file name
+      set_fact:
+        postgres_root_ca_filename: 'postgres_root_ca.crt'
+
+    - name: Set Root CA file location
+      set_fact:
+        ca_trust_bundle: '/etc/tower/{{ postgres_root_ca_filename }}'
+  when:
+    - pg_root_ca_file is defined
+    - pg_root_ca_file != ''
+
 - name: Render deployment templates
   set_fact:
     "{{ item }}": "{{ lookup('template', item + '.yml.j2') }}"

installer/roles/kubernetes/templates/deployment.yml.j2

@@ -171,6 +171,12 @@ spec:
               value: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 {% endif %}
           volumeMounts:
+{% if postgres_root_ca_cert is defined %}
+            - name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
+              mountPath: {{ ca_trust_bundle }}
+              subPath: {{ postgres_root_ca_filename }}
+              readOnly: true
+{% endif %}
             - name: supervisor-socket
               mountPath: "/var/run/supervisor"
             - name: rsyslog-socket
@@ -258,6 +264,12 @@ spec:
             - /usr/bin/launch_awx_task.sh
           imagePullPolicy: Always
           volumeMounts:
+{% if postgres_root_ca_cert is defined %}
+            - name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
+              mountPath: {{ ca_trust_bundle }}
+              subPath: {{ postgres_root_ca_filename }}
+              readOnly: true
+{% endif %}
             - name: supervisor-socket
               mountPath: "/var/run/supervisor"
             - name: rsyslog-socket
@@ -386,6 +398,14 @@ spec:
 {{ affinity | to_nice_yaml(indent=2) | indent(width=8, indentfirst=True) }}
 {% endif %}
       volumes:
+{% if postgres_root_ca_cert is defined %}
+        - name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
+          configMap:
+            name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
+            items:
+            - key: postgres_root_ca.crt
+              path: postgres_root_ca.crt
+{% endif %}
         - name: supervisor-socket
           emptyDir: {}
         - name: rsyslog-socket

installer/roles/kubernetes/templates/management-pod.yml.j2

@@ -25,7 +25,12 @@ spec:
           mountPath: "/etc/tower/settings.py"
           subPath: settings.py
           readOnly: true
-
+{% if postgres_root_ca_cert is defined %}
+        - name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
+          mountPath: {{ ca_trust_bundle }}
+          subPath: {{ postgres_root_ca_filename }}
+          readOnly: true
+{% endif %}
         - name: "{{ kubernetes_deployment_name }}-application-credentials"
           mountPath: "/etc/tower/conf.d/"
           readOnly: true
@@ -70,7 +75,14 @@ spec:
         items:
           - key: {{ kubernetes_deployment_name }}_settings
             path: settings.py
-
+{% if postgres_root_ca_cert is defined %}
+    - name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
+      configMap:
+        name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
+        items:
+        - key: postgres_root_ca.crt
+          path: postgres_root_ca.crt
+{% endif %}
     - name: {{ kubernetes_deployment_name }}-secret-key
       secret:
         secretName: "{{ kubernetes_deployment_name }}-secrets"

installer/roles/kubernetes/templates/postgres_root_ca.yml.j2

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ kubernetes_deployment_name }}-postgres-root-ca-cert
+  namespace: {{ kubernetes_namespace }}
+data:
+  postgres_root_ca.crt: |
+    {{ postgres_root_ca_cert | indent(width=4) }}