From 736e7a33ac5564e864437e777963ab1e6c42e077 Mon Sep 17 00:00:00 2001
From: Marcelo Moreira de Mello
Date: Fri, 15 May 2020 02:37:33 -0400
Subject: [PATCH] Fixes ca_trust_dir mapping for k8s and openshift
Signed-off-by: Marcelo Moreira de Mello
---
 installer/inventory | 2 ++
 .../roles/kubernetes/templates/deployment.yml.j2 | 13 +++++++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/installer/inventory b/installer/inventory
index 84a4b77b00..4b644ba21d 100644
--- a/installer/inventory
+++ b/installer/inventory
@@ -145,6 +145,8 @@ secret_key=awxsecret
 # CA Trust directory. If you need to provide custom CA certificates, supplying
 # this variable causes this directory on the host to be bind mounted over
 # /etc/pki/ca-trust in the awx_task and awx_web containers.
+# If you are deploying on openshift or kubernetes, set the variable to /etc/pki/ca-trust instead,
+# as the awx_web and awx_task containers will not run the `update-ca-trust` command.
 #ca_trust_dir=/etc/pki/ca-trust/source/anchors
 # Include /etc/nginx/awx_extra.conf
diff --git a/installer/roles/kubernetes/templates/deployment.yml.j2 b/installer/roles/kubernetes/templates/deployment.yml.j2
index 2da7d6ffaa..f5cf12cb99 100644
--- a/installer/roles/kubernetes/templates/deployment.yml.j2
+++ b/installer/roles/kubernetes/templates/deployment.yml.j2
@@ -93,6 +93,11 @@ spec:
 imagePullPolicy: Always
 ports:
 - containerPort: 8052
+{% if ca_trust_dir is defined %}
+ env:
+ - name: REQUESTS_CA_BUNDLE
+ value: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+{% endif %}
 volumeMounts:
 - name: supervisor-socket
 mountPath: "/var/run/supervisor"
@@ -102,7 +107,7 @@ spec:
 mountPath: "/var/lib/awx/rsyslog"
 {% if ca_trust_dir is defined %}
 - name: {{ kubernetes_deployment_name }}-ca-trust-dir
- mountPath: "/etc/pki/ca-trust/source/anchors/"
+ mountPath: "{{ ca_trust_dir }}"
 readOnly: true
 {% endif %}
 {% if project_data_dir is defined %}
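Review bot: The two comment lines added to the CA-trust block leave out the precondition they depend on: because the containers never run `update-ca-trust`, the directory supplied on OpenShift or Kubernetes must already contain an extracted bundle. I would append `# The directory must already hold extracted/pem/tls-ca-bundle.pem (generated with update-ca-trust where the directory is prepared),` and `# because nothing inside the awx_web and awx_task containers regenerates it.` The commented example on the following line still shows the `source/anchors` value, which the new text says not to use on these platforms, so a second example for the Kubernetes case would help.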
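Review bot: The `REQUESTS_CA_BUNDLE` entry added after `containerPort: 8052` is gated only on `ca_trust_dir is defined`, not on its value, although the bundle path it names is supplied by the mount only when `ca_trust_dir` is `/etc/pki/ca-trust`. With the `source/anchors` value that the inventory still shows as its example, the mount lands on the anchors directory and nothing regenerates the bundle, so the variable presumably points at the image's stock bundle and the custom CAs are silently not trusted. The same applies to the entry added in the hunk at -247. At minimum the template should say so, e.g. `{# REQUESTS_CA_BUNDLE only picks up custom CAs when ca_trust_dir is /etc/pki/ca-trust and holds a pre-extracted bundle #}`. The container spec continues outside the hunk, so it is worth confirming that this container has no other `env:` key, since most YAML parsers silently keep only the last duplicate.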
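Review bot: `mountPath: "{{ ca_trust_dir }}"` takes the in-container mount point straight from an inventory variable that the inventory comment describes as a directory on the host, with no check on its value. The same line is changed in the hunk at -188. Any value is accepted, so a typo or an unrelated path would mount the volume read-only over whatever the image has at that location, and certificate validation inside the pod would then depend on contents nobody intended to put there. Constraining the value before templating keeps the mount inside the trust store, for example an `assert` task with `that: ca_trust_dir is match('^/etc/pki/ca-trust(/|$)')`. The volume definition for `-ca-trust-dir` is outside the hunk, so whether the same variable is also the volume's source path cannot be confirmed from here.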
@@ -188,7 +193,7 @@ spec:
 mountPath: "/var/lib/awx/rsyslog"
 {% if ca_trust_dir is defined %}
 - name: {{ kubernetes_deployment_name }}-ca-trust-dir
- mountPath: "/etc/pki/ca-trust/source/anchors/"
+ mountPath: "{{ ca_trust_dir }}"
 readOnly: true
 {% endif %}
 {% if custom_venvs is defined %}
@@ -247,6 +252,10 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: status.podIP
+{% if ca_trust_dir is defined %}
+ - name: REQUESTS_CA_BUNDLE
+ value: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+{% endif %}
 resources:
 requests:
 memory: "{{ task_mem_request }}Gi"