From ae15aa6c28e4209e60a52ca6412b9c211f6866f5 Mon Sep 17 00:00:00 2001
From: Mohammed Naser
Date: Fri, 28 Jul 2017 12:08:31 -0400
Subject: [PATCH] Remove /etc/ssl/certs in the controller manager pod
For system such as Fedora Atomic, the CA bundle files which are contained in /etc/ssl/certs are symbolic links to /etc/pki. When configuring the controller manager to use an SSL endpoint, it will raise an error as it is unable to authenticate the SSL endpoint. This patch removes the host mount at /etc/ssl/certs. The Hyperkube images already ship a collection of CAs which are likely good for all needs.
Closes-Bug: #1708452
Change-Id: Ife2b60d1968482a8c3ab9b44abbe401c6230881c
---
 .../enable-kube-controller-manager-scheduler.sh | 12 ------------
 1 file changed, 12 deletions(-)
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/enable-kube-controller-manager-scheduler.sh b/magnum/drivers/common/templates/kubernetes/fragments/enable-kube-controller-manager-scheduler.sh
index a73f946763..cdec7a3342 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/enable-kube-controller-manager-scheduler.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/enable-kube-controller-manager-scheduler.sh
@@ -59,16 +59,10 @@ $(generate_pod_args " - " $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_MASTER $KUB
 initialDelaySeconds: ${SYSTEM_PODS_INITIAL_DELAY}
 timeoutSeconds: ${SYSTEM_PODS_TIMEOUT}
 volumeMounts:
- - mountPath: /etc/ssl/certs
- name: ssl-certs-host
- readOnly: true
 - mountPath: /etc/kubernetes
 name: kubernetes-config
 readOnly: true
 volumes:
- - hostPath:
- path: /etc/ssl/certs
- name: ssl-certs-host
 - hostPath:
 path: /etc/kubernetes
 name: kubernetes-config
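Review bot: Removing the `ssl-certs-host` mount here leaves the pod trusting only the CA set baked into the Hyperkube image, so a CA installed on the host (for example a private CA that signed the cloud API endpoint) is no longer visible and certificate verification against such an endpoint would fail. The trust store is then also frozen at the image version instead of following host updates, and the commit message only claims the image CAs are "likely" sufficient. If the real problem is that the entries under /etc/ssl/certs are links into /etc/pki, keeping the mount and adding a read-only hostPath for the link target would let them resolve, as sketched below (untested; volume name and indentation are illustrative because the page lost the original indentation). /etc/pki can also hold host key material, so the mount should be narrowed to the CA-trust subdirectory where the host layout allows it. The same removal is made in the second hunk at -105,16 +99,10, and both pod specs start and end outside the hunks.

```shell
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
    # target of the /etc/ssl/certs links on Fedora Atomic
    - mountPath: /etc/pki
      name: pki-host
      readOnly: true
    # … unchanged: /etc/kubernetes mount …
    volumes:
    - hostPath:
        path: /etc/ssl/certs
      name: ssl-certs-host
    - hostPath:
        path: /etc/pki
      name: pki-host
    # … unchanged: kubernetes-config volume …
```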
@@ -105,16 +99,10 @@ $(generate_pod_args " - " $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_MASTER $KUB
 initialDelaySeconds: ${SYSTEM_PODS_INITIAL_DELAY}
 timeoutSeconds: ${SYSTEM_PODS_TIMEOUT}
 volumeMounts:
- - mountPath: /etc/ssl/certs
- name: ssl-certs-host
- readOnly: true
 - mountPath: /etc/kubernetes
 name: kubernetes-config
 readOnly: true
 volumes:
- - hostPath:
- path: /etc/ssl/certs
- name: ssl-certs-host
 - hostPath:
 path: /etc/kubernetes
 name: kubernetes-config