deploy: /etc/krb5.conf.d/crypto-policies configurable via helm rather…

… than being baked into dockerfile (#17)

* move crypto-policies to be configurable via helm

deployments/docker/Dockerfile

@@ -46,10 +46,6 @@ LABEL description="EOSxd CSI Plugin" \
       org.opencontainers.image.base.digest="" \
       org.opencontainers.image.base.name=""
 
-# Override the default list of accepted KRB ciphers by adding "arcfour-hmac-md5"
-# to retain support for tickets created by cc7 clients.
-COPY deployments/docker/crypto-policies /etc/krb5.conf.d/crypto-policies
-
 COPY bin/linux-${TARGETARCH}/csi-driver /csi-driver
 COPY bin/linux-${TARGETARCH}/automount-runner /automount-runner
 COPY bin/linux-${TARGETARCH}/mount-reconciler /mount-reconciler

deployments/helm/eosxd-csi/values.yaml

@@ -11,6 +11,19 @@ extraSecrets:
 # These can be used e.g. when defining eosxd client configuration.
 # ConfigMap data supports go-template expressions.
 extraConfigMaps:
+  # /etc/krb5.conf.d/crypto-policies
+  #
+  # Required to override the default list of accepted KRB ciphers by adding
+  # "arcfour-hmac-md5" to retain support for tickets created by cc7 clients.
+  eos-csi-dir-etc-krb5-conf:
+    crypto-policies: |
+      # Added by EOSxd CSI driver.
+      # Overrides the default list of accepted KRB ciphers by adding "arcfour-hmac-md5"
+      # to retain support for tickets created by cc7 clients.
+
+      [libdefaults]
+      permitted_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96
+
   eos-csi-dir-etc-auto-master-d:
     # /etc/auto.master.d/eos.autofs
     eos.autofs: |
@@ -171,6 +184,9 @@ nodeplugin:
       secret:
         secretName: eos-csi-file-etc-eos-keytab
         defaultMode: 0400
+    - name: eos-csi-dir-etc-krb5-conf
+      configMap:
+        name: eos-csi-dir-etc-krb5-conf
 
   # eosxd CSI image and container resources specs.
   plugin:
@@ -181,7 +197,9 @@ nodeplugin:
     resources: {}
     # Extra volume mounts to append to nodeplugin's
     # Pod.spec.containers[name="nodeplugin"].volumeMounts.
-    extraVolumeMounts: []
+    extraVolumeMounts:
+      - name: eos-csi-dir-etc-krb5-conf
+        mountPath: /etc/krb5.conf.d
 
   # eosxd CSI image and container resources specs.
   automount:
@@ -202,6 +220,8 @@ nodeplugin:
       - name: etc-eos-keytab
         mountPath: /etc/eos.keytab
         subPath: eos.keytab
+      - name: eos-csi-dir-etc-krb5-conf
+        mountPath: /etc/krb5.conf.d
 
   mountreconciler:
     image:
@@ -211,7 +231,9 @@ nodeplugin:
     resources: {}
     # Extra volume mounts to append to nodeplugin's
     # Pod.spec.containers[name="mountreconciler"].volumeMounts.
-    extraVolumeMounts: []
+    extraVolumeMounts:
+      - name: eos-csi-dir-etc-krb5-conf
+        mountPath: /etc/krb5.conf.d
 
   # csi-node-driver-registrar image and container resources specs.
   registrar:
@@ -258,7 +280,7 @@ nodeplugin:
   dnsPolicy: ClusterFirstWithHostNet
 
 # CSI Controller plugin Deployment configuration.
-# eosxd CSI supports volume provisioning, however the provisioned volumes only fulfill the role
+# eosxd CSI supports volume provisioning, however the provisioned volumes only fulfil the role
 # of a reference to eosxd repositories used inside the CO (e.g. Kubernetes), and are not modifying
 # the eosxd store in any way.
 controllerplugin:
@@ -269,7 +291,10 @@ controllerplugin:
   # Number of Deployment replicas. In general, one is sufficient.
   replicas: 1
 
-  extraVolumes: []
+  extraVolumes:
+    - name: eos-csi-dir-etc-krb5-conf
+      configMap:
+        name: eos-csi-dir-etc-krb5-conf
 
   # eosxd CSI image and container resources specs.
   plugin:
@@ -278,7 +303,9 @@ controllerplugin:
       tag: v1.4.0
       pullPolicy: IfNotPresent
     resources: {}
-    extraVolumeMounts: []
+    extraVolumeMounts:
+      - name: eos-csi-dir-etc-krb5-conf
+        mountPath: /etc/krb5.conf.d
 
   # CSI external-provisioner image and container resources specs.
   provisioner: