From b327536060865d65c39ca4428be5ba012be362df Mon Sep 17 00:00:00 2001 From: jack <62025739+1602077@users.noreply.github.com> Date: Thu, 6 Jun 2024 15:44:59 +0200 Subject: [PATCH] deploy: /etc/krb5.conf.d/crypto-policies configurable via helm rather than being baked into dockerfile (#17) * move crypto-policies to be configurable via helm --- deployments/docker/Dockerfile | 4 --- deployments/docker/crypto-policies | 6 ----- deployments/helm/eosxd-csi/values.yaml | 37 ++++++++++++++++++++++---- 3 files changed, 32 insertions(+), 15 deletions(-) delete mode 100644 deployments/docker/crypto-policies diff --git a/deployments/docker/Dockerfile b/deployments/docker/Dockerfile index 2743779..b0efca1 100644 --- a/deployments/docker/Dockerfile +++ b/deployments/docker/Dockerfile @@ -46,10 +46,6 @@ LABEL description="EOSxd CSI Plugin" \ org.opencontainers.image.base.digest="" \ org.opencontainers.image.base.name="" -# Override the default list of accepted KRB ciphers by adding "arcfour-hmac-md5" -# to retain support for tickets created by cc7 clients. -COPY deployments/docker/crypto-policies /etc/krb5.conf.d/crypto-policies - COPY bin/linux-${TARGETARCH}/csi-driver /csi-driver COPY bin/linux-${TARGETARCH}/automount-runner /automount-runner COPY bin/linux-${TARGETARCH}/mount-reconciler /mount-reconciler diff --git a/deployments/docker/crypto-policies b/deployments/docker/crypto-policies deleted file mode 100644 index bb6d4d6..0000000 --- a/deployments/docker/crypto-policies +++ /dev/null @@ -1,6 +0,0 @@ -# Added by EOSxd CSI driver. -# Overrides the default list of accepted KRB ciphers by adding "arcfour-hmac-md5" -# to retain support for tickets created by cc7 clients. - -[libdefaults] -permitted_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96 diff --git a/deployments/helm/eosxd-csi/values.yaml b/deployments/helm/eosxd-csi/values.yaml index 0841c42..b5e0883 100644 
--- a/deployments/helm/eosxd-csi/values.yaml +++ b/deployments/helm/eosxd-csi/values.yaml @@ -11,6 +11,19 @@ extraSecrets: # These can be used e.g. when defining eosxd client configuration. # ConfigMap data supports go-template expressions. extraConfigMaps: + # /etc/krb5.conf.d/crypto-policies + # + # Required to override the default list of accepted KRB ciphers by adding + # "arcfour-hmac-md5" to retain support for tickets created by cc7 clients. + eos-csi-dir-etc-krb5-conf: + crypto-policies: | + # Added by EOSxd CSI driver. + # Overrides the default list of accepted KRB ciphers by adding "arcfour-hmac-md5" + # to retain support for tickets created by cc7 clients. + + [libdefaults] + permitted_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96 + eos-csi-dir-etc-auto-master-d: # /etc/auto.master.d/eos.autofs eos.autofs: | @@ -171,6 +184,9 @@ nodeplugin: secret: secretName: eos-csi-file-etc-eos-keytab defaultMode: 0400 + - name: eos-csi-dir-etc-krb5-conf + configMap: + name: eos-csi-dir-etc-krb5-conf # eosxd CSI image and container resources specs. plugin: @@ -181,7 +197,9 @@ nodeplugin: resources: {} # Extra volume mounts to append to nodeplugin's # Pod.spec.containers[name="nodeplugin"].volumeMounts. - extraVolumeMounts: [] + extraVolumeMounts: + - name: eos-csi-dir-etc-krb5-conf + mountPath: /etc/krb5.conf.d # eosxd CSI image and container resources specs. automount: @@ -202,6 +220,8 @@ nodeplugin: - name: etc-eos-keytab mountPath: /etc/eos.keytab subPath: eos.keytab + - name: eos-csi-dir-etc-krb5-conf + mountPath: /etc/krb5.conf.d mountreconciler: image: 
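Review bot: The `permitted_enctypes` value in the new `eos-csi-dir-etc-krb5-conf` ConfigMap makes `arcfour-hmac-md5` (RC4-HMAC, deprecated for Kerberos by RFC 8429) the chart default for every installation, and `permitted_enctypes` governs which session-key enctypes the krb5 library accepts at all, so RC4 is accepted in any ticket, not only those from cc7 clients. Now that the list lives in values.yaml the legacy enctype can be opt-in: ship the AES-only line `permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96` as the default and document adding `arcfour-hmac-md5` as a site override. If arcfour has to stay in the default for now, move it to the end of the list, because MIT krb5 may take the preference order of requested enctypes from `permitted_enctypes` when `default_tgs_enctypes`/`default_tkt_enctypes` are unset (confirm against the krb5 version in the image), and replace `# Required to override ...` with a comment that states the weakening and its removal condition, e.g. `# Compatibility weakening: accepts RC4-HMAC tickets from cc7 clients; drop once no cc7 clients remain.`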
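Review bot: Putting the krb5 mount into `nodeplugin.plugin.extraVolumeMounts` turns a user extension hook into a chart requirement: Helm replaces list values from an override file wholesale instead of merging them, so a values file that sets `extraVolumeMounts` for its own purpose, as the comment above the key invites, silently drops `/etc/krb5.conf.d` and the container runs with the image's stock enctype list, with nothing failing at install time; the `extraVolumes` entry in the previous hunk has the same problem. A mount the chart depends on belongs in the template itself, gated by a dedicated value (for example `krb5Config.enabled`), with `extraVolumeMounts` appended after it. If that is out of scope here, at least warn above the list: `# NOTE: overriding this list replaces the krb5 config mount below; re-add it in your values file.`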
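Review bot: `mountPath: /etc/krb5.conf.d` mounts the ConfigMap over the whole drop-in directory of the automount container, whereas the removed Dockerfile `COPY` only overwrote the single file `/etc/krb5.conf.d/crypto-policies`; any other drop-ins the base image ships in that directory (not visible in this diff) are hidden from the krb5 configuration. The `etc-eos-keytab` mount two lines above already uses the single-file pattern, so matching it keeps the old behaviour: `mountPath: /etc/krb5.conf.d/crypto-policies` and `subPath: crypto-policies`. A subPath mount does not receive later ConfigMap updates until the pod restarts, which is acceptable for a static enctype list. The same applies to the other `/etc/krb5.conf.d` mounts in this commit.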
@@ -211,7 +231,9 @@ nodeplugin: resources: {} # Extra volume mounts to append to nodeplugin's # Pod.spec.containers[name="mountreconciler"].volumeMounts. - extraVolumeMounts: [] + extraVolumeMounts: + - name: eos-csi-dir-etc-krb5-conf + mountPath: /etc/krb5.conf.d # csi-node-driver-registrar image and container resources specs. registrar: @@ -258,7 +280,7 @@ nodeplugin: dnsPolicy: ClusterFirstWithHostNet # CSI Controller plugin Deployment configuration. -# eosxd CSI supports volume provisioning, however the provisioned volumes only fulfill the role +# eosxd CSI supports volume provisioning, however the provisioned volumes only fulfil the role # of a reference to eosxd repositories used inside the CO (e.g. Kubernetes), and are not modifying # the eosxd store in any way. controllerplugin: @@ -269,7 +291,10 @@ controllerplugin: # Number of Deployment replicas. In general, one is sufficient. replicas: 1 - extraVolumes: [] + extraVolumes: + - name: eos-csi-dir-etc-krb5-conf + configMap: + name: eos-csi-dir-etc-krb5-conf # eosxd CSI image and container resources specs. plugin: @@ -278,7 +303,9 @@ controllerplugin: tag: v1.4.0 pullPolicy: IfNotPresent resources: {} - extraVolumeMounts: [] + extraVolumeMounts: + - name: eos-csi-dir-etc-krb5-conf + mountPath: /etc/krb5.conf.d # CSI external-provisioner image and container resources specs. provisioner:
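Review bot: The controller plugin now also receives the krb5 enctype override (`extraVolumes` in this hunk and `extraVolumeMounts` in the next), yet the comment touched in the `@@ -258` hunk says provisioned volumes are only references that never modify the eosxd store, which suggests the controller may not authenticate to EOS with Kerberos at all; whether it does is not visible in this diff. If it does not, these entries are dead configuration that still widens the accepted enctypes, RC4-HMAC included, in a component that needs none of them, and should be removed. If it does, a comment above the mount naming the controller operation that needs a Kerberos ticket, e.g. `# the controller presents a Kerberos credential for <operation>, so it needs the same enctype list as the node plugin`, would justify the mount for the next reader.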