Merge pull request #315 from metal-stack/hotfix-rvpn-audit

Fix volume names and TLS config for auditforwarder with reversed vpn
metal-stack · Jun 1, 2023 · 67c1f57 · 67c1f57
2 parents 885a4c0 + 09eb8f7
commit 67c1f57
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/pkg/webhook/controlplane/ensurer.go b/pkg/webhook/controlplane/ensurer.go
@@ -241,24 +241,28 @@ var (
 	}
 	reversedVpnVolumeMounts = []corev1.VolumeMount{
 		{
-			Name:      "kube-apiserver-http-proxy",
+			Name:      "ca-vpn",
 			MountPath: "/proxy/ca",
 			ReadOnly:  true,
 		},
 		{
-			Name:      "kube-aggregator",
+			Name:      "http-proxy",
 			MountPath: "/proxy/client",
 			ReadOnly:  true,
 		},
 	}
 	kubeAggregatorClientTlsEnvVars = []corev1.EnvVar{
+		{
+			Name:  "AUDIT_PROXY_CA_FILE",
+			Value: "/proxy/ca/bundle.crt",
+		},
 		{
 			Name:  "AUDIT_PROXY_CLIENT_CRT_FILE",
-			Value: "/proxy/client/kube-aggregator.crt",
+			Value: "/proxy/client/tls.crt",
 		},
 		{
 			Name:  "AUDIT_PROXY_CLIENT_KEY_FILE",
-			Value: "/proxy/client/kube-aggregator.key",
+			Value: "/proxy/client/tls.key",
 		},
 	}
 	auditForwarderSidecarTemplate = corev1.Container{
@@ -379,7 +383,7 @@ func ensureAuditForwarder(ps *corev1.PodSpec, auditToSplunk bool) error {
 
 	for _, volume := range ps.Volumes {
 		switch volume.Name {
-		case "kube-apiserver-http-proxy":
+		case "egress-selection-config":
 			proxyHost = "vpn-seed-server"
 		}
 	}