kbsLocalCertCacheSpec mountPath is optional

lmilleri · lmilleri · commit f6e2a9abb77e · 2025-10-14T14:59:07.000+01:00
Signed-off-by: Leonardo Milleri &lt;lmilleri@redhat.com&gt;
diff --git a/api/v1alpha1/kbsconfig_types.go b/api/v1alpha1/kbsconfig_types.go
@@ -55,6 +55,8 @@ type KbsLocalCertCacheEntry struct {
 	// SecretName is the name of the secret that maps to a local directory containing the certificates
 	SecretName string `json:"secretName"`
 	// MountPath is the destination path in the trustee file system
+	// The default path is "/etc/kbs/certs" if not specified by the user
+	// +optional
 	MountPath string `json:"mountPath"`
 }
 
diff --git a/bundle/manifests/confidentialcontainers.org_kbsconfigs.yaml b/bundle/manifests/confidentialcontainers.org_kbsconfigs.yaml
@@ -114,15 +114,15 @@ spec:
                         cache entry with secret and mount path
                       properties:
                         mountPath:
-                          description: MountPath is the destination path in the trustee
-                            file system
+                          description: |-
+                            MountPath is the destination path in the trustee file system
+                            The default path is "/etc/kbs/certs" if not specified by the user
                           type: string
                         secretName:
                           description: SecretName is the name of the secret that maps
                             to a local directory containing the certificates
                           type: string
                       required:
-                      - mountPath
                       - secretName
                       type: object
                     type: array
diff --git a/config/crd/bases/confidentialcontainers.org_kbsconfigs.yaml b/config/crd/bases/confidentialcontainers.org_kbsconfigs.yaml
@@ -114,15 +114,15 @@ spec:
                         cache entry with secret and mount path
                       properties:
                         mountPath:
-                          description: MountPath is the destination path in the trustee
-                            file system
+                          description: |-
+                            MountPath is the destination path in the trustee file system
+                            The default path is "/etc/kbs/certs" if not specified by the user
                           type: string
                         secretName:
                           description: SecretName is the name of the secret that maps
                             to a local directory containing the certificates
                           type: string
                       required:
-                      - mountPath
                       - secretName
                       type: object
                     type: array
diff --git a/docs/disconnected.md b/docs/disconnected.md
@@ -38,6 +38,7 @@ spec:
 ```
 
 The `VCEK.crt` certificate will be mounted in the trustee `mountPath` directory.
+The `mountPath` directory defaults to `/etc/kbs/certs` if not provided by the user.
 
 ### Multiple Certificates
 
@@ -54,12 +55,12 @@ spec:
   # ...
   kbsLocalCertCacheSpec:
     secrets:
-    - secretName: vcek-secret
-      mountPath: "/etc/kbs/snp/ek"
-    - secretName: ca-certs-secret
-      mountPath: "/etc/ssl/certs"
-    - secretName: client-certs-secret
-      mountPath: "/etc/ssl/client-certs"
+    - secretName: vcek-milan
+      mountPath: "/etc/kbs/snp/ek/milan"
+    - secretName: vcek-genoa
+      mountPath: "/etc/kbs/snp/ek/genoa"
+    - secretName: vcek-turin
+      mountPath: "/etc/kbs/snp/ek/turin"
 ```
 
 Each secret will be mounted to its specified `mountPath` in the trustee file system.
diff --git a/internal/controller/common.go b/internal/controller/common.go
@@ -76,6 +76,9 @@ const (
 
 	// default attestation policy filename for cpu
 	defaultAttestationCpuPolicy = "default_cpu.rego"
+
+	// default directory for locally cached certificates
+	kbsDefaultLocalCacheDir = "/etc/kbs/certs"
 )
 
 func contains(list []string, s string) bool {
diff --git a/internal/controller/kbsconfig_controller.go b/internal/controller/kbsconfig_controller.go
@@ -427,6 +427,9 @@ func (r *KbsConfigReconciler) newKbsDeployment(ctx context.Context) (*appsv1.Dep
 			return nil, err
 		}
 		volumes = append(volumes, *volume)
+		if certCacheEntry.MountPath == "" {
+			certCacheEntry.MountPath = kbsDefaultLocalCacheDir
+		}
 		volumeMount = createVolumeMount(volume.Name, certCacheEntry.MountPath)
 		kbsVM = append(kbsVM, volumeMount)
 	}

Original file line number	Diff line number	Diff line change
`@@ -55,6 +55,8 @@ type KbsLocalCertCacheEntry struct {`
`55`	`55`	`// SecretName is the name of the secret that maps to a local directory containing the certificates`
`56`	`56`	SecretName string `json:"secretName"`
`57`	`57`	`// MountPath is the destination path in the trustee file system`
	`58`	`+ // The default path is "/etc/kbs/certs" if not specified by the user`
	`59`	`+ // +optional`
`58`	`60`	MountPath string `json:"mountPath"`
`59`	`61`	`}`
`60`	`62`
Original file line number	Diff line number	Diff line change
`@@ -76,6 +76,9 @@ const (`
`76`	`76`
`77`	`77`	`// default attestation policy filename for cpu`
`78`	`78`	`defaultAttestationCpuPolicy = "default_cpu.rego"`
	`79`	`+`
	`80`	`+ // default directory for locally cached certificates`
	`81`	`+ kbsDefaultLocalCacheDir = "/etc/kbs/certs"`
`79`	`82`	`)`
`80`	`83`
`81`	`84`	`func contains(list []string, s string) bool {`
Original file line number	Diff line number	Diff line change
`@@ -427,6 +427,9 @@ func (r KbsConfigReconciler) newKbsDeployment(ctx context.Context) (appsv1.Dep`
`427`	`427`	`return nil, err`
`428`	`428`	`}`
`429`	`429`	`volumes = append(volumes, *volume)`
	`430`	`+ if certCacheEntry.MountPath == "" {`
	`431`	`+ certCacheEntry.MountPath = kbsDefaultLocalCacheDir`
	`432`	`+ }`
`430`	`433`	`volumeMount = createVolumeMount(volume.Name, certCacheEntry.MountPath)`
`431`	`434`	`kbsVM = append(kbsVM, volumeMount)`
`432`	`435`	`}`