fix: create symlinks to /etc/ssl/certs

In order to accommodate the various ways that SSL certs are managed by
the different Linux distros, kubeadm creates control plane components
with volume mounts of the type DirectoryOrCreate to all well known SSL
cert locations. This change creates symlinks to /etc/ssl/certs at all the
well known paths to account for the fact that the rootfs is read-only.

Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
Andrew Rynhard 2019-07-16 22:57:20 +00:00
parent 8e8aae98dd
commit fe2b81f4b4


@ -67,11 +67,23 @@ func Prepare(s string, inContainer bool, data *userdata.UserData) (err error) {
}
// Create required directories that are not part of FHS.
for _, p := range []string{"/etc/kubernetes/manifests", "/etc/cni", "/var/lib/kubelet", "/var/log/pods", "/usr/libexec/kubernetes"} {
if err = os.MkdirAll(filepath.Join(s, p), 0700); err != nil {
for _, path := range []string{"/etc/kubernetes/manifests", "/etc/cni", "/var/lib/kubelet", "/var/log/pods", "/usr/libexec/kubernetes"} {
if err = os.MkdirAll(filepath.Join(s, path), 0700); err != nil {
return err
}
}
// Create symlinks to /etc/ssl/certs as required by the control plane.
for _, path := range []string{"/etc/pki", "/usr/share/ca-certificates", "/usr/local/share/ca-certificates", "/etc/ca-certificates"} {
if _, err = os.Stat(path); os.IsNotExist(err) {
target := filepath.Join(s, path)
if err = os.MkdirAll(filepath.Dir(target), 0700); err != nil {
return err
}
if err = os.Symlink("/etc/ssl/certs", target); err != nil {
return err
}
}
}
// Create /etc/os-release.
if err = etc.OSRelease(s); err != nil {
return
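Review bot: The existence check in the new symlink loop calls `os.Stat(path)` on the unprefixed path, while the link is created at `filepath.Join(s, path)`, so the check and the write look at different trees whenever `s` is not `/`. Because `os.Stat` follows links, a link already present at the target that does not resolve would read as missing, and `os.Symlink` would then fail with an already-exists error on a repeat run. Computing the target first and testing it without following links covers both cases: `target := filepath.Join(s, path)` followed by `if _, err = os.Lstat(target); os.IsNotExist(err) {`. A stat error other than not-exist is skipped silently here, and the parent directories (for example the one above `ca-certificates`) are created with mode 0700, which may leave the CA paths unreadable to non-root processes; both are worth a comment or an explicit decision. Prepare's body starts and ends outside the hunk.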