From 576873d3b153e10cc892865f97ec8a03a2a0c87c Mon Sep 17 00:00:00 2001
From: zhukov-d-man
Date: Mon, 26 Aug 2024 13:02:34 +0700
Subject: [PATCH] search-api: custom CA certificates support (#478)
---
 charts/search-api/README.md | 7 +++++
 charts/search-api/templates/_helpers.tpl | 22 ++++++++++++++
 charts/search-api/templates/configmap.yaml | 4 +++
 charts/search-api/templates/deployment.yaml | 32 +++++++++++++++++++--
 charts/search-api/values.yaml | 13 +++++++++
 5 files changed, 76 insertions(+), 2 deletions(-)
diff --git a/charts/search-api/README.md b/charts/search-api/README.md
index 231c18d09..4ab831791 100644
--- a/charts/search-api/README.md
+++ b/charts/search-api/README.md
@@ -142,6 +142,13 @@ See the [documentation](https://docs.2gis.com/en/on-premise/search) to learn abo
 | `nginx.resources.limits.cpu` | A CPU limit, e.g., `100m` | |
 | `nginx.resources.limits.memory` | A memory limit, e.g., `128Mi` | |
+### customCAs **Custom Certificate Authority**
+
+| Name | Description | Value |
+| --------------------- | --------------------------------------------------------------------------------------------------------------------------- | ----- |
+| `customCAs.bundle` | Custom CA [text representation of the X.509 PEM public-key certificate](https://www.rfc-editor.org/rfc/rfc7468#section-5.1) | `""` |
+| `customCAs.certsPath` | Custom CA bundle mount directory in the container. | `""` |
+
 ## Maintainers
diff --git a/charts/search-api/templates/_helpers.tpl b/charts/search-api/templates/_helpers.tpl
index aed8e4ca9..1ef711582 100644
--- a/charts/search-api/templates/_helpers.tpl
+++ b/charts/search-api/templates/_helpers.tpl
@@ -37,6 +37,28 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .registry (printf "%s:%s" .username .password | b64enc) | b64enc }}
 {{- end }}
+{{- define "search_api.env.custom.ca.path" -}}
+- name: SSL_CERT_FILE
+ value: {{ include "search_api.custom.ca.mountPath" . }}/custom-ca.crt
+{{- end }}
+
+{{- define "search_api.custom.ca.mountPath" -}}
+{{ .Values.customCAs.certsPath | default "/usr/local/share/ca-certificates" }}
+{{- end -}}
+
+{{- define "search_api.custom.ca.volumeMounts" -}}
+- name: custom-ca
+ mountPath: {{ include "search_api.custom.ca.mountPath" . }}/custom-ca.crt
+ subPath: custom-ca.crt
+ readOnly: true
+{{- end -}}
+
+{{- define "search_api.custom.ca.deploys.volumes" -}}
+- name: custom-ca
+ configMap:
+ name: {{ include "search_api.fullname" . }}
+{{- end -}}
+
 {{/*
 Return the target Kubernetes version
 */}}
diff --git a/charts/search-api/templates/configmap.yaml b/charts/search-api/templates/configmap.yaml
index b3e9fa14a..89c3071f9 100644
--- a/charts/search-api/templates/configmap.yaml
+++ b/charts/search-api/templates/configmap.yaml
@@ -74,3 +74,7 @@ data:
 }
 }
 }
+{{- if .Values.customCAs.bundle }}
+ custom-ca.crt: |-
+{{- .Values.customCAs.bundle | nindent 4 }}
+{{- end }}
diff --git a/charts/search-api/templates/deployment.yaml b/charts/search-api/templates/deployment.yaml
index 6fc6dd2ee..1e5d41d30 100644
--- a/charts/search-api/templates/deployment.yaml
+++ b/charts/search-api/templates/deployment.yaml
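Review bot: `search_api.env.custom.ca.path` points `SSL_CERT_FILE` at a file that contains only the custom bundle, and on several TLS stacks (OpenSSL, Go's crypto/x509) that variable overrides the default certificate file rather than adding to it, so public endpoints the containers also reach could stop verifying unless the bundle also carries the public roots; which endpoints are involved is not visible here. A comment in the define would make the trade-off explicit, e.g. `{{/* SSL_CERT_FILE overrides the default CA file on most TLS stacks; add public roots to customCAs.bundle if public endpoints are also used */}}`. The file name `custom-ca.crt` is spelled out in this define, in `search_api.custom.ca.volumeMounts` and again in the configmap.yaml hunk; a single helper returning the name would keep the three in step. A trailing slash in `customCAs.certsPath` yields `//custom-ca.crt`, harmless but avoidable with `trimSuffix "/"` in `search_api.custom.ca.mountPath`.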
@@ -4,9 +4,14 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: {{ include "search_api.fullname" . }}
- {{- if .Values.annotations }}
+ {{- if or .Values.annotations .Values.customCAs.bundle }}
 annotations:
- {{- toYaml .Values.annotations | nindent 4 }}
+ {{- if .Values.customCAs.bundle }}
+ checksum/config: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }}
+ {{- end }}
+ {{- with .Values.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- end }}
 labels:
 {{- include "search_api.labels" . | nindent 4 }}
@@ -53,6 +58,9 @@ spec:
 secretKeyRef:
 name: {{ include "search_api.fullname" . }}
 key: s3SecretKey
+ {{- if .Values.customCAs.bundle }}
+ {{- include "search_api.env.custom.ca.path" . | nindent 10 }}
+ {{- end }}
 command:
 - importer
 - --endpoint={{ required "Valid .Values.dgctlStorage.host required!" .Values.dgctlStorage.host }}
@@ -72,6 +80,9 @@ spec:
 mountPath: /etc/2gis
 - name: search-api-data
 mountPath: {{ .Values.api.dataDir }}
+ {{- if .Values.customCAs.bundle }}
+ {{- include "search_api.custom.ca.volumeMounts" . | nindent 12 }}
+ {{- end }}
 containers:
 - name: api
 image: {{ required "A valid .Values.dgctlDockerRegistry entry required" .Values.dgctlDockerRegistry }}/{{ .Values.api.image.repository }}:{{ .Values.api.image.tag }}
@@ -88,9 +99,16 @@ spec:
 mountPath: /etc/2gis
 - name: search-api-data
 mountPath: {{ .Values.api.dataDir }}
+ {{- if .Values.customCAs.bundle }}
+ {{- include "search_api.custom.ca.volumeMounts" . | nindent 12 }}
+ {{- end }}
 env:
 - name: REDEPLOY_LABEL
 value: "{{ .Values.redeployLabel }}"
+ {{- if .Values.customCAs.bundle }}
+ {{- include "search_api.env.custom.ca.path" . | nindent 12 }}
+ {{- end }}
+
 - name: nginx
 image: {{ required "A valid .Values.dgctlDockerRegistry entry required" .Values.dgctlDockerRegistry }}/{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}
 imagePullPolicy: {{ .Values.nginx.image.pullPolicy }}
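Review bot: The `checksum/config` annotation in the first hunk is emitted under the Deployment's own `metadata.annotations`, not under `spec.template.metadata.annotations`, and only a change to the pod template produces a new ReplicaSet; so a changed `customCAs.bundle` updates the ConfigMap and the Deployment object, but the pods are not rolled, and because the certificate is mounted with `subPath` (see `search_api.custom.ca.volumeMounts`) running containers keep the old file. Unless the pod template carries the same annotation somewhere outside these hunks, the `{{- if .Values.customCAs.bundle }}` / `checksum/config: ...` / `{{- end }}` lines belong under `spec.template.metadata.annotations`, and the Deployment-level condition can return to `{{- with .Values.annotations }}`. Hashing the whole configmap.yaml also redeploys on unrelated config edits, which is the usual Helm pattern and probably intended, but worth a one-line comment next to the annotation.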
@@ -122,6 +140,13 @@ spec:
 volumeMounts:
 - name: {{ include "search_api.name" $ }}-configmap
 mountPath: /etc/2gis
+ {{- if .Values.customCAs.bundle }}
+ {{- include "search_api.custom.ca.volumeMounts" . | nindent 12 }}
+ {{- end }}
+ env:
+ {{- if .Values.customCAs.bundle }}
+ {{- include "search_api.env.custom.ca.path" . | nindent 12 }}
+ {{- end }}
 volumes:
 - name: {{ include "search_api.name" . }}-configmap
 configMap:
@@ -133,6 +158,9 @@ spec:
 path: nginx.conf
 - name: search-api-data
 emptyDir: {}
+ {{- if .Values.customCAs.bundle }}
+ {{- include "search_api.custom.ca.deploys.volumes" . | nindent 8 }}
+ {{- end }}
 {{- with .Values.imagePullSecrets }}
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/search-api/values.yaml b/charts/search-api/values.yaml
index beb29a0aa..a2b3a94f0 100644
--- a/charts/search-api/values.yaml
+++ b/charts/search-api/values.yaml
@@ -189,3 +189,16 @@ ingress:
 # @extra nginx.resources.requests.memory A memory request, e.g., `128Mi`
 # @extra nginx.resources.limits.cpu A CPU limit, e.g., `100m`
 # @extra nginx.resources.limits.memory A memory limit, e.g., `128Mi`
+
+# @section customCAs **Custom Certificate Authority**
+
+# @param customCAs.bundle Custom CA [text representation of the X.509 PEM public-key certificate](https://www.rfc-editor.org/rfc/rfc7468#section-5.1)
+# @param customCAs.certsPath Custom CA bundle mount directory in the container.
+
+customCAs:
+ bundle: ''
+# bundle: |
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+ certsPath: ''
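Review bot: In the `@@ -122,6 +140,13 @@` hunk the new `env:` key of the nginx container is placed outside the `{{- if .Values.customCAs.bundle }}` guard, so with the default empty bundle it renders as a bare `env:` with no value, which YAML reads as `null`; the API server accepts that, but strict schema checks (`helm lint --strict`, kubeconform) may reject it. Moving `env:` one line down, inside the conditional and before the `include`, removes the empty key. Separately, nginx takes its upstream trust store from its own directives rather than from `SSL_CERT_FILE`, so the variable is likely inert for this container; if it is meant to affect proxied TLS, that needs confirming against the nginx configuration, which this diff does not touch. The `@@ -133,6 +158,9 @@` hunk is fine as written.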
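Review bot: `@param customCAs.certsPath` describes a mount directory with value `''`, but `search_api.custom.ca.mountPath` substitutes `/usr/local/share/ca-certificates` when it is empty, so the effective default is invisible to anyone reading values.yaml or the generated README. Suggested wording: `# @param customCAs.certsPath Directory where the custom CA bundle is mounted as custom-ca.crt; defaults to /usr/local/share/ca-certificates when empty.` The `@param customCAs.bundle` line could likewise say that the bundle is stored in the chart's ConfigMap and exported as `SSL_CERT_FILE`, since that is what the templates do. The commented example mixes indentation: `# bundle: |` is at column 0 while the `# -----BEGIN CERTIFICATE-----` lines are indented under `customCAs:`; indenting `# bundle: |` like the live `bundle: ''` lets the example be uncommented in place.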