add custom ca for navi-castle, navi-restrictions, navi-async-matrix

2gis · Sep 27, 2024 · e70600f · e70600f
1 parent 59b7f91
commit e70600f
Show file tree

Hide file tree

Showing 17 changed files with 203 additions and 0 deletions.
diff --git a/charts/navi-async-matrix/README.md b/charts/navi-async-matrix/README.md
@@ -202,6 +202,13 @@ See the [documentation](https://docs.2gis.com/en/on-premise/navigation/distance-
 | `keys.url`   | API keys service URL, ex: http://keys-api.svc/service/v1/keys. **Required** | `""`  |
 | `keys.token` | API token to authorize at the service. **Required**                         | `""`  |
 
+### customCAs **Custom Certificate Authority**
+
+| Name                  | Description                                                                                                                 | Value |
+| --------------------- | --------------------------------------------------------------------------------------------------------------------------- | ----- |
+| `customCAs.bundle`    | Custom CA [text representation of the X.509 PEM public-key certificate](https://www.rfc-editor.org/rfc/rfc7468#section-5.1) | `""`  |
+| `customCAs.certsPath` | Custom CA bundle mount directory in the container. If empty, the default value: "/usr/local/share/ca-certificates"          | `""`  |
+
 
 ## Maintainers
 

diff --git a/charts/navi-async-matrix/templates/_helpers.tpl b/charts/navi-async-matrix/templates/_helpers.tpl
@@ -212,3 +212,12 @@ Name for psql secret and volume
 {{- define "navi-async-matrix.fullname-psql" -}}
 {{- printf "%s-psql" (include "navi-async-matrix.fullname" .) -}}
 {{- end }}
+
+{{/*
+Set custom CAs mount path
+Usage:
+{{ include "custom.ca.mountPath" $ }}
+*/}}
+{{- define "custom.ca.mountPath" -}}
+{{ .Values.customCAs.certsPath | default "/usr/local/share/ca-certificates" }}
+{{- end -}}
diff --git a/charts/navi-async-matrix/templates/configmap-ca.yaml b/charts/navi-async-matrix/templates/configmap-ca.yaml
@@ -0,0 +1,10 @@
+
+{{- if .Values.customCAs.bundle }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "navi-async-matrix.fullname" . }}-ca
+data:
+  custom-ca.crt: |-
+    {{- .Values.customCAs.bundle | nindent 4 }}
+{{- end }}
diff --git a/charts/navi-async-matrix/templates/statefulset.yaml b/charts/navi-async-matrix/templates/statefulset.yaml
@@ -33,6 +33,9 @@ spec:
         {{- end }}
         checksum/config: {{ (include (print $.Template.BasePath "/configmap.yaml") . | fromYaml).data | toYaml | sha256sum }}
         checksum/secret: {{ (include (print $.Template.BasePath "/secret.yaml") . | fromYaml).data | toYaml | sha256sum }}
+        {{- if .Values.customCAs.bundle }}
+        checksum/custom-ca: {{ (include (print $.Template.BasePath "/configmap-ca.yaml") . | fromYaml).data | toYaml | sha256sum }}
+        {{- end }}
       {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -93,6 +96,11 @@ spec:
         - name: {{ include "navi-async-matrix.fullname-psql" . | quote }}
           emptyDir: {}
       {{- end }}
+      {{- if .Values.customCAs.bundle }}
+        - name: {{ include "navi-async-matrix.fullname" . }}-ca
+          configMap:
+            name: {{ include "navi-async-matrix.fullname" . }}-ca
+      {{- end }}
       initContainers:
         {{- if .Values.db.tls.enabled }}
         - name: copy-certs
@@ -155,6 +163,11 @@ spec:
           - name: {{ printf "%s-psql" (include "navi-async-matrix.fullname" .) | quote }}
             mountPath: /etc/2gis/secret/psql
           {{- end }}
+          {{- if .Values.customCAs.bundle }}
+          - name: {{ include "navi-async-matrix.fullname" . }}-ca
+            mountPath: {{ include "custom.ca.mountPath" . }}/custom-ca.crt
+            subPath: custom-ca.crt
+          {{- end }}
           env:
             - name: DM_ASYNC_SERVICE_HOST
               value: {{ .Values.dm.host | quote }}
@@ -263,3 +276,7 @@ spec:
                 secretKeyRef:
                   name: {{ include "navi-async-matrix.fullname" . | quote }}
                   key: dmApiKey
+            {{- if .Values.customCAs.bundle }}
+            - name: SSL_CERT_FILE
+              value: {{ include "custom.ca.mountPath" . }}/custom-ca.crt
+            {{- end }}
diff --git a/charts/navi-async-matrix/values.yaml b/charts/navi-async-matrix/values.yaml
@@ -389,3 +389,17 @@ bss:
 keys:
   url: ''
   token: ''
+
+
+# @section customCAs **Custom Certificate Authority**
+
+# @param customCAs.bundle Custom CA [text representation of the X.509 PEM public-key certificate](https://www.rfc-editor.org/rfc/rfc7468#section-5.1)
+# @param customCAs.certsPath Custom CA bundle mount directory in the container. If empty, the default value: "/usr/local/share/ca-certificates"
+
+customCAs:
+  bundle: ''
+# bundle: |
+    # -----BEGIN CERTIFICATE-----
+    # ...
+    # -----END CERTIFICATE-----
+  certsPath: ''
diff --git a/charts/navi-castle/README.md b/charts/navi-castle/README.md
@@ -150,6 +150,13 @@ See the [documentation](https://docs.2gis.com/en/on-premise/navigation) to learn
 | `persistentVolume.storageClass` | Volume [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/). | `ceph-csi-rbd`      |
 | `persistentVolume.size`         | Volume size.                                                                          | `5Gi`               |
 
+### customCAs **Custom Certificate Authority**
+
+| Name                  | Description                                                                                                                 | Value |
+| --------------------- | --------------------------------------------------------------------------------------------------------------------------- | ----- |
+| `customCAs.bundle`    | Custom CA [text representation of the X.509 PEM public-key certificate](https://www.rfc-editor.org/rfc/rfc7468#section-5.1) | `""`  |
+| `customCAs.certsPath` | Custom CA bundle mount directory in the container. If empty, the default value: "/usr/local/share/ca-certificates"          | `""`  |
+
 
 ## Maintainers
 

diff --git a/charts/navi-castle/templates/_helpers.tpl b/charts/navi-castle/templates/_helpers.tpl
@@ -83,3 +83,13 @@ Determine --service parameter for a specific cron job flavor
 {{- define "castle.serviceParameter" -}}
 {{- eq "restrictionImport" .flavor | ternary "import-restrictions" .flavor -}}
 {{- end -}}
+
+
+{{/*
+Set custom CAs mount path
+Usage:
+{{ include "custom.ca.mountPath" $ }}
+*/}}
+{{- define "custom.ca.mountPath" -}}
+{{ .Values.customCAs.certsPath | default "/usr/local/share/ca-certificates" }}
+{{- end -}}
diff --git a/charts/navi-castle/templates/configmap-ca.yaml b/charts/navi-castle/templates/configmap-ca.yaml
@@ -0,0 +1,9 @@
+{{- if .Values.customCAs.bundle }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "castle.fullname" . }}-ca
+data:
+  custom-ca.crt: |-
+    {{- .Values.customCAs.bundle | nindent 4 }}
+{{- end }}
diff --git a/charts/navi-castle/templates/cronjob.yaml b/charts/navi-castle/templates/cronjob.yaml
@@ -38,6 +38,11 @@ spec:
           - name: {{ include "castle.fullname" $ }}-builder-config
             configMap:
               name: {{ include "castle.fullname" $ }}-builder-config
+          {{- if .Values.customCAs.bundle }}
+          - name: {{ include "castle.fullname" $ }}-ca
+            configMap:
+              name: {{ include "castle.fullname" $ }}-ca
+          {{- end }}
           containers:
             - name: castle-cron
               image: {{ required "A valid .Values.dgctlDockerRegistry entry required" $.Values.dgctlDockerRegistry }}/{{ $.Values.castle.image.repository }}:{{ $.Values.castle.image.tag | default $.Chart.AppVersion }}
@@ -48,13 +53,23 @@ spec:
               - /opt/config_builder.conf
               - --service={{ include "castle.serviceParameter" ( dict "flavor" $flavor ) }}
               - --jobs={{ $.Values.castle.jobs | default 1 | int }}
+              {{- if .Values.customCAs.bundle }}
+              env:
+              - name: SSL_CERT_FILE
+                value: {{ include "custom.ca.mountPath" . }}/custom-ca.crt
+              {{- end }}
               volumeMounts:
               - name: {{ include "castle.fullname" $ }}-builder-config
                 mountPath: /opt/config_builder.conf
                 subPath: config_builder.conf
               - name: {{ include "castle.fullname" $ }}-builder-config
                 mountPath: {{ $.Values.castle.castleDataPath }}/cities_template
                 subPath: cities_template
+              {{- if .Values.customCAs.bundle }}
+              - name: {{ include "castle.fullname" $ }}-ca
+                mountPath: {{ include "custom.ca.mountPath" . }}/custom-ca.crt
+                subPath: custom-ca.crt
+              {{- end }}
               - name: {{ include "castle.fullname" $ }}-pvc
                 mountPath: {{ $.Values.castle.castleDataPath }}
               resources:

diff --git a/charts/navi-castle/templates/statefulset.yaml b/charts/navi-castle/templates/statefulset.yaml
@@ -25,6 +25,9 @@ spec:
         checksum/configbuilder: {{ include (print $.Template.BasePath "/configmapbuilder.yaml") . | sha256sum }}
         checksum/configbuilder-runnable: {{ include (print $.Template.BasePath "/configmapbuilder-runnable.yaml") . | sha256sum }}
         checksum/confignginx: {{ include (print $.Template.BasePath "/configmapnginx.yaml") . | sha256sum }}
+        {{- if .Values.customCAs.bundle }}
+        checksum/custom-ca: {{ (include (print $.Template.BasePath "/configmap-ca.yaml") . | fromYaml).data | toYaml | sha256sum }}
+        {{- end }}
       {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -49,6 +52,11 @@ spec:
         - name: {{ include "castle.fullname" . }}-castle-nginx-config
           configMap:
             name: {{ include "castle.fullname" . }}-castle-nginx-config
+        {{- if .Values.customCAs.bundle }}
+        - name: {{ include "castle.fullname" $ }}-ca
+          configMap:
+            name: {{ include "castle.fullname" $ }}-ca
+        {{- end }}
         {{- if (not .Values.persistentVolume.enabled) }}
         - name: {{ include "castle.fullname" . }}-data
           emptyDir: {}
@@ -97,6 +105,11 @@ spec:
           command: ["/tini","--"]
           args:
           - /opt/update_services_init.sh
+          env:
+          {{- if .Values.customCAs.bundle }}
+          - name: SSL_CERT_FILE
+            value: {{ include "custom.ca.mountPath" . }}/custom-ca.crt
+          {{- end }}
           resources:
             {{- toYaml $.Values.resources | nindent 12 }}
           startupProbe:
@@ -130,6 +143,11 @@ spec:
           - name: {{ include "castle.fullname" $ }}-builder-config
             mountPath: /opt/update_services
             subPath: update_services
+          {{- if .Values.customCAs.bundle }}
+          - name: {{ include "castle.fullname" $ }}-ca
+            mountPath: {{ include "custom.ca.mountPath" . }}/custom-ca.crt
+            subPath: custom-ca.crt
+          {{- end }}
           {{- if .Values.persistentVolume.enabled }}
           - name: {{ include "castle.fullname" . }}-pvc
             mountPath: {{ .Values.castle.castleDataPath }}

diff --git a/charts/navi-castle/values.yaml b/charts/navi-castle/values.yaml
@@ -205,3 +205,16 @@ persistentVolume:
   - ReadWriteOnce
   storageClass: ceph-csi-rbd
   size: 5Gi
+
+# @section customCAs **Custom Certificate Authority**
+
+# @param customCAs.bundle Custom CA [text representation of the X.509 PEM public-key certificate](https://www.rfc-editor.org/rfc/rfc7468#section-5.1)
+# @param customCAs.certsPath Custom CA bundle mount directory in the container. If empty, the default value: "/usr/local/share/ca-certificates"
+
+customCAs:
+  bundle: ''
+# bundle: |
+    # -----BEGIN CERTIFICATE-----
+    # ...
+    # -----END CERTIFICATE-----
+  certsPath: ''
diff --git a/charts/navi-restrictions/README.md b/charts/navi-restrictions/README.md
@@ -174,6 +174,13 @@ See the [documentation](https://docs.2gis.com/en/on-premise/restrictions) to lea
 | `cron.resources.limits.cpu`      | A CPU limit                     | `1000m`  |
 | `cron.resources.limits.memory`   | A memory limit                  | `1024Mi` |
 
+### customCAs **Custom Certificate Authority**
+
+| Name                  | Description                                                                                                                 | Value |
+| --------------------- | --------------------------------------------------------------------------------------------------------------------------- | ----- |
+| `customCAs.bundle`    | Custom CA [text representation of the X.509 PEM public-key certificate](https://www.rfc-editor.org/rfc/rfc7468#section-5.1) | `""`  |
+| `customCAs.certsPath` | Custom CA bundle mount directory in the container. If empty, the default value: "/usr/local/share/ca-certificates"          | `""`  |
+
 
 ## Maintainers
 

diff --git a/charts/navi-restrictions/templates/_helpers.tpl b/charts/navi-restrictions/templates/_helpers.tpl
@@ -87,3 +87,12 @@ Check for deprecated values
 {{- if .Values.db -}}{{ fail "[after 1.20.2] .Values.db renamed to .Values.postgres" }}{{- end }}
 {{- end }} {{/* 1.20.2 */}}
 {{- end }}
+
+{{/*
+Set custom CAs mount path
+Usage:
+{{ include "custom.ca.mountPath" $ }}
+*/}}
+{{- define "custom.ca.mountPath" -}}
+{{ .Values.customCAs.certsPath | default "/usr/local/share/ca-certificates" }}
+{{- end -}}
diff --git a/charts/navi-restrictions/templates/configmap-ca.yaml b/charts/navi-restrictions/templates/configmap-ca.yaml
@@ -0,0 +1,9 @@
+{{- if .Values.customCAs.bundle }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "navi-restrictions.fullname" . }}-ca
+data:
+  custom-ca.crt: |-
+    {{- .Values.customCAs.bundle | nindent 4 }}
+{{- end }}
diff --git a/charts/navi-restrictions/templates/cronjob.yaml b/charts/navi-restrictions/templates/cronjob.yaml
@@ -32,6 +32,12 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
         spec:
+          {{- if .Values.customCAs.bundle }}
+          volumes:
+            - name: {{ include "navi-restrictions.fullname" $ }}-ca
+              configMap:
+                name: {{ include "navi-restrictions.fullname" $ }}-ca
+          {{- end }}
           {{- with .Values.imagePullSecrets }}
           imagePullSecrets:
             {{- toYaml . | nindent 12 }}
@@ -83,4 +89,14 @@ spec:
                     secretKeyRef:
                       name: {{ include "navi-restrictions.fullname" . }}
                       key: keysApi
+                {{- if .Values.customCAs.bundle }}
+                - name: SSL_CERT_FILE
+                  value: {{ include "custom.ca.mountPath" . }}/custom-ca.crt
+                {{- end }}
+              {{- if .Values.customCAs.bundle }}
+              volumeMounts:
+                - name: {{ include "navi-restrictions.fullname" $ }}-ca
+                  mountPath: {{ include "custom.ca.mountPath" . }}/custom-ca.crt
+                  subPath: custom-ca.crt
+              {{- end }}
 {{- end }}
diff --git a/charts/navi-restrictions/templates/deployment.yaml b/charts/navi-restrictions/templates/deployment.yaml
@@ -31,6 +31,9 @@ spec:
         {{- if .Values.prometheusEnabled }}
         prometheus.io/scrape: "true"
         {{- end }}
+        {{- if .Values.customCAs.bundle }}
+        checksum/custom-ca: {{ (include (print $.Template.BasePath "/configmap-ca.yaml") . | fromYaml).data | toYaml | sha256sum }}
+        {{- end }}
       {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -41,6 +44,12 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
+      {{- if .Values.customCAs.bundle }}
+      volumes:
+        - name: {{ include "navi-restrictions.fullname" . }}-ca
+          configMap:
+            name: {{ include "navi-restrictions.fullname" . }}-ca
+      {{- end }}
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -90,6 +99,12 @@ spec:
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- if .Values.customCAs.bundle }}
+          volumeMounts:
+            - name: {{ include "navi-restrictions.fullname" . }}-ca
+              mountPath: {{ include "custom.ca.mountPath" . }}/custom-ca.crt
+              subPath: custom-ca.crt
+          {{- end }}
           env:
             - name: DEBUG
               value: "{{ .Values.api.debug | ternary "True" "False" }}"
@@ -115,3 +130,7 @@ spec:
                 secretKeyRef:
                   name: {{ include "navi-restrictions.fullname" . }}
                   key: keysApi
+          {{- if .Values.customCAs.bundle }}
+            - name: SSL_CERT_FILE
+              value: {{ include "custom.ca.mountPath" . }}/custom-ca.crt
+          {{- end }}
diff --git a/charts/navi-restrictions/values.yaml b/charts/navi-restrictions/values.yaml
@@ -267,3 +267,17 @@ cron:
 # @param cron.resources.requests.memory A memory request
 # @param cron.resources.limits.cpu A CPU limit
 # @param cron.resources.limits.memory A memory limit
+
+
+# @section customCAs **Custom Certificate Authority**
+
+# @param customCAs.bundle Custom CA [text representation of the X.509 PEM public-key certificate](https://www.rfc-editor.org/rfc/rfc7468#section-5.1)
+# @param customCAs.certsPath Custom CA bundle mount directory in the container. If empty, the default value: "/usr/local/share/ca-certificates"
+
+customCAs:
+  bundle: ''
+# bundle: |
+    # -----BEGIN CERTIFICATE-----
+    # ...
+    # -----END CERTIFICATE-----
+  certsPath: ''