From e70600fdf80bc79cd63d980dab898a63e486ab82 Mon Sep 17 00:00:00 2001 From: Morozov Dmitriy Date: Fri, 27 Sep 2024 10:36:35 +0300 Subject: [PATCH] add custom ca for navi-castle, navi-restrictions, navi-async-matrix --- charts/navi-async-matrix/README.md | 7 +++++++ .../navi-async-matrix/templates/_helpers.tpl | 9 +++++++++ .../templates/configmap-ca.yaml | 10 ++++++++++ .../templates/statefulset.yaml | 17 +++++++++++++++++ charts/navi-async-matrix/values.yaml | 14 ++++++++++++++ charts/navi-castle/README.md | 7 +++++++ charts/navi-castle/templates/_helpers.tpl | 10 ++++++++++ .../navi-castle/templates/configmap-ca.yaml | 9 +++++++++ charts/navi-castle/templates/cronjob.yaml | 15 +++++++++++++++ charts/navi-castle/templates/statefulset.yaml | 18 ++++++++++++++++++ charts/navi-castle/values.yaml | 13 +++++++++++++ charts/navi-restrictions/README.md | 7 +++++++ .../navi-restrictions/templates/_helpers.tpl | 9 +++++++++ .../templates/configmap-ca.yaml | 9 +++++++++ .../navi-restrictions/templates/cronjob.yaml | 16 ++++++++++++++++ .../templates/deployment.yaml | 19 +++++++++++++++++++ charts/navi-restrictions/values.yaml | 14 ++++++++++++++ 17 files changed, 203 insertions(+) create mode 100644 charts/navi-async-matrix/templates/configmap-ca.yaml create mode 100644 charts/navi-castle/templates/configmap-ca.yaml create mode 100644 charts/navi-restrictions/templates/configmap-ca.yaml diff --git a/charts/navi-async-matrix/README.md b/charts/navi-async-matrix/README.md index 5d2d7fd7d..ab82fb334 100644 --- a/charts/navi-async-matrix/README.md +++ b/charts/navi-async-matrix/README.md 
@@ -202,6 +202,13 @@ See the [documentation](https://docs.2gis.com/en/on-premise/navigation/distance- | `keys.url` | API keys service URL, ex: http://keys-api.svc/service/v1/keys. **Required** | `""` | | `keys.token` | API token to authorize at the service. **Required** | `""` | +### customCAs **Custom Certificate Authority** + +| Name | Description | Value | +| --------------------- | --------------------------------------------------------------------------------------------------------------------------- | ----- | +| `customCAs.bundle` | Custom CA [text representation of the X.509 PEM public-key certificate](https://www.rfc-editor.org/rfc/rfc7468#section-5.1) | `""` | +| `customCAs.certsPath` | Custom CA bundle mount directory in the container. If empty, the default value: "/usr/local/share/ca-certificates" | `""` | + ## Maintainers diff --git a/charts/navi-async-matrix/templates/_helpers.tpl b/charts/navi-async-matrix/templates/_helpers.tpl index f18deae00..9d18c9a6f 100644 --- a/charts/navi-async-matrix/templates/_helpers.tpl +++ b/charts/navi-async-matrix/templates/_helpers.tpl @@ -212,3 +212,12 @@ Name for psql secret and volume {{- define "navi-async-matrix.fullname-psql" -}} {{- printf "%s-psql" (include "navi-async-matrix.fullname" .) -}} {{- end }} + +{{/* +Set custom CAs mount path +Usage: +{{ include "custom.ca.mountPath" $ }} +*/}} +{{- define "custom.ca.mountPath" -}} +{{ .Values.customCAs.certsPath | default "/usr/local/share/ca-certificates" }} +{{- end -}} diff --git a/charts/navi-async-matrix/templates/configmap-ca.yaml b/charts/navi-async-matrix/templates/configmap-ca.yaml new file mode 100644 index 000000000..87141aca4 --- /dev/null +++ b/charts/navi-async-matrix/templates/configmap-ca.yaml @@ -0,0 +1,10 @@ + +{{- if .Values.customCAs.bundle }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "navi-async-matrix.fullname" . }}-ca +data: + custom-ca.crt: |- + {{- .Values.customCAs.bundle | nindent 4 }} +{{- end }} 
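Review bot: The helper added in the `_helpers.tpl` hunk (`@@ -212,3 +212,12 @@`) is named `custom.ca.mountPath` without a chart prefix, and this same patch defines the identical name again in navi-castle and navi-restrictions; Helm named templates are global across a chart and its subcharts, so if these charts are ever packaged under one parent the last definition loaded wins. The bodies are identical today, so nothing breaks, but prefixing it like the chart's other helpers (`{{- define "navi-async-matrix.customCAs.mountPath" -}}`) avoids a silent collision the day one copy diverges. The helper's result also has `/custom-ca.crt` appended by every caller, so a trailing slash in the user-supplied `customCAs.certsPath` renders `//custom-ca.crt`; `{{ .Values.customCAs.certsPath | default "/usr/local/share/ca-certificates" | trimSuffix "/" }}` normalises it.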
diff --git a/charts/navi-async-matrix/templates/statefulset.yaml b/charts/navi-async-matrix/templates/statefulset.yaml index d02897f01..b1a48dd73 100644 --- a/charts/navi-async-matrix/templates/statefulset.yaml +++ b/charts/navi-async-matrix/templates/statefulset.yaml @@ -33,6 +33,9 @@ spec: {{- end }} checksum/config: {{ (include (print $.Template.BasePath "/configmap.yaml") . | fromYaml).data | toYaml | sha256sum }} checksum/secret: {{ (include (print $.Template.BasePath "/secret.yaml") . | fromYaml).data | toYaml | sha256sum }} + {{- if .Values.customCAs.bundle }} + checksum/custom-ca: {{ (include (print $.Template.BasePath "/configmap-ca.yaml") . | fromYaml).data | toYaml | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -93,6 +96,11 @@ spec: - name: {{ include "navi-async-matrix.fullname-psql" . | quote }} emptyDir: {} {{- end }} + {{- if .Values.customCAs.bundle }} + - name: {{ include "navi-async-matrix.fullname" . }}-ca + configMap: + name: {{ include "navi-async-matrix.fullname" . }}-ca + {{- end }} initContainers: {{- if .Values.db.tls.enabled }} - name: copy-certs @@ -155,6 +163,11 @@ spec: - name: {{ printf "%s-psql" (include "navi-async-matrix.fullname" .) | quote }} mountPath: /etc/2gis/secret/psql {{- end }} + {{- if .Values.customCAs.bundle }} + - name: {{ include "navi-async-matrix.fullname" . }}-ca + mountPath: {{ include "custom.ca.mountPath" . }}/custom-ca.crt + subPath: custom-ca.crt + {{- end }} env: - name: DM_ASYNC_SERVICE_HOST value: {{ .Values.dm.host | quote }} @@ -263,3 +276,7 @@ spec: secretKeyRef: name: {{ include "navi-async-matrix.fullname" . | quote }} key: dmApiKey + {{- if .Values.customCAs.bundle }} + - name: SSL_CERT_FILE + value: {{ include "custom.ca.mountPath" . }}/custom-ca.crt + {{- end }} diff --git a/charts/navi-async-matrix/values.yaml b/charts/navi-async-matrix/values.yaml index 4d3ca0cf0..7569c1393 100644 --- a/charts/navi-async-matrix/values.yaml 
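Review bot: Setting `SSL_CERT_FILE` in the last hunk (`@@ -263,3 +276,7 @@`) points the container's TLS library at the single mounted file, and for OpenSSL-based and Go runtimes that variable replaces the default CA file rather than extending it, so once `customCAs.bundle` is set the service may trust only the certificates the bundle contains. Neither the values comment nor the README says so; the `@param customCAs.bundle` text in all three charts' values.yaml should state that the bundle may hold several concatenated PEM certificates and must include any public CAs the service still needs to reach. Whether the image's HTTP client honours `SSL_CERT_FILE` at all cannot be told from here (Python `requests`, for instance, reads `REQUESTS_CA_BUNDLE` instead), so it is worth confirming against the runtime before relying on it. The same point applies to the equivalent env hunks in navi-castle and navi-restrictions.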
+++ b/charts/navi-async-matrix/values.yaml @@ -389,3 +389,17 @@ bss: keys: url: '' token: '' + + +# @section customCAs **Custom Certificate Authority** + +# @param customCAs.bundle Custom CA [text representation of the X.509 PEM public-key certificate](https://www.rfc-editor.org/rfc/rfc7468#section-5.1) +# @param customCAs.certsPath Custom CA bundle mount directory in the container. If empty, the default value: "/usr/local/share/ca-certificates" + +customCAs: + bundle: '' +# bundle: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + certsPath: '' diff --git a/charts/navi-castle/README.md b/charts/navi-castle/README.md index 7705cae84..9145e9a79 100644 --- a/charts/navi-castle/README.md +++ b/charts/navi-castle/README.md @@ -150,6 +150,13 @@ See the [documentation](https://docs.2gis.com/en/on-premise/navigation) to learn | `persistentVolume.storageClass` | Volume [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/). | `ceph-csi-rbd` | | `persistentVolume.size` | Volume size. | `5Gi` | +### customCAs **Custom Certificate Authority** + +| Name | Description | Value | +| --------------------- | --------------------------------------------------------------------------------------------------------------------------- | ----- | +| `customCAs.bundle` | Custom CA [text representation of the X.509 PEM public-key certificate](https://www.rfc-editor.org/rfc/rfc7468#section-5.1) | `""` | +| `customCAs.certsPath` | Custom CA bundle mount directory in the container. If empty, the default value: "/usr/local/share/ca-certificates" | `""` | + ## Maintainers diff --git a/charts/navi-castle/templates/_helpers.tpl b/charts/navi-castle/templates/_helpers.tpl index 8e4d071bb..20c641d06 100644 --- a/charts/navi-castle/templates/_helpers.tpl +++ b/charts/navi-castle/templates/_helpers.tpl 
@@ -83,3 +83,13 @@ Determine --service parameter for a specific cron job flavor {{- define "castle.serviceParameter" -}} {{- eq "restrictionImport" .flavor | ternary "import-restrictions" .flavor -}} {{- end -}} + + +{{/* +Set custom CAs mount path +Usage: +{{ include "custom.ca.mountPath" $ }} +*/}} +{{- define "custom.ca.mountPath" -}} +{{ .Values.customCAs.certsPath | default "/usr/local/share/ca-certificates" }} +{{- end -}} diff --git a/charts/navi-castle/templates/configmap-ca.yaml b/charts/navi-castle/templates/configmap-ca.yaml new file mode 100644 index 000000000..96d19c95c --- /dev/null +++ b/charts/navi-castle/templates/configmap-ca.yaml @@ -0,0 +1,9 @@ +{{- if .Values.customCAs.bundle }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "castle.fullname" . }}-ca +data: + custom-ca.crt: |- + {{- .Values.customCAs.bundle | nindent 4 }} +{{- end }} diff --git a/charts/navi-castle/templates/cronjob.yaml b/charts/navi-castle/templates/cronjob.yaml index ff1011da3..87dde3969 100644 --- a/charts/navi-castle/templates/cronjob.yaml +++ b/charts/navi-castle/templates/cronjob.yaml @@ -38,6 +38,11 @@ spec: - name: {{ include "castle.fullname" $ }}-builder-config configMap: name: {{ include "castle.fullname" $ }}-builder-config + {{- if .Values.customCAs.bundle }} + - name: {{ include "castle.fullname" $ }}-ca + configMap: + name: {{ include "castle.fullname" $ }}-ca + {{- end }} containers: - name: castle-cron image: {{ required "A valid .Values.dgctlDockerRegistry entry required" $.Values.dgctlDockerRegistry }}/{{ $.Values.castle.image.repository }}:{{ $.Values.castle.image.tag | default $.Chart.AppVersion }} 
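Review bot: In the cronjob.yaml hunk (`@@ -38,6 +38,11 @@`) the new condition reads `.Values.customCAs.bundle` while every surrounding line reaches values through the root (`$.Values.dgctlDockerRegistry`, `include "castle.fullname" $`, `dict "flavor" $flavor`), which suggests the body is rendered inside a range where `.` is the loop element rather than the root context; if so, `.Values` either evaluates to nil — making the `if` silently false so the CA volume is never added — or aborts rendering, depending on the element type. The condition and the mount-path include should use the root like their neighbours: `{{- if $.Values.customCAs.bundle }}` and `value: {{ include "custom.ca.mountPath" $ }}/custom-ca.crt`. The same `.` usage recurs in the two cronjob hunks that follow (`@@ -48,6 +53,11 @@` and `@@ -55,6 +65,11 @@`). The enclosing range, if there is one, starts outside the hunk.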
@@ -48,6 +53,11 @@ spec: - /opt/config_builder.conf - --service={{ include "castle.serviceParameter" ( dict "flavor" $flavor ) }} - --jobs={{ $.Values.castle.jobs | default 1 | int }} + {{- if .Values.customCAs.bundle }} + env: + - name: SSL_CERT_FILE + value: {{ include "custom.ca.mountPath" . }}/custom-ca.crt + {{- end }} volumeMounts: - name: {{ include "castle.fullname" $ }}-builder-config mountPath: /opt/config_builder.conf @@ -55,6 +65,11 @@ spec: - name: {{ include "castle.fullname" $ }}-builder-config mountPath: {{ $.Values.castle.castleDataPath }}/cities_template subPath: cities_template + {{- if .Values.customCAs.bundle }} + - name: {{ include "castle.fullname" $ }}-ca + mountPath: {{ include "custom.ca.mountPath" . }}/custom-ca.crt + subPath: custom-ca.crt + {{- end }} - name: {{ include "castle.fullname" $ }}-pvc mountPath: {{ $.Values.castle.castleDataPath }} resources: diff --git a/charts/navi-castle/templates/statefulset.yaml b/charts/navi-castle/templates/statefulset.yaml index 1ebb39524..c6ef8fedc 100644 --- a/charts/navi-castle/templates/statefulset.yaml +++ b/charts/navi-castle/templates/statefulset.yaml @@ -25,6 +25,9 @@ spec: checksum/configbuilder: {{ include (print $.Template.BasePath "/configmapbuilder.yaml") . | sha256sum }} checksum/configbuilder-runnable: {{ include (print $.Template.BasePath "/configmapbuilder-runnable.yaml") . | sha256sum }} checksum/confignginx: {{ include (print $.Template.BasePath "/configmapnginx.yaml") . | sha256sum }} + {{- if .Values.customCAs.bundle }} + checksum/custom-ca: {{ (include (print $.Template.BasePath "/configmap-ca.yaml") . | fromYaml).data | toYaml | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} 
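Review bot: The new `checksum/custom-ca` annotation in the navi-castle statefulset hunk (`@@ -25,6 +25,9 @@`) parses the rendered ConfigMap with `fromYaml` and hashes only `.data`, whereas the three neighbouring checksum lines hash the raw rendered template with `include … | sha256sum`. Using the same form, `checksum/custom-ca: {{ include (print $.Template.BasePath "/configmap-ca.yaml") . | sha256sum }}`, keeps the annotations uniform within this file and still forces a rollout whenever the bundle changes. The `fromYaml` form is what navi-async-matrix and navi-restrictions use, so either pick one style for the three charts or match the file you are in.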
@@ -49,6 +52,11 @@ spec: - name: {{ include "castle.fullname" . }}-castle-nginx-config configMap: name: {{ include "castle.fullname" . }}-castle-nginx-config + {{- if .Values.customCAs.bundle }} + - name: {{ include "castle.fullname" $ }}-ca + configMap: + name: {{ include "castle.fullname" $ }}-ca + {{- end }} {{- if (not .Values.persistentVolume.enabled) }} - name: {{ include "castle.fullname" . }}-data emptyDir: {} @@ -97,6 +105,11 @@ spec: command: ["/tini","--"] args: - /opt/update_services_init.sh + env: + {{- if .Values.customCAs.bundle }} + - name: SSL_CERT_FILE + value: {{ include "custom.ca.mountPath" . }}/custom-ca.crt + {{- end }} resources: {{- toYaml $.Values.resources | nindent 12 }} startupProbe: @@ -130,6 +143,11 @@ spec: - name: {{ include "castle.fullname" $ }}-builder-config mountPath: /opt/update_services subPath: update_services + {{- if .Values.customCAs.bundle }} + - name: {{ include "castle.fullname" $ }}-ca + mountPath: {{ include "custom.ca.mountPath" . }}/custom-ca.crt + subPath: custom-ca.crt + {{- end }} {{- if .Values.persistentVolume.enabled }} - name: {{ include "castle.fullname" . }}-pvc mountPath: {{ .Values.castle.castleDataPath }} diff --git a/charts/navi-castle/values.yaml b/charts/navi-castle/values.yaml index fcc24587b..a8a2e9385 100644 --- a/charts/navi-castle/values.yaml +++ b/charts/navi-castle/values.yaml @@ -205,3 +205,16 @@ persistentVolume: - ReadWriteOnce storageClass: ceph-csi-rbd size: 5Gi + +# @section customCAs **Custom Certificate Authority** + +# @param customCAs.bundle Custom CA [text representation of the X.509 PEM public-key certificate](https://www.rfc-editor.org/rfc/rfc7468#section-5.1) +# @param customCAs.certsPath Custom CA bundle mount directory in the container. If empty, the default value: "/usr/local/share/ca-certificates" + +customCAs: + bundle: '' +# bundle: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + certsPath: '' 
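Review bot: In the `@@ -97,6 +105,11 @@` hunk the `env:` key is emitted unconditionally while its only entry sits inside `{{- if .Values.customCAs.bundle }}`, so with the default empty bundle the container renders `env:` with a null value; the API server tolerates that, but the same chart's cronjob.yaml places `env:` inside the conditional, and strict manifest validators may reject the null list. Moving the key inside the guard (`{{- if .Values.customCAs.bundle }}` / `env:` / `- name: SSL_CERT_FILE`) leaves rendered output unchanged for existing installs and consistent with the cronjob. The container this `env` belongs to starts outside the hunk, so whether it already carries an `env:` list elsewhere cannot be confirmed from here.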
diff --git a/charts/navi-restrictions/README.md b/charts/navi-restrictions/README.md index bbbb34e1d..1c27f5777 100644 --- a/charts/navi-restrictions/README.md +++ b/charts/navi-restrictions/README.md @@ -174,6 +174,13 @@ See the [documentation](https://docs.2gis.com/en/on-premise/restrictions) to lea | `cron.resources.limits.cpu` | A CPU limit | `1000m` | | `cron.resources.limits.memory` | A memory limit | `1024Mi` | +### customCAs **Custom Certificate Authority** + +| Name | Description | Value | +| --------------------- | --------------------------------------------------------------------------------------------------------------------------- | ----- | +| `customCAs.bundle` | Custom CA [text representation of the X.509 PEM public-key certificate](https://www.rfc-editor.org/rfc/rfc7468#section-5.1) | `""` | +| `customCAs.certsPath` | Custom CA bundle mount directory in the container. If empty, the default value: "/usr/local/share/ca-certificates" | `""` | + ## Maintainers diff --git a/charts/navi-restrictions/templates/_helpers.tpl b/charts/navi-restrictions/templates/_helpers.tpl index ebbefcc47..cefd13446 100644 --- a/charts/navi-restrictions/templates/_helpers.tpl +++ b/charts/navi-restrictions/templates/_helpers.tpl @@ -87,3 +87,12 @@ Check for deprecated values {{- if .Values.db -}}{{ fail "[after 1.20.2] .Values.db renamed to .Values.postgres" }}{{- end }} {{- end }} {{/* 1.20.2 */}} {{- end }} + +{{/* +Set custom CAs mount path +Usage: +{{ include "custom.ca.mountPath" $ }} +*/}} +{{- define "custom.ca.mountPath" -}} +{{ .Values.customCAs.certsPath | default "/usr/local/share/ca-certificates" }} +{{- end -}} diff --git a/charts/navi-restrictions/templates/configmap-ca.yaml b/charts/navi-restrictions/templates/configmap-ca.yaml new file mode 100644 index 000000000..a45b15138 --- /dev/null +++ b/charts/navi-restrictions/templates/configmap-ca.yaml 
@@ -0,0 +1,9 @@ +{{- if .Values.customCAs.bundle }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "navi-restrictions.fullname" . }}-ca +data: + custom-ca.crt: |- + {{- .Values.customCAs.bundle | nindent 4 }} +{{- end }} diff --git a/charts/navi-restrictions/templates/cronjob.yaml b/charts/navi-restrictions/templates/cronjob.yaml index da2f23c5f..31818a91c 100644 --- a/charts/navi-restrictions/templates/cronjob.yaml +++ b/charts/navi-restrictions/templates/cronjob.yaml @@ -32,6 +32,12 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} spec: + {{- if .Values.customCAs.bundle }} + volumes: + - name: {{ include "navi-restrictions.fullname" $ }}-ca + configMap: + name: {{ include "navi-restrictions.fullname" $ }}-ca + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 12 }} @@ -83,4 +89,14 @@ spec: secretKeyRef: name: {{ include "navi-restrictions.fullname" . }} key: keysApi + {{- if .Values.customCAs.bundle }} + - name: SSL_CERT_FILE + value: {{ include "custom.ca.mountPath" . }}/custom-ca.crt + {{- end }} + {{- if .Values.customCAs.bundle }} + volumeMounts: + - name: {{ include "navi-restrictions.fullname" $ }}-ca + mountPath: {{ include "custom.ca.mountPath" . }}/custom-ca.crt + subPath: custom-ca.crt + {{- end }} {{- end }} diff --git a/charts/navi-restrictions/templates/deployment.yaml b/charts/navi-restrictions/templates/deployment.yaml index 9369ad4ae..e2d6b8c1e 100644 --- a/charts/navi-restrictions/templates/deployment.yaml +++ b/charts/navi-restrictions/templates/deployment.yaml @@ -31,6 +31,9 @@ spec: {{- if .Values.prometheusEnabled }} prometheus.io/scrape: "true" {{- end }} + {{- if .Values.customCAs.bundle }} + checksum/custom-ca: {{ (include (print $.Template.BasePath "/configmap-ca.yaml") . | fromYaml).data | toYaml | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} 
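Review bot: In the navi-restrictions cronjob hunk (`@@ -83,4 +89,14 @@`) two consecutive `{{- if .Values.customCAs.bundle }}` blocks guard the `SSL_CERT_FILE` entry and the `volumeMounts:` list; they share the condition and are adjacent, so one block holding both keys reads more clearly and removes a place where the two can drift apart. Note also that the conditional introduces the `volumeMounts:` key itself, and the `@@ -32,6 +32,12 @@` hunk does the same for `volumes:`, rather than appending to existing lists; that is only correct if the container and pod spec have no other mounts or volumes, which the context lines suggest but the rest of the template, outside the hunk, would confirm. Any volume added later must go under the same key, otherwise the rendered mapping carries a duplicate key.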
@@ -41,6 +44,12 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: + {{- if .Values.customCAs.bundle }} + volumes: + - name: {{ include "navi-restrictions.fullname" . }}-ca + configMap: + name: {{ include "navi-restrictions.fullname" . }}-ca + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} @@ -90,6 +99,12 @@ spec: securityContext: {{- toYaml . | nindent 12 }} {{- end }} + {{- if .Values.customCAs.bundle }} + volumeMounts: + - name: {{ include "navi-restrictions.fullname" . }}-ca + mountPath: {{ include "custom.ca.mountPath" . }}/custom-ca.crt + subPath: custom-ca.crt + {{- end }} env: - name: DEBUG value: "{{ .Values.api.debug | ternary "True" "False" }}" @@ -115,3 +130,7 @@ spec: secretKeyRef: name: {{ include "navi-restrictions.fullname" . }} key: keysApi + {{- if .Values.customCAs.bundle }} + - name: SSL_CERT_FILE + value: {{ include "custom.ca.mountPath" . }}/custom-ca.crt + {{- end }} diff --git a/charts/navi-restrictions/values.yaml b/charts/navi-restrictions/values.yaml index 20e1c7d32..76b524fee 100644 --- a/charts/navi-restrictions/values.yaml +++ b/charts/navi-restrictions/values.yaml @@ -267,3 +267,17 @@ cron: # @param cron.resources.requests.memory A memory request # @param cron.resources.limits.cpu A CPU limit # @param cron.resources.limits.memory A memory limit + + +# @section customCAs **Custom Certificate Authority** + +# @param customCAs.bundle Custom CA [text representation of the X.509 PEM public-key certificate](https://www.rfc-editor.org/rfc/rfc7468#section-5.1) +# @param customCAs.certsPath Custom CA bundle mount directory in the container. If empty, the default value: "/usr/local/share/ca-certificates" + +customCAs: + bundle: '' +# bundle: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + certsPath: ''
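Review bot: The deployment hunks `@@ -90,6 +99,12 @@` and `@@ -115,3 +130,7 @@` interpolate the user-controlled `customCAs.certsPath` into `mountPath:` and into the `SSL_CERT_FILE` `value:` unquoted, while the neighbouring env entry in this file wraps its templated value in quotes. A configured directory containing `:`, `#` or a leading YAML indicator would break the rendered manifest; `value: {{ printf "%s/custom-ca.crt" (include "custom.ca.mountPath" .) | quote }}` and the same `printf … | quote` for `mountPath:` make the template robust to any path an operator sets. This applies to every `mountPath:`/`value:` pair this patch adds across the three charts.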