From e0d2baeab91b3d47780c0f124651a2fad56fef59 Mon Sep 17 00:00:00 2001
From: Anton Kuraev
Date: Mon, 23 Sep 2024 14:51:53 -0700
Subject: [PATCH] Support for custom CA certs
---
 charts/datahub-executor-worker/Chart.yaml | 2 +-
 .../templates/statefulset.yaml | 40 +++++++++++++++++++
 charts/datahub-executor-worker/values.yaml | 2 +
 3 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/charts/datahub-executor-worker/Chart.yaml b/charts/datahub-executor-worker/Chart.yaml
index 6d055db..807a3d8 100644
--- a/charts/datahub-executor-worker/Chart.yaml
+++ b/charts/datahub-executor-worker/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: datahub-executor-worker
 description: A Helm chart for datahub-executor-worker
 type: application
-version: 0.0.6
+version: 0.0.7
 appVersion: 0.0.1
 maintainers:
 - name: DataHub
diff --git a/charts/datahub-executor-worker/templates/statefulset.yaml b/charts/datahub-executor-worker/templates/statefulset.yaml
index ad291d0..e86f4b5 100644
--- a/charts/datahub-executor-worker/templates/statefulset.yaml
+++ b/charts/datahub-executor-worker/templates/statefulset.yaml
@@ -59,10 +59,40 @@ spec:
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 volumes:
+ {{- with .Values.extraCaCerts }}
+ - name: ca-certs
+ emptyDir: {}
+ {{- range $key, $value := . }}
+ - name: {{ $key }}
+ secret:
+ secretName: {{ $value }}
+ {{- end }}
+ {{- end }}
 {{- if .Values.extraVolumes }}
 {{ toYaml .Values.extraVolumes | nindent 8 }}
 {{- end }}
 initContainers:
+ {{- if .Values.extraCaCerts }}
+ - name: install-ca-certs
+ image: "{{ .Values.image.repository }}:{{ required "image tag is required" .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command: ["/bin/bash", "-c"]
+ args:
+ - update-ca-certificates && cp -Lr /etc/ssl/certs/. /mnt/ca-certs/
+ securityContext:
+ privileged: true
+ runAsUser: 0
+ volumeMounts:
+ - name: ca-certs
+ mountPath: /mnt/ca-certs
+ {{- with .Values.extraCaCerts -}}
+ {{ range $key, $value := . }}
+ - mountPath: "/usr/local/share/ca-certificates/{{ $key }}"
+ name: {{ $key | quote }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ {{- end }}
 {{- if .Values.extraInitContainers }}
 {{- .Values.extraInitContainers | toYaml | nindent 6 }}
 {{- end }}
@@ -109,10 +139,20 @@ spec:
 value: {{ .Values.global.datahub.executor.ingestions.signal_poll_interval | quote }}
 - name: DATAHUB_EXECUTOR_MONITORS_MAX_WORKERS
 value: {{ .Values.global.datahub.executor.monitors.max_workers | quote }}
+ {{- if .Values.extraCaCerts }}
+ - name: REQUESTS_CA_BUNDLE
+ value: /etc/ssl/certs/ca-certificates.crt
+ - name: SSL_CERT_FILE
+ value: /etc/ssl/certs/ca-certificates.crt
+ {{- end }}
 {{- if .Values.extraEnvs }}
 {{ toYaml .Values.extraEnvs | nindent 12 }}
 {{- end }}
 volumeMounts:
+ {{- if .Values.extraCaCerts }}
+ - name: ca-certs
+ mountPath: /etc/ssl/certs
+ {{- end }}
 {{- if .Values.persistentVolume.enabled }}
 - name: executor-storage-volume
 mountPath: {{ .Values.persistentVolume.mountPath }}
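Review bot: The `install-ca-certs` init container sets `privileged: true` in its `securityContext`, which the visible command (`update-ca-certificates` plus a `cp` into the `ca-certs` emptyDir) does not appear to need; root via `runAsUser: 0` should be enough to write the trust store. A privileged container gets all capabilities and host device access and is rejected by the baseline Pod Security Standard, so every cluster that enables `extraCaCerts` would have to exempt this workload. I would replace that line with `allowPrivilegeEscalation: false` and keep `runAsUser: 0`; if `podSecurityContext` sets `runAsNonRoot: true`, this container also needs `runAsNonRoot: false`. Separately, `name: {{ $key }}` and `secretName: {{ $value }}` in the `volumes` block are unquoted while the matching mount uses `{{ $key | quote }}`; quoting all three keeps a numeric- or boolean-looking key from being retyped.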
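Review bot: The `ca-certs` mount at `/etc/ssl/certs` in the worker container is writable, so any code running in the worker can alter the trust bundle that `REQUESTS_CA_BUNDLE` and `SSL_CERT_FILE` point at; only the init container needs write access to that emptyDir. Adding `readOnly: true` under `mountPath: /etc/ssl/certs` keeps the populated bundle fixed for the life of the pod. Also, the two env entries are emitted before `extraEnvs`, so a chart user who already sets either name there will render a duplicate env entry; a short comment above the block saying so would help. The container spec this hunk belongs to begins and ends outside the hunk.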
diff --git a/charts/datahub-executor-worker/values.yaml b/charts/datahub-executor-worker/values.yaml
index fde458b..766d004 100644
--- a/charts/datahub-executor-worker/values.yaml
+++ b/charts/datahub-executor-worker/values.yaml
@@ -63,6 +63,8 @@ extraVolumeMounts: []
 extraInitContainers: []
+extraCaCerts: {}
+
 extraLabels: {}
 extraPodLabels: {}
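Review bot: `extraCaCerts` is added without a comment, and its shape is not guessable from `{}`: the statefulset template ranges over it as a map, using each key as a volume name and as the directory under `/usr/local/share/ca-certificates/`, and each value as a `secretName`. I would document it above the key, for example `# extraCaCerts: map of <volume-name>: <existing Secret holding CA certificate files>`, with a commented sample entry. The comment should also say that keys must be valid volume names and must not be `ca-certs`, since the template already defines a volume with that name, and that enabling the option adds an init container running as root.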