From e70600fdf80bc79cd63d980dab898a63e486ab82 Mon Sep 17 00:00:00 2001
From: Morozov Dmitriy <dm.morozov@2gis.ru>
Date: Fri, 27 Sep 2024 10:36:35 +0300
Subject: [PATCH] add custom ca for navi-castle, navi-restrictions,
 navi-async-matrix

---
 charts/navi-async-matrix/README.md            |  7 +++++++
 .../navi-async-matrix/templates/_helpers.tpl  |  9 +++++++++
 .../templates/configmap-ca.yaml               | 10 ++++++++++
 .../templates/statefulset.yaml                | 17 +++++++++++++++++
 charts/navi-async-matrix/values.yaml          | 14 ++++++++++++++
 charts/navi-castle/README.md                  |  7 +++++++
 charts/navi-castle/templates/_helpers.tpl     | 10 ++++++++++
 .../navi-castle/templates/configmap-ca.yaml   |  9 +++++++++
 charts/navi-castle/templates/cronjob.yaml     | 15 +++++++++++++++
 charts/navi-castle/templates/statefulset.yaml | 18 ++++++++++++++++++
 charts/navi-castle/values.yaml                | 13 +++++++++++++
 charts/navi-restrictions/README.md            |  7 +++++++
 .../navi-restrictions/templates/_helpers.tpl  |  9 +++++++++
 .../templates/configmap-ca.yaml               |  9 +++++++++
 .../navi-restrictions/templates/cronjob.yaml  | 16 ++++++++++++++++
 .../templates/deployment.yaml                 | 19 +++++++++++++++++++
 charts/navi-restrictions/values.yaml          | 14 ++++++++++++++
 17 files changed, 203 insertions(+)
 create mode 100644 charts/navi-async-matrix/templates/configmap-ca.yaml
 create mode 100644 charts/navi-castle/templates/configmap-ca.yaml
 create mode 100644 charts/navi-restrictions/templates/configmap-ca.yaml

diff --git a/charts/navi-async-matrix/README.md b/charts/navi-async-matrix/README.md
index 5d2d7fd7d..ab82fb334 100644
--- a/charts/navi-async-matrix/README.md
+++ b/charts/navi-async-matrix/README.md
@@ -202,6 +202,13 @@ See the [documentation](https://docs.2gis.com/en/on-premise/navigation/distance-
 | `keys.url`   | API keys service URL, ex: http://keys-api.svc/service/v1/keys. **Required** | `""`  |
 | `keys.token` | API token to authorize at the service. **Required**                         | `""`  |
 
+### customCAs **Custom Certificate Authority**
+
+| Name                  | Description                                                                                                                 | Value |
+| --------------------- | --------------------------------------------------------------------------------------------------------------------------- | ----- |
+| `customCAs.bundle`    | Custom CA [text representation of the X.509 PEM public-key certificate](https://www.rfc-editor.org/rfc/rfc7468#section-5.1) | `""`  |
+| `customCAs.certsPath` | Custom CA bundle mount directory in the container. If empty, the default value: "/usr/local/share/ca-certificates"          | `""`  |
+
 
 ## Maintainers
 
diff --git a/charts/navi-async-matrix/templates/_helpers.tpl b/charts/navi-async-matrix/templates/_helpers.tpl
index f18deae00..9d18c9a6f 100644
--- a/charts/navi-async-matrix/templates/_helpers.tpl
+++ b/charts/navi-async-matrix/templates/_helpers.tpl
@@ -212,3 +212,12 @@ Name for psql secret and volume
 {{- define "navi-async-matrix.fullname-psql" -}}
 {{- printf "%s-psql" (include "navi-async-matrix.fullname" .) -}}
 {{- end }}
+
+{{/*
+Set custom CAs mount path
+Usage:
+{{ include "custom.ca.mountPath" $ }}
+*/}}
+{{- define "custom.ca.mountPath" -}}
+{{ .Values.customCAs.certsPath | default "/usr/local/share/ca-certificates" }}
+{{- end -}}
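Review bot: The new named template is called `custom.ca.mountPath`, without the chart prefix that the other templates here carry (`navi-async-matrix.fullname-psql` just above it); Helm named templates share one global namespace across a chart and its subcharts, so an unprefixed name can be silently overridden by another chart's definition of the same name. This patch defines the same unprefixed template again in the navi-castle and navi-restrictions helpers; the three bodies are identical today, so nothing breaks, but the first one to diverge would win unpredictably if the charts are ever composed. Rename it to `navi-async-matrix.customCA.mountPath` (and the chart-prefixed equivalents in the other two charts) and update the `include` calls in the templates to match.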
diff --git a/charts/navi-async-matrix/templates/configmap-ca.yaml b/charts/navi-async-matrix/templates/configmap-ca.yaml
new file mode 100644
index 000000000..87141aca4
--- /dev/null
+++ b/charts/navi-async-matrix/templates/configmap-ca.yaml
@@ -0,0 +1,10 @@
+
+{{- if .Values.customCAs.bundle }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "navi-async-matrix.fullname" . }}-ca
+data:
+  custom-ca.crt: |-
+    {{- .Values.customCAs.bundle | nindent 4 }}
+{{- end }}
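Review bot: The file opens with an empty line ahead of `{{- if .Values.customCAs.bundle }}`, which the other two new `configmap-ca.yaml` files in this patch do not have; Helm tolerates it, but the rendered manifest gains a leading blank line and the three charts drift in form for no reason. Drop the blank first line so this file starts at the `{{- if` guard like its siblings.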
diff --git a/charts/navi-async-matrix/templates/statefulset.yaml b/charts/navi-async-matrix/templates/statefulset.yaml
index d02897f01..b1a48dd73 100644
--- a/charts/navi-async-matrix/templates/statefulset.yaml
+++ b/charts/navi-async-matrix/templates/statefulset.yaml
@@ -33,6 +33,9 @@ spec:
         {{- end }}
         checksum/config: {{ (include (print $.Template.BasePath "/configmap.yaml") . | fromYaml).data | toYaml | sha256sum }}
         checksum/secret: {{ (include (print $.Template.BasePath "/secret.yaml") . | fromYaml).data | toYaml | sha256sum }}
+        {{- if .Values.customCAs.bundle }}
+        checksum/custom-ca: {{ (include (print $.Template.BasePath "/configmap-ca.yaml") . | fromYaml).data | toYaml | sha256sum }}
+        {{- end }}
       {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -93,6 +96,11 @@ spec:
         - name: {{ include "navi-async-matrix.fullname-psql" . | quote }}
           emptyDir: {}
       {{- end }}
+      {{- if .Values.customCAs.bundle }}
+        - name: {{ include "navi-async-matrix.fullname" . }}-ca
+          configMap:
+            name: {{ include "navi-async-matrix.fullname" . }}-ca
+      {{- end }}
       initContainers:
         {{- if .Values.db.tls.enabled }}
         - name: copy-certs
@@ -155,6 +163,11 @@ spec:
           - name: {{ printf "%s-psql" (include "navi-async-matrix.fullname" .) | quote }}
             mountPath: /etc/2gis/secret/psql
           {{- end }}
+          {{- if .Values.customCAs.bundle }}
+          - name: {{ include "navi-async-matrix.fullname" . }}-ca
+            mountPath: {{ include "custom.ca.mountPath" . }}/custom-ca.crt
+            subPath: custom-ca.crt
+          {{- end }}
           env:
             - name: DM_ASYNC_SERVICE_HOST
               value: {{ .Values.dm.host | quote }}
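Review bot: The `mountPath` on the added volume mount is interpolated unquoted, while the neighbouring mounts in this template go through `| quote` (the psql mount a few lines up); a `customCAs.certsPath` containing a space or a YAML-significant character would yield an invalid manifest rather than a clear error. `mountPath: {{ printf "%s/custom-ca.crt" (include "custom.ca.mountPath" .) | quote }}` keeps the neighbours' convention, and the same applies to the `SSL_CERT_FILE` `value:` in the last hunk of this file and to the corresponding mounts and env values in the navi-castle and navi-restrictions templates. Because the file is projected with `subPath`, the kubelet will not refresh it inside a running pod when the ConfigMap changes; the `checksum/custom-ca` annotation added earlier in this file handles that by rolling the StatefulSet, which is worth stating in a comment next to that annotation so nobody removes it as redundant.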
@@ -263,3 +276,7 @@ spec:
                 secretKeyRef:
                   name: {{ include "navi-async-matrix.fullname" . | quote }}
                   key: dmApiKey
+            {{- if .Values.customCAs.bundle }}
+            - name: SSL_CERT_FILE
+              value: {{ include "custom.ca.mountPath" . }}/custom-ca.crt
+            {{- end }}
diff --git a/charts/navi-async-matrix/values.yaml b/charts/navi-async-matrix/values.yaml
index 4d3ca0cf0..7569c1393 100644
--- a/charts/navi-async-matrix/values.yaml
+++ b/charts/navi-async-matrix/values.yaml
@@ -389,3 +389,17 @@ bss:
 keys:
   url: ''
   token: ''
+
+
+# @section customCAs **Custom Certificate Authority**
+
+# @param customCAs.bundle Custom CA [text representation of the X.509 PEM public-key certificate](https://www.rfc-editor.org/rfc/rfc7468#section-5.1)
+# @param customCAs.certsPath Custom CA bundle mount directory in the container. If empty, the default value: "/usr/local/share/ca-certificates"
+
+customCAs:
+  bundle: ''
+# bundle: |
+    # -----BEGIN CERTIFICATE-----
+    # ...
+    # -----END CERTIFICATE-----
+  certsPath: ''
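Review bot: The `@param customCAs.bundle` description speaks of one "certificate" and does not say how the value is consumed, which is the part an operator needs: the patch only mounts the file and points `SSL_CERT_FILE` at it (the default directory is the one Debian-style `update-ca-certificates` reads, but nothing in the patch runs it), so for TLS stacks that treat that variable as a replacement for the default trust store, any public roots the service still needs must be concatenated into the bundle as well. Suggest `# @param customCAs.bundle PEM bundle (one or more concatenated X.509 certificates) handed to the service via SSL_CERT_FILE; include every CA the service must trust, not only the private one` and mirror that wording in the README and in the navi-castle and navi-restrictions values files, which carry the same text. The commented example under `bundle:` sits at column 0 and column 4 inside a mapping whose keys are at column 2; aligning the comment lines with `bundle:` keeps yamllint's comments-indentation check quiet.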
diff --git a/charts/navi-castle/README.md b/charts/navi-castle/README.md
index 7705cae84..9145e9a79 100644
--- a/charts/navi-castle/README.md
+++ b/charts/navi-castle/README.md
@@ -150,6 +150,13 @@ See the [documentation](https://docs.2gis.com/en/on-premise/navigation) to learn
 | `persistentVolume.storageClass` | Volume [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/). | `ceph-csi-rbd`      |
 | `persistentVolume.size`         | Volume size.                                                                          | `5Gi`               |
 
+### customCAs **Custom Certificate Authority**
+
+| Name                  | Description                                                                                                                 | Value |
+| --------------------- | --------------------------------------------------------------------------------------------------------------------------- | ----- |
+| `customCAs.bundle`    | Custom CA [text representation of the X.509 PEM public-key certificate](https://www.rfc-editor.org/rfc/rfc7468#section-5.1) | `""`  |
+| `customCAs.certsPath` | Custom CA bundle mount directory in the container. If empty, the default value: "/usr/local/share/ca-certificates"          | `""`  |
+
 
 ## Maintainers
 
diff --git a/charts/navi-castle/templates/_helpers.tpl b/charts/navi-castle/templates/_helpers.tpl
index 8e4d071bb..20c641d06 100644
--- a/charts/navi-castle/templates/_helpers.tpl
+++ b/charts/navi-castle/templates/_helpers.tpl
@@ -83,3 +83,13 @@ Determine --service parameter for a specific cron job flavor
 {{- define "castle.serviceParameter" -}}
 {{- eq "restrictionImport" .flavor | ternary "import-restrictions" .flavor -}}
 {{- end -}}
+
+
+{{/*
+Set custom CAs mount path
+Usage:
+{{ include "custom.ca.mountPath" $ }}
+*/}}
+{{- define "custom.ca.mountPath" -}}
+{{ .Values.customCAs.certsPath | default "/usr/local/share/ca-certificates" }}
+{{- end -}}
diff --git a/charts/navi-castle/templates/configmap-ca.yaml b/charts/navi-castle/templates/configmap-ca.yaml
new file mode 100644
index 000000000..96d19c95c
--- /dev/null
+++ b/charts/navi-castle/templates/configmap-ca.yaml
@@ -0,0 +1,9 @@
+{{- if .Values.customCAs.bundle }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "castle.fullname" . }}-ca
+data:
+  custom-ca.crt: |-
+    {{- .Values.customCAs.bundle | nindent 4 }}
+{{- end }}
diff --git a/charts/navi-castle/templates/cronjob.yaml b/charts/navi-castle/templates/cronjob.yaml
index ff1011da3..87dde3969 100644
--- a/charts/navi-castle/templates/cronjob.yaml
+++ b/charts/navi-castle/templates/cronjob.yaml
@@ -38,6 +38,11 @@ spec:
           - name: {{ include "castle.fullname" $ }}-builder-config
             configMap:
               name: {{ include "castle.fullname" $ }}-builder-config
+          {{- if .Values.customCAs.bundle }}
+          - name: {{ include "castle.fullname" $ }}-ca
+            configMap:
+              name: {{ include "castle.fullname" $ }}-ca
+          {{- end }}
           containers:
             - name: castle-cron
               image: {{ required "A valid .Values.dgctlDockerRegistry entry required" $.Values.dgctlDockerRegistry }}/{{ $.Values.castle.image.repository }}:{{ $.Values.castle.image.tag | default $.Chart.AppVersion }}
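Review bot: The guard `{{- if .Values.customCAs.bundle }}` and the `include "custom.ca.mountPath" .` calls in this file's next two hunks (the env `value:` and the `mountPath:`) dereference `.`, whereas every surrounding line reaches the root through `$` (`$.Values.dgctlDockerRegistry`, `include "castle.fullname" $`) and a `$flavor` variable is in scope, which suggests this block sits inside a `range` that starts outside the hunk; if `.` is the loop element there, `.Values` is either a render error or silently nil, and the CA is never wired into the cron pods. Use the root context consistently: `{{- if $.Values.customCAs.bundle }}` and `{{ include "custom.ca.mountPath" $ }}`, which is also what the helper's own usage comment shows. The `env:` key introduced in the next hunk is placed inside the guard; whether this container already declares `env` above the `command`/`args` lines is not visible here, and a second `env` would be a duplicate mapping key. The enclosing `range`, if there is one, begins before this hunk.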
@@ -48,6 +53,11 @@ spec:
               - /opt/config_builder.conf
               - --service={{ include "castle.serviceParameter" ( dict "flavor" $flavor ) }}
               - --jobs={{ $.Values.castle.jobs | default 1 | int }}
+              {{- if .Values.customCAs.bundle }}
+              env:
+              - name: SSL_CERT_FILE
+                value: {{ include "custom.ca.mountPath" . }}/custom-ca.crt
+              {{- end }}
               volumeMounts:
               - name: {{ include "castle.fullname" $ }}-builder-config
                 mountPath: /opt/config_builder.conf
@@ -55,6 +65,11 @@ spec:
               - name: {{ include "castle.fullname" $ }}-builder-config
                 mountPath: {{ $.Values.castle.castleDataPath }}/cities_template
                 subPath: cities_template
+              {{- if .Values.customCAs.bundle }}
+              - name: {{ include "castle.fullname" $ }}-ca
+                mountPath: {{ include "custom.ca.mountPath" . }}/custom-ca.crt
+                subPath: custom-ca.crt
+              {{- end }}
               - name: {{ include "castle.fullname" $ }}-pvc
                 mountPath: {{ $.Values.castle.castleDataPath }}
               resources:
diff --git a/charts/navi-castle/templates/statefulset.yaml b/charts/navi-castle/templates/statefulset.yaml
index 1ebb39524..c6ef8fedc 100644
--- a/charts/navi-castle/templates/statefulset.yaml
+++ b/charts/navi-castle/templates/statefulset.yaml
@@ -25,6 +25,9 @@ spec:
         checksum/configbuilder: {{ include (print $.Template.BasePath "/configmapbuilder.yaml") . | sha256sum }}
         checksum/configbuilder-runnable: {{ include (print $.Template.BasePath "/configmapbuilder-runnable.yaml") . | sha256sum }}
         checksum/confignginx: {{ include (print $.Template.BasePath "/configmapnginx.yaml") . | sha256sum }}
+        {{- if .Values.customCAs.bundle }}
+        checksum/custom-ca: {{ (include (print $.Template.BasePath "/configmap-ca.yaml") . | fromYaml).data | toYaml | sha256sum }}
+        {{- end }}
       {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -49,6 +52,11 @@ spec:
         - name: {{ include "castle.fullname" . }}-castle-nginx-config
           configMap:
             name: {{ include "castle.fullname" . }}-castle-nginx-config
+        {{- if .Values.customCAs.bundle }}
+        - name: {{ include "castle.fullname" $ }}-ca
+          configMap:
+            name: {{ include "castle.fullname" $ }}-ca
+        {{- end }}
         {{- if (not .Values.persistentVolume.enabled) }}
         - name: {{ include "castle.fullname" . }}-data
           emptyDir: {}
@@ -97,6 +105,11 @@ spec:
           command: ["/tini","--"]
           args:
           - /opt/update_services_init.sh
+          env:
+          {{- if .Values.customCAs.bundle }}
+          - name: SSL_CERT_FILE
+            value: {{ include "custom.ca.mountPath" . }}/custom-ca.crt
+          {{- end }}
           resources:
             {{- toYaml $.Values.resources | nindent 12 }}
           startupProbe:
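Review bot: `env:` on the first added line is emitted unconditionally while its only entry sits inside `{{- if .Values.customCAs.bundle }}`, so with the default empty bundle the container renders `env:` with no value, which YAML reads as null; the API server accepts that, but it is an empty-value smell and differs from how the navi-async-matrix StatefulSet and the castle CronJob in this patch add the variable. Move `env:` inside the guard, i.e. `{{- if .Values.customCAs.bundle }}` followed by `env:` and the `SSL_CERT_FILE` entry, unless this container already declares `env` elsewhere (not visible in the hunk), in which case the entry belongs under that existing key instead.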
@@ -130,6 +143,11 @@ spec:
           - name: {{ include "castle.fullname" $ }}-builder-config
             mountPath: /opt/update_services
             subPath: update_services
+          {{- if .Values.customCAs.bundle }}
+          - name: {{ include "castle.fullname" $ }}-ca
+            mountPath: {{ include "custom.ca.mountPath" . }}/custom-ca.crt
+            subPath: custom-ca.crt
+          {{- end }}
           {{- if .Values.persistentVolume.enabled }}
           - name: {{ include "castle.fullname" . }}-pvc
             mountPath: {{ .Values.castle.castleDataPath }}
diff --git a/charts/navi-castle/values.yaml b/charts/navi-castle/values.yaml
index fcc24587b..a8a2e9385 100644
--- a/charts/navi-castle/values.yaml
+++ b/charts/navi-castle/values.yaml
@@ -205,3 +205,16 @@ persistentVolume:
   - ReadWriteOnce
   storageClass: ceph-csi-rbd
   size: 5Gi
+
+# @section customCAs **Custom Certificate Authority**
+
+# @param customCAs.bundle Custom CA [text representation of the X.509 PEM public-key certificate](https://www.rfc-editor.org/rfc/rfc7468#section-5.1)
+# @param customCAs.certsPath Custom CA bundle mount directory in the container. If empty, the default value: "/usr/local/share/ca-certificates"
+
+customCAs:
+  bundle: ''
+# bundle: |
+    # -----BEGIN CERTIFICATE-----
+    # ...
+    # -----END CERTIFICATE-----
+  certsPath: ''
diff --git a/charts/navi-restrictions/README.md b/charts/navi-restrictions/README.md
index bbbb34e1d..1c27f5777 100644
--- a/charts/navi-restrictions/README.md
+++ b/charts/navi-restrictions/README.md
@@ -174,6 +174,13 @@ See the [documentation](https://docs.2gis.com/en/on-premise/restrictions) to lea
 | `cron.resources.limits.cpu`      | A CPU limit                     | `1000m`  |
 | `cron.resources.limits.memory`   | A memory limit                  | `1024Mi` |
 
+### customCAs **Custom Certificate Authority**
+
+| Name                  | Description                                                                                                                 | Value |
+| --------------------- | --------------------------------------------------------------------------------------------------------------------------- | ----- |
+| `customCAs.bundle`    | Custom CA [text representation of the X.509 PEM public-key certificate](https://www.rfc-editor.org/rfc/rfc7468#section-5.1) | `""`  |
+| `customCAs.certsPath` | Custom CA bundle mount directory in the container. If empty, the default value: "/usr/local/share/ca-certificates"          | `""`  |
+
 
 ## Maintainers
 
diff --git a/charts/navi-restrictions/templates/_helpers.tpl b/charts/navi-restrictions/templates/_helpers.tpl
index ebbefcc47..cefd13446 100644
--- a/charts/navi-restrictions/templates/_helpers.tpl
+++ b/charts/navi-restrictions/templates/_helpers.tpl
@@ -87,3 +87,12 @@ Check for deprecated values
 {{- if .Values.db -}}{{ fail "[after 1.20.2] .Values.db renamed to .Values.postgres" }}{{- end }}
 {{- end }} {{/* 1.20.2 */}}
 {{- end }}
+
+{{/*
+Set custom CAs mount path
+Usage:
+{{ include "custom.ca.mountPath" $ }}
+*/}}
+{{- define "custom.ca.mountPath" -}}
+{{ .Values.customCAs.certsPath | default "/usr/local/share/ca-certificates" }}
+{{- end -}}
diff --git a/charts/navi-restrictions/templates/configmap-ca.yaml b/charts/navi-restrictions/templates/configmap-ca.yaml
new file mode 100644
index 000000000..a45b15138
--- /dev/null
+++ b/charts/navi-restrictions/templates/configmap-ca.yaml
@@ -0,0 +1,9 @@
+{{- if .Values.customCAs.bundle }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "navi-restrictions.fullname" . }}-ca
+data:
+  custom-ca.crt: |-
+    {{- .Values.customCAs.bundle | nindent 4 }}
+{{- end }}
diff --git a/charts/navi-restrictions/templates/cronjob.yaml b/charts/navi-restrictions/templates/cronjob.yaml
index da2f23c5f..31818a91c 100644
--- a/charts/navi-restrictions/templates/cronjob.yaml
+++ b/charts/navi-restrictions/templates/cronjob.yaml
@@ -32,6 +32,12 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
         spec:
+          {{- if .Values.customCAs.bundle }}
+          volumes:
+            - name: {{ include "navi-restrictions.fullname" $ }}-ca
+              configMap:
+                name: {{ include "navi-restrictions.fullname" $ }}-ca
+          {{- end }}
           {{- with .Values.imagePullSecrets }}
           imagePullSecrets:
             {{- toYaml . | nindent 12 }}
@@ -83,4 +89,14 @@ spec:
                     secretKeyRef:
                       name: {{ include "navi-restrictions.fullname" . }}
                       key: keysApi
+                {{- if .Values.customCAs.bundle }}
+                - name: SSL_CERT_FILE
+                  value: {{ include "custom.ca.mountPath" . }}/custom-ca.crt
+                {{- end }}
+              {{- if .Values.customCAs.bundle }}
+              volumeMounts:
+                - name: {{ include "navi-restrictions.fullname" $ }}-ca
+                  mountPath: {{ include "custom.ca.mountPath" . }}/custom-ca.crt
+                  subPath: custom-ca.crt
+              {{- end }}
 {{- end }}
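Review bot: The two consecutive `{{- if .Values.customCAs.bundle }}` blocks test the same value back to back, and the first of them mixes `.` (the guard and `include "custom.ca.mountPath" .`) with `$` (`include "navi-restrictions.fullname" $`) for what is the same root context. One guard around both the `SSL_CERT_FILE` entry and the `volumeMounts:` key reads cleaner, and choosing `.` or `$` once avoids the impression that two different contexts are in play; the enclosing block closed by the `{{- end }}` on the last line begins outside the hunk, so whichever form that block uses is the one to follow.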
diff --git a/charts/navi-restrictions/templates/deployment.yaml b/charts/navi-restrictions/templates/deployment.yaml
index 9369ad4ae..e2d6b8c1e 100644
--- a/charts/navi-restrictions/templates/deployment.yaml
+++ b/charts/navi-restrictions/templates/deployment.yaml
@@ -31,6 +31,9 @@ spec:
         {{- if .Values.prometheusEnabled }}
         prometheus.io/scrape: "true"
         {{- end }}
+        {{- if .Values.customCAs.bundle }}
+        checksum/custom-ca: {{ (include (print $.Template.BasePath "/configmap-ca.yaml") . | fromYaml).data | toYaml | sha256sum }}
+        {{- end }}
       {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -41,6 +44,12 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
+      {{- if .Values.customCAs.bundle }}
+      volumes:
+        - name: {{ include "navi-restrictions.fullname" . }}-ca
+          configMap:
+            name: {{ include "navi-restrictions.fullname" . }}-ca
+      {{- end }}
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -90,6 +99,12 @@ spec:
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- if .Values.customCAs.bundle }}
+          volumeMounts:
+            - name: {{ include "navi-restrictions.fullname" . }}-ca
+              mountPath: {{ include "custom.ca.mountPath" . }}/custom-ca.crt
+              subPath: custom-ca.crt
+          {{- end }}
           env:
             - name: DEBUG
               value: "{{ .Values.api.debug | ternary "True" "False" }}"
@@ -115,3 +130,7 @@ spec:
                 secretKeyRef:
                   name: {{ include "navi-restrictions.fullname" . }}
                   key: keysApi
+          {{- if .Values.customCAs.bundle }}
+            - name: SSL_CERT_FILE
+              value: {{ include "custom.ca.mountPath" . }}/custom-ca.crt
+          {{- end }}
diff --git a/charts/navi-restrictions/values.yaml b/charts/navi-restrictions/values.yaml
index 20e1c7d32..76b524fee 100644
--- a/charts/navi-restrictions/values.yaml
+++ b/charts/navi-restrictions/values.yaml
@@ -267,3 +267,17 @@ cron:
 # @param cron.resources.requests.memory A memory request
 # @param cron.resources.limits.cpu A CPU limit
 # @param cron.resources.limits.memory A memory limit
+
+
+# @section customCAs **Custom Certificate Authority**
+
+# @param customCAs.bundle Custom CA [text representation of the X.509 PEM public-key certificate](https://www.rfc-editor.org/rfc/rfc7468#section-5.1)
+# @param customCAs.certsPath Custom CA bundle mount directory in the container. If empty, the default value: "/usr/local/share/ca-certificates"
+
+customCAs:
+  bundle: ''
+# bundle: |
+    # -----BEGIN CERTIFICATE-----
+    # ...
+    # -----END CERTIFICATE-----
+  certsPath: ''