Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(helm): add customCaCerts value #707

Merged
merged 3 commits into from
Aug 14, 2023
Merged

feat(helm): add customCaCerts value #707

merged 3 commits into from
Aug 14, 2023

Conversation

fty4
Copy link
Member

@fty4 fty4 commented Aug 12, 2023

WHAT

Add Helm chart value (customCaCerts) to support adding additional custom ca-certs to the control- and dataplane pods.

WHY

If your company is using a certificate authority which is not inside the common /opt/java/openjdk/lib/security/cacerts file connections will not be trusted.
A connection in between will then fail in lack of trusted certificates.
When only using public signed certificate you will not need this value.

HOW

With this change you will be able to specify additional custom certificates as follows in your values file:

customCaCerts:
  YourCompany.pem: |
    -----BEGIN CERTIFICATE-----
    MIICuzCCAaMCAQAwMzELMAkGA1UEBhMCREUxEDAOBgNVBAgMB0JhdmFyaWExEjAQ
    ...
    -----END CERTIFICATE-----

When one or more certificates are added to the dict they will be each added via a initContainer and emptyDir to both cp and dp.

To view the added certificates you can run the keytool with following command:

keytool -list -keystore /opt/java/openjdk/lib/security/cacerts -storepass changeit | grep -i your-cert-name

Marco Lecheler [email protected] Mercedes-Benz Tech Innovation GmbH (ProviderInformation)

fty4 and others added 3 commits August 11, 2023 11:53
@fty4
fix(helm): only temple initContainers if specified
1681d4f 
The initContainers key should only be templated if there are any initContainers specified in the values file.
@fty4 @mbctec
feat(helm): add customCaCerts to cp and dp
e4af2e1 
Co-authored-by: Michael Berlec <[email protected]>
@fty4
chore(helm): update chart docs (readme)
737994c
@sonarqubecloud
Copy link

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
No Duplication information No Duplication information

@fty4 fty4 marked this pull request as ready for review August 12, 2023 12:16
@fty4 fty4 requested a review from paullatzelsperger August 12, 2023 12:16
paullatzelsperger
paullatzelsperger reviewed Aug 14, 2023
View reviewed changes
Copy link
Contributor

@paullatzelsperger paullatzelsperger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems to work fine, but is there any way to test this? For example could there be a helm test, that executes the keytool command via a remote shell, and verifies that the cert is in the resulting list?
Don't know if it's worth it though, just a thought.

@fty4
Copy link
Member Author

fty4 commented Aug 14, 2023

Testing is always a good thing - but I see some challenges here.
If it will be implemented as a Helm test a customCaCerts must be added on the installation then the test could verify if this specific certificate was added.
The problem here would be that a Helm test will fail on every other executions (when someone else is testing the edc installation without the test-certificate). So a generic test will always fail.

Another way would be to implement a separate test via e.g. CI which might be a little bit overwhelming here.

@paullatzelsperger
Copy link
Contributor

Testing is always a good thing - but I see some challenges here.
If it will be implemented as a Helm test a customCaCerts must be added on the installation then the test could verify if this specific certificate was added.
The problem here would be that a Helm test will fail on every other executions (when someone else is testing the edc installation without the test-certificate). So a generic test will always fail.

I see your point.

Another way would be to implement a separate test via e.g. CI which might be a little bit overwhelming here.

Maybe it could be as easy as opening a shell to the running container, and execute the keytool command? We'd have to effectively duplicate out test runs, and generate Certs beforehand, but it seems doable. Definitely should be done in another issue though.

@paullatzelsperger paullatzelsperger merged commit 6b04820 into eclipse-tractusx:main Aug 14, 2023
@fty4 fty4 deleted the feat/custom-cacerts branch August 14, 2023 08:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@paullatzelsperger paullatzelsperger paullatzelsperger approved these changes

@mbctec mbctec mbctec approved these changes

Assignees
No one assigned
Labels
None yet
Projects
EDC PR Board
Status: Merged
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@fty4 @paullatzelsperger @mbctec