Feature/add internal ca

charts/dependency-track/Chart.yaml

@@ -4,7 +4,7 @@ description: |
   Dependency-Track is an intelligent Software Supply Chain Component Analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill-of-Materials (SBOM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.
 name: dependency-track
 home: https://dependencytrack.org/
-version: 1.5.4
+version: 1.5.5
 icon: https://raw.githubusercontent.com/DependencyTrack/branding/master/dt-logo-black-text.svg
 keywords:
  - security

charts/dependency-track/README.md

@@ -1,6 +1,6 @@
 # dependency-track
 
-![Version: 1.5.2](https://img.shields.io/badge/Version-1.5.2-informational?style=flat-square) ![AppVersion: 4.6.2](https://img.shields.io/badge/AppVersion-4.6.2-informational?style=flat-square)
+![Version: 1.5.5](https://img.shields.io/badge/Version-1.5.5-informational?style=flat-square) ![AppVersion: 4.6.2](https://img.shields.io/badge/AppVersion-4.6.2-informational?style=flat-square)
 
 Dependency-Track is an intelligent Software Supply Chain Component Analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill-of-Materials (SBOM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.
 
@@ -29,7 +29,7 @@ Dependency-Track is an intelligent Software Supply Chain Component Analysis plat
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| apiserver | object | `{"affinity":{},"emptyDir":{"sizeLimit":"8Gi"},"enabled":true,annotations":{},"env":[],"fullnameOverride":"","image":{"pullPolicy":"IfNotPresent","repository":"dependencytrack/apiserver","tag":"4.6.2"},"initContainers":[],"livenessProbe":{"enabled":true,"failureThreshold":3,"initialDelaySeconds":60,"path":"/api/version","periodSeconds":10,"successThreshold":1,"timeoutSeconds":2},"nameOverride":"","nodeSelector":{},"persistentVolume":{"accessModes":["ReadWriteOnce"],"annotations":{},"enabled":true,"size":"8Gi","storageClass":""},"podSecurityContext":{"fsGroup":1000},"readinessProbe":{"enabled":true,"failureThreshold":3,"initialDelaySeconds":60,"path":"/","periodSeconds":10,"successThreshold":1,"timeoutSeconds":2},"replicaCount":1,"resources":{"limits":{"cpu":4,"memory":"16Gi"},"requests":{"cpu":2,"memory":"4608Mi"}},"securityContext":{"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000},"service":{"annotations":{},"port":80,"type":"ClusterIP"},"serviceAccount":{"annotations":{},"create":true,"name":"apiserver-serviceaccount"},"tolerations":[]}` | config of the apiserver |
+| apiserver | object | `{"affinity":{},"emptyDir":{"sizeLimit":"8Gi"},"enabled":true,annotations":{},"env":[],"fullnameOverride":"","image":{"pullPolicy":"IfNotPresent","repository":"dependencytrack/apiserver","tag":"4.6.2"},"initContainers":[],"internalCertificate":{"enabled":false},"livenessProbe":{"enabled":true,"failureThreshold":3,"initialDelaySeconds":60,"path":"/api/version","periodSeconds":10,"successThreshold":1,"timeoutSeconds":2},"nameOverride":"","nodeSelector":{},"persistentVolume":{"accessModes":["ReadWriteOnce"],"annotations":{},"enabled":true,"size":"8Gi","storageClass":""},"podSecurityContext":{"fsGroup":1000},"readinessProbe":{"enabled":true,"failureThreshold":3,"initialDelaySeconds":60,"path":"/","periodSeconds":10,"successThreshold":1,"timeoutSeconds":2},"replicaCount":1,"resources":{"limits":{"cpu":4,"memory":"16Gi"},"requests":{"cpu":2,"memory":"4608Mi"}},"securityContext":{"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000},"service":{"annotations":{},"port":80,"type":"ClusterIP"},"serviceAccount":{"annotations":{},"create":true,"name":"apiserver-serviceaccount"},"tolerations":[]}` | config of the apiserver |
 | frontend | object | `{"affinity":{},"emptyDir":{"sizeLimit":"8Gi"},"enabled":true,annotations":{},"env":[{"name":"API_BASE_URL","value":""}],"fullnameOverride":"","image":{"pullPolicy":"IfNotPresent","repository":"dependencytrack/frontend","tag":"4.6.1"},"initContainers":[],"livenessProbe":{"enabled":true,"failureThreshold":3,"initialDelaySeconds":60,"path":"/","periodSeconds":10,"successThreshold":1,"timeoutSeconds":2},"nameOverride":"","nodeSelector":{},"readinessProbe":{"enabled":true,"failureThreshold":3,"initialDelaySeconds":60,"path":"/","periodSeconds":10,"successThreshold":1,"timeoutSeconds":2},"replicaCount":2,"resources":{"limits":{"cpu":1,"memory":"512Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"securityContext":{"allowPrivilegeEscalation":false,"runAsUser":101},"service":{"annotations":{},"port":80,"type":"ClusterIP"},"serviceAccount":{"annotations":{},"create":true,"name":"frontend-serviceaccount"},"tolerations":[]}` | config of the frontend |
 | frontend.env | list | `[{"name":"API_BASE_URL","value":""}]` | See https://docs.dependencytrack.org/getting-started/configuration/ for frontend ENV variables. |
 | global | object | `{"imageRegistry":"docker.io"}` | global configuration |

charts/dependency-track/ci/withinternalcertificat-values.yaml

@@ -0,0 +1,37 @@
+postgresql:
+  enabled: false
+apiserver:
+  resources:
+    requests:
+      cpu: 1600m
+      memory: 5Gi
+    limits:
+      cpu: 2
+      memory: 5Gi
+  internalCertificate:
+    enabled: true
+    keytool:
+      image:
+        repository: eclipse-temurin
+        tag: 11-jre
+    data:
+      alias: acme-inc
+      filename: acme-inc.crt
+      content: |
+        -----BEGIN CERTIFICATE-----
+        MIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG
+        A1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE
+        MRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl
+        YiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw
+        ODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE
+        CAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs
+        ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl
+        8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID
+        AQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx
+        8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy
+        2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0
+        Hn+GmxZA
+        -----END CERTIFICATE-----
+
+frontend:
+  replicaCount: 1

charts/dependency-track/templates/_helpers.tpl

@@ -4,6 +4,10 @@
 {{- include "common.images.image" ( dict "imageRoot" .Values.apiserver.image "global" .Values.global ) -}}
 {{- end -}}
 
+{{- define "apiserver.internalCertificate.keytool.image" -}}
+{{- include "common.images.image" ( dict "imageRoot" .Values.apiserver.internalCertificate.keytool.image "global" .Values.global ) -}}
+{{- end -}}
+
 {{- define "frontend.image" -}}
 {{- include "common.images.image" ( dict "imageRoot" .Values.frontend.image "global" .Values.global ) -}}
 {{- end -}}

charts/dependency-track/templates/backend/cert-configmap.yaml

@@ -0,0 +1,10 @@
+{{- if .Values.apiserver.internalCertificate.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cert-{{ include "common.names.fullname" . }}-apiserver
+  labels: {{- include "backend.labels.standard" . | nindent 4 }}
+data:
+  {{ .Values.apiserver.internalCertificate.data.filename }}: |
+{{ .Values.apiserver.internalCertificate.data.content | indent 4 }}
+{{- end }}

charts/dependency-track/templates/backend/deployment.yaml

@@ -28,6 +28,39 @@ spec:
       {{- with .Values.apiserver.initContainers }}
       initContainers: {{- toYaml . | nindent 6 }}
       {{- end }}
+      {{- if .Values.apiserver.internalCertificate.enabled }}
+      {{- if not .Values.apiserver.initContainers }}
+      initContainers:
+      {{- end }}
+      - name: init-cacerts
+        image: {{ include "apiserver.image" . }}
+        securityContext: {{- toYaml .Values.apiserver.securityContext | nindent 12 }}
+        command:
+        - bash
+        - -c
+        - |
+          cp -R /opt/java/openjdk/lib/security/* /security/
+        volumeMounts:
+        - mountPath: /security
+          name: security
+      - name: amend-cacerts
+        image: {{ include "apiserver.internalCertificate.keytool.image" . }}
+        securityContext: {{- toYaml .Values.apiserver.securityContext | nindent 12 }}
+        command:
+        - bash
+        - -c
+        - |
+          while [ ! –e /security/cacerts ]
+          do
+            sleep 1
+          done
+          keytool -keystore /security/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias {{ .Values.apiserver.internalCertificate.data.alias }} -file /work/{{ .Values.apiserver.internalCertificate.data.filename }}
+        volumeMounts:
+        - mountPath: /security
+          name: security
+        - mountPath: /work
+          name: cert-{{ include "common.names.fullname" . }}-apiserver-volume
+      {{- end }}
       containers:
       - name: {{ .Chart.Name }}-apiserver
         securityContext: {{- toYaml .Values.apiserver.securityContext | nindent 12 }}
@@ -62,6 +95,10 @@ spec:
           mountPath: /data
         - name: tmp
           mountPath: /tmp
+        {{- if .Values.apiserver.internalCertificate.enabled }}
+        - name: security
+          mountPath: /opt/java/openjdk/lib/security
+        {{- end }}
         ports:
         - name: api
           containerPort: 8080
@@ -103,6 +140,14 @@ spec:
       volumes:
       - name: tmp
         emptyDir: {}
+      {{- if .Values.apiserver.internalCertificate.enabled }}
+      - name: security
+        emptyDir: {}
+      - configMap:
+          name: cert-{{ include "common.names.fullname" . }}-apiserver
+          defaultMode: 420
+        name: cert-{{ include "common.names.fullname" . }}-apiserver-volume
+      {{- end }}
       - name: data
         {{- if .Values.apiserver.persistentVolume.enabled }}
         persistentVolumeClaim:

charts/dependency-track/values.yaml

@@ -132,6 +132,8 @@ apiserver:
   nameOverride: ""
   fullnameOverride: ""
   initContainers: []
+  internalCertificate:
+    enabled: false
   serviceAccount:
     # Specifies whether a service account should be created
     create: true