fix: update manifests to have user certs mounted through configmap (#300

)

charts/operator/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: operator
 description: A Helm chart for Weights & Biases operator
 type: application
-version: 1.3.10
+version: 1.3.11
 appVersion: "1.0.0"
 maintainers:
   - name: wandb

charts/operator/templates/deployment.yaml

@@ -47,9 +47,9 @@ spec:
               fieldPath: spec.serviceAccountName
         - name: AIRGAPPED
           value: {{ .Values.airgapped | quote }}
-        {{- if .Values.customCACerts }}
+        {{- if or .Values.customCACerts .Values.caCertsConfigMap }}
         - name: SSL_CERT_DIR
-          value: /certs
+          value: /certs/
         {{- end }}
         livenessProbe:
           httpGet:
@@ -64,33 +64,36 @@ spec:
           initialDelaySeconds: 5
           periodSeconds: 10
         resources: {{- toYaml .Values.resources | nindent 10 }}
-        {{- if or .Values.airgapped .Values.customCACerts }}
+        {{- if or .Values.airgapped .Values.customCACerts .Values.caCertsConfigMap }}
         volumeMounts:
           {{- if or .Values.airgapped }}
           - name: {{ include "name" . }}-charts
             mountPath: /charts
           {{- end }}
-          {{- if .Values.customCACerts }}
-            {{- range $index, $v := .Values.customCACerts }}
+          {{- if .Values.caCertsConfigMap }}
           - name: wandb-ca-certs
-            mountPath: /certs/customCA{{$index}}.crt
-            subPath: customCA{{$index}}.crt
-            {{- end }}
+            mountPath: /certs/
           {{- end }}
         {{- end }}
-      {{- if or .Values.airgapped .Values.customCACerts }}
+      {{- if or .Values.airgapped .Values.customCACerts .Values.caCertsConfigMap }}
       volumes:
         {{- if .Values.airgapped }}
         - name: {{ include "name" . }}-charts
           configMap:
             name: {{ include "name" . }}-charts
             optional: true
         {{- end }}
-        {{- if .Values.customCACerts }}
         - name: wandb-ca-certs
-          configMap:
-            name: {{ include "operator.fullname" . }}-ca-certs
-        {{- end }}
+          projected:
+            sources:
+          {{- if .Values.caCertsConfigMap }}
+              - configMap:
+                  name: {{ .Values.caCertsConfigMap }}
+          {{- end }}
+          {{- if .Values.customCACerts }}
+              - configMap:
+                  name: {{ include "operator.fullname" . }}-ca-certs
+          {{- end }}
       {{- end }}
       serviceAccountName: {{ include "manager.serviceAccount.name" . }}
       {{- if .Values.nodeSelector }}

charts/operator/values.yaml

@@ -228,7 +228,19 @@ namespaceIsolation:
   enabled: false
   additionalNamespaces: []
 
+# To provide custom CA certificates, you can use either:
+# 1. `customCACerts`: a list of certificates provided directly within this Helm chart.
+# 2. `configMapName`: the name of a ConfigMap containing CA certificates.
+#
+# Important:
+# - If using a ConfigMap, each key in the ConfigMap must end with `.crt` (e.g., `my-cert.crt`).
+# - This naming convention is required for `update-ca-certificates` to parse and add each
+#   certificate to the system CA store on Ubuntu-based systems.
+
+# List of custom CA certificates in PEM format.
 customCACerts: []
+# Name of a ConfigMap containing additional .crt files for CA certificates.
+caCertsConfigMap: ""
 
 # Affinity rules for scheduling the Pod of this application.
 # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity