Support custom CA certificates in Helm

Author: iQQBot

chart/templates/_helpers.tpl

@@ -357,6 +357,39 @@ storage:
 {{- end -}}
 {{- end -}}
 
+{{/* custom ca bundle volume and volumeMount */}}
+{{- define "gitpod.caBundleVolume" -}}
+{{- if .Values.fullCABundleSecretName -}}
+- name: ca-bundle-certs
+  secret:
+    secretName: {{ .Values.fullCABundleSecretName }}
+{{- end -}}
+{{- end -}}
+
+{{- define "gitpod.caBundleVolumeMount" -}}
+{{- if .Values.fullCABundleSecretName -}}
+- name: ca-bundle-certs
+  mountPath: /etc/ssl/certs/ca-certificates.crt
+  subPath: ca-certificates.crt
+{{- end -}}
+{{- end -}}
+
+{{- define "gitpod.extraCABundleVolume" -}}
+{{- if .Values.extraCABundleSecretName -}}
+- name: extra-certs
+  secret:
+    secretName: {{ .Values.extraCABundleSecretName }}
+{{- end -}}
+{{- end -}}
+
+{{- define "gitpod.extraCABundleVolumeMount" -}}
+{{- if .Values.extraCABundleSecretName -}}
+- name: extra-certs
+  mountPath: /etc/ssl/certs/extra/ca-certificates.crt
+  subPath: ca-certificates.crt
+{{- end -}}
+{{- end -}}
+
 {{- define "gitpod.kube-rbac-proxy" -}}
 - name: kube-rbac-proxy
   image: quay.io/brancz/kube-rbac-proxy:v0.11.0

chart/templates/blobserve-deployment.yaml

@@ -65,6 +65,9 @@ spec:
           mountPath: /mnt/pull-secret.json
           subPath: .dockerconfigjson
         {{- end }}
+        {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+        {{- end }}
 {{ include "gitpod.kube-rbac-proxy" $this | indent 6 }}
       volumes:
       - name: cache
@@ -77,5 +80,8 @@ spec:
         secret:
           secretName: {{ .Values.components.workspace.pullSecret.secretName }}
       {{- end }}
+      {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+      {{- end }}
 {{ toYaml .Values.defaults | indent 6 }}
 {{ end }}

chart/templates/content-service-deployment.yaml

@@ -61,13 +61,19 @@ spec:
         - name: config
           mountPath: "/config"
           readOnly: true
+        {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+        {{- end }}
 {{- if $comp.volumeMounts }}
 {{ toYaml $comp.volumeMounts | indent 8 }}
 {{- end }}
       volumes:
       - name: config
         configMap:
           name: {{ template "gitpod.comp.configMap" $this }}
+      {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+      {{- end }}
 {{- if $comp.volumes }}
 {{ toYaml $comp.volumes | indent 6 }}
 {{- end }}

chart/templates/image-builder-deployment.yaml

@@ -64,6 +64,9 @@ spec:
         secret:
           secretName: {{ $sec.secret }}
 {{- end }}
+      {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+      {{- end }}
       enableServiceLinks: false
       containers:
       - name: dind
@@ -80,6 +83,9 @@ spec:
         - mountPath: /etc/docker/certs.d/{{- if eq $sec.name "builtin" -}}{{ template "gitpod.builtinRegistry.name" $this.root }}{{ else }}{{ $sec.name }}{{ end }}
           name: docker-tls-certs-{{ $idx }}
 {{- end }}
+        {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+        {{- end }}
 {{- if $comp.dindResources }}
         resources:
 {{ toYaml $comp.dindResources | indent 10 }}
@@ -105,6 +111,9 @@ spec:
           name: pull-secret
 {{- end }}
 {{- end }}
+        {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+        {{- end }}
         resources:
           requests:
             cpu: {{ $.Values.resources.default.cpu }}

chart/templates/image-builder-mk3-deployment.yaml

@@ -60,6 +60,9 @@ spec:
       - name: wsman-tls-certs
         secret:
           secretName: {{ .Values.components.wsManager.tls.server.secretName }}
+      {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+      {{- end }}
       enableServiceLinks: false
       containers:
 {{ include "gitpod.kube-rbac-proxy" $this | indent 6 }}
@@ -86,6 +89,9 @@ spec:
           name: pull-secret
 {{- end }}
 {{- end }}
+        {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+        {{- end }}
         resources:
           requests:
             cpu: {{ $.Values.resources.default.cpu }}

chart/templates/proxy-deployment.yaml

@@ -105,6 +105,9 @@ spec:
 {{- end }}
         - name: config-certificates
           mountPath: "/etc/caddy/certificates"
+        {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+        {{- end }}
 {{ include "gitpod.container.defaultEnv" (dict "root" . "gp" $.Values "comp" $comp) | indent 8 }}
         - name: PROXY_DOMAIN
           value: "{{ $.Values.hostname }}"
@@ -123,5 +126,8 @@ spec:
       - name: config-certificates
         secret:
           secretName: {{ $.Values.certificatesSecret.secretName }}
+      {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+      {{- end }}
 {{ toYaml .Values.defaults | indent 6 }}
 {{ end }}

chart/templates/registry-facade-daemonset.yaml

@@ -71,6 +71,9 @@ spec:
         - name: https-certificates
           mountPath: "/mnt/certificates"
         {{- end }}
+        {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+        {{- end }}
 {{ include "gitpod.kube-rbac-proxy" $this | indent 6 }}
       volumes:
       - name: cache
@@ -91,5 +94,8 @@ spec:
         secret:
           secretName: {{ .Values.certificatesSecret.secretName }}
       {{- end }}
+      {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+      {{- end }}
 {{ toYaml .Values.defaults | indent 6 }}
 {{ end }}

chart/templates/server-deployment.yaml

@@ -105,6 +105,9 @@ spec:
           mountPath: "{{ dir $comp.githubApp.certPath }}"
           readOnly: true
 {{- end }}
+{{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+{{- end }}
 {{- if $comp.serverContainer.volumeMounts }}
 {{ toYaml $comp.serverContainer.volumeMounts | indent 8 }}
 {{- end }}
@@ -145,5 +148,8 @@ spec:
 {{- if $comp.volumes }}
 {{ toYaml $comp.volumes | indent 6 }}
 {{- end }}
+{{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+{{- end }}
 {{ toYaml .Values.defaults | indent 6 }}
 {{ end }}

chart/templates/ws-daemon-daemonset.yaml

@@ -100,6 +100,9 @@ spec:
       {{- end }}
 {{- if $comp.volumes }}
 {{ toYaml $comp.volumes | indent 6 }}
+{{- end }}
+{{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
 {{- end }}
       enableServiceLinks: false
 {{- if (or $comp.userNamespaces.shiftfsModuleLoader.enabled $comp.userNamespaces.seccompProfileInstaller.enabled) }}
@@ -267,6 +270,9 @@ spec:
           name: tls-certs
 {{- if $comp.volumeMounts }}
 {{ toYaml $comp.volumeMounts | indent 8 }}
+{{- end }}
+{{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
 {{- end }}
         args: ["run", "--config", "/config/config.json"]
         image: {{ template "gitpod.comp.imageFull" $this }}

chart/templates/ws-manager-deployment.yaml

@@ -56,6 +56,9 @@ spec:
       - name: workspace-template
         configMap:
           name: workspace-template
+      {{- if .Values.extraCABundleSecretName }}
+{{ include "gitpod.extraCABundleVolume" . | indent 6 }}
+      {{- end }}
 {{- if $comp.volumes }}
 {{ toYaml $comp.volumes | indent 6 }}
 {{- end }}
@@ -81,6 +84,9 @@ spec:
         - mountPath: /certs
           name: tls-certs
           readOnly: true
+        {{- if .Values.extraCABundleSecretName }}
+{{ include "gitpod.extraCABundleVolumeMount" . | indent 8 }}
+        {{- end }}
 {{- if $comp.volumeMounts }}
 {{ toYaml $comp.volumeMounts | indent 8 }}
 {{- end }}