Support custom CA certificates in Helm

jgallucci32 · jgallucci32 · commit 59304205d6cc · 2021-02-04T21:54:34.000Z
Signed-off-by: jgallucci32 &lt;john.gallucci.iv@gmail.com&gt;
diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
@@ -319,6 +319,7 @@ data:
 {{- end -}}
 {{- end -}}
 
+<<<<<<< HEAD
 {{- define "gitpod.remoteStorage.config" -}}
 {{- $ := .root -}}
 {{- $remoteStorageMinio := .remoteStorage.minio | default dict -}}
@@ -339,4 +340,17 @@ storage:
 {{- else }}
 {{ toYaml .remoteStorage | indent 2 }}
 {{- end -}}
+=======
+{{/* custom ca bundle volume and volumeMount */}}
+{{- define "gitpod.caBundleVolume" -}}
+- name: ca-bundle-certs
+  secret:
+    secretName: {{ .Values.caBundleSecretName }}
+{{- end -}}
+
+{{- define "gitpod.caBundleVolumeMount" -}}
+- name: ca-bundle-certs
+  mountPath: /etc/ssl/certs/ca-certificates.crt
+  subPath: ca-certificates.crt
+>>>>>>> 3cae036 (Support custom CA certificates in Helm)
 {{- end -}}
diff --git a/chart/templates/blobserve-deployment.yaml b/chart/templates/blobserve-deployment.yaml
@@ -69,6 +69,9 @@ spec:
           mountPath: /mnt/pull-secret.json
           subPath: .dockerconfigjson
         {{- end }}
+        {{- if .Values.caBundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+        {{- end }}
       volumes:
       - name: cache
         emptyDir: {}
@@ -80,5 +83,8 @@ spec:
         secret:
           secretName: {{ .Values.components.workspace.pullSecret.secretName }}
       {{- end }}
+      {{- if .Values.caBundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+      {{- end }}
 {{ toYaml .Values.defaults | indent 6 }}
 {{ end }}
diff --git a/chart/templates/image-builder-deployment.yaml b/chart/templates/image-builder-deployment.yaml
@@ -64,6 +64,9 @@ spec:
         secret:
           secretName: {{ $sec.secret }}
 {{- end }}
+      {{- if .Values.caBundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+      {{- end }}
       containers:
       - name: dind
         image: {{ $comp.dindImage | default "docker:19.03-dind" }}
@@ -78,6 +81,9 @@ spec:
 {{- range $idx, $sec := $comp.registryCerts }}
         - mountPath: /etc/docker/certs.d/{{- if eq $sec.name "builtin" -}}{{ template "gitpod.builtinRegistry.name" $this.root }}{{ else }}{{ $sec.name }}{{ end }}
           name: docker-tls-certs-{{ $idx }}
+        {{- if .Values.caBundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+        {{- end }}
 {{- end }}
 {{- if $comp.dindResources }}
         resources:
diff --git a/chart/templates/registry-facade-daemonset.yaml b/chart/templates/registry-facade-daemonset.yaml
@@ -97,6 +97,9 @@ spec:
         - name: https-certificates
           mountPath: "/mnt/certificates"
         {{- end }}
+        {{- if .Values.caBundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+        {{- end }}
       volumes:
       - name: cache
         emptyDir: {}
@@ -132,5 +135,8 @@ spec:
             path: privkey.pem
           {{- end }}
       {{- end }}
+      {{- if .Values.caBundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+      {{- end }}
 {{ toYaml .Values.defaults | indent 6 }}
 {{ end }}
diff --git a/chart/templates/server-deployment.yaml b/chart/templates/server-deployment.yaml
@@ -81,6 +81,9 @@ spec:
 {{- if $comp.serverContainer.volumeMounts }}
 {{ toYaml $comp.serverContainer.volumeMounts | indent 8 }}
 {{- end }}
+{{- if .Values.caBundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+{{- end }}
 {{ include "gitpod.container.defaultEnv" $this | indent 8 }}
 {{ include "gitpod.container.dbEnv" $this | indent 8 }}
 {{ include "gitpod.container.tracingEnv" $this | indent 8 }}
@@ -213,6 +216,10 @@ spec:
           value: {{ $comp.garbageCollection.disabled | default "false" | quote }}
 {{- if $comp.serverContainer.env }}
 {{ toYaml $comp.serverContainer.env | indent 8 }}
+{{- end }}
+{{- if .Values.caBundleSecretName }}
+        - name: NODE_EXTRA_CA_CERTS
+          value: /etc/ssl/certs/ca-certificates.crt
 {{- end }}
       volumes:
 {{- if $comp.storage.secretName }}
@@ -228,5 +235,8 @@ spec:
 {{- if $comp.volumes }}
 {{ toYaml $comp.volumes | indent 6 }}
 {{- end }}
+{{- if .Values.caBundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+{{- end }}
 {{ toYaml .Values.defaults | indent 6 }}
 {{ end }}
diff --git a/chart/templates/ws-daemon-daemonset.yaml b/chart/templates/ws-daemon-daemonset.yaml
@@ -105,6 +105,9 @@ spec:
 {{- if $comp.volumes }}
 {{ toYaml $comp.volumes | indent 6 }}
 {{- end }}
+{{- if .Values.caBundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+{{- end }}
 {{- if (or $comp.userNamespaces.shiftfsModuleLoader.enabled $comp.userNamespaces.seccompProfileInstaller.enabled) }}
       initContainers:
 {{- end }}
@@ -155,6 +158,9 @@ spec:
           name: tls-certs
 {{- if $comp.volumeMounts }}
 {{ toYaml $comp.volumeMounts | indent 8 }}
+{{- end }}
+{{- if .Values.caBundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
 {{- end }}
         args: ["run", "-v", "--config", "/config/config.json"]
         image: {{ template "gitpod.comp.imageFull" $this }}
