From d1d8b0dcae52848f4cf5a135c400987aeaee76f8 Mon Sep 17 00:00:00 2001 From: Sergi Philipsen Date: Mon, 25 Sep 2023 18:59:42 +0200 Subject: [PATCH 1/2] feat: make it possible to add ca-certs as secret --- charts/zaakbrug/Chart.yaml | 2 +- charts/zaakbrug/README.md | 11 ++++++++++ .../templates/configmap.zaakbrug.env.yaml | 5 ++++- charts/zaakbrug/templates/deployment.yaml | 21 +++++++++++++++---- charts/zaakbrug/values.schema.json | 16 ++++++++++++++ charts/zaakbrug/values.yaml | 15 +++++++++++++ 6 files changed, 64 insertions(+), 6 deletions(-) diff --git a/charts/zaakbrug/Chart.yaml b/charts/zaakbrug/Chart.yaml index 4d8beed..6ead1e0 100644 --- a/charts/zaakbrug/Chart.yaml +++ b/charts/zaakbrug/Chart.yaml @@ -4,7 +4,7 @@ description: A Helm chart for running ZaakBrug on Kubernetes name: zaakbrug icon: https://raw.githubusercontent.com/wearefrank/charts/master/charts/zaakbrug/icon.png type: application -version: 2.0.7 +version: 2.1.0 dependencies: - name: ff-common diff --git a/charts/zaakbrug/README.md b/charts/zaakbrug/README.md index dc76628..6ab86aa 100644 --- a/charts/zaakbrug/README.md +++ b/charts/zaakbrug/README.md @@ -77,6 +77,17 @@ helm delete zaakbrug | `frank.server.transactionManager` | Set the transaction manager for Tomcat. Options: `NARAYANA`, `BTM`, `` | `""` | | `frank.environmentVariables` | Set extra environment variables for the Frank! | `{}` | +### Section CA Certificates + +Adds given CA Certificated to the truststore. + +The key in the secret will be used as filename. + +| Name | Description | Value | +| ------------------------------ | ----------------------- | ------- | +| `frank.caCertificates.enabled` | Use system certificates | `false` | +| `frank.caCertificates.secrets` | List of secretNames | `[]` | + ### Frank!Framework Connection parameters | Name | Description | Value | diff --git a/charts/zaakbrug/templates/configmap.zaakbrug.env.yaml b/charts/zaakbrug/templates/configmap.zaakbrug.env.yaml index 0a22f80..e742589 100644 
--- a/charts/zaakbrug/templates/configmap.zaakbrug.env.yaml +++ b/charts/zaakbrug/templates/configmap.zaakbrug.env.yaml @@ -5,4 +5,7 @@ metadata: labels: {{- include "ff-common.labels" . | nindent 4 }} data: - zaakbrug.zds.timezone: "{{ .Values.zaakbrug.zds.timezone | default "UTC" }}" \ No newline at end of file + zaakbrug.zds.timezone: "{{ .Values.zaakbrug.zds.timezone | default "UTC" }}" + {{- with .Values.frank.caCertificates.enabled }} + USE_SYSTEM_CA_CERTS: "Yes Please" + {{- end }} \ No newline at end of file diff --git a/charts/zaakbrug/templates/deployment.yaml b/charts/zaakbrug/templates/deployment.yaml index 63dd5f0..45a81c8 100644 --- a/charts/zaakbrug/templates/deployment.yaml +++ b/charts/zaakbrug/templates/deployment.yaml @@ -1,11 +1,11 @@ -{{- template "ff-common.deployment" (list . "ff-test.deployment") -}} -{{- define "ff-test.deployment" -}} +{{- template "ff-common.deployment" (list . "zaakbrug.deployment") -}} +{{- define "zaakbrug.deployment" -}} spec: template: spec: containers: - - {{ include "ff-common.container" (list . "ff-test.deployment.container") | nindent 10}} + {{ include "ff-common.container" (list . "zaakbrug.deployment.container") | nindent 10}} volumes: {{- if .Values.securityContext.readOnlyRootFilesystem }} - name: tmpfs @@ -41,8 +41,15 @@ spec: configMap: name: {{ template "ff-common.fullname" . }}-profiles {{- end -}} + {{- if .Values.frank.caCertificates.enabled }} + {{- range .Values.frank.caCertificates.secrets }} + - name: {{ . }}-ca-cert + secret: + secretName: {{ . }} + {{- end }} + {{- end }} {{- end -}} -{{- define "ff-test.deployment.container" -}} +{{- define "zaakbrug.deployment.container" -}} envFrom: - configMapRef: name: {{ template "ff-common.fullname" . }}-env 
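Review bot: `USE_SYSTEM_CA_CERTS: "Yes Please"` in the env ConfigMap reads like a placeholder; as I read the eclipse-temurin note that values.yaml links in this patch, the entrypoint only checks that the variable is set, so the value is cosmetic, but `USE_SYSTEM_CA_CERTS: "true"` states the intent without making a reader wonder whether the text matters. The `{{- with .Values.frank.caCertificates.enabled }}` guard works on a boolean, yet deployment.yaml gates the same feature with `{{- if .Values.frank.caCertificates.enabled }}`; using `if` in both places keeps them consistent. The missing trailing newline is carried over from the old file and could be fixed while the file is touched.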
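Review bot: Dropping the `- ` in front of the `ff-common.container` include changes the rendered `containers:` structure, which a commit described as adding CA-cert support does not mention. It is only correct if the `ff-common.container` helper emits the sequence item marker itself; that helper is not in this patch, so please confirm with `helm template` that `containers` still renders as a list. A one-line comment above the include, `# ff-common.container emits the "- name:" list item itself`, would spare the next reader the same question.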
@@ -94,4 +101,10 @@ volumeMounts: subPath: Profiles.json readOnly: true {{- end }} + {{- if .Values.frank.caCertificates.enabled }} + {{- range .Values.frank.caCertificates.secrets }} + - name: {{ . }}-ca-cert + mountPath: /certificates/ + {{- end }} + {{- end }} {{- end -}} \ No newline at end of file diff --git a/charts/zaakbrug/values.schema.json b/charts/zaakbrug/values.schema.json index 5858eca..5f7efc7 100644 --- a/charts/zaakbrug/values.schema.json +++ b/charts/zaakbrug/values.schema.json @@ -182,6 +182,22 @@ "default": "NARAYANA" } } + }, + "caCertificates": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Use system certificates", + "default": false + }, + "secrets": { + "type": "array", + "description": "List of secretNames", + "default": [], + "items": {} + } + } } } }, diff --git a/charts/zaakbrug/values.yaml b/charts/zaakbrug/values.yaml index 77363ee..d2f507c 100644 --- a/charts/zaakbrug/values.yaml +++ b/charts/zaakbrug/values.yaml @@ -124,6 +124,21 @@ frank: ## @param frank.environmentVariables [object] Set extra environment variables for the Frank! ## environmentVariables: { } + ## @section Section CA Certificates + ## @descriptionStart + ## Adds given CA Certificated to the truststore. + ## + ## The key in the secret will be used as filename. + ## + ## Ref: https://github.com/docker-library/docs/blob/master/eclipse-temurin/README.md#can-i-add-my-internal-ca-certificates-to-the-truststore + ## @descriptionEnd + ## + ## @param frank.caCertificates.enabled Use system certificates + ## @param frank.caCertificates.secrets [array] List of secretNames + ## + caCertificates: + enabled: false + secrets: [] ## @section Frank!Framework Connection parameters ## From 857f98d11c1913dc32a862ba375355a5cad2f275 Mon Sep 17 00:00:00 2001 
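Review bot: The new CA-cert volumeMounts omit `readOnly: true`, while the profiles mount in the context lines just above this addition sets it. Secret volumes are mounted read-only by the kubelet on supported Kubernetes versions, so this is not a hole, but the explicit flag keeps the two mounts consistent and makes the intent visible in the rendered manifest; add `readOnly: true` below `mountPath`. The reworked loop in PATCH 2/2's volumeMounts hunk drops it as well. The enclosing `volumeMounts:` list begins before the hunk.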
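Review bot: `"items": {}` for `caCertificates.secrets` means the schema validates nothing about the entries, so an accidental mapping or an empty string passes `helm lint` and only fails once the rendered `secretName` reaches the API server. At this commit the entries are plain secret names, so `"items": { "type": "string", "minLength": 1 }` is enough. PATCH 2/2 turns the entries into objects without touching this schema, so it needs a matching update (raised there).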
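Review bot: The `@section` description introduced here spells "CA Certificated" and describes `enabled` only as "Use system certificates", which does not say what the flag does in this chart. From the configmap and deployment hunks in this patch it sets `USE_SYSTEM_CA_CERTS` in the env ConfigMap and mounts the listed secrets under `/certificates/`; the eclipse-temurin document linked on the following lines is what turns that into truststore imports, as I read it. Suggested wording: `## Adds the given CA certificates to the JVM truststore.` and `## @param frank.caCertificates.enabled Mount the secrets below under /certificates/ and set USE_SYSTEM_CA_CERTS so the image entrypoint imports them into the truststore`. README.md in this patch carries the same typo and description.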
From: Sergi Philipsen Date: Mon, 25 Sep 2023 19:41:42 +0200 Subject: [PATCH 2/2] fix: add more flexability for ca certs --- charts/zaakbrug/README.md | 13 +++++--- charts/zaakbrug/templates/deployment.yaml | 15 +++++---- charts/zaakbrug/values.schema.json | 40 +++++++++++------------ charts/zaakbrug/values.yaml | 3 ++ 4 files changed, 41 insertions(+), 30 deletions(-) diff --git a/charts/zaakbrug/README.md b/charts/zaakbrug/README.md index 6ab86aa..2df93c5 100644 --- a/charts/zaakbrug/README.md +++ b/charts/zaakbrug/README.md @@ -83,10 +83,15 @@ Adds given CA Certificated to the truststore. The key in the secret will be used as filename. -| Name | Description | Value | -| ------------------------------ | ----------------------- | ------- | -| `frank.caCertificates.enabled` | Use system certificates | `false` | -| `frank.caCertificates.secrets` | List of secretNames | `[]` | +Ref: https://github.com/docker-library/docs/blob/master/eclipse-temurin/README.md#can-i-add-my-internal-ca-certificates-to-the-truststore + +| Name | Description | Value | +| ----------------------------------------- | -------------------------------------------- | ------- | +| `frank.caCertificates.enabled` | Use system certificates | `false` | +| `frank.caCertificates.secrets` | List of secretNames | `[]` | +| `frank.caCertificates.secrets.secretName` | Name of the secret to use | `""` | +| `frank.caCertificates.secrets.subPath` | Key in the secret to use | `""` | +| `frank.caCertificates.secrets.mountPath` | Filename to mount in `/certificates/` folder | `""` | ### Frank!Framework Connection parameters diff --git a/charts/zaakbrug/templates/deployment.yaml b/charts/zaakbrug/templates/deployment.yaml index 45a81c8..092db9e 100644 --- a/charts/zaakbrug/templates/deployment.yaml +++ b/charts/zaakbrug/templates/deployment.yaml 
@@ -42,10 +42,10 @@ spec: name: {{ template "ff-common.fullname" . }}-profiles {{- end -}} {{- if .Values.frank.caCertificates.enabled }} - {{- range .Values.frank.caCertificates.secrets }} - - name: {{ . }}-ca-cert + {{- range $index, $value := .Values.frank.caCertificates.secrets }} + - name: ca-cert-{{ $index }} secret: - secretName: {{ . }} + secretName: {{ $value.secretName }} {{- end }} {{- end }} {{- end -}} @@ -102,9 +102,12 @@ volumeMounts: readOnly: true {{- end }} {{- if .Values.frank.caCertificates.enabled }} - {{- range .Values.frank.caCertificates.secrets }} - - name: {{ . }}-ca-cert - mountPath: /certificates/ + {{- range $index, $value := .Values.frank.caCertificates.secrets }} + - name: ca-cert-{{ $index }} + mountPath: "/certificates/{{ default "" $value.mountPath }}" + {{- with $value.subPath }} + subPath: {{ . }} + {{- end }} {{- end }} {{- end }} {{- end -}} \ No newline at end of file diff --git a/charts/zaakbrug/values.schema.json b/charts/zaakbrug/values.schema.json index 5f7efc7..55dd4d1 100644 --- a/charts/zaakbrug/values.schema.json +++ b/charts/zaakbrug/values.schema.json @@ -380,26 +380,6 @@ } } }, - "serviceAccount": { - "type": "object", - "properties": { - "create": { - "type": "boolean", - "description": "Enable creation of ServiceAccount for Frank!Framework pod", - "default": true - }, - "annotations": { - "type": "object", - "description": "Additional custom annotations for the ServiceAccount", - "default": {} - }, - "name": { - "type": "string", - "description": "The name of the ServiceAccount to use.", - "default": "" - } - } - }, "zaakbrug": { "type": "object", "properties": { 
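Review bot: `secretName: {{ $value.secretName }}` renders an empty value when an entry omits the key, since Helm prints a missing map key as an empty string, and the volume then reaches the API server with no secret name. The chart's values.schema.json still declares `"items": {}` for this list (see PATCH 1/2), so nothing catches it earlier; `secretName: {{ required "frank.caCertificates.secrets[].secretName is required" $value.secretName }}` fails at template time with a readable message instead. The enclosing `volumes:` list starts outside the hunk.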
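Review bot: `mountPath: "/certificates/{{ default "" $value.mountPath }}"` collapses to `/certificates/` whenever `mountPath` is unset, so two entries without it produce duplicate mount paths, which the API server rejects as not unique, and an entry with `subPath` but no `mountPath` asks the kubelet to place a single file at a directory path, which will most likely fail at mount time. Falling back to the key name, `mountPath: "/certificates/{{ $value.mountPath | default $value.subPath }}"`, keeps the documented "key is the filename" behaviour for the subPath case; whole-secret entries without `mountPath` still need a distinct directory, which the README should say. Note also that Kubernetes does not propagate Secret updates to `subPath` mounts, so a rotated CA reaches the pod only after a restart; that deserves a comment on the `subPath` param in values.yaml. The enclosing `volumeMounts:` list begins before the hunk.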
@@ -727,6 +707,26 @@ } } }, + "serviceAccount": { + "type": "object", + "properties": { + "create": { + "type": "boolean", + "description": "Enable creation of ServiceAccount for Frank!Framework pod", + "default": true + }, + "annotations": { + "type": "object", + "description": "Additional custom annotations for the ServiceAccount", + "default": {} + }, + "name": { + "type": "string", + "description": "The name of the ServiceAccount to use.", + "default": "" + } + } + }, "podAnnotations": { "type": "object", "description": "Annotations for Frank!Framework pods", diff --git a/charts/zaakbrug/values.yaml b/charts/zaakbrug/values.yaml index d2f507c..dfd199a 100644 --- a/charts/zaakbrug/values.yaml +++ b/charts/zaakbrug/values.yaml @@ -135,6 +135,9 @@ frank: ## ## @param frank.caCertificates.enabled Use system certificates ## @param frank.caCertificates.secrets [array] List of secretNames + ## @param frank.caCertificates.secrets.secretName [string] Name of the secret to use + ## @param frank.caCertificates.secrets.subPath [string] Key in the secret to use + ## @param frank.caCertificates.secrets.mountPath [string] Filename to mount in `/certificates/` folder ## caCertificates: enabled: false
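Review bot: This hunk and the deletion hunk before it only move the `serviceAccount` definition to another place in the schema, which is unrelated to the CA-certificate change in the subject and makes the commit harder to read; a separate commit would be cleaner. What the schema does need for this commit is a definition for the new object entries: `caCertificates.secrets` still has `"items": {}` from PATCH 1/2, so a missing `secretName` or a misspelled `mountpath` passes validation and surfaces only as a broken volume at install time. Replace `"items": {}` with the object schema below, which also carries the descriptions added to README.md and values.yaml in this commit.

```json
"items": {
  "type": "object",
  "additionalProperties": false,
  "required": ["secretName"],
  "properties": {
    "secretName": { "type": "string", "minLength": 1, "description": "Name of the secret to use" },
    "subPath": { "type": "string", "description": "Key in the secret to use" },
    "mountPath": { "type": "string", "description": "Filename to mount in /certificates/ folder" }
  }
}
```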
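Review bot: The three new `@param` lines document fields of a list entry, but `secrets: []` gives the reader no example of the shape the template expects, and `mountPath` is described as a filename while the template also accepts it being omitted. A commented example above the key would make the contract concrete, e.g. the lines `##   - secretName: my-ca-certs`, `##     subPath: ca.crt`, `##     mountPath: my-ca.crt` (constructed sample values). The `caCertificates:` mapping continues past the end of the hunk.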