feat: make it possible to add ca-certs as secret

wearefrank · Sep 25, 2023 · d1d8b0d · d1d8b0d
1 parent a0d03d1
commit d1d8b0d
Show file tree

Hide file tree

Showing 6 changed files with 64 additions and 6 deletions.
diff --git a/charts/zaakbrug/Chart.yaml b/charts/zaakbrug/Chart.yaml
@@ -4,7 +4,7 @@ description: A Helm chart for running ZaakBrug on Kubernetes
 name: zaakbrug
 icon: https://raw.githubusercontent.com/wearefrank/charts/master/charts/zaakbrug/icon.png
 type: application
-version: 2.0.7
+version: 2.1.0
 
 dependencies:
   - name: ff-common

diff --git a/charts/zaakbrug/README.md b/charts/zaakbrug/README.md
@@ -77,6 +77,17 @@ helm delete zaakbrug
 | `frank.server.transactionManager`                            | Set the transaction manager for Tomcat. Options: `NARAYANA`, `BTM`, ``                                           | `""`      |
 | `frank.environmentVariables`                                 | Set extra environment variables for the Frank!                                                                   | `{}`      |
 
+### Section CA Certificates
+
+Adds given CA Certificated to the truststore.
+
+The key in the secret will be used as filename.
+
+| Name                           | Description             | Value   |
+| ------------------------------ | ----------------------- | ------- |
+| `frank.caCertificates.enabled` | Use system certificates | `false` |
+| `frank.caCertificates.secrets` | List of secretNames     | `[]`    |
+
 ### Frank!Framework Connection parameters
 
 | Name                        | Description                                                                                                                                          | Value  |

diff --git a/charts/zaakbrug/templates/configmap.zaakbrug.env.yaml b/charts/zaakbrug/templates/configmap.zaakbrug.env.yaml
@@ -5,4 +5,7 @@ metadata:
   labels:
     {{- include "ff-common.labels" . | nindent 4 }}
 data:
-  zaakbrug.zds.timezone: "{{ .Values.zaakbrug.zds.timezone | default "UTC" }}"
+  zaakbrug.zds.timezone: "{{ .Values.zaakbrug.zds.timezone | default "UTC" }}"
+  {{- with .Values.frank.caCertificates.enabled }}
+  USE_SYSTEM_CA_CERTS: "Yes Please"
+  {{- end }}
diff --git a/charts/zaakbrug/templates/deployment.yaml b/charts/zaakbrug/templates/deployment.yaml
@@ -1,11 +1,11 @@
-{{- template "ff-common.deployment" (list . "ff-test.deployment") -}}
-{{- define "ff-test.deployment" -}}
+{{- template "ff-common.deployment" (list . "zaakbrug.deployment") -}}
+{{- define "zaakbrug.deployment" -}}
 spec:
   template:
     spec:
       containers:
         -
-          {{ include "ff-common.container" (list . "ff-test.deployment.container") | nindent 10}}
+          {{ include "ff-common.container" (list . "zaakbrug.deployment.container") | nindent 10}}
       volumes:
         {{- if .Values.securityContext.readOnlyRootFilesystem }}
         - name: tmpfs
@@ -41,8 +41,15 @@ spec:
           configMap:
             name: {{ template "ff-common.fullname" . }}-profiles
         {{- end -}}
+        {{- if .Values.frank.caCertificates.enabled }}
+        {{- range .Values.frank.caCertificates.secrets }}
+        - name: {{ . }}-ca-cert
+          secret:
+            secretName: {{ . }}
+        {{- end }}
+        {{- end }}
 {{- end -}}
-{{- define "ff-test.deployment.container" -}}
+{{- define "zaakbrug.deployment.container" -}}
 envFrom:
   - configMapRef:
       name: {{ template "ff-common.fullname" . }}-env
@@ -94,4 +101,10 @@ volumeMounts:
     subPath: Profiles.json
     readOnly: true
   {{- end }}
+  {{- if .Values.frank.caCertificates.enabled }}
+  {{- range .Values.frank.caCertificates.secrets }}
+  - name: {{ . }}-ca-cert
+    mountPath: /certificates/
+  {{- end }}
+  {{- end }}
 {{- end -}}
diff --git a/charts/zaakbrug/values.schema.json b/charts/zaakbrug/values.schema.json
@@ -182,6 +182,22 @@
                             "default": "NARAYANA"
                         }
                     }
+                },
+                "caCertificates": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean",
+                            "description": "Use system certificates",
+                            "default": false
+                        },
+                        "secrets": {
+                            "type": "array",
+                            "description": "List of secretNames",
+                            "default": [],
+                            "items": {}
+                        }
+                    }
                 }
             }
         },

diff --git a/charts/zaakbrug/values.yaml b/charts/zaakbrug/values.yaml
@@ -124,6 +124,21 @@ frank:
   ## @param frank.environmentVariables [object] Set extra environment variables for the Frank!
   ##
   environmentVariables: { }
+  ## @section Section CA Certificates
+  ## @descriptionStart
+  ## Adds given CA Certificated to the truststore.
+  ##
+  ## The key in the secret will be used as filename.
+  ##
+  ## Ref: https://github.com/docker-library/docs/blob/master/eclipse-temurin/README.md#can-i-add-my-internal-ca-certificates-to-the-truststore
+  ## @descriptionEnd
+  ##
+  ## @param frank.caCertificates.enabled Use system certificates
+  ## @param frank.caCertificates.secrets [array] List of secretNames
+  ##
+  caCertificates:
+    enabled: false
+    secrets: []
 
 ## @section Frank!Framework Connection parameters
 ##