

Add configuration for an additional ca chain (#599)
* add configuration for an additional ca chain

---------

Co-authored-by: schumacher <[email protected]>
Co-authored-by: Willy Kloucek <[email protected]>
Co-authored-by: Dennis Sieben <[email protected]>
4 people authored and butonic committed Oct 29, 2024
1 parent ce1b1c1 commit aa4edda
Showing 44 changed files with 353 additions and 5 deletions.
4 changes: 4 additions & 0 deletions charts/ocis/ci/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,10 @@ features:
policies:
enabled: true

customCAChain:
enabled: true
existingSecret: myCAchain

extraLabels:
extra1: lorem
extra2: ipsum
Expand Down
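Review bot: `existingSecret: myCAchain` in the added `customCAChain` stanza does not match the key the templates read: `_common/customcachain.tpl` in this same commit calls `required` on `customCAChain.existingConfigMap` whenever `customCAChain.enabled` is true, so with these CI values the render should fail on that guard instead of exercising the feature. Change the line to `existingConfigMap: myCAchain`. Note also that a ConfigMap of that name is not created anywhere in the chart; a lint/template run is unaffected, but an install-based CI test would sit in ContainerCreating until it exists.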
12 changes: 12 additions & 0 deletions charts/ocis/docs/values-desc-table.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,18 @@ a| [subs=-attributes]
a| [subs=-attributes]
`""`
| Optional reference to an existing web theme config. Will be mounted to /var/lib/ocis/web/assets/themes/owncloud for Web. Does not get autogenerated. Hint: if you set this, you'll no longer be able to change the instance logo via the Web UI.
| customCAChain.enabled
a| [subs=-attributes]
+bool+
a| [subs=-attributes]
`false`
| Custom CA enables SSL_CERT_DIR in pods with the additional path /etc/ssl/custom.
| customCAChain.existingConfigMap
a| [subs=-attributes]
+string+
a| [subs=-attributes]
`""`
| If custom CA chain is enabled this attribute mounts the existing ConfigMap to /etc/ssl/custom.
| debug.profiling
a| [subs=-attributes]
+bool+
Expand Down
9 changes: 9 additions & 0 deletions charts/ocis/docs/values.adoc.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -725,6 +725,15 @@ secretRefs:
# -- The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.
globalNotificationsSecretRef: ""

# Custom CA chain
# If a custom CA chain is needed for the communcation in between services or with external services like S3 or notification services.
# The secret needs to be manually created.
customCAChain:
# -- Custom CA enables SSL_CERT_DIR in pods with the additional path /etc/ssl/custom.
enabled: false
# -- If custom CA chain is enabled this attribute mounts the existing ConfigMap to /etc/ssl/custom.
existingConfigMap: ""

# Security context options.
securityContext:
# -- File system group for all volumes.
Expand Down
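Review bot: The stanza comment says `The secret needs to be manually created.` but the only reference key is `existingConfigMap`, which the templates mount as a ConfigMap — a CA bundle is public trust material, so the ConfigMap choice is the right one and the comment should match it: `# The ConfigMap holding the CA bundle must be created manually before enabling this.` The preceding line also has a typo, `communcation`. Since every certificate in that ConfigMap becomes a trust anchor for all services of the release, one sentence recommending that write access to it be restricted would help operators judge the risk.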
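--- /dev/null
+++ b/charts/ocis/templates/_common/customcachain.tpl
@@ -0,0 +1,26 @@
+{{/*
+oCIS ca mount
+*/}}
+{{- define "ocis.caPath" -}}
+{{- if .Values.customCAChain.enabled }}
+- name: custom-ca-chain
+mountPath: /etc/ssl/custom/
+readOnly: true
+{{- end }}
+{{- end -}}
+
+{{- define "ocis.caVolume" -}}
+{{- if .Values.customCAChain.enabled }}
+- name: custom-ca-chain
+configMap:
+name: {{ required "customCAChain.existingConfigMap needs to be configured when customCAChain.enabled is set to true" .Values.customCAChain.existingConfigMap | quote }}
+{{- end }}
+{{- end -}}
+
+{{- define "ocis.caEnv" -}}
+{{- if .Values.customCAChain.enabled }}
+- name: SSL_CERT_DIR
+value: "/etc/ssl/certs:/etc/ssl/custom"
+{{- end }}
+{{- end -}}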
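Review bot: `ocis.caEnv` replaces the default trust-directory lookup with the explicit list `/etc/ssl/certs:/etc/ssl/custom`, so whatever is in the referenced ConfigMap becomes a trust anchor for every service that includes these helpers; the file header `oCIS ca mount` should state that, e.g. `{{/* Custom CA chain: any certificate in customCAChain.existingConfigMap is trusted by all services of the release — restrict write access to that ConfigMap. */}}`. As far as I know Go's crypto/x509 accepts a colon-separated SSL_CERT_DIR on Linux, but once the variable is set only the listed directories are searched, so an image that keeps its system bundle outside /etc/ssl/certs would lose it — a comment recording that assumption about the image layout is worth adding. The mount uses `/etc/ssl/custom/` with a trailing slash while the env value is `/etc/ssl/custom`; write both the same way, `mountPath: /etc/ssl/custom`, so the two are trivially greppable against each other. The `readOnly: true` mount and the `required` guard on the ConfigMap name are the right choices.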
4 changes: 4 additions & 0 deletions charts/ocis/templates/antivirus/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,8 @@ spec:
- name: ANTIVIRUS_MAX_SCAN_SIZE
value: {{ .Values.features.virusscan.maxScanSize | quote }}

{{- include "ocis.caEnv" . | nindent 12}}

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -75,6 +77,7 @@ spec:
- name: messaging-system-ca
mountPath: /etc/ocis/messaging-system-ca
readOnly: true
{{- include "ocis.caPath" . | nindent 12}}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
Expand All @@ -87,4 +90,5 @@ spec:
{{ else }}
emptyDir: {}
{{ end }}
{{- include "ocis.caVolume" . | nindent 8}}
{{ end }}
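Review bot: The three added includes are written `| nindent 12}}` without the space before `}}` that the neighbouring `ocis.livenessProbe` and `ocis.imagePullSecrets` includes use (`| nindent 10 }}`); for consistency write `{{- include "ocis.caEnv" . | nindent 12 }}` and likewise for `ocis.caPath` and `ocis.caVolume`. The same spacing recurs in every deployment touched by this commit. Placement looks right: the env entry lands inside the container's env list, the mount after the existing read-only `messaging-system-ca` mount, and the volume before the closing `{{ end }}` of the deployment's enabling block, matching the existing `.`-scoped `ocis.livenessProbe` include for access to `.Values`.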
4 changes: 4 additions & 0 deletions charts/ocis/templates/appregistry/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,8 @@ spec:
name: {{ include "secrets.jwtSecret" . }}
key: jwt-secret

{{- include "ocis.caEnv" . | nindent 12}}

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -68,6 +70,7 @@ spec:
mountPath: /tmp
- name: configs
mountPath: /etc/ocis
{{- include "ocis.caPath" . | nindent 12}}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
Expand All @@ -76,3 +79,4 @@ spec:
- name: configs
configMap:
name: {{ .appName }}-config
{{- include "ocis.caVolume" . | nindent 8}}
4 changes: 4 additions & 0 deletions charts/ocis/templates/audit/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,8 @@ spec:
- name: AUDIT_LOG_TO_CONSOLE
value: "true"

{{- include "ocis.caEnv" . | nindent 12}}

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -65,6 +67,7 @@ spec:
- name: messaging-system-ca
mountPath: /etc/ocis/messaging-system-ca
readOnly: true
{{- include "ocis.caPath" . | nindent 12}}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
Expand All @@ -77,3 +80,4 @@ spec:
{{ else }}
emptyDir: {}
{{ end }}
{{- include "ocis.caVolume" . | nindent 8}}
4 changes: 4 additions & 0 deletions charts/ocis/templates/authmachine/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,8 @@ spec:
name: {{ include "secrets.machineAuthAPIKeySecret" . }}
key: machine-auth-api-key

{{- include "ocis.caEnv" . | nindent 12}}

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -74,8 +76,10 @@ spec:
volumeMounts:
- name: tmp-volume
mountPath: /tmp
{{- include "ocis.caPath" . | nindent 12}}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
- name: tmp-volume
emptyDir: {}
{{- include "ocis.caVolume" . | nindent 8}}
4 changes: 4 additions & 0 deletions charts/ocis/templates/authservice/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,8 @@ spec:
name: {{ include "secrets.serviceAccountSecret" . }}
key: service-account-secret

{{- include "ocis.caEnv" . | nindent 12}}

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -79,8 +81,10 @@ spec:
volumeMounts:
- name: tmp-volume
mountPath: /tmp
{{- include "ocis.caPath" . | nindent 12}}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
- name: tmp-volume
emptyDir: {}
{{- include "ocis.caVolume" . | nindent 8}}
4 changes: 4 additions & 0 deletions charts/ocis/templates/clientlog/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,8 @@ spec:
name: {{ include "secrets.jwtSecret" . }}
key: jwt-secret

{{- include "ocis.caEnv" . | nindent 12}}

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -79,6 +81,7 @@ spec:
- name: messaging-system-ca
mountPath: /etc/ocis/messaging-system-ca
readOnly: true
{{- include "ocis.caPath" . | nindent 12}}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
Expand All @@ -91,3 +94,4 @@ spec:
{{ else }}
emptyDir: {}
{{ end }}
{{- include "ocis.caVolume" . | nindent 8}}
4 changes: 4 additions & 0 deletions charts/ocis/templates/eventhistory/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,8 @@ spec:
- name: EVENTHISTORY_DEBUG_ADDR
value: 0.0.0.0:9270

{{- include "ocis.caEnv" . | nindent 12}}

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -70,6 +72,7 @@ spec:
- name: messaging-system-ca
mountPath: /etc/ocis/messaging-system-ca
readOnly: true
{{- include "ocis.caPath" . | nindent 12}}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
Expand All @@ -82,3 +85,4 @@ spec:
{{ else }}
emptyDir: {}
{{ end }}
{{- include "ocis.caVolume" . | nindent 8}}
4 changes: 4 additions & 0 deletions charts/ocis/templates/frontend/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -164,6 +164,8 @@ spec:
- name: FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST
value: /etc/ocis/sharing-banned-passwords.txt

{{- include "ocis.caEnv" . | nindent 12}}

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -179,6 +181,7 @@ spec:
mountPath: /tmp
- name: configs
mountPath: /etc/ocis
{{- include "ocis.caPath" . | nindent 12}}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
Expand All @@ -187,3 +190,4 @@ spec:
- name: configs
configMap:
name: sharing-banned-passwords-{{ .appName }}
{{- include "ocis.caVolume" . | nindent 8}}
4 changes: 4 additions & 0 deletions charts/ocis/templates/gateway/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,8 @@ spec:
name: {{ include "secrets.transferSecret" . }}
key: transfer-secret

{{- include "ocis.caEnv" . | nindent 12}}

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -94,8 +96,10 @@ spec:
volumeMounts:
- name: tmp-volume
mountPath: /tmp
{{- include "ocis.caPath" . | nindent 12}}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
- name: tmp-volume
emptyDir: {}
{{- include "ocis.caVolume" . | nindent 8}}
4 changes: 4 additions & 0 deletions charts/ocis/templates/graph/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -210,6 +210,8 @@ spec:
name: {{ include "secrets.serviceAccountSecret" . }}
key: service-account-secret

{{- include "ocis.caEnv" . | nindent 12}}

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -229,6 +231,7 @@ spec:
- name: ldap-ca
mountPath: /etc/ocis/ldap-ca
readOnly: true
{{- include "ocis.caPath" . | nindent 12}}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
Expand All @@ -248,3 +251,4 @@ spec:
{{ else }}
emptyDir: {}
{{ end }}
{{- include "ocis.caVolume" . | nindent 8}}
4 changes: 4 additions & 0 deletions charts/ocis/templates/groups/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -142,6 +142,8 @@ spec:
name: {{ include "secrets.jwtSecret" . }}
key: jwt-secret

{{- include "ocis.caEnv" . | nindent 12}}

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -158,6 +160,7 @@ spec:
- name: ldap-ca
mountPath: /etc/ocis/ldap-ca
readOnly: true
{{- include "ocis.caPath" . | nindent 12}}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
Expand All @@ -170,3 +173,4 @@ spec:
{{ else }}
emptyDir: {}
{{ end }}
{{- include "ocis.caVolume" . | nindent 8}}
4 changes: 4 additions & 0 deletions charts/ocis/templates/idm/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,8 @@ spec:
- name: IDM_LDAPS_KEY
value: /etc/ocis/ldap-cert/ldap.key

{{- include "ocis.caEnv" . | nindent 12}}

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -127,6 +129,7 @@ spec:
readOnly: true
- name: {{ include "ocis.persistence.dataVolumeName" . }}
mountPath: /var/lib/ocis
{{- include "ocis.caPath" . | nindent 12}}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
Expand All @@ -135,5 +138,6 @@ spec:
- name: ldap-cert
secret:
secretName: {{ include "secrets.ldapCertSecret" . }}
{{- include "ocis.caVolume" . | nindent 8}}
{{- include "ocis.persistence.dataVolume" . | nindent 8 }}
{{- end }}
4 changes: 4 additions & 0 deletions charts/ocis/templates/idp/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,8 @@ spec:
- name: IDP_ENCRYPTION_SECRET_FILE
value: /etc/ocis/idp/encryption.key

{{- include "ocis.caEnv" . | nindent 12}}

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -93,6 +95,7 @@ spec:
- name: idp-secrets
mountPath: /etc/ocis/idp
readOnly: true
{{- include "ocis.caPath" . | nindent 12}}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
Expand All @@ -106,4 +109,5 @@ spec:
- name: idp-secrets
secret:
secretName: {{ include "secrets.idpSecret" . }}
{{- include "ocis.caVolume" . | nindent 8}}
{{- end }}
4 changes: 4 additions & 0 deletions charts/ocis/templates/nats/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,8 @@ spec:
- name: NATS_DEBUG_ADDR
value: 0.0.0.0:9234

{{- include "ocis.caEnv" . | nindent 12}}

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -78,10 +80,12 @@ spec:
mountPath: /tmp
- name: {{ include "ocis.persistence.dataVolumeName" . }}
mountPath: /var/lib/ocis
{{- include "ocis.caPath" . | nindent 12}}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
- name: tmp-volume
emptyDir: {}
{{- include "ocis.persistence.dataVolume" . | nindent 8 }}
{{- include "ocis.caVolume" . | nindent 8}}
{{- end }}
