Added custom ca chain to deployments #599

Merged
merged 18 commits into from
Jul 25, 2024
12 changes: 12 additions & 0 deletions charts/ocis/docs/values-desc-table.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,18 @@ a| [subs=-attributes]
a| [subs=-attributes]
`""`
| Optional reference to an existing web theme config. Will be mounted to /var/lib/ocis/web/assets/themes/owncloud for Web. Does not get autogenerated. Hint: if you set this, you'll no longer be able to change the instance logo via the Web UI.
| customCAChain.enabled
a| [subs=-attributes]
+bool+
a| [subs=-attributes]
`false`
| Custom CA enables SSL_CERT_DIR in pods with the path /etc/ssl/certs.
| customCAChain.existingSecret
a| [subs=-attributes]
+string+
a| [subs=-attributes]
`""`
| If custom CA chain is enabled this attribute mounts the existing secret to /etc/ssl/certs.
| debug.profiling
a| [subs=-attributes]
+bool+
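Review bot: the new customCAChain.existingSecret row tells the reader where the secret is mounted but not what it must contain or that it becomes mandatory once customCAChain.enabled is true; since this table mirrors the comments in values.adoc.yaml, both places should say something like `| Name of an existing secret holding PEM-encoded CA certificates; required when customCAChain.enabled is true. Mounted to /etc/ssl/certs.` so an operator knows which keys to put in the secret before turning the flag on.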
Expand Down
9 changes: 9 additions & 0 deletions charts/ocis/docs/values.adoc.yaml
Expand Up @@ -614,6 +614,15 @@ secretRefs:
# -- The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.
globalNotificationsSecretRef: ""

# Custom CA chain
# If a custom CA chain is needed for the communcation with other services like S3 or notification services.
# The secret needs to be manually created.
customCAChain:
# -- Custom CA enables SSL_CERT_DIR in pods with the path /etc/ssl/certs.
enabled: false
# -- If custom CA chain is enabled this attribute mounts the existing secret to /etc/ssl/certs.
existingSecret: ""

# Security context options.
securityContext:
# -- File system group for all volumes.
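Review bot: typo in the header comment of the new customCAChain block: "communcation" should be "communication". The sentence "The secret needs to be manually created." also leaves open where (the release namespace) and with which contents (PEM certificate files, one per key); spelling that out here is cheap and saves a support ticket when the pods fail to resolve the secret.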
Expand Down
14 changes: 14 additions & 0 deletions charts/ocis/templates/antivirus/deployment.yaml
Expand Up @@ -61,6 +61,11 @@ spec:
- name: ANTIVIRUS_MAX_SCAN_SIZE
value: {{ .Values.features.virusscan.maxScanSize | quote }}

{{- if .Values.customCAChain.enabled }}
- name: SSL_CERT_DIR
value: /etc/ssl/certs
{{- end }}

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -75,6 +80,10 @@ spec:
- name: messaging-system-ca
mountPath: /etc/ocis/messaging-system-ca
readOnly: true
{{- if .Values.customCAChain.enabled }}
- name: custom-ca-chain
mountPath: /etc/ssl/certs/
{{- end }}
@d7oc (Contributor) commented Jun 12, 2024:

Would be good to have this fragment templated so we don't have these lines in all deployments.yml files but only one with a call here.

Suggestion:

{{/*
oCIS ca mount

@param .path          The path to mount
@param .scope         The current scope
*/}}
{{- define "ocis.caPath" -}}
            {{- if .scope.Values.customCAChain.enabled }}
            - name: custom-ca-chain
              mountPath: {{ .path }}
            {{- end }}
{{- end -}}

Usage afterwards with {{- include "ocis.caPath" (dict "scope" . "path" "/etc/ssl/certs") }}


{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
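Review bot: the new custom-ca-chain volumeMount is missing `readOnly: true`, unlike the messaging-system-ca mount directly above it; a trust store must not be writable from inside the container, so add `readOnly: true` here and in the identical mount added to every other deployment in this PR. A second, bigger point: mounting the secret at `/etc/ssl/certs/` hides whatever the image already has in that directory, including the distribution CA bundle that normally lives there, and with `SSL_CERT_DIR` pointed at the same path the process ends up trusting only the certificates in the secret. Either document that the secret must also carry the public roots the service still needs (S3 endpoints, notification services), or mount the secret at a dedicated path such as `/etc/ocis/custom-ca` and point `SSL_CERT_DIR` there so the system bundle stays intact.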
Expand All @@ -87,4 +96,9 @@ spec:
{{ else }}
emptyDir: {}
{{ end }}
{{- if .Values.customCAChain.enabled }}
- name: custom-ca-chain
secret:
secretName: {{ .Value.customCAChain.existingSecret }}
{{ end }}
{{ end }}
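Review bot: `secretName: {{ .Value.customCAChain.existingSecret }}` uses `.Value`, which does not exist; it should be `.Values.customCAChain.existingSecret`. As written, rendering either fails with a nil-pointer error or produces an empty secretName once `customCAChain.enabled` is true, and the Pod cannot start either way. The same typo is present in the volumes hunk of every deployment in this PR. While fixing it, guard the empty-string case so `enabled: true` with `existingSecret: ""` is rejected at render time: `secretName: {{ required "customCAChain.existingSecret must be set when customCAChain.enabled is true" .Values.customCAChain.existingSecret }}`. Style point: the block opens with `{{- if` but closes with `{{ end }}` (no dash), unlike the other deployments, which leaves a stray blank line in the rendered manifest; use `{{- end }}`.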
15 changes: 15 additions & 0 deletions charts/ocis/templates/appprovider/deployment.yaml
Expand Up @@ -79,6 +79,11 @@ spec:
value: {{ $.Values.features.appsIntegration.wopiIntegration.wopiFolderURIPathTemplate | quote }}
{{- end }}

{{- if $.Values.customCAChain.enabled }}
- name: SSL_CERT_DIR
value: /etc/ssl/certs
{{- end }}

- name: APP_PROVIDER_JWT_SECRET
valueFrom:
secretKeyRef:
Expand Down Expand Up @@ -107,11 +112,21 @@ spec:
volumeMounts:
- name: tmp-volume
mountPath: /tmp
{{- if $.Values.customCAChain.enabled }}
- name: custom-ca-chain
mountPath: /etc/ssl/certs/
{{- end }}


{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
- name: tmp-volume
emptyDir: {}
{{- if $.Values.customCAChain.enabled }}
- name: custom-ca-chain
secret:
secretName: {{ .Value.customCAChain.existingSecret }}
{{ end }}
{{ end }}
{{ end }}
{{ end }}
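Review bot: this template reads values through `$.Values` everywhere else in the hunk (for example `{{- if $.Values.customCAChain.enabled }}` two lines above), so `.` is not the root context at this point; `secretName: {{ .Value.customCAChain.existingSecret }}` is therefore wrong twice over, the `.Value` typo and the wrong scope. It has to be `$.Values.customCAChain.existingSecret` (ideally wrapped in `required`, as the values are optional strings).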
14 changes: 14 additions & 0 deletions charts/ocis/templates/appregistry/deployment.yaml
Expand Up @@ -53,6 +53,11 @@ spec:
name: {{ include "secrets.jwtSecret" . }}
key: jwt-secret

{{- if .Values.customCAChain.enabled }}
- name: SSL_CERT_DIR
value: /etc/ssl/certs
{{- end }}

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -68,6 +73,10 @@ spec:
mountPath: /tmp
- name: configs
mountPath: /etc/ocis
{{- if .Values.customCAChain.enabled }}
- name: custom-ca-chain
mountPath: /etc/ssl/certs/
{{- end }}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
Expand All @@ -76,3 +85,8 @@ spec:
- name: configs
configMap:
name: {{ .appName }}-config
{{- if .Values.customCAChain.enabled }}
- name: custom-ca-chain
secret:
secretName: {{ .Value.customCAChain.existingSecret }}
{{- end }}
14 changes: 14 additions & 0 deletions charts/ocis/templates/audit/deployment.yaml
Expand Up @@ -50,6 +50,11 @@ spec:

- name: AUDIT_LOG_TO_CONSOLE
value: "true"

{{- if .Values.customCAChain.enabled }}
- name: SSL_CERT_DIR
value: /etc/ssl/certs
{{- end }}

{{- include "ocis.livenessProbe" . | nindent 10 }}

Expand All @@ -65,6 +70,10 @@ spec:
- name: messaging-system-ca
mountPath: /etc/ocis/messaging-system-ca
readOnly: true
{{- if .Values.customCAChain.enabled }}
- name: custom-ca-chain
mountPath: /etc/ssl/certs/
{{- end }}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
Expand All @@ -77,3 +86,8 @@ spec:
{{ else }}
emptyDir: {}
{{ end }}
{{- if .Values.customCAChain.enabled }}
- name: custom-ca-chain
secret:
secretName: {{ .Value.customCAChain.existingSecret }}
{{- end }}
14 changes: 14 additions & 0 deletions charts/ocis/templates/authbasic/deployment.yaml
Expand Up @@ -150,6 +150,11 @@ spec:
value: {{ .Values.features.externalUserManagement.ldap.disableUsers.disableMechanism | quote }}
- name: AUTH_BASIC_DISABLED_USERS_GROUP_DN
value: {{ .Values.features.externalUserManagement.ldap.disableUsers.disabledUsersGroupDN | quote }}

{{- if .Values.customCAChain.enabled }}
- name: SSL_CERT_DIR
value: /etc/ssl/certs
{{- end }}

{{- include "ocis.livenessProbe" . | nindent 10 }}

Expand All @@ -169,6 +174,10 @@ spec:
- name: ldap-ca
mountPath: /etc/ocis/ldap-ca
readOnly: true
{{- if .Values.customCAChain.enabled }}
- name: custom-ca-chain
mountPath: /etc/ssl/certs/
{{- end }}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
Expand All @@ -183,4 +192,9 @@ spec:
{{ else }}
emptyDir: {}
{{ end }}
{{- if .Values.customCAChain.enabled }}
- name: custom-ca-chain
secret:
secretName: {{ .Value.customCAChain.existingSecret }}
{{- end }}
{{ end }}
14 changes: 14 additions & 0 deletions charts/ocis/templates/authmachine/deployment.yaml
Expand Up @@ -61,6 +61,11 @@ spec:
name: {{ include "secrets.machineAuthAPIKeySecret" . }}
key: machine-auth-api-key

{{- if .Values.customCAChain.enabled }}
- name: SSL_CERT_DIR
value: /etc/ssl/certs
{{- end }}

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -74,8 +79,17 @@ spec:
volumeMounts:
- name: tmp-volume
mountPath: /tmp
{{- if .Values.customCAChain.enabled }}
- name: custom-ca-chain
mountPath: /etc/ssl/certs/
{{- end }}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
- name: tmp-volume
emptyDir: {}
{{- if .Values.customCAChain.enabled }}
- name: custom-ca-chain
secret:
secretName: {{ .Value.customCAChain.existingSecret }}
{{- end }}
14 changes: 14 additions & 0 deletions charts/ocis/templates/authservice/deployment.yaml
Expand Up @@ -66,6 +66,11 @@ spec:
name: {{ include "secrets.serviceAccountSecret" . }}
key: service-account-secret

{{- if .Values.customCAChain.enabled }}
- name: SSL_CERT_DIR
value: /etc/ssl/certs
{{- end }}

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -79,8 +84,17 @@ spec:
volumeMounts:
- name: tmp-volume
mountPath: /tmp
{{- if .Values.customCAChain.enabled }}
- name: custom-ca-chain
mountPath: /etc/ssl/certs/
{{- end }}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
- name: tmp-volume
emptyDir: {}
{{- if .Values.customCAChain.enabled }}
- name: custom-ca-chain
secret:
secretName: {{ .Value.customCAChain.existingSecret }}
{{- end }}
14 changes: 14 additions & 0 deletions charts/ocis/templates/clientlog/deployment.yaml
Expand Up @@ -65,6 +65,11 @@ spec:
name: {{ include "secrets.jwtSecret" . }}
key: jwt-secret

{{- if .Values.customCAChain.enabled }}
- name: SSL_CERT_DIR
value: /etc/ssl/certs
{{- end }}

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -79,6 +84,10 @@ spec:
- name: messaging-system-ca
mountPath: /etc/ocis/messaging-system-ca
readOnly: true
{{- if .Values.customCAChain.enabled }}
- name: custom-ca-chain
mountPath: /etc/ssl/certs/
{{- end }}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
Expand All @@ -91,3 +100,8 @@ spec:
{{ else }}
emptyDir: {}
{{ end }}
{{- if .Values.customCAChain.enabled }}
- name: custom-ca-chain
secret:
secretName: {{ .Value.customCAChain.existingSecret }}
{{- end }}
14 changes: 14 additions & 0 deletions charts/ocis/templates/eventhistory/deployment.yaml
Expand Up @@ -54,6 +54,11 @@ spec:
- name: EVENTHISTORY_DEBUG_ADDR
value: 0.0.0.0:9270

{{- if .Values.customCAChain.enabled }}
- name: SSL_CERT_DIR
value: /etc/ssl/certs
{{- end }}

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -70,6 +75,10 @@ spec:
- name: messaging-system-ca
mountPath: /etc/ocis/messaging-system-ca
readOnly: true
{{- if .Values.customCAChain.enabled }}
- name: custom-ca-chain
mountPath: /etc/ssl/certs/
{{- end }}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
Expand All @@ -82,3 +91,8 @@ spec:
{{ else }}
emptyDir: {}
{{ end }}
{{- if .Values.customCAChain.enabled }}
- name: custom-ca-chain
secret:
secretName: {{ .Value.customCAChain.existingSecret }}
{{- end }}
14 changes: 14 additions & 0 deletions charts/ocis/templates/frontend/deployment.yaml
Expand Up @@ -157,6 +157,11 @@ spec:
- name: FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST
value: /etc/ocis/sharing-banned-passwords.txt

{{- if .Values.customCAChain.enabled }}
- name: SSL_CERT_DIR
value: /etc/ssl/certs
{{- end }}

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -172,6 +177,10 @@ spec:
mountPath: /etc/ocis
- name: tmp-volume
mountPath: /tmp
{{- if .Values.customCAChain.enabled }}
- name: custom-ca-chain
mountPath: /etc/ssl/certs/
{{- end }}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
Expand All @@ -180,3 +189,8 @@ spec:
- name: configs
configMap:
name: sharing-banned-passwords-{{ .appName }}
{{- if .Values.customCAChain.enabled }}
- name: custom-ca-chain
secret:
secretName: {{ .Value.customCAChain.existingSecret }}
{{- end }}
14 changes: 14 additions & 0 deletions charts/ocis/templates/gateway/deployment.yaml
Expand Up @@ -81,6 +81,11 @@ spec:
name: {{ include "secrets.transferSecret" . }}
key: transfer-secret

{{- if .Values.customCAChain.enabled }}
- name: SSL_CERT_DIR
value: /etc/ssl/certs
{{- end }}

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -94,8 +99,17 @@ spec:
volumeMounts:
- name: tmp-volume
mountPath: /tmp
{{- if .Values.customCAChain.enabled }}
- name: custom-ca-chain
mountPath: /etc/ssl/certs/
{{- end }}

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
- name: tmp-volume
emptyDir: {}
{{- if .Values.customCAChain.enabled }}
- name: custom-ca-chain
secret:
secretName: {{ .Value.customCAChain.existingSecret }}
{{- end }}