Added custom ca chain to deployments

charts/ocis/ci/values.yaml

@@ -59,6 +59,10 @@ features:
   policies:
     enabled: true
 
+customCAChain:
+  enabled: true
+  existingSecret: myCAchain
+
 extraLabels:
   extra1: lorem
   extra2: ipsum

charts/ocis/docs/values-desc-table.adoc

@@ -72,6 +72,18 @@ a| [subs=-attributes]
 a| [subs=-attributes]
 `""`
 | Optional reference to an existing web theme config. Will be mounted to /var/lib/ocis/web/assets/themes/owncloud for Web. Does not get autogenerated. Hint: if you set this, you'll no longer be able to change the instance logo via the Web UI.
+| customCAChain.enabled
+a| [subs=-attributes]
++bool+
+a| [subs=-attributes]
+`false`
+| Custom CA enables SSL_CERT_DIR in pods with the additional path /etc/ssl/custom.
+| customCAChain.existingSecret
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`""`
+| If custom CA chain is enabled this attribute mounts the existing secret to /etc/ssl/custom.
 | debug.profiling
 a| [subs=-attributes]
 +bool+

charts/ocis/docs/values.adoc.yaml

@@ -614,6 +614,15 @@ secretRefs:
   # -- The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.
   globalNotificationsSecretRef: ""
 
+# Custom CA chain
+# If a custom CA chain is needed for the communcation with other services like S3 or notification services.
+# The secret needs to be manually created.
+customCAChain:
+  # -- Custom CA enables SSL_CERT_DIR in pods with the additional path /etc/ssl/custom.
+  enabled: false
+  # -- If custom CA chain is enabled this attribute mounts the existing secret to /etc/ssl/custom.
+  existingSecret: ""
+
 # Security context options.
 securityContext:
   # -- File system group for all volumes.

charts/ocis/templates/_common/customcachain.tpl

@@ -0,0 +1,25 @@
+{{/*
+oCIS ca mount
+
+*/}}
+{{- define "ocis.caPath" -}}
+{{- if .Values.customCAChain.enabled }}
+- name: custom-ca-chain
+  mountPath: /etc/ssl/custom/
+{{- end }}
+{{- end -}}
+
+{{- define "ocis.caVolume" -}}
+{{- if .Values.customCAChain.enabled }}
+- name: custom-ca-chain
+  secret:
+    secretName:  {{ .Values.customCAChain.existingSecret }}
+{{- end }}
+{{- end -}}
+
+{{- define "ocis.caEnv" -}}
+{{- if .Values.customCAChain.enabled }}
+- name: SSL_CERT_DIR
+  value: "/etc/ssl/certs:/etc/ssl/custom"
+{{- end }}
+{{- end -}}

charts/ocis/templates/antivirus/deployment.yaml

@@ -61,6 +61,8 @@ spec:
             - name: ANTIVIRUS_MAX_SCAN_SIZE
               value: {{ .Values.features.virusscan.maxScanSize | quote }}
 
+            {{- include "ocis.caEnv" . | nindent 12}}
+
           {{- include "ocis.livenessProbe" . | nindent 10 }}
 
           resources: {{ toYaml .resources | nindent 12 }}
@@ -75,6 +77,7 @@ spec:
             - name: messaging-system-ca
               mountPath: /etc/ocis/messaging-system-ca
               readOnly: true
+            {{- include "ocis.caPath" . | nindent 12}}
 
       {{- include "ocis.imagePullSecrets" $ | nindent 6 }}
       volumes:
@@ -87,4 +90,5 @@ spec:
           {{ else }}
           emptyDir: {}
           {{ end }}
+        {{- include "ocis.caVolume" . | nindent 8}}
 {{ end }}

charts/ocis/templates/appprovider/deployment.yaml

@@ -79,6 +79,8 @@ spec:
               value: {{ $.Values.features.appsIntegration.wopiIntegration.wopiFolderURIPathTemplate | quote }}
             {{- end }}
 
+            {{- include "ocis.caEnv" $ | nindent 12}}
+
             - name: APP_PROVIDER_JWT_SECRET
               valueFrom:
                 secretKeyRef:
@@ -107,11 +109,14 @@ spec:
           volumeMounts:
             - name: tmp-volume
               mountPath: /tmp
+            {{- include "ocis.caPath" $ | nindent 12}}
+
 
       {{- include "ocis.imagePullSecrets" $ | nindent 6 }}
       volumes:
         - name: tmp-volume
           emptyDir: {}
+        {{- include "ocis.caVolume" $ | nindent 8}}
 {{ end }}
 {{ end }}
 {{ end }}

charts/ocis/templates/appregistry/deployment.yaml

@@ -53,6 +53,8 @@ spec:
                   name: {{ include "secrets.jwtSecret" . }}
                   key: jwt-secret
 
+            {{- include "ocis.caEnv" . | nindent 12}}
+
           {{- include "ocis.livenessProbe" . | nindent 10 }}
 
           resources: {{ toYaml .resources | nindent 12 }}
@@ -68,6 +70,7 @@ spec:
               mountPath: /tmp
             - name: configs
               mountPath: /etc/ocis
+            {{- include "ocis.caPath" . | nindent 12}}
 
       {{- include "ocis.imagePullSecrets" $ | nindent 6 }}
       volumes:
@@ -76,3 +79,4 @@ spec:
         - name: configs
           configMap:
             name: {{ .appName }}-config
+        {{- include "ocis.caVolume" . | nindent 8}}

charts/ocis/templates/audit/deployment.yaml

@@ -51,6 +51,8 @@ spec:
             - name: AUDIT_LOG_TO_CONSOLE
               value: "true"
 
+            {{- include "ocis.caEnv" . | nindent 12}}
+
           {{- include "ocis.livenessProbe" . | nindent 10 }}
 
           resources: {{ toYaml .resources | nindent 12 }}
@@ -65,6 +67,7 @@ spec:
             - name: messaging-system-ca
               mountPath: /etc/ocis/messaging-system-ca
               readOnly: true
+            {{- include "ocis.caPath" . | nindent 12}}
 
       {{- include "ocis.imagePullSecrets" $ | nindent 6 }}
       volumes:
@@ -77,3 +80,4 @@ spec:
           {{ else }}
           emptyDir: {}
           {{ end }}
+        {{- include "ocis.caVolume" . | nindent 8}}

charts/ocis/templates/authbasic/deployment.yaml

@@ -150,6 +150,8 @@ spec:
               value: {{ .Values.features.externalUserManagement.ldap.disableUsers.disableMechanism | quote }}
             - name: AUTH_BASIC_DISABLED_USERS_GROUP_DN
               value: {{ .Values.features.externalUserManagement.ldap.disableUsers.disabledUsersGroupDN | quote }}
+
+            {{- include "ocis.caEnv" . | nindent 12}}
 
           {{- include "ocis.livenessProbe" . | nindent 10 }}
 
@@ -169,6 +171,7 @@ spec:
             - name: ldap-ca
               mountPath: /etc/ocis/ldap-ca
               readOnly: true
+            {{- include "ocis.caPath" . | nindent 12}}
 
       {{- include "ocis.imagePullSecrets" $ | nindent 6 }}
       volumes:
@@ -183,4 +186,5 @@ spec:
           {{ else }}
           emptyDir: {}
           {{ end }}
+        {{- include "ocis.caVolume" . | nindent 8}} 
 {{ end }}

charts/ocis/templates/authmachine/deployment.yaml

@@ -61,6 +61,8 @@ spec:
                   name: {{ include "secrets.machineAuthAPIKeySecret" . }}
                   key: machine-auth-api-key
 
+            {{- include "ocis.caEnv" . | nindent 12}}
+
           {{- include "ocis.livenessProbe" . | nindent 10 }}
 
           resources: {{ toYaml .resources | nindent 12 }}
@@ -74,8 +76,10 @@ spec:
           volumeMounts:
             - name: tmp-volume
               mountPath: /tmp
+            {{- include "ocis.caPath" . | nindent 12}}
 
       {{- include "ocis.imagePullSecrets" $ | nindent 6 }}
       volumes:
         - name: tmp-volume
           emptyDir: {}
+        {{- include "ocis.caVolume" . | nindent 8}}

charts/ocis/templates/authservice/deployment.yaml

@@ -66,6 +66,8 @@ spec:
                   name: {{ include "secrets.serviceAccountSecret" . }}
                   key: service-account-secret
 
+            {{- include "ocis.caEnv" . | nindent 12}}
+
           {{- include "ocis.livenessProbe" . | nindent 10 }}
 
           resources: {{ toYaml .resources | nindent 12 }}
@@ -79,8 +81,10 @@ spec:
           volumeMounts:
             - name: tmp-volume
               mountPath: /tmp
+            {{- include "ocis.caPath" . | nindent 12}}
 
       {{- include "ocis.imagePullSecrets" $ | nindent 6 }}
       volumes:
         - name: tmp-volume
           emptyDir: {}
+        {{- include "ocis.caVolume" . | nindent 8}}

charts/ocis/templates/clientlog/deployment.yaml

@@ -65,6 +65,8 @@ spec:
                   name: {{ include "secrets.jwtSecret" . }}
                   key: jwt-secret
 
+            {{- include "ocis.caEnv" . | nindent 12}}
+
           {{- include "ocis.livenessProbe" . | nindent 10 }}
 
           resources: {{ toYaml .resources | nindent 12 }}
@@ -79,6 +81,7 @@ spec:
             - name: messaging-system-ca
               mountPath: /etc/ocis/messaging-system-ca
               readOnly: true
+            {{- include "ocis.caPath" . | nindent 12}}
 
       {{- include "ocis.imagePullSecrets" $ | nindent 6 }}
       volumes:
@@ -91,3 +94,4 @@ spec:
           {{ else }}
           emptyDir: {}
           {{ end }}
+        {{- include "ocis.caVolume" . | nindent 8}}

charts/ocis/templates/eventhistory/deployment.yaml

@@ -54,6 +54,8 @@ spec:
             - name: EVENTHISTORY_DEBUG_ADDR
               value: 0.0.0.0:9270
 
+            {{- include "ocis.caEnv" . | nindent 12}}
+
           {{- include "ocis.livenessProbe" . | nindent 10 }}
 
           resources: {{ toYaml .resources | nindent 12 }}
@@ -70,6 +72,7 @@ spec:
             - name: messaging-system-ca
               mountPath: /etc/ocis/messaging-system-ca
               readOnly: true
+            {{- include "ocis.caPath" . | nindent 12}}
 
       {{- include "ocis.imagePullSecrets" $ | nindent 6 }}
       volumes:
@@ -82,3 +85,4 @@ spec:
           {{ else }}
           emptyDir: {}
           {{ end }}
+        {{- include "ocis.caVolume" . | nindent 8}}

charts/ocis/templates/frontend/deployment.yaml

@@ -157,6 +157,8 @@ spec:
             - name: FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST
               value: /etc/ocis/sharing-banned-passwords.txt
 
+            {{- include "ocis.caEnv" . | nindent 12}}
+
           {{- include "ocis.livenessProbe" . | nindent 10 }}
 
           resources: {{ toYaml .resources | nindent 12 }}
@@ -172,6 +174,7 @@ spec:
               mountPath: /etc/ocis
             - name: tmp-volume
               mountPath: /tmp
+            {{- include "ocis.caPath" . | nindent 12}}
 
       {{- include "ocis.imagePullSecrets" $ | nindent 6 }}
       volumes:
@@ -180,3 +183,4 @@ spec:
         - name: configs
           configMap:
             name: sharing-banned-passwords-{{ .appName }}
+        {{- include "ocis.caVolume" . | nindent 8}}   

charts/ocis/templates/gateway/deployment.yaml

@@ -81,6 +81,8 @@ spec:
                   name: {{ include "secrets.transferSecret" . }}
                   key: transfer-secret
 
+            {{- include "ocis.caEnv" . | nindent 12}}
+
           {{- include "ocis.livenessProbe" . | nindent 10 }}
 
           resources: {{ toYaml .resources | nindent 12 }}
@@ -94,8 +96,10 @@ spec:
           volumeMounts:
             - name: tmp-volume
               mountPath: /tmp
+            {{- include "ocis.caPath" . | nindent 12}}
 
       {{- include "ocis.imagePullSecrets" $ | nindent 6 }}
       volumes:
         - name: tmp-volume
           emptyDir: {}
+        {{- include "ocis.caVolume" . | nindent 8}}

charts/ocis/templates/graph/deployment.yaml

@@ -196,6 +196,8 @@ spec:
                   name: {{ include "secrets.serviceAccountSecret" . }}
                   key: service-account-secret
 
+            {{- include "ocis.caEnv" . | nindent 12}}
+
           {{- include "ocis.livenessProbe" . | nindent 10 }}
 
           resources: {{ toYaml .resources | nindent 12 }}
@@ -215,6 +217,7 @@ spec:
             - name: ldap-ca
               mountPath: /etc/ocis/ldap-ca
               readOnly: true
+            {{- include "ocis.caPath" . | nindent 12}}
 
       {{- include "ocis.imagePullSecrets" $ | nindent 6 }}
       volumes:
@@ -234,3 +237,4 @@ spec:
           {{ else }}
           emptyDir: {}
           {{ end }}
+        {{- include "ocis.caVolume" . | nindent 8}}

charts/ocis/templates/groups/deployment.yaml

@@ -142,6 +142,8 @@ spec:
                   name: {{ include "secrets.jwtSecret" . }}
                   key: jwt-secret
 
+            {{- include "ocis.caEnv" . | nindent 12}}
+
           {{- include "ocis.livenessProbe" . | nindent 10 }}
 
           resources: {{ toYaml .resources | nindent 12 }}
@@ -160,6 +162,7 @@ spec:
             - name: ldap-ca
               mountPath: /etc/ocis/ldap-ca
               readOnly: true
+            {{- include "ocis.caPath" . | nindent 12}}
 
       {{- include "ocis.imagePullSecrets" $ | nindent 6 }}
       volumes:
@@ -174,3 +177,4 @@ spec:
           {{ else }}
           emptyDir: {}
           {{ end }}
+        {{- include "ocis.caVolume" . | nindent 8}}

charts/ocis/templates/idm/deployment.yaml

@@ -107,6 +107,8 @@ spec:
             - name: IDM_LDAPS_KEY
               value: /etc/ocis/ldap-cert/ldap.key
 
+            {{- include "ocis.caEnv" . | nindent 12}}
+
           {{- include "ocis.livenessProbe" . | nindent 10 }}
 
           resources: {{ toYaml .resources | nindent 12 }}
@@ -125,6 +127,7 @@ spec:
               readOnly: true
             - name: {{ include "ocis.persistence.dataVolumeName" . }}
               mountPath: /var/lib/ocis
+            {{- include "ocis.caPath" . | nindent 12}}
 
       {{- include "ocis.imagePullSecrets" $ | nindent 6 }}
       volumes:
@@ -133,5 +136,6 @@ spec:
         - name: ldap-cert
           secret:
             secretName: {{ include "secrets.ldapCertSecret" . }}
+        {{- include "ocis.caVolume" . | nindent 8}}
         {{- include "ocis.persistence.dataVolume" . | nindent 8 }}
 {{- end }}