From 3552a5c7a8cf6d9f9cbc97cbed13c4d1fbc787ff Mon Sep 17 00:00:00 2001
From: Akash Gupta
Date: Wed, 20 Nov 2024 18:18:14 +0530
Subject: [PATCH] [tfy-agent] support extra vol in proxy + add docs for insecure mode (#807)
* [tfy-agent] support extra vol in proxy + add docs for insecure mode
* Update README.md with readme-generator-for-helm
Signed-off-by: akashg3627
* update
* update
* fix comments
* Update README.md with readme-generator-for-helm
Signed-off-by: akashg3627
---------
Signed-off-by: akashg3627
Co-authored-by: akashg3627
---
 charts/tfy-agent/Chart.yaml | 2 +-
 charts/tfy-agent/README.md | 52 +++++++++++++++++++
 .../templates/tfy-agent-proxy-deployment.yaml | 4 ++
 charts/tfy-agent/values.yaml | 7 +++
 4 files changed, 64 insertions(+), 1 deletion(-)
diff --git a/charts/tfy-agent/Chart.yaml b/charts/tfy-agent/Chart.yaml
index 09629475..0bbd5eba 100644
--- a/charts/tfy-agent/Chart.yaml
+++ b/charts/tfy-agent/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.39
+version: 0.2.40
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/tfy-agent/README.md b/charts/tfy-agent/README.md
index 567189d2..0534edb3 100644
--- a/charts/tfy-agent/README.md
+++ b/charts/tfy-agent/README.md
@@ -33,6 +33,56 @@ This application has two parts. * If the list of allowed namespaces is empty. We set up [cluster-wide access](https://github.com/truefoundry/infra-charts/blob/main/charts/tfy-agent/templates/tfy-agent-proxy-clusterrolebinding-ns.yaml) for these namespaced resources. +## Trobleshoot + +### Using self-signed certificate in control plane URL +If your control plane URL is using self-signed CA certificate, follow these steps: +1. Update CA bundle in the container by mounting your CA bundle. This can be done in two ways: + 1. using volume mounts + - create a config map using your `ca-certificate.crt` file + + `kubectl create configmap tfy-ca-cert -n tfy-agent --from-file=ca-certificate.crt` + + - add following volume and volume mounts in both tfyAgent and tfyAgentProxy + ``` + tfyAgent: + extraVolumes: + - name: ca-certificates-volume + configMap: + name: tfy-ca-cert + items: + - key: ca-certificates.crt + path: ca-certificates.crt + extraVolumeMounts: + - name: ca-certificates-volume + mountPath: /etc/ssl/certs/ca-certificates.crt + subPath: ca-certificates.crt + readOnly: true + tfyAgentProxy: + extraVolumes: + - name: ca-certificates-volume + configMap: + name: tfy-ca-cert + items: + - key: ca-certificates.crt + path: ca-certificates.crt + extraVolumeMounts: + - name: ca-certificates-volume + mountPath: /etc/ssl/certs/ca-certificates.crt + subPath: ca-certificates.crt + readOnly: true + ``` + 2. using jspolicy - [link](https://artifacthub.io/packages/helm/truefoundry/tfy-jspolicy-config) + +2. Add extraEnv in tfyAgent to allow insecure connection + ``` + tfyAgent: + extraEnvVars: + - name: NODE_TLS_REJECT_UNAUTHORIZED + value: '0' + ``` + + ## Parameters ### Configuration parameters 
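Review bot: The configmap key used in the mounted volume does not match the file the configmap is created from: `kubectl create configmap tfy-ca-cert -n tfy-agent --from-file=ca-certificate.crt` produces the key `ca-certificate.crt`, while the `items:` entries under both `extraVolumes` blocks reference `ca-certificates.crt`, so kubelet has no such key to project and the pod will not start as documented. Step 2 then sets `NODE_TLS_REJECT_UNAUTHORIZED: '0'`, which disables certificate verification for every outbound TLS connection of the agent process, not only the control plane, and makes the CA mount from step 1 pointless; a Node runtime also does not read `/etc/ssl/certs` unless it was built or started to use OpenSSL's system store, so the supported way to trust a private CA is `NODE_EXTRA_CA_CERTS` pointing at the mounted file, with the insecure flag documented only as a last resort and with its effect stated. The heading should read `## Troubleshoot`.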
@@ -133,6 +183,8 @@ This application has two parts.
 | `tfyAgentProxy.serviceAccount.create` | Bool to enable serviceAccount creation | `true` |
 | `tfyAgentProxy.serviceAccount.annotations` | Annotations to add to the serviceAccount | `{}` |
 | `tfyAgentProxy.serviceAccount.name` | Name of the serviceAccount to use. If not set and create is true, a name is generated using the fullname template | `""` |
+| `tfyAgentProxy.extraVolumes` | Extra volume for tfyAgentProxy container | `[]` |
+| `tfyAgentProxy.extraVolumeMounts` | Extra volume mount for tfyAgentProxy container | `[]` |
 | `tfyAgentProxy.clusterRole.enable` | Create cluster role. | `true` |
 | `tfyAgentProxy.clusterRole.strictMode` | Only add required authz rules. | `false` |
 | `tfyAgentProxy.clusterRole.clusterScopedAdditionalClusterRoleRules` | Additional rules to add to the cluster role for cluster-scoped resources. | `[]` |
diff --git a/charts/tfy-agent/templates/tfy-agent-proxy-deployment.yaml b/charts/tfy-agent/templates/tfy-agent-proxy-deployment.yaml
index db42b4d1..568bf1ee 100644
--- a/charts/tfy-agent/templates/tfy-agent-proxy-deployment.yaml
+++ b/charts/tfy-agent/templates/tfy-agent-proxy-deployment.yaml
@@ -51,6 +51,8 @@ spec:
 imagePullPolicy: {{ .Values.tfyAgentProxy.image.pullPolicy }}
 resources:
 {{- toYaml .Values.tfyAgentProxy.resources | nindent 12 }}
+volumeMounts:
+{{- toYaml .Values.tfyAgentProxy.extraVolumeMounts | nindent 12 }}
 {{- with .Values.tfyAgentProxy.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
@@ -66,4 +68,6 @@ spec:
 {{- with .Values.tfyAgentProxy.priorityClassName }}
 priorityClassName: {{ . | quote }}
 {{- end }}
+volumes:
+{{- toYaml .Values.tfyAgentProxy.extraVolumes | nindent 8 }}
 {{- end }}
diff --git a/charts/tfy-agent/values.yaml b/charts/tfy-agent/values.yaml
index 1de75514..09fb9007 100644
--- a/charts/tfy-agent/values.yaml
+++ b/charts/tfy-agent/values.yaml
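Review bot: `volumeMounts:` and `volumes:` are emitted unconditionally in both deployment hunks, so with the chart defaults (`extraVolumeMounts: []`, `extraVolumes: []`) every rendered manifest now carries `volumeMounts: []` and `volumes: []`, and any later template addition that needs its own mount or volume will produce a duplicate key instead of extending the list. The neighbouring `nodeSelector` and `priorityClassName` stanzas in the same file are guarded, so for consistency wrap each new stanza the same way: `{{- with .Values.tfyAgentProxy.extraVolumeMounts }}` around `volumeMounts:` with `{{- toYaml . | nindent 12 }}` inside and a closing `{{- end }}`, and likewise `{{- with .Values.tfyAgentProxy.extraVolumes }}` around `volumes:` at the pod level. That keeps the default manifest byte-identical to the previous release and leaves the keys free for future built-in volumes. The enclosing container and pod spec blocks start outside these hunks.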
@@ -420,6 +420,13 @@ tfyAgentProxy:
 ## @param tfyAgentProxy.serviceAccount.name Name of the serviceAccount to use. If not set and create is true, a name is generated using the fullname template
 ##
 name: ""
+
+## @param tfyAgentProxy.extraVolumes Extra volume for tfyAgentProxy container
+##
+extraVolumes: []
+## @param tfyAgentProxy.extraVolumeMounts Extra volume mount for tfyAgentProxy container
+##
+extraVolumeMounts: []
 clusterRole:
 ## @param tfyAgentProxy.clusterRole.enable Create cluster role.