From 9ae8ccad4d4c788c6e526aaf58dfecce7947f4f3 Mon Sep 17 00:00:00 2001
From: AbrohamLincoln <64557460+AbrohamLincoln@users.noreply.github.com>
Date: Thu, 9 Nov 2023 09:49:46 -0500
Subject: [PATCH] feat: add REGISTRY_CA_BUNDLE variable to registry package and chart (#2008)
## Description
Allows users to specify a CA bundle to the Registry when performing a `zarf init`. An example of how to use this to supply a Root CA Bundle in commercial AWS (although you don't need to): Create a `zarf-config.yaml` similar to the following: ```yaml package: deploy: set: REGISTRY_CA_BUNDLE: my-custom-ca.pem ``` Initialize the cluster: `ZARF_CONFIG=./zarf-config.yaml zarf init --confirm`
## Related Issue
Fixes #2007
## Type of change
- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)
## Checklist before merging
- [ ] Test, docs, adr added or updated as needed
- [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed
---------
Signed-off-by: Sam
Co-authored-by: Wayne Starr
---
 .../zarf-registry/chart/templates/_helpers.tpl | 12 ++++++++++++
 .../chart/templates/configmap.yaml | 16 ++++++++++++++++
 .../chart/templates/deployment.yaml | 11 +++++++++++
 packages/zarf-registry/chart/values.yaml | 17 +++++++++++++++++
 packages/zarf-registry/registry-values.yaml | 2 ++
 packages/zarf-registry/zarf.yaml | 6 ++++++
 src/pkg/utils/io.go | 2 +-
 7 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 packages/zarf-registry/chart/templates/configmap.yaml
diff --git a/packages/zarf-registry/chart/templates/_helpers.tpl b/packages/zarf-registry/chart/templates/_helpers.tpl
index a91077ef6f..3e570d3078 100644
--- a/packages/zarf-registry/chart/templates/_helpers.tpl
+++ b/packages/zarf-registry/chart/templates/_helpers.tpl
@@ -22,3 +22,15 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Merge all configmaps
+*/}}
+{{- define "docker-registry.configMaps" -}}
+{{- if .Values.caBundle }}
+- name: {{ template "docker-registry.fullname" . }}-ca-bundle
+ data:
+ ca-certificates.crt: |
+{{ .Values.caBundle | indent 6 }}
+{{- end }}
+{{- end -}}
diff --git a/packages/zarf-registry/chart/templates/configmap.yaml b/packages/zarf-registry/chart/templates/configmap.yaml
new file mode 100644
index 0000000000..2c8471b661
--- /dev/null
+++ b/packages/zarf-registry/chart/templates/configmap.yaml
@@ -0,0 +1,16 @@
+{{- range (include "docker-registry.configMaps" . | fromYamlArray ) }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .name }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ app: {{ default $.Chart.Name $.Values.nameOverride | trunc 63 | trimSuffix "-" }}
+ chart: {{ $.Chart.Name }}-{{ $.Chart.Version }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+type: Opaque
+data:
+{{ toYaml .data | indent 2 }}
+{{- end }}
diff --git a/packages/zarf-registry/chart/templates/deployment.yaml b/packages/zarf-registry/chart/templates/deployment.yaml
index ab3a0c0562..ce8126f60a 100644
--- a/packages/zarf-registry/chart/templates/deployment.yaml
+++ b/packages/zarf-registry/chart/templates/deployment.yaml
@@ -77,6 +77,12 @@ spec:
 mountPath: /var/lib/registry/
 - name: config
 mountPath: "/etc/docker/registry"
+{{- if .Values.caBundle }}
+ - mountPath: /etc/ssl/certs/ca-certificates.crt
+ name: {{ template "docker-registry.fullname" . }}-ca-bundle
+ subPath: ca-certificates.crt
+ readOnly: true
+{{- end }}
 affinity:
 {{- if (eq "ReadWriteMany" .Values.persistence.accessMode) }}
 podAntiAffinity:
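Review bot: `{{- if .Values.caBundle }}` in the new `docker-registry.configMaps` helper accepts any non-empty string, so a value that is not PEM (a wrong file, or a bundle that lost its line structure on the way through the values file) is rendered into the ConfigMap and only surfaces later as TLS failures inside the registry. A render-time guard inside the `if` fails fast on the obvious cases: `{{- if not (contains "-----BEGIN CERTIFICATE-----" .Values.caBundle) }}{{ fail "caBundle must be a PEM-encoded certificate bundle" }}{{- end }}`. The `define` block is complete within the hunk.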
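Review bot: `type: Opaque` in the new configmap.yaml is a Secret field, not a ConfigMap field; the template looks copied from a secret template. With strict server-side field validation the object is rejected for the unknown field, and in warn mode the field is dropped with a warning, so the line should simply be removed. As a minor point, the `app` label re-derives the chart name inline (`default $.Chart.Name $.Values.nameOverride | trunc 63 | trimSuffix "-"`); if `_helpers.tpl` already defines a name helper, as the hunk header above suggests, calling it keeps the labels consistent with the rest of the chart.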
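Review bot: The `subPath` mount over `/etc/ssl/certs/ca-certificates.crt` in deployment.yaml replaces the container's trust store rather than adding to it, so if the image reads its system roots from that path (Alpine-based images do) the registry trusts only the certificates in `caBundle` once it is set, and outbound TLS to anything signed by a public CA — an S3 or other object-storage backend, a proxied upstream registry — fails unless those roots are included too. That is a defensible design, but nothing in the change says so; the `## Will be mounted to …` comment in values.yaml and the `REGISTRY_CA_BUNDLE` description in zarf.yaml are the places to document it, e.g. `## Replaces the image's default CA bundle: include every root the registry must trust, public CAs too`. The volumeMounts list this hunk extends starts outside the hunk.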
@@ -111,3 +117,8 @@ spec:
 emptyDir:
 sizeLimit: {{ .Values.persistence.size }}
 {{- end }}
+{{- if .Values.caBundle }}
+ - name: {{ template "docker-registry.fullname" . }}-ca-bundle
+ configMap:
+ name: {{ template "docker-registry.fullname" . }}-ca-bundle
+{{- end }}
diff --git a/packages/zarf-registry/chart/values.yaml b/packages/zarf-registry/chart/values.yaml
index 93276dc0b5..527578eca0 100644
--- a/packages/zarf-registry/chart/values.yaml
+++ b/packages/zarf-registry/chart/values.yaml
@@ -54,6 +54,23 @@ autoscaling:
 maxReplicas: 5
 targetCPUUtilizationPercentage: 80
+caBundle: ""
+## One or more concatenated certificates
+## Will be mounted to /etc/ssl/certs/ca-certificates.crt
+# caBundle: |
+# # Root CA 1
+# -----BEGIN CERTIFICATE-----
+# ...
+# -----END CERTIFICATE-----
+# # Intermediate CA 1
+# -----BEGIN CERTIFICATE-----
+# ...
+# -----END CERTIFICATE-----
+# # Root CA 2
+# -----BEGIN CERTIFICATE-----
+# ...
+# -----END CERTIFICATE-----
+
 extraEnvVars: []
 ## Additional ENV variables to set
 # - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
diff --git a/packages/zarf-registry/registry-values.yaml b/packages/zarf-registry/registry-values.yaml
index 7f43da9c67..bfaf046aa1 100644
--- a/packages/zarf-registry/registry-values.yaml
+++ b/packages/zarf-registry/registry-values.yaml
@@ -40,5 +40,7 @@ autoscaling:
 maxReplicas: "###ZARF_VAR_REGISTRY_HPA_MAX###"
 targetCPUUtilizationPercentage: 80
+caBundle: ###ZARF_VAR_REGISTRY_CA_BUNDLE###
+
 extraEnvVars: ###ZARF_VAR_REGISTRY_EXTRA_ENVS###
diff --git a/packages/zarf-registry/zarf.yaml b/packages/zarf-registry/zarf.yaml
index 1fe3fa9286..38a13006c1 100644
--- a/packages/zarf-registry/zarf.yaml
+++ b/packages/zarf-registry/zarf.yaml
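Review bot: The ConfigMap volume added here has a fixed name and is consumed through a `subPath` mount, so a later change to `caBundle` rewrites the ConfigMap but never reaches running pods — the kubelet does not refresh `subPath` mounts in place, and nothing in this change alters the pod template. Adding `checksum/ca-bundle: {{ .Values.caBundle | sha256sum }}` to the pod template annotations would roll the Deployment whenever the bundle changes; the pod template metadata is outside this hunk.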
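Review bot: `caBundle: ###ZARF_VAR_REGISTRY_CA_BUNDLE###` in registry-values.yaml substitutes the file contents into a plain, unquoted scalar, with `autoIndent` placing the continuation lines at the placeholder's column. YAML folds a multi-line plain scalar into one line joined by spaces, so as far as I can tell a real PEM bundle reaches the chart as a single line with the `-----BEGIN CERTIFICATE-----` marker and the base64 body separated by spaces, which PEM decoders do not accept. A block scalar preserves the line structure: `caBundle: |` followed by `  ###ZARF_VAR_REGISTRY_CA_BUNDLE###` indented on the next line; with the empty default this still yields an empty string, so the `if .Values.caBundle` guards in the templates keep working. A test that renders the chart with a two-line bundle and inspects the ConfigMap data would pin this down.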
@@ -47,6 +47,12 @@ variables:
 description: Enable the Horizontal Pod Autoscaler for the registry
 default: "true"
+ - name: REGISTRY_CA_BUNDLE
+ description: Filepath to a bundle of trusted certificates to mount into the registry container
+ default: ""
+ autoIndent: true
+ type: file
+
 - name: REGISTRY_EXTRA_ENVS
 description: Array of additional environment variables passed to the registry container
 default: ""
diff --git a/src/pkg/utils/io.go b/src/pkg/utils/io.go
index 662e1891d2..38349329fd 100755
--- a/src/pkg/utils/io.go
+++ b/src/pkg/utils/io.go
@@ -170,7 +170,7 @@ func ReplaceTextTemplate(path string, mappings map[string]*TextTemplate, depreca
 value = template.Value
 // Check if the value is a file type and load the value contents from the file
- if template.Type == types.FileVariableType {
+ if template.Type == types.FileVariableType && value != "" {
 if isText, err := IsTextFile(value); err != nil || !isText {
 message.Warnf("Refusing to load a non-text file for templating %s", templateKey)
 line = matches[regexTemplateLine.SubexpIndex("postTemplate")]
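Review bot: The new `&& value != ""` makes an empty value mean "no file to load", which is what lets file variables default to `""`, but that intent is not recorded anywhere near the condition; the comment above should carry it, e.g. `// Check if the value is a file type and load the value contents from the file; an empty value is substituted as-is so file variables can default to ""`. A whitespace-only path still falls through to `IsTextFile`, so `strings.TrimSpace(value) != ""` would be the slightly safer guard if `strings` is already imported in this file. `ReplaceTextTemplate` begins and ends outside the hunk.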