Jason Plum authored
Introduce `template/_certificates.tpl` for population of certificates to various containers that may require the insertion of custom certificate authority root certificates.

This is implemented as a small set of changes to each affected Chart, and the addition of a template that provides the content that these charts will use. The use of a template provides DRY development patterns, as well as simplifying any future alterations.

This MR relies on gitlab-org/build/CNG!133, which introduces the `alpine-certificates` container that is used by the injected `initContainer`.

How it works:

- Adds 2 volumes:
  - etc-ssl-certs is a shared `emptyDir` volume, mounted to `/etc/ssl/certs` in all application containers
  - custom-ca-certificates is a projected volume, mounting all keys of secrets provided to `global.certificates.customCAs` to `/usr/local/share/ca-certificates` into the `initContainer`
- alpine-certificates container builds a complete system CA bundle into `/etc/ssl/certs`, dereferencing symlinks to ensure that volume's contents are portable. This pulls in `/usr/share/ca-certificates` from the `ca-certificates` package, and the contents of `/usr/local/share/ca-certificates` as provided by the `custom-ca-certificates` volume.
- application containers mount etc-ssl-certs, now including custom CAs

Closes #255 directly

Closes #254 indirectly, as we're now injecting updated `ca-certificates` bundle as a part of `alpine-certificates` container operation.
91e6ec33
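
The volume wiring described in the commit message, sketched as a rendered Pod spec. This is an added example, not the chart's template output or code from the commit; the Pod name, container names, image references and secret names are placeholders, and `readOnly` on the mounts is this example's choice.

```yaml
# Added illustration of the layout the commit message describes.
# Volume names and mount paths come from the commit message;
# everything marked "placeholder" is constructed for this example.
apiVersion: v1
kind: Pod
metadata:
  name: example-app                      # placeholder
spec:
  initContainers:
    - name: certificates                 # placeholder container name
      image: registry.example.com/alpine-certificates:PLACEHOLDER   # placeholder image reference
      volumeMounts:
        # Output: the complete system CA bundle is written here.
        - name: etc-ssl-certs
          mountPath: /etc/ssl/certs
        # Input: custom CA roots projected from the listed secrets.
        - name: custom-ca-certificates
          mountPath: /usr/local/share/ca-certificates
          readOnly: true                 # example's choice, not stated in the commit
  containers:
    - name: app                          # placeholder application container
      image: registry.example.com/app:PLACEHOLDER                   # placeholder image reference
      volumeMounts:
        # The application sees only the bundle built by the init container.
        - name: etc-ssl-certs
          mountPath: /etc/ssl/certs
          readOnly: true                 # example's choice, not stated in the commit
  volumes:
    # Shared scratch volume that carries the bundle between containers.
    - name: etc-ssl-certs
      emptyDir: {}
    # Every key of every listed secret becomes a file in the init container.
    - name: custom-ca-certificates
      projected:
        sources:
          - secret:
              name: custom-ca-one        # placeholder secret name
          - secret:
              name: custom-ca-two        # placeholder secret name
```

Because the `emptyDir` is mounted over `/etc/ssl/certs`, the CA files shipped in the application image at that path are hidden, so the application's trust store is exactly what the init container wrote. Anyone who can write to a secret in the projected list can therefore add a trusted root for every container that mounts the volume, which makes write access to those secrets worth restricting and auditing.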