Resolve "Support internal root CA"
Introduce `template/_certificates.tpl` for population of certificates to various containers that may require the insertion of custom certificate authority root certificates.
This is implemented as a small set of changes to each affected Chart, and the addition of a template that provides the content that these charts will use. The use of a template provides DRY development patterns, as well as simplifying any future alterations.
This MR relies on gitlab-org/build/CNG!133 (merged), which introduces the `alpine-certificates` container that is used by the injected `initContainer`.
How it works:
- Adds 2 volumes:
  - `etc-ssl-certs` is a shared `emptyDir` volume, mounted to `/etc/ssl/certs` in all application containers
  - `custom-ca-certificates` is a projected volume, mounting all keys of secrets provided to `global.certificates.customCAs` to `/usr/local/share/ca-certificates` into the `initContainer`
- `alpine-certificates` container builds a complete system CA bundle into `/etc/ssl/certs`, dereferencing symlinks to ensure that volume's contents are portable. This pulls in `/usr/share/ca-certificates` from the `ca-certificates` package, and the contents of `/usr/local/share/ca-certificates` as provided by the `custom-ca-certificates` volume.
- application containers mount `etc-ssl-certs`, now including custom CAs
Closes #255 (closed) directly
Closes #254 (closed) indirectly, as we're now injecting updated `ca-certificates` bundle as a part of `alpine-certificates` container operation.
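The volume and mount layout described under "How it works", written out as a plain Pod spec. This is an added illustration, not the output of `_certificates.tpl` or any chart in this MR; the pod, container and secret names are constructed, and the image references are placeholders because the description does not give them.

```yaml
# Added example: names marked "constructed" or "placeholder" are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: custom-ca-example              # constructed
spec:
  volumes:
    # Shared scratch volume; starts empty and is filled by the initContainer.
    - name: etc-ssl-certs
      emptyDir: {}
    # Projected volume: every key of each listed secret becomes one file.
    - name: custom-ca-certificates
      projected:
        sources:
          - secret:
              name: internal-root-ca   # constructed secret name
          - secret:
              name: partner-root-ca    # constructed secret name
  initContainers:
    # Builds the full CA bundle (distribution CAs plus custom CAs) into the
    # shared volume before any application container starts.
    - name: certificates
      image: REGISTRY_PLACEHOLDER/alpine-certificates:TAG_PLACEHOLDER
      volumeMounts:
        - name: etc-ssl-certs
          mountPath: /etc/ssl/certs
        - name: custom-ca-certificates
          mountPath: /usr/local/share/ca-certificates
          readOnly: true
  containers:
    # The application only sees the finished bundle; it never mounts the
    # secrets themselves and needs no write access to the bundle.
    - name: app                        # constructed
      image: REGISTRY_PLACEHOLDER/app:TAG_PLACEHOLDER
      volumeMounts:
        - name: etc-ssl-certs
          mountPath: /etc/ssl/certs
          readOnly: true
```

Because the `emptyDir` mount replaces `/etc/ssl/certs` in the application image, the container trusts only what the initContainer wrote there, which is why the bundle must contain real files rather than symlinks pointing outside the volume.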