add init container for updating ca trust and shift getting ca cert fr…

…om secret to config map (#3763)

* add init container for updating ca trust and shift getting ca cert from secret to config map

Co-authored-by: Jesse Goodier <[email protected]>
Co-authored-by: Thomas Nguyen <[email protected]>

cost-analyzer/templates/NOTES.txt

@@ -10,6 +10,7 @@
 {{- include "prometheusRetentionCheck" . -}}
 {{- include "clusterIDCheck" . -}}
 {{- include "kubeRBACProxyBearerTokenCheck" . -}}
+{{- include "caCertsSecretConfigCheck" . -}}
 
 {{- $servicePort := .Values.service.port | default 9090 }}
 Kubecost {{ .Chart.Version }} has been successfully installed.

cost-analyzer/templates/_helpers.tpl

@@ -1447,6 +1447,16 @@ for more information
 {{- end }}
 {{- end }}
 
+{{- define "caCertsSecretConfigCheck" }}
+  {{- if .Values.global.updateCaTrust.enabled }}
+    {{- if and .Values.global.updateCaTrust.caCertsSecret .Values.global.updateCaTrust.caCertsConfig }}
+      {{- fail "Both caCertsSecret and caCertsConfig are defined. Please specify only one." }}
+    {{- else if and (not .Values.global.updateCaTrust.caCertsSecret) (not .Values.global.updateCaTrust.caCertsConfig) }}
+      {{- fail "Neither caCertsSecret nor caCertsConfig is defined, but updateCaTrust is enabled. Please specify one." }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
 {{- define "clusterControllerEnabled" }}
 {{- if (.Values.clusterController).enabled }}
 {{- printf "true" -}}

cost-analyzer/templates/cost-analyzer-deployment-template.yaml

@@ -126,11 +126,18 @@ spec:
            defaultMode: 420
            secretName: {{ .Values.kubecostModel.federatedStorageConfigSecret | default "federated-store" }}
         {{- end }}
-        {{- if .Values.kubecostModel.caCertsSecret }}
+        {{- if .Values.global.updateCaTrust.enabled }}
         - name: ca-certs-secret
+          {{- if .Values.global.updateCaTrust.caCertsSecret }}
           secret:
-           defaultMode: 420
-           secretName: {{ .Values.kubecostModel.caCertsSecret}}
+            defaultMode: 420
+            secretName: {{ .Values.global.updateCaTrust.caCertsSecret }}
+          {{- else }}
+          configMap:
+            name: {{ .Values.global.updateCaTrust.caCertsConfig }}
+          {{- end }}
+        - name: ssl-path
+          emptyDir: {}
         {{- end }}
         {{- if .Values.kubecostProductConfigs }}
         {{- if and ((.Values.kubecostProductConfigs).productKey).enabled ((.Values.kubecostProductConfigs).productKey).secretname }}
@@ -351,6 +358,34 @@ spec:
           securityContext:
             runAsUser: 0
 {{ end }}
+        {{- if .Values.global.updateCaTrust.enabled }}
+        - name: update-ca-trust
+          image: {{ include "cost-model.image" . | trim | quote}}
+          {{- if .Values.kubecostModel.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.kubecostModel.imagePullPolicy }}
+          {{- else }}
+          imagePullPolicy: Always
+          {{- end }}
+          {{- with .Values.global.updateCaTrust.securityContext }}
+          securityContext: {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.global.updateCaTrust.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          command:
+            - 'sh'
+            - '-c'
+            - >
+              mkdir -p /etc/pki/ca-trust/extracted/{edk2,java,openssl,pem};
+              /usr/bin/update-ca-trust extract;
+          volumeMounts:
+            - name: ca-certs-secret
+              mountPath: {{ .Values.global.updateCaTrust.caCertsMountPath | quote }}
+            - name: ssl-path
+              mountPath: "/etc/pki/ca-trust/extracted"
+              readOnly: false
+        {{- end}}
       containers:
         {{- if .Values.global.gmp.enabled }}
         - name: {{ .Values.global.gmp.gmpProxy.name }}
@@ -621,9 +656,12 @@ spec:
               mountPath: /var/configs/etl/federated
               readOnly: true
             {{- end }}
-            {{- if .Values.kubecostModel.caCertsSecret }}
+            {{- if .Values.global.updateCaTrust.enabled }}
             - name: ca-certs-secret
-              mountPath: /etc/pki/ca-trust/source/anchors
+              mountPath: {{ .Values.global.updateCaTrust.caCertsMountPath | quote }}
+            - name: ssl-path
+              mountPath: "/etc/pki/ca-trust/extracted"
+              readOnly: false
             {{- end }}
             {{- if .Values.kubecostAdmissionController }}
             {{- if .Values.kubecostAdmissionController.enabled }}

cost-analyzer/values.yaml

@@ -226,6 +226,23 @@ global:
       drop:
       - ALL
 
+  # Installs custom CA certificates onto Kubecost pods
+  updateCaTrust:
+    enabled: false  # Set to true to enable the init container for updating CA trust
+    # Security context settings for the init container.
+    securityContext:
+      runAsUser: 0
+      runAsGroup: 0
+      runAsNonRoot: false
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: true
+      seccompProfile:
+        type: RuntimeDefault
+    caCertsSecret: ca-certs-secret  # The name of the Secret containing custom CA certificates to mount to the cost-model container.
+    # caCertsConfig: ca-certs-config  # The name of the ConfigMap containing the CA trust configuration.
+    resources: {}  # Resource requests and limits for the init container.
+    caCertsMountPath: /etc/pki/ca-trust/source/anchors  # The path where the custom CA certificates will be mounted in the init container
+
   # Platforms is a higher-level abstraction for platform-specific values and settings.
   platforms:
     # Deploying to OpenShift (OCP) requires enabling this option.
@@ -575,9 +592,6 @@ kubecostModel:
   #         "client_x509_cert_url": ""
   #       }
 
-  # the name of the Secret containing custom CA certs to mount to cost model container
-  # caCertsSecret: ca-certs-secret
-
   # Installs Kubecost/OpenCost plugins
   plugins:
     enabled: false