From 3eaddf172a83f530b881317b6945173e77751715 Mon Sep 17 00:00:00 2001
From: Ishaan Mittal
Date: Thu, 12 Dec 2024 01:49:49 +0530
Subject: [PATCH] add init container for updating ca trust and shift getting ca cert from secret to config map (#3763)
* add init container for updating ca trust and shift getting ca cert from secret to config map
Co-authored-by: Jesse Goodier <31039225+jessegoodier@users.noreply.github.com>
Co-authored-by: Thomas Nguyen
---
 cost-analyzer/templates/NOTES.txt | 1 +
 cost-analyzer/templates/_helpers.tpl | 10 ++++
 .../cost-analyzer-deployment-template.yaml | 48 +++++++++++++++++--
 cost-analyzer/values.yaml | 20 ++++++--
 4 files changed, 71 insertions(+), 8 deletions(-)
diff --git a/cost-analyzer/templates/NOTES.txt b/cost-analyzer/templates/NOTES.txt
index 5bed747ed..e653b3e71 100644
--- a/cost-analyzer/templates/NOTES.txt
+++ b/cost-analyzer/templates/NOTES.txt
@@ -10,6 +10,7 @@ {{- include "prometheusRetentionCheck" . -}} {{- include "clusterIDCheck" . -}} {{- include "kubeRBACProxyBearerTokenCheck" . -}} +{{- include "caCertsSecretConfigCheck" . -}} {{- $servicePort := .Values.service.port | default 9090 }} Kubecost {{ .Chart.Version }} has been successfully installed.
diff --git a/cost-analyzer/templates/_helpers.tpl b/cost-analyzer/templates/_helpers.tpl
index faf94e1b5..67ff512f5 100755
--- a/cost-analyzer/templates/_helpers.tpl
+++ b/cost-analyzer/templates/_helpers.tpl
@@ -1447,6 +1447,16 @@ for more information {{- end }} {{- end }} +{{- define "caCertsSecretConfigCheck" }} + {{- if .Values.global.updateCaTrust.enabled }} + {{- if and .Values.global.updateCaTrust.caCertsSecret .Values.global.updateCaTrust.caCertsConfig }} + {{- fail "Both caCertsSecret and caCertsConfig are defined. Please specify only one." }} + {{- else if and (not .Values.global.updateCaTrust.caCertsSecret) (not .Values.global.updateCaTrust.caCertsConfig) }} + {{- fail "Neither caCertsSecret nor caCertsConfig is defined, but updateCaTrust is enabled. Please specify one." }} + {{- end }} + {{- end }} +{{- end }} + {{- define "clusterControllerEnabled" }} {{- if (.Values.clusterController).enabled }} {{- printf "true" -}}
diff --git a/cost-analyzer/templates/cost-analyzer-deployment-template.yaml b/cost-analyzer/templates/cost-analyzer-deployment-template.yaml
index 5cbfdafd1..ae4abf4eb 100644
--- a/cost-analyzer/templates/cost-analyzer-deployment-template.yaml
+++ b/cost-analyzer/templates/cost-analyzer-deployment-template.yaml
@@ -126,11 +126,18 @@ spec: defaultMode: 420 secretName: {{ .Values.kubecostModel.federatedStorageConfigSecret | default "federated-store" }} {{- end }} - {{- if .Values.kubecostModel.caCertsSecret }} + {{- if .Values.global.updateCaTrust.enabled }} - name: ca-certs-secret + {{- if .Values.global.updateCaTrust.caCertsSecret }} secret: - defaultMode: 420 - secretName: {{ .Values.kubecostModel.caCertsSecret}} + defaultMode: 420 + secretName: {{ .Values.global.updateCaTrust.caCertsSecret }} + {{- else }} + configMap: + name: {{ .Values.global.updateCaTrust.caCertsConfig }} + {{- end }} + - name: ssl-path + emptyDir: {} {{- end }} {{- if .Values.kubecostProductConfigs }} {{- if and ((.Values.kubecostProductConfigs).productKey).enabled ((.Values.kubecostProductConfigs).productKey).secretname }}
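Review bot: The `caCertsSecretConfigCheck` helper rejects the ConfigMap path for anyone who only sets `caCertsConfig`, because the values.yaml hunk in this same patch ships `caCertsSecret: ca-certs-secret` as a non-empty default, so the "Both ... are defined" branch fires unless the user also clears the Secret name. Either ship `caCertsSecret: ""` as the default (keeping the example name in the comment) or make the message say what to do, e.g. `{{- fail "Both global.updateCaTrust.caCertsSecret and global.updateCaTrust.caCertsConfig are set; to use the ConfigMap, override caCertsSecret with an empty string (it defaults to ca-certs-secret)." }}`. The same applies to the `# caCertsConfig:` comment in the values.yaml hunk, which currently gives no hint that the Secret name must be cleared. Both `define` blocks are complete within this hunk.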
@@ -351,6 +358,34 @@ spec: securityContext: runAsUser: 0 {{ end }} + {{- if .Values.global.updateCaTrust.enabled }} + - name: update-ca-trust + image: {{ include "cost-model.image" . | trim | quote}} + {{- if .Values.kubecostModel.imagePullPolicy }} + imagePullPolicy: {{ .Values.kubecostModel.imagePullPolicy }} + {{- else }} + imagePullPolicy: Always + {{- end }} + {{- with .Values.global.updateCaTrust.securityContext }} + securityContext: {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.global.updateCaTrust.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + command: + - 'sh' + - '-c' + - > + mkdir -p /etc/pki/ca-trust/extracted/{edk2,java,openssl,pem}; + /usr/bin/update-ca-trust extract; + volumeMounts: + - name: ca-certs-secret + mountPath: {{ .Values.global.updateCaTrust.caCertsMountPath | quote }} + - name: ssl-path + mountPath: "/etc/pki/ca-trust/extracted" + readOnly: false + {{- end}} containers: {{- if .Values.global.gmp.enabled }} - name: {{ .Values.global.gmp.gmpProxy.name }}
@@ -621,9 +656,12 @@ spec: mountPath: /var/configs/etl/federated readOnly: true {{- end }} - {{- if .Values.kubecostModel.caCertsSecret }} + {{- if .Values.global.updateCaTrust.enabled }} - name: ca-certs-secret - mountPath: /etc/pki/ca-trust/source/anchors + mountPath: {{ .Values.global.updateCaTrust.caCertsMountPath | quote }} + - name: ssl-path + mountPath: "/etc/pki/ca-trust/extracted" + readOnly: false {{- end }} {{- if .Values.kubecostAdmissionController }} {{- if .Values.kubecostAdmissionController.enabled }}
diff --git a/cost-analyzer/values.yaml b/cost-analyzer/values.yaml
index fd9ffbcaf..42fbba2c4 100644
--- a/cost-analyzer/values.yaml
+++ b/cost-analyzer/values.yaml
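Review bot: The init container's command depends on brace expansion in `mkdir -p /etc/pki/ca-trust/extracted/{edk2,java,openssl,pem}`, which is a bash/ksh feature rather than POSIX `sh`; if `sh` in the cost-model image ever resolves to dash or busybox ash, this creates a single directory literally named `{edk2,java,openssl,pem}` and the following `update-ca-trust extract` most likely has nowhere to write. Spelling the paths out removes the dependency on which shell `sh` is: `mkdir -p /etc/pki/ca-trust/extracted/edk2 /etc/pki/ca-trust/extracted/java /etc/pki/ca-trust/extracted/openssl /etc/pki/ca-trust/extracted/pem;`. The container also reuses `cost-model.image` and therefore assumes `/usr/bin/update-ca-trust` ships in that image, presumably true for a RHEL-derived base; a one-line comment above `image:` stating that requirement would keep a future base-image change from silently breaking the trust update. The enclosing `initContainers` list and pod spec start and end outside this hunk.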
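Review bot: The application container's `ssl-path` mount in the second hunk (`@@ -621,9 +656,12 @@`) is declared `readOnly: false`, yet only the `update-ca-trust` init container writes into `/etc/pki/ca-trust/extracted`; the cost-model process only needs to read the extracted bundle. Mounting it read-only in the main container means the trust store produced at pod start cannot be modified from inside the application container afterwards, which is the least-privilege choice for a CA bundle: `readOnly: true`. The explicit `readOnly: false` on the init container's own mount is redundant (false is the default) but harmless, and the `ca-certs-secret` mount needs no `readOnly` since the kubelet mounts Secret and ConfigMap volumes read-only regardless. The enclosing container's `volumeMounts` list starts and ends outside this hunk.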
@@ -226,6 +226,23 @@ global: drop: - ALL + # Installs custom CA certificates onto Kubecost pods + updateCaTrust: + enabled: false # Set to true to enable the init container for updating CA trust + # Security context settings for the init container. + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + caCertsSecret: ca-certs-secret # The name of the Secret containing custom CA certificates to mount to the cost-model container. + # caCertsConfig: ca-certs-config # The name of the ConfigMap containing the CA trust configuration. + resources: {} # Resource requests and limits for the init container. + caCertsMountPath: /etc/pki/ca-trust/source/anchors # The path where the custom CA certificates will be mounted in the init container + # Platforms is a higher-level abstraction for platform-specific values and settings. platforms: # Deploying to OpenShift (OCP) requires enabling this option.
@@ -575,9 +592,6 @@ kubecostModel: # "client_x509_cert_url": "" # } - # the name of the Secret containing custom CA certs to mount to cost model container - # caCertsSecret: ca-certs-secret - # Installs Kubecost/OpenCost plugins plugins: enabled: false
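Review bot: `caCertsMountPath` is documented only as "the path where the custom CA certificates will be mounted", but the init container runs `update-ca-trust extract`, which reads anchors from the image's trust source directories (`/etc/pki/ca-trust/source/anchors` is the default here and the only location the tool consults under `/etc/pki`), so a user who changes this value to anything else would get a rebuilt bundle that silently lacks their certificates. Add that constraint to the comment, e.g. `# Must remain under /etc/pki/ca-trust/source for update-ca-trust to pick the certificates up; change only if the image's trust-source layout differs.` The `# caCertsConfig:` comment should also describe it as the ConfigMap holding the CA certificates to add to the trust store, since "CA trust configuration" reads as a config file rather than PEM data, which is what the deployment template mounts at the same path for either source. As a style point, the trailing comments on `caCertsSecret` and `caCertsMountPath` push those lines well past 120 columns; placing them on the line above the key, as the `# Security context settings for the init container.` comment already does, keeps the stanza consistent.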