Merge pull request #123 from snyk/fix/mount-ca-as-secret

fix: move ca to secret, tests
snyk · Jul 26, 2024 · d56ea94 · d56ea94
2 parents 99aa6f9 + aec8103
commit d56ea94
Show file tree

Hide file tree

Showing 12 changed files with 337 additions and 800 deletions.
diff --git a/charts/snyk-broker/Chart.yaml b/charts/snyk-broker/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
 name: snyk-broker
-version: 2.7.0
+version: 2.7.1
 description: A Helm chart for Kubernetes
 type: application
diff --git a/charts/snyk-broker/templates/_helpers.tpl b/charts/snyk-broker/templates/_helpers.tpl
@@ -116,12 +116,22 @@ Create the name of the broker service to use
 {{- end -}}
 
 {{/*
-Create TLS secret name
+Create a secret name.
+Pass a dict of Context ($) and secretName:
+include "snyk-broker.genericSecretName" (dict "Context" $ "secretName" "secret-name")
 */}}
-{{- define "tls-secret-name" -}}
-{{- if not .Values.disableSuffixes -}}
-{{ include "snyk-broker.fullname" .}}-tls-secret
+{{- define "snyk-broker.genericSecretName" -}}
+{{- if not .Context.Values.disableSuffixes -}}
+{{ printf "%s-%s" ( include "snyk-broker.fullname" .Context ) .secretName }}
 {{- else -}}
-tls-secret
+{{- printf "snyk-broker-%s" .secretName }}
 {{- end -}}
 {{- end -}}
+
+{{- define "snyk-broker.tlsSecretName" -}}
+{{- include "snyk-broker.genericSecretName" (dict "Context" . "secretName" "tls-secret" ) -}}
+{{- end }}
+
+{{- define "snyk-broker.caCertSecretName" -}}
+{{- include "snyk-broker.genericSecretName" (dict "Context" . "secretName" "cacert-secret" ) -}}
+{{- end }}
diff --git a/charts/snyk-broker/templates/broker_deployment.yaml b/charts/snyk-broker/templates/broker_deployment.yaml
@@ -428,8 +428,7 @@ spec:
             - name: HTTPS_KEY
               value: /home/node/tls-cert/tls.key
          {{- end }}
-
-         {{- if .Values.tlsRejectUnauthorized  }}
+         {{- if or ( and .Values.tlsRejectUnauthorized (not .Values.caCert ) (not .Values.caCertFile) ) ( and (or .Values.caCert .Values.caCertFile ) .Values.disableCaCertTrust ) }}
          # Troubleshooting - Set to 0 for SSL inspection testing
             - name: NODE_TLS_REJECT_UNAUTHORIZED
               value: "0"
@@ -497,13 +496,13 @@ spec:
       {{- end }}
       {{- if or (.Values.caCert) (.Values.caCertFile) }}
       - name: {{ include "snyk-broker.fullname" . }}-cacert-volume
-        configMap:
-          name: {{ include "snyk-broker.fullname" . }}-cacert-configmap{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}
+        secret:
+          secretName: {{ include "snyk-broker.caCertSecretName" . }}
       {{- end }}
       {{- if and (.Values.httpsCert) (.Values.httpsKey) }}
       - name: {{ include "snyk-broker.fullname" . }}-tls-secret-volume
         secret:
-          secretName: {{ include "tls-secret-name" . }}
+          secretName: {{ include "snyk-broker.tlsSecretName" . }}
       {{- end }}
 {{- if .Values.extraVolumes }}
 {{ tpl (toYaml .Values.extraVolumes | indent 6) . }}

diff --git a/charts/snyk-broker/templates/cacert_configmap.yaml b/charts/snyk-broker/templates/cacert_configmap.yaml
diff --git a/charts/snyk-broker/templates/secrets.yaml b/charts/snyk-broker/templates/secrets.yaml
@@ -165,10 +165,26 @@ stringData:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "tls-secret-name" . }}
+  name: {{ include "snyk-broker.tlsSecretName" . }}
 type: kubernetes.io/tls
 data:
   tls.crt: {{ (.Files.Get .Values.httpsCert) | b64enc | quote }}
   tls.key: {{ (.Files.Get .Values.httpsKey) | b64enc | quote }}
 ---
 {{- end }}
+{{- if or .Values.caCert .Values.caCertFile }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "snyk-broker.caCertSecretName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "snyk-broker.labels" . | nindent 4 }}
+data:
+{{- if and .Values.caCert (not .Values.caCertFile) }}
+{{ (.Files.Glob .Values.caCert).AsSecrets | nindent 2 }}
+{{- else if and .Values.caCertFile (not .Values.caCert) }}
+  cacert: {{ .Values.caCertFile | trim |  b64enc | nindent 4}}
+{{- end }}
+---
+{{- end }}