[ALL] Use a secret for CA certificates (#168)
* Storing CA certs in a secret and adding checksum for easy upgrade
* Applied modifications to all charts
Gaspi authored Oct 23, 2024
1 parent 8c74e18 commit b45d15e
Showing 28 changed files with 3,424 additions and 3,139 deletions.
4 changes: 2 additions & 2 deletions charts/jupyter-pyspark/Chart.yaml
Expand Up @@ -24,9 +24,9 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 2.1.7
version: 2.1.8

dependencies:
- name: library-chart
version: 1.5.27
version: 1.5.28
repository: https://inseefrlab.github.io/helm-charts-interactive-services
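--- /dev/null
+++ b/charts/jupyter-pyspark/templates/secret-cacerts.yaml
@@ -0,0 +1 @@
+{{ include "library-chart.secretCacerts" . }}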
52 changes: 39 additions & 13 deletions charts/jupyter-pyspark/templates/statefulset.yaml
Expand Up @@ -44,19 +44,24 @@ spec:
{{- if .Values.s3.enabled }}
checksum/s3: {{ include (print $.Template.BasePath "/secret-s3.yaml") . | sha256sum }}
{{- end }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (empty (trim (include "library-chart.secretSparkConf" .)))}}
checksum/sparkconf: {{ include (print $.Template.BasePath "/secret-sparkconf.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.vault.enabled }}
checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }}
{{- end }}
{{- if and .Values.certificates .Values.certificates.cacerts }}
checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }}
{{- end }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "library-chart.selectorLabels" . | nindent 8 }}
spec:
volumes:
- name: config-files
emptyDir: {}
- name: home
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
Expand Down Expand Up @@ -99,8 +104,11 @@ spec:
secretName: {{ include "library-chart.secretNameCoreSite" . }}
defaultMode: 0664
{{- end }}
- name: config-files
emptyDir: {}
{{- if and .Values.certificates .Values.certificates.cacerts }}
- name: cacerts
secret:
secretName: {{ include "library-chart.secretNameCacerts" . }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
Expand All @@ -114,10 +122,10 @@ spec:
- name: make-configmaps-writable
image: inseefrlab/onyxia-base:latest
imagePullPolicy: IfNotPresent
command:
command:
- sh
- -c
- |
- -c
- |
echo 'initContainer make-configmaps-writable is started';
{{- if .Values.s3.enabled }}
mkdir /dest/coresite;
Expand All @@ -132,14 +140,29 @@ spec:
cp /src/ivysettings/ivysettings.xml /dest/ivysettings/ivysettings.xml;
{{- end }}
{{- if .Values.discovery.hive }}
mkdir /dest/hive;
mkdir /dest/hive;
cp /src/hive/hive-site.xml /dest/hive/hive-site.xml;
{{- end }}
{{- if .Values.discovery.metaflow }}
mkdir /dest/metaflow;
cp /src/metaflow/config.json /dest/metaflow/config.json;
{{- end }}
{{- if and .Values.certificates .Values.certificates.cacerts }}
mkdir /dest/cacerts;
{{- if regexMatch "^https?://" .Values.certificates.cacerts }}
curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem
{{- else }}
cp /cacerts/ca.pem /tmp/ca.pem
{{- end }}
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem;
{{- end }}
volumeMounts:
- name: config-files
mountPath: /dest
{{- if and .Values.certificates .Values.certificates.cacerts }}
- name: cacerts
mountPath: /cacerts
{{- end }}
{{- if .Values.s3.enabled }}
- name: secret-coresite
mountPath: /src/coresite
Expand All @@ -148,8 +171,6 @@ spec:
- name: secret-ivysettings
mountPath: /src/ivysettings
{{- end }}
- name: config-files
mountPath: /dest
{{- if .Values.spark.default }}
- name: secret-sparkconf
mountPath: /src/spark
Expand Down Expand Up @@ -218,8 +239,8 @@ spec:
{{- if .Values.userPreferences.darkMode }}
- name: DARK_MODE
value: "true"
{{- end }}
envFrom:
{{- end }}
envFrom:
- secretRef:
name: {{ include "library-chart.secretNameToken" . }}
{{- if .Values.s3.enabled }}
Expand Down Expand Up @@ -296,6 +317,11 @@ spec:
mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig
subPath: metaflow
{{- end }}
{{- if and .Values.certificates .Values.certificates.pathToCaBundle }}
- name: config-files
mountPath: {{ .Values.certificates.pathToCaBundle }}
subPath: cacerts
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
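Review bot: The download at `curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem` in the make-configmaps-writable init container accepts `http://` URLs (the `regexMatch "^https?://"` guard) and runs without `-f`, so an HTTP error body, or a bundle swapped in transit on a plaintext link, is written to /tmp/ca.pem, split by the awk line into cert.N.crt and mounted at pathToCaBundle (default /usr/local/share/ca-certificates/) as if it were a genuine CA. Nothing in the script sets `-e` and `-s` hides curl's own error, so a failed fetch is not surfaced either. Consider `curl -fsS "$(cat /cacerts/ca-certs.url)" -o /tmp/ca.pem || exit 1` so the pod fails closed instead of starting with a bogus or empty trust directory, tighten the guard to `^https://` if plain HTTP is not actually needed, and at minimum add a comment above the line saying the URL is fetched unauthenticated at every pod start. The initContainer spec continues past the end of the hunk.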
94 changes: 60 additions & 34 deletions charts/jupyter-pyspark/values.schema.json
Expand Up @@ -692,7 +692,7 @@
"overwriteDefaultWith": "k8s.certManagerClusterIssuer"
}
},
"useTlsSecret":{
"useTlsSecret": {
"type": "boolean",
"description": "Whether you want to use the specified secretName in ingress tls",
"default": false,
Expand Down Expand Up @@ -787,41 +787,41 @@
"description": "It can be used to inject proxy settings in the services",
"type": "object",
"x-onyxia": {
"overwriteSchemaWith": "proxy.json"
"overwriteSchemaWith": "proxy.json"
},
"properties": {
"enabled": {
"type": "boolean",
"description": "Inject proxy settings",
"default": false
},
"httpProxy": {
"type": "string",
"description": "URL of the enterprise proxy for the region for HTTP.",
"default": "",
"hidden": {
"value": false,
"path": "proxy/enabled"
}
},
"httpsProxy": {
"type": "string",
"description": "URL of the enterprise proxy for the region for HTTPS.",
"default": "",
"hidden": {
"value": false,
"path": "proxy/enabled"
}
},
"noProxy": {
"type": "string",
"description": "enterprise local domain that should not take proxy comma separated",
"default": "",
"hidden": {
"value": false,
"path": "proxy/enabled"
}
"enabled": {
"type": "boolean",
"description": "Inject proxy settings",
"default": false
},
"httpProxy": {
"type": "string",
"description": "URL of the enterprise proxy for the region for HTTP.",
"default": "",
"hidden": {
"value": false,
"path": "proxy/enabled"
}
},
"httpsProxy": {
"type": "string",
"description": "URL of the enterprise proxy for the region for HTTPS.",
"default": "",
"hidden": {
"value": false,
"path": "proxy/enabled"
}
},
"noProxy": {
"type": "string",
"description": "enterprise local domain that should not take proxy comma separated",
"default": "",
"hidden": {
"value": false,
"path": "proxy/enabled"
}
}
}
},
"startupProbe": {
Expand Down Expand Up @@ -874,6 +874,32 @@
}
}
},
"certificates": {
"description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.",
"type": "object",
"x-onyxia": {
"overwriteSchemaWith": "certificates.json"
},
"default": {},
"properties": {
"cacerts": {
"type": "string",
"description": "String of concatenated CA certificates. Alternatively a target URL can be provided.",
"default": "",
"x-onyxia": {
"hidden": true
}
},
"pathToCaBundle": {
"type": "string",
"description": "String path where a bundle is made or injected by third party solution",
"default": "/usr/local/share/ca-certificates/",
"x-onyxia": {
"hidden": true
}
}
}
},
"message": {
"type": "object",
"description": "Warning message",
Expand All @@ -895,4 +921,4 @@
}
}
}
}
}
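Review bot: The `pathToCaBundle` description, `String path where a bundle is made or injected by third party solution`, does not say what the chart itself does with the value, and the `cacerts` description does not say that a URL value is downloaded at pod start rather than resolved at render time. From the statefulset template the path is a directory into which the init container's split `cert.N.crt` files are mounted, defaulting to `/usr/local/share/ca-certificates/`, so a description such as `Directory inside the pod where the split CA certificate files (cert.N.crt) are mounted; defaults to the system ca-certificates directory.` would be clearer. For `cacerts`, appending `An http(s) URL is downloaded by an init container each time the pod starts; an http:// URL is fetched without transport protection.` states the behaviour an operator needs to know before pointing it at a URL. The `certificates` object is complete within the hunk.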
5 changes: 4 additions & 1 deletion charts/jupyter-pyspark/values.yaml
Expand Up @@ -65,7 +65,6 @@ s3:
secretAccessKey: ""
sessionToken: ""


vault:
# Specifies whether a config map should be created
enabled: false
Expand Down Expand Up @@ -246,6 +245,10 @@ userPreferences:
darkMode: false
language: "en"

certificates: {}
# pathToCaBundle: /usr/local/share/ca-certificates/
# cacerts: ""

message:
fr: ""
en: ""
4 changes: 2 additions & 2 deletions charts/jupyter-python/Chart.yaml
Expand Up @@ -22,9 +22,9 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 2.1.6
version: 2.1.7

dependencies:
- name: library-chart
version: 1.5.27
version: 1.5.28
repository: https://inseefrlab.github.io/helm-charts-interactive-services
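--- /dev/null
+++ b/charts/jupyter-python/templates/secret-cacerts.yaml
@@ -0,0 +1 @@
+{{ include "library-chart.secretCacerts" . }}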
36 changes: 31 additions & 5 deletions charts/jupyter-python/templates/statefulset.yaml
Expand Up @@ -41,6 +41,9 @@ spec:
{{- if .Values.vault.enabled }}
checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }}
{{- end }}
{{- if and .Values.certificates .Values.certificates.cacerts }}
checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }}
{{- end }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
Expand Down Expand Up @@ -76,6 +79,11 @@ spec:
secret:
secretName: {{ include "library-chart.secretNameMetaflow" . }}
{{- end }}
{{- if and .Values.certificates .Values.certificates.cacerts }}
- name: cacerts
secret:
secretName: {{ include "library-chart.secretNameCacerts" . }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
Expand All @@ -89,9 +97,9 @@ spec:
- name: make-secrets-writable
image: inseefrlab/onyxia-base:latest
imagePullPolicy: IfNotPresent
command:
command:
- sh
- -c
- -c
- |
echo 'initContainer make-secrets-writable is started';
{{- if .Values.discovery.hive }}
Expand All @@ -102,9 +110,22 @@ spec:
mkdir /dest/metaflow/;
cp /src/metaflow/config.json /dest/metaflow/config.json;
{{- end }}
{{- if and .Values.certificates .Values.certificates.cacerts }}
mkdir /dest/cacerts;
{{- if regexMatch "^https?://" .Values.certificates.cacerts }}
curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem
{{- else }}
cp /cacerts/ca.pem /tmp/ca.pem
{{- end }}
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem;
{{- end }}
volumeMounts:
- name: config-files
mountPath: /dest
{{- if and .Values.certificates .Values.certificates.cacerts }}
- name: cacerts
mountPath: /cacerts
{{- end }}
{{- if .Values.discovery.hive }}
- name: secret-hive
mountPath: /src/hive
Expand Down Expand Up @@ -170,7 +191,7 @@ spec:
- name: DARK_MODE
value: "true"
{{- end }}
envFrom:
envFrom:
- secretRef:
name: {{ include "library-chart.secretNameToken" . }}
{{- if .Values.s3.enabled }}
Expand Down Expand Up @@ -226,12 +247,17 @@ spec:
- name: config-files
mountPath: /opt/hive/conf/hive-site.xml
subPath: hive/hive-site.xml
{{- end }}
{{- end }}
{{- if .Values.discovery.metaflow }}
- name: config-files
mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig
subPath: metaflow
{{- end }}
{{- end }}
{{- if and .Values.certificates .Values.certificates.pathToCaBundle }}
- name: config-files
mountPath: {{ .Values.certificates.pathToCaBundle }}
subPath: cacerts
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
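Review bot: The `checksum/cacerts` annotation, `{{ .Values.certificates.cacerts | sha256sum }}`, hashes the chart value, which in URL mode is only the URL string, so a rotated bundle behind an unchanged URL does not change the pod template and running pods keep whatever the init container downloaded at their last start. That may be intended, but it should be stated next to the annotation, e.g. `# hashes the value only: for a URL this triggers a rollout when the URL changes, not when the remote bundle does`. Separately, the `curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem` line in the make-secrets-writable init container has no `-f` and the guard accepts `http://`, so an error page or a bundle tampered with on a plaintext link ends up in the trust directory; `curl -fsS "$(cat /cacerts/ca-certs.url)" -o /tmp/ca.pem || exit 1` would be the safer form. The initContainer spec continues past the end of its hunk.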