feat: add support for custom TLS certificates from the platform (#519)

Author: mikhail-klimko

charts/gitops-runtime/Chart.yaml

@@ -129,4 +129,4 @@ dependencies:
   condition: gitops-operator.enabled
 - name: cf-argocd-extras
   repository: oci://quay.io/codefresh/charts
-  version: 0.5.2
+  version: 0.5.4

charts/gitops-runtime/templates/event-reporter.yaml

@@ -18,4 +18,11 @@
   {{- $_ := set $cfArgoCdExtrasContext.Values.eventReporter.container.env "ARGOCD_SERVER_ROOTPATH" (index .Values "global" "external-argo-cd" "server" "rootpath") }}
 {{- end }}
 
+{{- if or .Values.global.codefresh.tls.caCerts.secret.create .Values.global.codefresh.tls.caCerts.secretKeyRef }}
+  {{- $secretName := .Values.global.codefresh.tls.caCerts.secretKeyRef.name | default "codefresh-tls-certs" }}
+  {{- $secretKey := .Values.global.codefresh.tls.caCerts.secret.create | ternary (default "ca-bundle.crt" .Values.global.codefresh.tls.caCerts.secret.key) .Values.global.codefresh.tls.caCerts.secretKeyRef.key }}
+  {{- $_ := set $cfArgoCdExtrasContext.Values.eventReporter.container.env "CODEFRESH_SSL_CERT_PATH" (printf "/app/config/codefresh-tls-certs/%s" $secretKey ) }}
+  {{- $_ := set (index $cfArgoCdExtrasContext.Values.eventReporter.volumes "codefresh-tls-certs") "nameOverride" $secretName }}
+{{- end }}
+
 {{ include "cf-argocd-extras.event-reporter.resources" $cfArgoCdExtrasContext }}

charts/gitops-runtime/templates/sources-server.yaml

@@ -10,12 +10,19 @@
       {{- $_ := set $cfArgoCdExtrasContext.Values.sourcesServer.container.env "ARGO_CD_TOKEN_SECRET_KEY" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.key is required" (index .Values "global" "external-argo-cd" "auth" "tokenSecretKeyRef" "key" )) }}
   {{- else }}
       {{- $_ := set $cfArgoCdExtrasContext.Values.sourcesServer.container.env "ARGO_CD_TOKEN_SECRET_NAME" "gitops-runtime-argo-cd-token" }}
-      {{- $_ := set $cfArgoCdExtrasContext.Values.sourcesServer.container.env "ARGO_CD_TOKEN_SECRET_KEY" "token" }}   
+      {{- $_ := set $cfArgoCdExtrasContext.Values.sourcesServer.container.env "ARGO_CD_TOKEN_SECRET_KEY" "token" }}
   {{- end }}
 {{- end }}
 
 {{- if and (index .Values "global" "external-argo-cd" "server" "rootpath") }}
-  {{- $_ := set $cfArgoCdExtrasContext.Values.sourcesServer.container.env "ARGOCD_SERVER_ROOTPATH" (index .Values "global" "external-argo-cd" "server" "rootpath") }}  
+  {{- $_ := set $cfArgoCdExtrasContext.Values.sourcesServer.container.env "ARGOCD_SERVER_ROOTPATH" (index .Values "global" "external-argo-cd" "server" "rootpath") }}
+{{- end }}
+
+{{- if or .Values.global.codefresh.tls.caCerts.secret.create .Values.global.codefresh.tls.caCerts.secretKeyRef }}
+  {{- $secretName := .Values.global.codefresh.tls.caCerts.secretKeyRef.name | default "codefresh-tls-certs" }}
+  {{- $secretKey := .Values.global.codefresh.tls.caCerts.secret.create | ternary (default "ca-bundle.crt" .Values.global.codefresh.tls.caCerts.secret.key) .Values.global.codefresh.tls.caCerts.secretKeyRef.key }}
+  {{- $_ := set $cfArgoCdExtrasContext.Values.sourcesServer.container.env "CODEFRESH_SSL_CERT_PATH" (printf "/app/config/codefresh-tls-certs/%s" $secretKey ) }}
+  {{- $_ := set (index $cfArgoCdExtrasContext.Values.sourcesServer.volumes "codefresh-tls-certs") "nameOverride" $secretName }}
 {{- end }}
 
 {{- include "cf-argocd-extras.sources-server.hpa" $cfArgoCdExtrasContext }}

charts/gitops-runtime/tests/cf-argocd-extras_test.yaml

@@ -154,3 +154,187 @@ tests:
       - equal:
           path: data["redis.server"]
           value: RELEASE-NAME-redis-ha-haproxy:6379
+
+  - it: Sources-Server should have an OPTIONAL codefresh-tls-certs volume and volumeMount by default
+    template: sources-server.yaml
+    documentSelector:
+      path: kind
+      value: Deployment
+    values:
+      - ./values/mandatory-values-ingress.yaml
+    asserts:
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: codefresh-tls-certs
+            secret:
+              secretName: codefresh-tls-certs
+              optional: true
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: codefresh-tls-certs
+            mountPath: /app/config/codefresh-tls-certs
+            readOnly: true
+
+  - it: Sources-Server should have CODEFRESH_SSL_CERT_PATH env var when .Values.global.codefresh.tls.caCerts.secret.create is true
+    template: sources-server.yaml
+    documentSelector:
+      path: kind
+      value: Deployment
+    values:
+      - ./values/mandatory-values-ingress.yaml
+    set:
+      global:
+        codefresh:
+          tls:
+            caCerts:
+              secret:
+                create: true
+                key: ca-bundle.crt
+                content: |
+                  -----BEGIN CERTIFICATE-----
+                  MIID...
+                  -----END CERTIFICATE-----
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].env[?(@.name == 'CODEFRESH_SSL_CERT_PATH')].value
+          value: /app/config/codefresh-tls-certs/ca-bundle.crt
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: codefresh-tls-certs
+            secret:
+              secretName: codefresh-tls-certs
+              optional: true
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: codefresh-tls-certs
+            mountPath: /app/config/codefresh-tls-certs
+            readOnly: true
+
+  - it: Sources-Server should have CODEFRESH_SSL_CERT_PATH env var when .Values.global.codefresh.tls.caCerts.secretKeyRef is set
+    template: sources-server.yaml
+    documentSelector:
+      path: kind
+      value: Deployment
+    values:
+      - ./values/mandatory-values-ingress.yaml
+    set:
+      global:
+        codefresh:
+          tls:
+            caCerts:
+              secretKeyRef:
+                name: my-codefresh-tls-certs
+                key: my-ca-bundle.crt
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].env[?(@.name == 'CODEFRESH_SSL_CERT_PATH')].value
+          value: /app/config/codefresh-tls-certs/my-ca-bundle.crt
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: codefresh-tls-certs
+            secret:
+              secretName: my-codefresh-tls-certs
+              optional: true
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: codefresh-tls-certs
+            mountPath: /app/config/codefresh-tls-certs
+            readOnly: true
+
+  - it: Event-Reporter should have an OPTIONAL codefresh-tls-certs volume and volumeMount by default
+    template: event-reporter.yaml
+    documentSelector:
+      path: kind
+      value: StatefulSet
+    values:
+      - ./values/mandatory-values-ingress.yaml
+    asserts:
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: codefresh-tls-certs
+            secret:
+              secretName: codefresh-tls-certs
+              optional: true
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: codefresh-tls-certs
+            mountPath: /app/config/codefresh-tls-certs
+            readOnly: true
+
+  - it: Event-Reporter should have CODEFRESH_SSL_CERT_PATH env var when .Values.global.codefresh.tls.caCerts.secret.create is true
+    template: event-reporter.yaml
+    documentSelector:
+      path: kind
+      value: StatefulSet
+    values:
+      - ./values/mandatory-values-ingress.yaml
+    set:
+      global:
+        codefresh:
+          tls:
+            caCerts:
+              secret:
+                create: true
+                key: ca-bundle.crt
+                content: |
+                  -----BEGIN CERTIFICATE-----
+                  MIID...
+                  -----END CERTIFICATE-----
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].env[?(@.name == 'CODEFRESH_SSL_CERT_PATH')].value
+          value: /app/config/codefresh-tls-certs/ca-bundle.crt
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: codefresh-tls-certs
+            secret:
+              secretName: codefresh-tls-certs
+              optional: true
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: codefresh-tls-certs
+            mountPath: /app/config/codefresh-tls-certs
+            readOnly: true
+
+  - it: Event-Reporter should have CODEFRESH_SSL_CERT_PATH env var when .Values.global.codefresh.tls.caCerts.secretKeyRef is set
+    template: event-reporter.yaml
+    documentSelector:
+      path: kind
+      value: StatefulSet
+    values:
+      - ./values/mandatory-values-ingress.yaml
+    set:
+      global:
+        codefresh:
+          tls:
+            caCerts:
+              secretKeyRef:
+                name: my-codefresh-tls-certs
+                key: my-ca-bundle.crt
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].env[?(@.name == 'CODEFRESH_SSL_CERT_PATH')].value
+          value: /app/config/codefresh-tls-certs/my-ca-bundle.crt
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: codefresh-tls-certs
+            secret:
+              secretName: my-codefresh-tls-certs
+              optional: true
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: codefresh-tls-certs
+            mountPath: /app/config/codefresh-tls-certs
+            readOnly: true