gitops operator custom tls injection (#250)

ilia-medvedev-codefresh · web-flow · commit 64a60007f14d · 2024-07-28T11:01:00.000+03:00
diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml
@@ -38,7 +38,7 @@ dependencies:
   condition: tunnel-client.enabled
 - name: codefresh-gitops-operator
   repository: oci://quay.io/codefresh/charts
-  version: 0.1.5
+  version: 0.2.0
   alias: gitops-operator
   condition: gitops-operator.enabled
 - name: garage
diff --git a/charts/gitops-runtime/ci/default-values-custom-tls.yaml b/charts/gitops-runtime/ci/default-values-custom-tls.yaml
@@ -0,0 +1,65 @@
+global:
+  codefresh:
+    accountId: 628a80b693a15c0f9c13ab75 # Codefresh Account id for ilia-codefresh for now, needs to be some test account
+    userToken:
+      secretKeyRef:
+        name: mysecret
+        key: myvalue
+        optional: true
+    tls:
+      # --  Custom CA certificates bundle for platform access with ssl
+      caCerts:
+        # -- Reference to existing secret
+        secretKeyRef: {}
+        # -- Chart managed secret for custom platform CA certificates
+        secret:
+          # -- Whether to create the secret.
+          create: true
+          # -- The secret key that holds the ca bundle
+          key: 'ca-bundle.crt'
+          # Annotations
+          annotations: {}
+          # Certificate content
+          content: |
+            -----BEGIN CERTIFICATE-----
+            MIIEMDCCAxigAwIBAgIQUJRs7Bjq1ZxN1ZfvdY+grTANBgkqhkiG9w0BAQUFADCB
+            gjELMAkGA1UEBhMCVVMxHjAcBgNVBAsTFXd3dy54cmFtcHNlY3VyaXR5LmNvbTEk
+            MCIGA1UEChMbWFJhbXAgU2VjdXJpdHkgU2VydmljZXMgSW5jMS0wKwYDVQQDEyRY
+            UmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQxMTAxMTcx
+            NDA0WhcNMzUwMTAxMDUzNzE5WjCBgjELMAkGA1UEBhMCVVMxHjAcBgNVBAsTFXd3
+            dy54cmFtcHNlY3VyaXR5LmNvbTEkMCIGA1UEChMbWFJhbXAgU2VjdXJpdHkgU2Vy
+            dmljZXMgSW5jMS0wKwYDVQQDEyRYUmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBB
+            dXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCYJB69FbS6
+            38eMpSe2OAtp87ZOqCwuIR1cRN8hXX4jdP5efrRKt6atH67gBhbim1vZZ3RrXYCP
+            KZ2GG9mcDZhtdhAoWORlsH9KmHmf4MMxfoArtYzAQDsRhtDLooY2YKTVMIJt2W7Q
+            DxIEM5dfT2Fa8OT5kavnHTu86M/0ay00fOJIYRyO82FEzG+gSqmUsE3a56k0enI4
+            qEHMPJQRfevIpoy3hsvKMzvZPTeL+3o+hiznc9cKV6xkmxnr9A8ECIqsAxcZZPRa
+            JSKNNCyy9mgdEm3Tih4U2sSPpuIjhdV6Db1q4Ons7Be7QhtnqiXtRYMh/MHJfNVi
+            PvryxS3T/dRlAgMBAAGjgZ8wgZwwEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0P
+            BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMZPoj0GY4QJnM5i5ASs
+            jVy16bYbMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwueHJhbXBzZWN1cml0
+            eS5jb20vWEdDQS5jcmwwEAYJKwYBBAGCNxUBBAMCAQEwDQYJKoZIhvcNAQEFBQAD
+            ggEBAJEVOQMBG2f7Shz5CmBbodpNl2L5JFMn14JkTpAuw0kbK5rc/Kh4ZzXxHfAR
+            vbdI4xD2Dd8/0sm2qlWkSLoC295ZLhVbO50WfUfXN+pfTXYSNrsf16GBBEYgoyxt
+            qZ4Bfj8pzgCT3/3JknOJiWSe5yvkHJEs0rnOfc5vMZnT5r7SHpDwCRR5XCOrTdLa
+            IR9NmXmd4c8nnxCbHIgNsIpkQTG4DmyQJKSbXHGPurt+HBvbaoAPIbzp26a3QPSy
+            i6mx5O+aGtA9aZnuqCij4Tyz8LIRnM98QObd50N9otg6tamN8jSZxNQQ4Qb9CYQQ
+            O+7ETPTsJ3xCwnR8gooJybQDJbw=
+            -----END CERTIFICATE-----
+
+  runtime:
+    name: default
+
+    ingress:
+      className: "nginx"
+      hosts:
+      - runtime.codefresh.local
+
+    repoCredentialsTemplate:
+      url: 'https://github.com'
+      username: 'username'
+      password: 'dummy'
+
+
+argo-rollouts:
+  enabled: true
diff --git a/charts/gitops-runtime/templates/gitops-operator.yaml b/charts/gitops-runtime/templates/gitops-operator.yaml
@@ -25,6 +25,12 @@
     {{- end }}
   {{- end}}
 
+  {{/* Set certificates */}}
+  {{- if or .Values.global.codefresh.tls.caCerts.secret.create .Values.global.codefresh.tls.caCerts.secretKeyRef}}
+    {{- $_ := set $gitopsOperatorContext.Values.global.codefresh.tls.caCerts.secretKeyRef "name" (.Values.global.codefresh.tls.caCerts.secret.create | ternary "codefresh-tls-certs" .Values.global.codefresh.tls.caCerts.secretKeyRef.name) }}
+    {{- $_ := set $gitopsOperatorContext.Values.global.codefresh.tls.caCerts.secretKeyRef "key" (.Values.global.codefresh.tls.caCerts.secret.create | ternary (default "ca-bundle.crt" .Values.global.codefresh.tls.caCerts.secret.key) .Values.global.codefresh.tls.caCerts.secretKeyRef.key) }}
+  {{- end }}
+
   {{- include "gitops-operator.resources" $gitopsOperatorContext}}
 
 {{- end }}
diff --git a/charts/gitops-runtime/tests/custom-ca_test.yaml b/charts/gitops-runtime/tests/custom-ca_test.yaml
@@ -8,6 +8,8 @@ templates:
   - event-reporters/events-reporter/sensor.yaml
   - event-reporters/rollout-reporter/sensor.yaml
   - hooks/pre-uninstall/delete-runtime-from-platform.yaml
+  - "gitops-operator.yaml"
+  - charts/gitops-operator/*
 tests:
 
 - it: test chart created secret contents - default secret key
@@ -441,3 +443,64 @@ tests:
             -----BEGIN CERTIFICATE-----
             override
             -----END CERTIFICATE-----
+
+- it: gitops operator chart created secret
+  template: gitops-operator.yaml
+  documentSelector:
+    path: kind
+    value: Deployment
+  values:
+  - ./values/mandatory-values.yaml
+  set:
+    global.codefresh.tls.caCerts.secret.annotations.test: 'test'
+    global.codefresh.tls.caCerts.secret.create: true
+    global.codefresh.tls.caCerts.secret.key: my-key
+    global.codefresh.tls.caCerts.secret.content: |
+      -----BEGIN CERTIFICATE-----
+      ... encoded certificate data here ...
+      -----END CERTIFICATE-----
+  asserts:
+  - contains:
+      path: spec.template.spec.containers[1].env
+      content:
+        name: CF_CA_CERT
+        value: /app/config/codefresh-tls/my-key
+  - contains:
+      path: spec.template.spec.containers[1].volumeMounts
+      content:
+        name: codefresh-tls
+        mountPath: /app/config/codefresh-tls
+  - contains:
+      path: spec.template.spec.volumes
+      content:
+        name: codefresh-tls
+        secret:
+          secretName: codefresh-tls-certs
+
+- it: gitops operator existing secret
+  template: gitops-operator.yaml
+  documentSelector:
+    path: kind
+    value: Deployment
+  values:
+  - ./values/mandatory-values.yaml
+  set:
+    global.codefresh.tls.caCerts.secretKeyRef.name: my-tls
+    global.codefresh.tls.caCerts.secretKeyRef.key: my-key
+  asserts:
+  - contains:
+      path: spec.template.spec.containers[1].env
+      content:
+        name: CF_CA_CERT
+        value: /app/config/codefresh-tls/my-key
+  - contains:
+      path: spec.template.spec.containers[1].volumeMounts
+      content:
+        name: codefresh-tls
+        mountPath: /app/config/codefresh-tls
+  - contains:
+      path: spec.template.spec.volumes
+      content:
+        name: codefresh-tls
+        secret:
+          secretName: my-tls
