[kots]: add configuration for using a custom CA certificate

Simon Emms · Simon Emms · commit 18ca596c87b8 · 2022-04-26T16:18:02.000Z
diff --git a/install/kots/manifests/gitpod-ca-secret.yaml b/install/kots/manifests/gitpod-ca-secret.yaml
@@ -0,0 +1,14 @@
+# Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+# Licensed under the MIT License. See License-MIT.txt in the project root for license information.
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ca-certificate
+  labels:
+    app: gitpod
+    component: gitpod-installer
+  annotations:
+    kots.io/when: '{{repl and (ConfigOptionEquals "cert_manager_enabled" "0") (ConfigOptionNotEquals "tls_ca_crt" "") }}'
+data:
+  ca.crt: '{{repl ConfigOption "tls_ca_crt" }}'
diff --git a/install/kots/manifests/gitpod-installer-job.yaml b/install/kots/manifests/gitpod-installer-job.yaml
@@ -194,6 +194,18 @@ spec:
                 yq e -i '.sshGatewayHostKey.name = "ssh-gateway-host-key"' "${CONFIG_FILE}"
               fi
 
+              if [ '{{repl ConfigOptionEquals "tls_self_signed_enabled" "1" }}' = "true" ];
+              then
+                echo "Gitpod: Generating a self-signed certificate with the internal CA"
+                yq e -i '.customCACert.kind = "secret"' "${CONFIG_FILE}"
+                yq e -i '.customCACert.name = "ca-issuer-ca"' "${CONFIG_FILE}"
+              elif [ '{{repl ConfigOptionNotEquals "tls_ca_crt" "" }}' = "true" ];
+              then
+                echo "Gitpod: Setting CA to be used for certificate"
+                yq e -i '.customCACert.kind = "secret"' "${CONFIG_FILE}"
+                yq e -i '.customCACert.name = "ca-certificate"' "${CONFIG_FILE}"
+              fi
+
               echo "Gitpod: Patch Gitpod config"
               base64 -d "${CONFIG_PATCH_FILE}" > /tmp/patch.yaml
               config_patch=$(cat /tmp/patch.yaml)
diff --git a/install/kots/manifests/kots-config.yaml b/install/kots/manifests/kots-config.yaml
@@ -28,7 +28,7 @@ spec:
         - name: reg_incluster
           title: Use in-cluster container registry
           type: bool
-          when: '{{repl eq HasLocalRegistry false }}'
+          when: "{{repl eq HasLocalRegistry false }}"
           default: "1"
           help_text: You may either use an in-cluster container registry or configure your own external container registry for better performance. This container registry must be accessible from your Kubernetes cluster.
           recommended: false
@@ -258,7 +258,14 @@ spec:
           title: Use a self-signed TLS certificate
           type: bool
           default: "0"
-          help_text: A self-signed certficate should only be used if applying TLS termination to your load balancer or other proxy.
+          help_text: |
+            A self-signed certficate should only be used if applying TLS termination to your load balancer or other proxy.
+
+            If you are terminating your TLS connection with this certificate, you will need to download the [CA](https://en.wikipedia.org/wiki/Certificate_authority)
+            certificate and install it to your browser.
+
+            To download the certificate, run
+            `kubectl get secrets -n {{repl Namespace }}  ca-issuer-ca -o jsonpath='{.data.ca\.crt}' | base64 -d > ~/ca.crt`
 
         - name: cert_manager_enabled
           title: Use cert-manager
@@ -302,14 +309,20 @@ spec:
           when: '{{repl and (ConfigOptionEquals "tls_self_signed_enabled" "0") (ConfigOptionEquals "cert_manager_enabled" "0") }}'
           help_text: A file containing the TLS private key.
 
+        - name: tls_ca_crt
+          title: CA certificate
+          type: file
+          when: '{{repl and (ConfigOptionEquals "tls_self_signed_enabled" "0") (ConfigOptionEquals "cert_manager_enabled" "0") }}'
+          help_text: A file containing the Certificate Authority certificate. To be used if your certificate is signed by a non-public CA.
+
     - name: features
       title: Additional features
       items:
         - name: ssh_gateway
           title: Allow login to your workspace via SSH
           type: bool
           default: "0"
-          help_text: 'Enabling the SSH gateway allows use of additional desktop IDEs. IMPORTANT: This uses port 22 on your Kubernetes nodes. When enabled, this will prevent login to the cluster via SSH. If you wish to maintain SSH access to your cluster, please configure another SSH port on your nodes.'
+          help_text: "Enabling the SSH gateway allows use of additional desktop IDEs. IMPORTANT: This uses port 22 on your Kubernetes nodes. When enabled, this will prevent login to the cluster via SSH. If you wish to maintain SSH access to your cluster, please configure another SSH port on your nodes."
 
     - name: advanced
       title: Advanced customizations (Expert Mode)
