Support custom CA certificates in Helm

Author: iQQBot

chart/templates/_helpers.tpl

@@ -357,6 +357,39 @@ storage:
 {{- end -}}
 {{- end -}}
 
+{{/* custom ca bundle volume and volumeMount */}}
+{{- define "gitpod.caBundleVolume" -}}
+{{- if .Values.fullCABundleSecretName -}}
+- name: ca-bundle-certs
+  secret:
+    secretName: {{ .Values.fullCABundleSecretName }}
+{{- end -}}
+{{- end -}}
+
+{{- define "gitpod.caBundleVolumeMount" -}}
+{{- if .Values.fullCABundleSecretName -}}
+- name: ca-bundle-certs
+  mountPath: /etc/ssl/certs/ca-certificates.crt
+  subPath: ca-certificates.crt
+{{- end -}}
+{{- end -}}
+
+{{- define "gitpod.extraCABundleVolume" -}}
+{{- if .Values.extraCABundleSecretName -}}
+- name: extra-certs
+  secret:
+    secretName: {{ .Values.extraCABundleSecretName }}
+{{- end -}}
+{{- end -}}
+
+{{- define "gitpod.extraCABundleVolumeMount" -}}
+{{- if .Values.extraCABundleSecretName -}}
+- name: extra-certs
+  mountPath: /etc/ssl/certs/extra/ca-certificates.crt
+  subPath: ca-certificates.crt
+{{- end -}}
+{{- end -}}
+
 {{- define "gitpod.kube-rbac-proxy" -}}
 - name: kube-rbac-proxy
   image: quay.io/brancz/kube-rbac-proxy:v0.11.0

chart/templates/blobserve-deployment.yaml

@@ -65,6 +65,9 @@ spec:
           mountPath: /mnt/pull-secret.json
           subPath: .dockerconfigjson
         {{- end }}
+        {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+        {{- end }}
 {{ include "gitpod.kube-rbac-proxy" $this | indent 6 }}
       volumes:
       - name: cache
@@ -77,5 +80,8 @@ spec:
         secret:
           secretName: {{ .Values.components.workspace.pullSecret.secretName }}
       {{- end }}
+      {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+      {{- end }}
 {{ toYaml .Values.defaults | indent 6 }}
 {{ end }}

chart/templates/content-service-deployment.yaml

@@ -61,13 +61,19 @@ spec:
         - name: config
           mountPath: "/config"
           readOnly: true
+        {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+        {{- end }}
 {{- if $comp.volumeMounts }}
 {{ toYaml $comp.volumeMounts | indent 8 }}
 {{- end }}
       volumes:
       - name: config
         configMap:
           name: {{ template "gitpod.comp.configMap" $this }}
+      {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+      {{- end }}
 {{- if $comp.volumes }}
 {{ toYaml $comp.volumes | indent 6 }}
 {{- end }}

chart/templates/image-builder-deployment.yaml

@@ -64,6 +64,9 @@ spec:
         secret:
           secretName: {{ $sec.secret }}
 {{- end }}
+      {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+      {{- end }}
       enableServiceLinks: false
       containers:
       - name: dind
@@ -80,6 +83,9 @@ spec:
         - mountPath: /etc/docker/certs.d/{{- if eq $sec.name "builtin" -}}{{ template "gitpod.builtinRegistry.name" $this.root }}{{ else }}{{ $sec.name }}{{ end }}
           name: docker-tls-certs-{{ $idx }}
 {{- end }}
+        {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+        {{- end }}
 {{- if $comp.dindResources }}
         resources:
 {{ toYaml $comp.dindResources | indent 10 }}
@@ -105,6 +111,9 @@ spec:
           name: pull-secret
 {{- end }}
 {{- end }}
+        {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+        {{- end }}
         resources:
           requests:
             cpu: {{ $.Values.resources.default.cpu }}

chart/templates/image-builder-mk3-deployment.yaml

@@ -60,6 +60,9 @@ spec:
       - name: wsman-tls-certs
         secret:
           secretName: {{ .Values.components.wsManager.tls.server.secretName }}
+      {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+      {{- end }}
       enableServiceLinks: false
       containers:
 {{ include "gitpod.kube-rbac-proxy" $this | indent 6 }}
@@ -86,6 +89,9 @@ spec:
           name: pull-secret
 {{- end }}
 {{- end }}
+        {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+        {{- end }}
         resources:
           requests:
             cpu: {{ $.Values.resources.default.cpu }}

chart/templates/proxy-deployment.yaml

@@ -105,6 +105,9 @@ spec:
 {{- end }}
         - name: config-certificates
           mountPath: "/etc/caddy/certificates"
+        {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+        {{- end }}
 {{ include "gitpod.container.defaultEnv" (dict "root" . "gp" $.Values "comp" $comp) | indent 8 }}
         - name: PROXY_DOMAIN
           value: "{{ $.Values.hostname }}"
@@ -123,5 +126,8 @@ spec:
       - name: config-certificates
         secret:
           secretName: {{ $.Values.certificatesSecret.secretName }}
+      {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+      {{- end }}
 {{ toYaml .Values.defaults | indent 6 }}
 {{ end }}

chart/templates/registry-facade-daemonset.yaml

@@ -71,6 +71,9 @@ spec:
         - name: https-certificates
           mountPath: "/mnt/certificates"
         {{- end }}
+        {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+        {{- end }}
 {{ include "gitpod.kube-rbac-proxy" $this | indent 6 }}
       volumes:
       - name: cache
@@ -91,5 +94,8 @@ spec:
         secret:
           secretName: {{ .Values.certificatesSecret.secretName }}
       {{- end }}
+      {{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+      {{- end }}
 {{ toYaml .Values.defaults | indent 6 }}
 {{ end }}

chart/templates/server-deployment.yaml

@@ -105,6 +105,9 @@ spec:
           mountPath: "{{ dir $comp.githubApp.certPath }}"
           readOnly: true
 {{- end }}
+{{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
+{{- end }}
 {{- if $comp.serverContainer.volumeMounts }}
 {{ toYaml $comp.serverContainer.volumeMounts | indent 8 }}
 {{- end }}
@@ -145,5 +148,8 @@ spec:
 {{- if $comp.volumes }}
 {{ toYaml $comp.volumes | indent 6 }}
 {{- end }}
+{{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
+{{- end }}
 {{ toYaml .Values.defaults | indent 6 }}
 {{ end }}

chart/templates/ws-daemon-daemonset.yaml

@@ -100,6 +100,9 @@ spec:
       {{- end }}
 {{- if $comp.volumes }}
 {{ toYaml $comp.volumes | indent 6 }}
+{{- end }}
+{{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolume" . | indent 6 }}
 {{- end }}
       enableServiceLinks: false
 {{- if (or $comp.userNamespaces.shiftfsModuleLoader.enabled $comp.userNamespaces.seccompProfileInstaller.enabled) }}
@@ -267,6 +270,9 @@ spec:
           name: tls-certs
 {{- if $comp.volumeMounts }}
 {{ toYaml $comp.volumeMounts | indent 8 }}
+{{- end }}
+{{- if .Values.fullCABundleSecretName }}
+{{ include "gitpod.caBundleVolumeMount" . | indent 8 }}
 {{- end }}
         args: ["run", "--config", "/config/config.json"]
         image: {{ template "gitpod.comp.imageFull" $this }}

chart/templates/ws-manager-deployment.yaml

@@ -56,6 +56,9 @@ spec:
       - name: workspace-template
         configMap:
           name: workspace-template
+      {{- if .Values.extraCABundleSecretName }}
+{{ include "gitpod.extraCABundleVolume" . | indent 6 }}
+      {{- end }}
 {{- if $comp.volumes }}
 {{ toYaml $comp.volumes | indent 6 }}
 {{- end }}
@@ -81,6 +84,9 @@ spec:
         - mountPath: /certs
           name: tls-certs
           readOnly: true
+        {{- if .Values.extraCABundleSecretName }}
+{{ include "gitpod.extraCABundleVolumeMount" . | indent 8 }}
+        {{- end }}
 {{- if $comp.volumeMounts }}
 {{ toYaml $comp.volumeMounts | indent 8 }}
 {{- end }}

chart/values.yaml

@@ -761,3 +761,5 @@ cert-manager:
     certificate:
       selfSigned: true
       secretName: gitpod-ca-certificate
+
+# fullCABundleSecretName: full-ca-bundle

components/supervisor/pkg/supervisor/supervisor.go

@@ -9,6 +9,7 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -148,6 +149,7 @@ func Run(options ...RunOption) {
 		return
 	}
 
+	mergeExtraCABundle()
 	err = AddGitpodUserIfNotExists()
 	if err != nil {
 		log.WithError(err).Fatal("cannot ensure Gitpod user exists")
@@ -352,6 +354,21 @@ func Run(options ...RunOption) {
 	wg.Wait()
 }
 
+func mergeExtraCABundle() {
+	if c := os.Getenv("GITPOD_EXTRA_CA_BUNDLE"); c != "" {
+		crt, err := base64.RawStdEncoding.DecodeString(c)
+		if err != nil {
+			return
+		}
+		file, err := os.OpenFile("/etc/ssl/certs/ca-certificates.crt", os.O_WRONLY|os.O_APPEND, 0622)
+		if err != nil {
+			return
+		}
+		_, _ = file.Write(crt)
+		_ = file.Close()
+	}
+}
+
 func createGitpodService(cfg *Config, tknsrv api.TokenServiceServer) *gitpod.APIoverJSONRPC {
 	endpoint, host, err := cfg.GitpodAPIEndpoint()
 	if err != nil {

components/ws-manager/pkg/manager/create.go

@@ -10,6 +10,7 @@ import (
 	"encoding/base64"
 	"fmt"
 	"io"
+	"os"
 	"path/filepath"
 	"reflect"
 	"strconv"
@@ -568,6 +569,14 @@ func (m *Manager) createWorkspaceEnvironment(startContext *startWorkspaceContext
 	result = append(result, corev1.EnvVar{Name: "THEIA_WEBVIEW_EXTERNAL_ENDPOINT", Value: "webview-{{hostname}}"})
 	result = append(result, corev1.EnvVar{Name: "THEIA_MINI_BROWSER_HOST_PATTERN", Value: "browser-{{hostname}}"})
 
+	if _, err := os.Stat("/etc/ssl/certs/extra/ca-certificates.crt"); err == nil {
+		crt, err := os.ReadFile("/etc/ssl/certs/extra/ca-certificates.crt")
+		if err == nil {
+			base64Crt := base64.RawStdEncoding.EncodeToString(crt)
+			result = append(result, corev1.EnvVar{Name: "GITPOD_EXTRA_CA_BUNDLE", Value: base64Crt})
+		}
+	}
+
 	// We don't require that Git be configured for workspaces
 	if spec.Git != nil {
 		result = append(result, corev1.EnvVar{Name: "GITPOD_GIT_USER_NAME", Value: spec.Git.Username})