feat: allow custom CAs to be used when mounting csi-rclone volumes (#94)

Add the possibility to deploy csi-rclone with added custom CAs for mounting data sources.

Author: leafty

deploy/csi-rclone/templates/_certificates-init-container.tpl

@@ -0,0 +1,13 @@
+{{- define "csiRcloneCertificates.initContainer" -}}
+{{- $customCAsEnabled := .Values.csiNodepluginRclone.certificates.customCAs -}}
+- name: init-certificates
+  image: "{{ .Values.csiNodepluginRclone.certificates.image.repository }}:{{ .Values.csiNodepluginRclone.certificates.image.tag }}"
+  volumeMounts:
+    - name: etc-ssl-certs
+      mountPath: /etc/ssl/certs/
+    {{- if $customCAsEnabled }}
+    - name: custom-ca-certs
+      mountPath: /usr/local/share/ca-certificates
+      readOnly: true
+    {{- end -}}
+{{- end -}}

deploy/csi-rclone/templates/_certificates-volume-mounts.tpl

@@ -0,0 +1,5 @@
+{{- define "csiRcloneCertificates.volumeMounts.system" -}}
+- name: etc-ssl-certs
+  mountPath: /etc/ssl/certs/
+  readOnly: true
+{{- end -}}

deploy/csi-rclone/templates/_certificates-volumes.tpl

@@ -0,0 +1,18 @@
+{{- define "csiRcloneCertificatesForMounts.volumes" -}}
+{{- $customCAsEnabled := .Values.csiNodepluginRclone.certificates.customCAs -}}
+- name: etc-ssl-certs
+  emptyDir:
+    medium: "Memory"
+{{- if $customCAsEnabled }}
+- name: custom-ca-certs
+  projected:
+    defaultMode: 0444
+    sources:
+    {{- if $customCAsEnabled }}
+    {{- range $customCA := .Values.csiNodepluginRclone.certificates.customCAs }}
+      - secret:
+          name: {{ $customCA.secret }}
+    {{- end -}}
+    {{- end -}}
+{{- end -}}
+{{- end -}}

deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml

@@ -20,6 +20,8 @@ spec:
     spec:
       serviceAccountName: {{ include "chart.fullname" . }}-nodeplugin
       dnsPolicy: ClusterFirstWithHostNet
+      initContainers:
+      {{- include "csiRcloneCertificates.initContainer" . | nindent 6 }}
       containers:
       - name: node-driver-registrar
         args:
@@ -143,6 +145,7 @@ spec:
           name: pods-mount-dir
         - mountPath: /var/lib/rclone
           name: cache-dir
+        {{- include "csiRcloneCertificates.volumeMounts.system" . | nindent 8 }}
     {{- with .Values.csiNodepluginRclone.nodeSelector }}
       nodeSelector:
         {{ toYaml . | nindent 8 }}
@@ -170,3 +173,4 @@ spec:
         name: registration-dir
       - name: cache-dir
         emptyDir: {}
+      {{- include "csiRcloneCertificatesForMounts.volumes" . | nindent 6 }}

deploy/csi-rclone/values.yaml

@@ -106,6 +106,17 @@ csiNodepluginRclone:
     #   value: "32M"
     # - name: "transfers"
     #   value: "8"
+  ## Specify the name of a existing K8s secrets that contains the certificate
+  ## if you would like to use custom CAs. The key for the secret
+  ## should have the .crt extension otherwise it is ignored. The
+  ## keys across all secrets are mounted as files in one location so
+  ## the keys across all secrets have to be unique.
+  certificates:
+    image:
+      repository: renku/certificates
+      tag: "0.0.2"
+    customCAs: []
+    # - secret:
   serviceAccount:
     annotations: {}
   nodeSelector: {}