[bitnami/dokuwiki] Inject certificates into image (#2942)

Add a certificate authority and tls certificate into the image. Pulls
from kubernetes secret using a sidecar init container.

Signed-off-by: Joseph Ball <joseph.ball@packetsolutions.io>

bitnami/dokuwiki/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: dokuwiki
-version: 6.0.18
+version: 6.1.0
 appVersion: 0.20180422.202005011246
 description: DokuWiki is a standards-compliant, simple to use wiki optimized for creating
   documentation. It is targeted at developer teams, workgroups, and small companies.

bitnami/dokuwiki/README.md

@@ -111,6 +111,19 @@ The following table lists the configurable parameters of the DokuWiki chart and
 | `metrics.image.pullSecrets`          | Specify docker-registry secret names as an array                                                      | `[]` (does not add image pull secrets to deployed pods)      |
 | `metrics.podAnnotations`             | Additional annotations for Metrics exporter pod                                                       | `{prometheus.io/scrape: "true", prometheus.io/port: "9117"}` |
 | `metrics.resources`                  | Exporter resource requests/limit                                                                      | {}                                                           |
+| `certificates.customCertificate.certificateSecret`   | Secret containing the certificate and key to add                                      | `""`                                                         |
+| `certificates.customCertificate.chainSecret.name`    | Name of the secret containing the certificate chain                                   | `""`                                                         |
+| `certificates.customCertificate.chainSecret.key`     | Key of the certificate chain file inside the secret                                   | `""`                                                         |
+| `certificates.customCertificate.certificateLocation` | Location in the container to store the certificate                                    | `/etc/ssl/certs/ssl-cert-snakeoil.pem`                       |
+| `certificates.customCertificate.keyLocation`         | Location in the container to store the private key                                    | `/etc/ssl/private/ssl-cert-snakeoil.key`                     |
+| `certificates.customCertificate.chainLocation`       | Location in the container to store the certificate chain                              | `/etc/ssl/certs/chain.pem`                                   |
+| `certificates.customCA`              | Defines a list of secrets to import into the container trust store                                    | `[]`                                                         |
+| `certificates.image.registry`        | Container sidecar registry                                                                            | `docker.io`                                                  |
+| `certificates.image.repository`      | Container sidecar image                                                                               | `bitnami/minideb`                                            |
+| `certificates.image.tag`             | Container sidecar image tag                                                                           | `buster`                                                     |
+| `certificates.image.pullPolicy`      | Container sidecar image pull policy                                                                   | `IfNotPresent`                                               |
+| `certificates.image.pullSecrets`     | Container sidecar image pull secrets                                                                  | `image.pullSecrets`                                          |
+| `certificates.extraEnvVars`          | Container sidecar extra environment variables (eg proxy)                                              | `[]`                                                         |
 
 The above parameters map to the env variables defined in [bitnami/dokuwiki](http://github.com/bitnami/bitnami-docker-dokuwiki). For more information please refer to the [bitnami/dokuwiki](http://github.com/bitnami/bitnami-docker-dokuwiki) image documentation.
 
@@ -148,6 +161,55 @@ Persistent Volume Claims are used to keep the data across deployments. There is
 
 See the [Parameters](#parameters) section to configure the PVC or to disable persistence.
 
+## Certificates
+
+### CA Certificates
+Custom CA certificates not included in the base docker image can be added with
+the following configuration. The secret must exist in the same namespace as the
+deployment. Will load all certificates files it finds in the secret.
+
+```yaml
+certificates:
+  customCAs:
+  - secret: my-ca-1
+  - secret: my-ca-2
+```
+
+#### Secret
+Secret can be created with:
+
+```bash
+kubectl create secret generic my-ca-1 --from-file my-ca-1.crt
+```
+
+### TLS Certificate
+A web server TLS Certificate can be injected into the container with the
+following configuration. The certificate will be stored at the location
+specified in the certificateLocation value.
+
+```yaml
+certificates:
+  customCertificate:
+    certificateSecret: my-secret
+    certificateLocation: /ssl/server.pem
+    keyLocation: /ssl/key.pem
+    chainSecret:
+      name: my-cert-chain-secret
+      key: chain.pem
+```
+
+#### Secret
+The certificate tls secret can be created with:
+
+```bash
+kubectl create secret tls my-secret --cert tls.crt --key tls.key
+```
+
+The certificate chain is created with:
+```bash
+kubectl create secret generic my-ca-1 --from-file my-ca-1.crt
+```
+
 ## Upgrading
 
 ### To 6.0.0

bitnami/dokuwiki/templates/_certificates.tpl

@@ -0,0 +1,126 @@
+{{/* Templates for certificates injection */}}
+
+{{/*
+Return the proper Redmine image name
+*/}}
+{{- define "certificates.image" -}}
+{{- $registryName := default .Values.certificates.image.registry .Values.image.registry -}}
+{{- $repositoryName := .Values.certificates.image.repository -}}
+{{- $tag := .Values.certificates.image.tag | toString -}}
+{{/*
+Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
+but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
+Also, we can't use a single if because lazy evaluation is not an option
+*/}}
+{{- if .Values.global }}
+    {{- if .Values.global.imageRegistry }}
+        {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
+    {{- else -}}
+        {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+    {{- end -}}
+{{- else -}}
+    {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "certificates.initContainer" -}}
+{{- if .Values.certificates.customCAs }}
+- name: certificates
+  image: {{ template "certificates.image" . }}
+  imagePullPolicy: {{ default .Values.image.pullPolicy .Values.certificates.image.pullPolicy }}
+  imagePullSecrets:
+  {{- range (default .Values.image.pullSecrets .Values.certificates.image.pullSecrets) }}
+    - name: {{ . }}
+  {{- end }}
+  command:
+  {{- if .Values.certificates.customCertificate.certificateSecret }}
+  - sh
+  - -c
+  - if command -v apk >/dev/null; then apk add --no-cache ca-certificates openssl && update-ca-certificates;
+    else apt-get update && apt-get install -y ca-certificates openssl; fi
+  {{- else }}
+  - sh
+  - -c
+  - if command -v apk >/dev/null; then apk add --no-cache ca-certificates openssl && update-ca-certificates;
+    else apt-get update && apt-get install -y ca-certificates openssl; fi
+    && openssl req -new -x509 -days 3650 -nodes -sha256
+       -subj "/CN=$(hostname)" -addext "subjectAltName = DNS:$(hostname)"
+       -out  /etc/ssl/certs/ssl-cert-snakeoil.pem
+       -keyout /etc/ssl/private/ssl-cert-snakeoil.key -extensions v3_req
+  {{- end }}
+  {{- if .Values.certificates.extraEnvVars }}
+  env:
+  {{- tpl (toYaml .Values.certificates.extraEnvVars) $ | nindent 2 }}
+  {{- end }}
+  volumeMounts:
+    - name: etc-ssl-certs
+      mountPath: /etc/ssl/certs
+      readOnly: false
+    - name: etc-ssl-private
+      mountPath: /etc/ssl/private
+      readOnly: false
+    - name: custom-ca-certificates
+      mountPath: /usr/local/share/ca-certificates
+      readOnly: true
+{{- end }}
+{{- end }}
+
+{{- define "certificates.volumes" -}}
+{{- if .Values.certificates.customCAs }}
+- name: etc-ssl-certs
+  emptyDir:
+    medium: "Memory"
+- name: etc-ssl-private
+  emptyDir:
+    medium: "Memory"
+- name: custom-ca-certificates
+  projected:
+    defaultMode: 0400
+    sources:
+    {{- range $index, $customCA := .Values.certificates.customCAs }}
+    - secret:
+        name: {{ $customCA.secret }}
+        # items not specified, will mount all keys
+    {{- end }}
+{{- end -}}
+{{- if .Values.certificates.customCertificate.certificateSecret }}
+- name: custom-certificate
+  secret:
+    secretName: {{ .Values.certificates.customCertificate.certificateSecret }}
+{{- if .Values.certificates.customCertificate.chainSecret }}
+- name: custom-certificate-chain
+  secret:
+    secretName: {{ .Values.certificates.customCertificate.chainSecret.name }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "certificates.volumeMount" -}}
+{{- if .Values.certificates.customCAs }}
+- name: etc-ssl-certs
+  mountPath: /etc/ssl/certs/
+  readOnly: false
+- name: etc-ssl-private
+  mountPath: /etc/ssl/private/
+  readOnly: false
+- name: custom-ca-certificates
+  mountPath: /usr/local/share/ca-certificates
+  readOnly: true
+{{- end -}}
+{{- if .Values.certificates.customCertificate.certificateSecret }}
+- name: custom-certificate
+  mountPath: {{ .Values.certificates.customCertificate.certificateLocation }}
+  subPath: tls.crt
+  readOnly: true
+- name: custom-certificate
+  mountPath: {{ .Values.certificates.customCertificate.keyLocation }}
+  subPath: tls.key
+  readOnly: true
+{{- if .Values.certificates.customCertificate.chainSecret }}
+- name: custom-certificate-chain
+  mountPath: {{ .Values.certificates.customCertificate.chainLocation }}
+  subPath: {{ .Values.certificates.customCertificate.chainSecret.key }}
+  readOnly: true
+{{- end }}
+{{- end -}}
+{{- end -}}

bitnami/dokuwiki/templates/deployment.yaml

@@ -45,6 +45,8 @@ spec:
       - ip: "127.0.0.1"
         hostnames:
         - "status.localhost"
+      initContainers:
+      {{- include "certificates.initContainer" . | indent 8 }}
       containers:
       - name: {{ template "dokuwiki.fullname" . }}
         image: {{ template "dokuwiki.image" . }}
@@ -93,6 +95,7 @@ spec:
         resources:
 {{ toYaml .Values.resources | indent 10 }}
         volumeMounts:
+        {{- include "certificates.volumeMount" . | indent 8 }}
         - name: dokuwiki-data
           mountPath: /bitnami/dokuwiki
 {{- if .Values.metrics.enabled }}
@@ -119,6 +122,7 @@ spec:
   {{ toYaml .Values.metrics.resources | indent 10 }}
 {{- end }}
       volumes:
+      {{- include "certificates.volumes" . | indent 6 }}
       - name: dokuwiki-data
       {{- if .Values.persistence.enabled }}
         persistentVolumeClaim:

bitnami/dokuwiki/values.yaml

@@ -209,3 +209,32 @@ metrics:
     ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
     ##
   # resources: {}
+
+# Add custom certificates and certificate authorities to redmine container
+certificates:
+  customCertificate:
+    certificateSecret: ""
+    chainSecret: {}
+    # name: secret-name
+    # key: secret-key
+    certificateLocation: /etc/ssl/certs/ssl-cert-snakeoil.pem
+    keyLocation: /etc/ssl/private/ssl-cert-snakeoil.key
+    chainLocation: /etc/ssl/certs/mychain.pem
+  customCA: []
+  # - secret: custom-CA
+  # - secret: more-custom-CAs
+  image:
+    registry: docker.io
+    repository: bitnami/minideb
+    tag: buster
+    ## Specify a imagePullPolicy
+    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ##
+    pullPolicy: IfNotPresent
+    # pullPolicy:
+    # pullSecrets
+    #   - myRegistryKeySecretName
+  extraEnvVars: []
+  # - name: myvar
+  #   value: myval