feat(helm): allows setting the NODE_EXTRA_CA_CERTS variable (#6217)

--------- Co-authored-by: Radim Dostál <radim.dostal@tetanet.cz> Co-authored-by: Nicolas Giard <github@ngpixel.com>
2023-03-11 23:14:00 +01:00
parent 26b2839c6b
commit 12d777f18a
3 changed files with 43 additions and 0 deletions
--- a/dev/helm/README.md
+++ b/dev/helm/README.md
@@ -115,6 +115,7 @@ The following table lists the configurable parameters of the Wiki.js chart and t
 | `sideload.enabled`                   | Enable sideloading of locale files from git | `false`                                                    |
 | `sideload.repoURL`                   | Git repository URL containing locale files  | `https://github.com/Requarks/wiki-localization`            |
 | `sideload.env`                       | Environment variables for sideload Container | `{}`                                                      |
+| `nodeExtraCaCerts`                   | Trusted certificates path                   | `nil`                                                      |
 | `postgresql.enabled`                 | Deploy postgres server (see below)          | `true`                                                     |
 | `postgresql.postgresqlDatabase`        | Postgres database name                      | `wiki`                                                   |
 | `postgresql.postgresqlUser`            | Postgres username                           | `postgres`                                                   |
@@ -175,3 +176,38 @@ See the [Configuration](#configuration) section to configure the PVC or to disab
 ## Ingress

 This chart provides support for Ingress resource. If you have an available Ingress Controller such as Nginx or Traefik you maybe want to set `ingress.enabled` to true and add `ingress.hosts` for the URL. Then, you should be able to access the installation using that address.
+
+## Extra Trusted Certificates
+
+To append extra CA Certificates:
+
+1. Create a ConfigMap with CAs in PEM format, e.g.:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ca
+  namespace: your-wikijs-namespace
+data:
+  certs.pem: |-
+    -----BEGIN CERTIFICATE-----
+    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+    -----END CERTIFICATE-----
+```
+
+2. Mount your CAs from the ConfigMap to the Wiki.js pod and set `nodeExtraCaCerts` helm variable. Insert the following lines to your Wiki.js `values.yaml`, e.g.:
+
+```yaml
+volumeMounts:
+  - name: ca
+    mountPath: /cas.pem
+    subPath: certs.pem
+
+volumes:
+  - name: ca
+    configMap:
+      name: ca
+
+nodeExtraCaCerts: "/cas.pem"
+```
--- a/dev/helm/templates/deployment.yaml
+++ b/dev/helm/templates/deployment.yaml
@@ -39,6 +39,10 @@ spec:
          image: "{{ .Values.image.repository }}:{{ default "latest" .Values.image.tag }}"
          imagePullPolicy: {{ default "IfNotPresent" .Values.image.imagePullPolicy }}
          env:
+            {{- if .Values.nodeExtraCaCerts }}
+            - name: NODE_EXTRA_CA_CERTS
+              value: {{ .Values.nodeExtraCaCerts }}
+            {{- end }}
            - name: DB_TYPE
              value: postgres
            {{- if (.Values.externalPostgresql).databaseURL }}
--- a/dev/helm/values.yaml
+++ b/dev/helm/values.yaml
@@ -113,6 +113,9 @@ sideload:
  #  - name: HTTPS_PROXY
  #    value: http://my.proxy.com:3128

+## Append extra trusted certificates for node process from extra volume via NODE_EXTRA_CA_CERTS variable
+# nodeExtraCaCerts: "/path/to/certs.pem"
+
 ## This will override the postgresql chart values
 # externalPostgresql:
 #   # note: ?sslmode=require => ?ssl=true