23 changes: 23 additions & 0 deletions .pipelines/helm-chart-validation.yml
Expand Up @@ -70,6 +70,8 @@ steps:
password: test123
redis:
password: test123
customCa:
customCaCertificate: $(CUSTOM_CA_CERTIFICATE)
defaults:
dockerhub_config:
configContent: $(DOCKERHUB_CONFIG)
Expand Down Expand Up @@ -172,6 +174,27 @@ steps:
fi
displayName: 'Validate Templates'

- script: |
set -euo pipefail

echo "Verifying Keycloak custom CA volume mount in Helm template"

# Redirect output to file
helm template $(RELEASE_NAME) $(CHART_PATH) -f values.yaml --namespace $(NAMESPACE) > template_output.yaml 2>&1

KEYCLOAK_CONTAINER="${RELEASE_NAME}-keycloak"

# Extract volume mounts for container $(RELEASE_NAME)-keycloak from the rendered template file
VOLUME_MOUNTS=$(yq e ".spec.template.spec.containers[] | select(.name==\"$KEYCLOAK_CONTAINER\") | .volumeMounts[].name" template_output.yaml)

if echo "$VOLUME_MOUNTS" | grep -q "^custom-ca-certificate$"; then
echo "Found 'custom-ca-certificate' volume mount in Helm template as expected"
else
echo "Missing 'custom-ca-certificate' volume mount in Helm template"
exit 1
fi
displayName: 'Check Keycloak custom CA volume in Helm template'

- script: |
set -euo pipefail
kubectl create namespace $(NAMESPACE)
Expand Down
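Review bot: In the 'Check Keycloak custom CA volume in Helm template' step, the `2>&1` on the `helm template` line sends helm's warnings and errors into template_output.yaml, so any stderr output corrupts the file that yq then parses and a helm failure surfaces as a confusing yq parse error instead. Drop the redirect so stderr reaches the job log and `set -e` stops the step on the real failure: `helm template "$(RELEASE_NAME)" "$(CHART_PATH)" -f values.yaml --namespace "$(NAMESPACE)" > template_output.yaml`. The check also only proves a volumeMount named `custom-ca-certificate` exists; since the matching `volumes[]` entry is rendered under the same condition in keycloak-statefulset.yaml, a second lookup such as `yq e '.spec.template.spec.volumes[] | select(.name=="custom-ca-certificate") | .secret.secretName' template_output.yaml` would catch a mount with no backing volume. The step mixes `$(RELEASE_NAME)` pipeline macros with the `${RELEASE_NAME}` shell variable; using one form throughout avoids relying on the environment-variable mapping.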
9 changes: 9 additions & 0 deletions chart/templates/custom-ca-certificate.yaml
@@ -0,0 +1,9 @@
{{- if and .Values.secrets.customCa.customCaCertificate (not .Values.secrets.customCa.existingCaSecret) }}
why not inside secrets.yaml?

apiVersion: v1
kind: Secret
metadata:
name: {{ include "secrets.custom_ca_certificate.name" . }}
type: Opaque
data:
custom-ca.pem: {{ .Values.secrets.customCa.customCaCertificate }}
{{ end }}
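Review bot: `custom-ca.pem: {{ .Values.secrets.customCa.customCaCertificate }}` emits the value unquoted under `data:`, which is only well-formed if the user really passed a single-line base64 string; a raw multi-line PEM block renders invalid YAML, and a value that is not valid base64 produces a Secret the API server rejects, in both cases with no chart-level message pointing at the values key. Quoting keeps the rendered manifest well-formed, `custom-ca.pem: {{ .Values.secrets.customCa.customCaCertificate | quote }}`, and a guard like `{{- if contains "-----BEGIN" .Values.secrets.customCa.customCaCertificate }}{{ fail "secrets.customCa.customCaCertificate must be the base64 encoding of the PEM, not raw PEM" }}{{- end }}` turns the most likely mistake into a clear install-time error. The key name `custom-ca.pem` is the only place the expected file layout is visible, so a short comment above `data:` noting that an `existingCaSecret` is mounted the same way and should hold PEM data would help operators using that path.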
25 changes: 22 additions & 3 deletions chart/templates/helpers/_helpers.tpl
Expand Up @@ -460,7 +460,6 @@ Usage:
{{- end -}}
{{- end -}}


{{- define "secrets.certificate.name" -}}
{{- if .Values.certificate.existing_cert -}}
{{ .Values.certificate.existing_cert }}
Expand Down Expand Up @@ -510,6 +509,28 @@ Usage:
{{- end -}}


{{- define "secrets.custom_ca_certificate.enabled" -}}
{{- if or .Values.secrets.customCa.customCaCertificate .Values.secrets.customCa.existingCaSecret -}}
true
{{- else -}}
false
{{- end -}}
{{- end -}}


{{- define "secrets.custom_ca_certificate.name" -}}
{{- if and .Values.secrets.customCa.customCaCertificate .Values.secrets.customCa.existingCaSecret -}}
{{- fail "You must set only one of secrets.customCa.customCaCertificate or secrets.customCa.existingCaSecret" -}}
{{- end -}}

{{- if .Values.secrets.customCa.existingCaSecret -}}
{{ .Values.secrets.customCa.existingCaSecret }}
{{- else -}}
{{ include "lightrun.fullname" . }}-custom-ca-certificate
{{- end -}}
{{- end -}}


{{/*
#####################
### JVM Heap size ###
Expand Down Expand Up @@ -898,5 +919,3 @@ Usage: {{ include "lightrun.datadogAnnotations" (dict "serviceName" "lightrun-be
}
{{- end }}
{{- end }}
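Review bot: The mutual-exclusion `fail` in `secrets.custom_ca_certificate.name` is a side effect hidden in a name lookup: it only fires when a template asks for the Secret name, while `secrets.custom_ca_certificate.enabled` returns `true` for a values file that sets both keys, so any template that consults only `enabled` would never see the error. Moving the `fail` into `secrets.custom_ca_certificate.enabled` (or into a dedicated `secrets.custom_ca_certificate.validate` helper that both call) runs the guard wherever the feature is evaluated. Today keycloak-statefulset.yaml calls `name` right after `enabled`, so behaviour is correct; the point is where the check lives. Both helpers dereference `.Values.secrets.customCa.*` without a nil check, which is fine only as long as values.yaml keeps the `customCa` block defined.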


12 changes: 12 additions & 0 deletions chart/templates/keycloak-statefulset.yaml
Expand Up @@ -112,6 +112,7 @@ spec:
.Values.general.internal_tls.enabled
.Values.deployments.keycloak.extraVolumeMounts
.Values.deployments.keycloak.asyncProfiler.enabled
(include "secrets.custom_ca_certificate.enabled" . | trim | eq "true")
}}
volumeMounts:
{{- include "lightrun-keycloak.volumeMounts.asyncProfiler" . | nindent 12 }}
Expand All @@ -127,6 +128,11 @@ spec:
mountPath: /opt
subPath: opt
{{- end }}
{{- if (include "secrets.custom_ca_certificate.enabled" . | trim | eq "true") }}
- name: custom-ca-certificate
mountPath: /opt/keycloak/conf/truststores
readOnly: true
{{- end }}
{{- if .Values.general.internal_tls.enabled }}
- name: internal-cert
mountPath: /etc/x509/https/
Expand Down Expand Up @@ -356,6 +362,7 @@ spec:
.Values.general.internal_tls.enabled
.Values.deployments.keycloak.extraVolumes
.Values.deployments.keycloak.asyncProfiler.enabled
(include "secrets.custom_ca_certificate.enabled" . | trim | eq "true")
}}
volumes:
{{- include "lightrun-keycloak.volumes.asyncProfiler" . | nindent 8 }}
Expand All @@ -368,6 +375,11 @@ spec:
emptyDir:
sizeLimit: {{ .Values.general.readOnlyRootFilesystem_tmpfs_sizeLimit }}
{{ end }}
{{- if (include "secrets.custom_ca_certificate.enabled" . | trim | eq "true") }}
- name: custom-ca-certificate
secret:
secretName: {{ include "secrets.custom_ca_certificate.name" . }}
{{ end }}
{{- if .Values.general.internal_tls.enabled }}
- name: internal-cert
secret:
Expand Down
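Review bot: The `custom-ca-certificate` volume is mounted as a directory on `/opt/keycloak/conf/truststores`, which replaces that whole directory inside the container: anything the image ships there is hidden, and for `existingCaSecret` every key of the referenced Secret becomes a file, not just `custom-ca.pem`. Please confirm the image's truststores directory is empty by default, and document that an existing Secret must contain only PEM certificate files (whether Keycloak ignores or rejects other files in that directory is not visible here — verify). The same `include "secrets.custom_ca_certificate.enabled" . | trim | eq "true"` expression is repeated at four sites in this file; a single `{{- $customCaEnabled := include "secrets.custom_ca_certificate.enabled" . | trim | eq "true" }}` near the top of the template (outside these hunks) would keep them in sync. `readOnly: true` on the mount is the right default; the StatefulSet spec begins and ends outside the hunks shown.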
2 changes: 1 addition & 1 deletion chart/templates/secrets.yaml
Expand Up @@ -89,5 +89,5 @@ stringData:
KEYCLOAK_USER: admin
KEYCLOAK_PASSWORD: {{ .Values.secrets.keycloak.password | quote }}
DB_USER: {{ .Values.secrets.db.user | quote }}
DB_PASSWORD: {{ .Values.secrets.db.password | quote}}
DB_PASSWORD: {{ .Values.secrets.db.password | quote }}
{{ end }}
6 changes: 6 additions & 0 deletions chart/values.yaml
Expand Up @@ -478,6 +478,12 @@ secrets:
# redis authentication.
# requires to enable auth in deployments.redis.auth.enabled by set to true
password: ""
customCa:
# Optional | If empty, will not be used
# Only *one* of `customCaCertificate` and `existingCaSecret` can be set at a time:
# Setting both will cause Helm to fail during rendering.
customCaCertificate: "" # Base64-encoded CA certificate content.
existingCaSecret: "" # Name of an existing Kubernetes secret containing the CA certificate.
license:
content: ""
signature: ""
Expand Down
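Review bot: The new `existingCaSecret` comment says only that the Secret "contains the CA certificate" but nothing about its layout, yet the chart mounts the whole Secret as a directory under Keycloak's `conf/truststores`, so the operator needs to know the data should be PEM files and that the chart-generated Secret uses the key `custom-ca.pem`. Suggested comment: `existingCaSecret: ""  # Name of an existing Secret in the release namespace; all of its keys are mounted as files into Keycloak's truststores directory, so store the CA as PEM (e.g. key custom-ca.pem).` For `customCaCertificate`, spelling out that the value is the base64 encoding of the PEM text (what `base64 -w0 ca.pem` produces), not the PEM itself and not double-encoded, would prevent the two mistakes that otherwise only surface as a broken manifest or an apply-time error.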
39 changes: 39 additions & 0 deletions docs/advanced/custom_ca_certificate.md
@@ -0,0 +1,39 @@
# Custom CA Certificate


The `customCa` block allows you to provide a custom Certificate Authority (CA) certificate to the application. This is optional — if no values are provided, no custom CA will be used.


```yaml
secrets:
customCa:
customCaCertificate: "" # Base64-encoded CA certificate content.
existingCaSecret: "" # Name of an existing Kubernetes secret containing the CA certificate.
```

### Option 1: Provide the CA certificate directly

Use `customCaCertificate` to provide the base64-encoded content of your CA certificate.
A new Kubernetes Secret will be automatically created by the Helm chart.

`existingCaSecret` must not be set.

```yaml
secrets:
customCa:
customCaCertificate: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t..."
```

### Option 2: Use an existing Kubernetes Secret

Use `existingCaSecret` to reference an existing secret that contains your CA certificate.

`customCaCertificate` must not be set.


```yaml
secrets:
customCa:
existingCaSecret: "<my-custom-ca-secret>"
also mention that it should be base64 encoded, right?

added above in line 32

```