Merge pull request #610 from kubescape/feature/extra-certificate-mapping

Add support for mapping extra CA certificates in Kubescape Helm chart
kubescape · Feb 4, 2025 · faa0d13 · faa0d13
2 parents bdae2bf + e8c5822
commit faa0d13
Show file tree

Hide file tree

Showing 7 changed files with 54 additions and 2 deletions.
diff --git a/charts/kubescape-operator/README.md b/charts/kubescape-operator/README.md
@@ -94,6 +94,8 @@ However, we recommend that you give Kubescape no less than 500m CPU no matter th
 | global.proxySecretFile | string | `""` | Set proxy certificate / RootCA file content (not the file path) for all components to be used for proxy configured in global.httpsProxy |
 | global.overrideDefaultCaCertificates.enabled | bool | `false` | Use to enable custom CA Certificates |
 | global.overrideDefaultCaCertificates.caCertificates | string | `""` | Set the custom CA Certificates file in all container |
+| global.extraCaCertificates.enabled | bool | `false` | Use to enable mapping extra CA Certificate files |
+| global.extraCaCertificates.secretName | bool | `""` | Name of the secret that contents will be mapped to `/etc/ssl/certs` in each workload |
 | customScheduling.affinity | yaml |  | Use the `affinity` sub-section to define affinity rules that will apply to all of the workloads managed by the kubescape-operator |
 | customScheduling.nodeSelector | yaml | | Configure `nodeSelector` rules under the nodeSelector sub-section that will apply to all of the workloads managed by the kubescape-operator |
 | customScheduling.tolerations | yaml | | Define `tolerations` in the tolerations sub-section that will apply to all of the workloads managed by the kubescape-operator |
@@ -234,7 +236,7 @@ graph TB
     sync1("Synchronizer (In-cluster)")
     store1(Storage)
   end;
-  
+
   dashboard --> event --> masterSync
   masterSync .- sync1
   masterSync .- sync2

diff --git a/charts/kubescape-operator/templates/kubescape/deployment.yaml b/charts/kubescape-operator/templates/kubescape/deployment.yaml
@@ -203,6 +203,10 @@ spec:
         - name: custom-ca-certificates
           mountPath: /etc/ssl/certs/ca-certificates.crt
           subPath: ca-certificates.crt
+{{- end }}
+{{- if .Values.global.extraCaCertificates.enabled }}
+        - name: extra-ca-certificates
+          mountPath: /etc/ssl/certs/
 {{- end }}
       volumes:
       - name: {{ $components.cloudSecret.name }}
@@ -218,6 +222,11 @@ spec:
         secret:
           secretName: {{ $components.customCaCertificates.name }}
       {{- end }}
+      {{- if .Values.global.extraCaCertificates.enabled }}
+      - name: extra-ca-certificates
+        secret:
+          secretName: {{ .Values.global.extraCaCertificates.secretName }}
+      {{- end }}
       - name: {{ .Values.global.cloudConfig }}
         configMap:
           name: {{ .Values.global.cloudConfig }}

diff --git a/charts/kubescape-operator/templates/kubevuln/deployment.yaml b/charts/kubescape-operator/templates/kubevuln/deployment.yaml
@@ -129,6 +129,10 @@ spec:
             - name: custom-ca-certificates
               mountPath: /etc/ssl/certs/ca-certificates.crt
               subPath: ca-certificates.crt
+{{- end }}
+{{- if .Values.global.extraCaCertificates.enabled }}
+            - name: extra-ca-certificates
+              mountPath: /etc/ssl/certs/
 {{- end }}
       volumes:
         - name: {{ $components.cloudSecret.name }}
@@ -143,6 +147,11 @@ spec:
         - name: custom-ca-certificates
           secret:
             secretName: {{ $components.customCaCertificates.name }}
+      {{- end }}
+      {{- if .Values.global.extraCaCertificates.enabled }}
+        - name: extra-ca-certificates
+          secret:
+            secretName: {{ .Values.global.extraCaCertificates.secretName }}
       {{- end }}
         - name: tmp-dir
           emptyDir: {}

diff --git a/charts/kubescape-operator/templates/node-agent/daemonset.yaml b/charts/kubescape-operator/templates/node-agent/daemonset.yaml
@@ -57,7 +57,7 @@ spec:
       initContainers:
       - name: startup-jitter
         image: "busybox:latest"
-        command: 
+        command:
         - /bin/sh
         - -c
         - |
@@ -107,6 +107,11 @@ spec:
           secret:
             secretName: {{ $components.customCaCertificates.name }}
         {{- end }}
+        {{- if .Values.global.extraCaCertificates.enabled }}
+        - name: extra-ca-certificates
+          secret:
+            secretName: {{ .Values.global.extraCaCertificates.secretName }}
+        {{- end }}
       containers:
         {{- if $components.clamAV.enabled }}
         - name: {{ .Values.clamav.name }}
@@ -242,6 +247,11 @@ spec:
             mountPath: /etc/ssl/certs/ca-certificates.crt
             subPath: ca-certificates.crt
           {{- end }}
+          {{- if .Values.global.extraCaCertificates.enabled }}
+          - name: extra-ca-certificates
+            mountPath: /etc/ssl/certs/
+            subPath: {{ .Values.global.extraCaCertificates.secretName }}
+          {{- end }}
       nodeSelector:
       {{- if .Values.nodeAgent.nodeSelector }}
       {{- toYaml .Values.nodeAgent.nodeSelector | nindent 8 }}

diff --git a/charts/kubescape-operator/templates/operator/deployment.yaml b/charts/kubescape-operator/templates/operator/deployment.yaml
@@ -143,6 +143,10 @@ spec:
               mountPath: /etc/ssl/certs/ca-certificates.crt
               subPath: ca-certificates.crt
             {{- end }}
+            {{- if .Values.global.extraCaCertificates.enabled }}
+            - name: extra-ca-certificates
+              mountPath: /etc/ssl/certs/
+            {{- end }}
             {{- if eq .Values.capabilities.admissionController "enable" }}
             - name: tls-certs
               mountPath: /etc/certs
@@ -173,6 +177,11 @@ spec:
           secret:
             secretName: {{ $components.customCaCertificates.name }}
         {{- end }}
+        {{- if .Values.global.extraCaCertificates.enabled }}
+        - name: extra-ca-certificates
+          secret:
+            secretName: {{ .Values.global.extraCaCertificates.secretName }}
+        {{- end }}
         {{- if eq .Values.capabilities.admissionController "enable" }}
         - name: tls-certs
           secret:

diff --git a/charts/kubescape-operator/templates/synchronizer/deployment.yaml b/charts/kubescape-operator/templates/synchronizer/deployment.yaml
@@ -112,6 +112,11 @@ spec:
               mountPath: /etc/ssl/certs/ca-certificates.crt
               subPath: ca-certificates.crt
             {{- end }}
+            {{- if .Values.global.extraCaCertificates.enabled }}
+            - name: extra-ca-certificates
+              mountPath: /etc/ssl/certs/
+              subPath: {{ .Values.global.extraCaCertificates.secretName }}
+            {{- end }}
             - name: config
               mountPath: /etc/config/config.json
               readOnly: true
@@ -140,6 +145,11 @@ spec:
         - name: custom-ca-certificates
           secret:
             secretName: {{ $components.customCaCertificates.name }}
+      {{- end }}
+      {{- if .Values.global.extraCaCertificates.enabled }}
+        - name: extra-ca-certificates
+          secret:
+            secretName: {{ .Values.global.extraCaCertificates.secretName }}
       {{- end }}
         - name: {{ .Values.global.cloudConfig }}
           configMap:

diff --git a/charts/kubescape-operator/values.yaml b/charts/kubescape-operator/values.yaml
@@ -201,6 +201,9 @@ global:
   overrideDefaultCaCertificates:
     enabled: false
     caCertificates: ""
+  extraCaCertificates:
+    enabled: false
+    secretName: ""
   openshift: # Openshift Security Context Constraint support
     scc:
       enabled: false