Merge pull request #108 from orkes-io/support-certificate-stores

Support certificate stores
orkes-io · Jan 19, 2024 · 6b0c095 · 6b0c095
2 parents e42a108 + 9ee4e9a
commit 6b0c095
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 2 deletions.
diff --git a/charts/orkes-conductor-standalone/Chart.yaml b/charts/orkes-conductor-standalone/Chart.yaml
@@ -4,5 +4,5 @@ description: Orkes Conductor Standalone (recommended only for testing and develo
 
 type: application
 
-version: 2.6.46
+version: 2.6.47
 appVersion: "2.6.46"
diff --git a/charts/orkes-conductor/Chart.yaml b/charts/orkes-conductor/Chart.yaml
@@ -4,5 +4,5 @@ description: Orkes Conductor
 
 type: application
 
-version: 2.6.46
+version: 2.6.47
 appVersion: "2.6.46"
diff --git a/charts/orkes-conductor/templates/deployment.yaml b/charts/orkes-conductor/templates/deployment.yaml
@@ -1,5 +1,6 @@
 {{- $securityEnabled := eq (toString .Values.security.enabled) "true" -}}
 {{- $clusterMode := eq (toString .Values.redis.clusterMode) "true" -}}
+{{- $enableCustomTrustStore := eq (toString .Values.enableCustomTrustStore) "true" -}}
 {{- if $securityEnabled -}}
   {{- $validation := .Values.security.defaultUserEmail | required "security.defaultUserEmail is required." -}}
   {{- $validation := .Values.security.defaultUserName | required "security.defaultUserName is required." -}}
@@ -330,6 +331,14 @@ spec:
               value: localhost
             - name: conductor.worker.http.block.ips
               value: {{ .Values.workers.blockIps | quote }}
+            {{- if $enableCustomTrustStore }}
+            - name: conductor.worker.http.customcerts.enabled
+              value: "true"
+            - name: conductor.worker.http.customcerts.path
+              value: {{ printf "/app/certificates/%s" .Values.jksFileName | quote }}
+            - name: conductor.worker.http.customcerts.password
+              value: {{ .Values.jksFilePassword | quote }}
+            {{- end }}
             - name: conductor.server.url
               value: http://{{ include "orkes-conductor.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:5000/api/
             {{- if $securityEnabled }}
@@ -344,6 +353,12 @@ spec:
                   fieldPath: status.podIP
           image: "{{ .Values.workerImage.repository }}:{{ .Values.workerImage.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if $enableCustomTrustStore }}
+          volumeMounts:
+            - name: custom-truststore-vol
+              mountPath: {{ printf "/app/certificates/%s" .Values.jksFileName | quote }}
+              subPath: {{ .Values.jksFileName | quote }}
+          {{- end }}
           name: {{ include "orkes-conductor-workers.fullname" . }}-workers
           resources:
             limits:
@@ -355,6 +370,15 @@ spec:
           terminationMessagePath: /dev/termination-log
           terminationMessagePolicy: File
       dnsPolicy: ClusterFirst
+      {{- if $enableCustomTrustStore }}
+      volumes:
+        - name: custom-truststore-vol
+          configMap:
+            name: "custom-truststore-cm"
+            items:
+              - key: {{ .Values.jksFileName | quote }}
+                path: {{ .Values.jksFileName | quote }}
+      {{- end }}
       imagePullSecrets:
         - name: orkesregistry
       restartPolicy: Always

diff --git a/charts/orkes-conductor/values.yaml b/charts/orkes-conductor/values.yaml
@@ -93,6 +93,11 @@ imageCredentials:
   email: [email protected]
   password:
 
+enableCustomTrustStore: false
+# If you are using a custom trust store, provide the following variables
+# jksFileName:
+# jksFilePassword:
+
 security:
   allowedOrigins: "*"
   enabled: false