feat(deployment): support custom CAs (#964)

Signed-off-by: Miguel Martinez Trivino <[email protected]>

Author: migmartri

deployment/chainloop/Chart.yaml

@@ -7,7 +7,7 @@ description: Chainloop is an open source software supply chain control plane, a
 
 type: application
 # Bump the patch (not minor, not major) version on each change in the Chart Source code
-version: 1.61.0
+version: 1.61.1
 # Do not update appVersion, this is handled automatically by the release process
 appVersion: v0.91.6
 

deployment/chainloop/README.md

@@ -399,6 +399,22 @@ controlplane:
       keyPass: "REDACTED"  
 ```
 
+### Insert custom Certificate Authorities (CAs)
+
+In some scenarios, you might want to add custom Certificate Authorities to the Chainloop deployment. Like in the instance where your OIDC provider uses a self-signed certificate. To do so, add the PEM-encoded CA certificate to the `customCAs` list in your `values.yaml` file like in the example below.
+
+```yaml
+  customCAs:
+    - |-
+      -----BEGIN CERTIFICATE-----
+      MIIFmDCCA4CgAwIBAgIQU9C87nMpOIFKYpfvOHFHFDANBgkqhkiG9w0BAQsFADBm
+      BhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1cml0eSBSZXNl
+      REDACTED
+      5CunuvCXmEQJHo7kGcViT7sETn6Jz9KOhvYcXkJ7po6d93A/jy4GKPIPnsKKNEmR
+      7DiA+/9Qdp9RBWJpTS9i/mDnJg1xvo8Xz49mrrgfmcAXTCJqXi24NatI3Oc=
+      -----END CERTIFICATE-----
+```
+
 ### Send exceptions to Sentry
 
 You can configure different sentry projects for both the controlplane and the artifact CAS
@@ -568,6 +584,7 @@ chainloop config save \
 | `controlplane.keylessSigning.fileCA.cert`                    | The PEM-encoded certificate of the file based CA         | `""`         |
 | `controlplane.keylessSigning.fileCA.key`                     | The PEM-encoded private key of the file based CA         | `""`         |
 | `controlplane.keylessSigning.fileCA.keyPass`                 | The secret key pass                                      | `""`         |
+| `controlplane.customCAs`                                     | List of custom CA certificates content                   | `[]`         |
 
 ### Artifact Content Addressable (CAS) API
 

deployment/chainloop/templates/controlplane/customcas.secret.yaml

@@ -0,0 +1,18 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- $customCAs := .Values.controlplane.customCAs }}
+{{- if (not (empty $customCAs)) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "chainloop.controlplane.fullname" . }}-custom-cas
+  labels:
+    {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+data: 
+  {{- range $index, $pem := $customCAs }}
+  custom-{{ $index }}.crt: {{ $pem | b64enc | quote }}
+  {{- end -}}
+{{- end -}}

deployment/chainloop/templates/controlplane/deployment.yaml

@@ -97,6 +97,13 @@ spec:
             - name: gcp-secretmanager-serviceaccountkey
               mountPath: /gcp-secrets
             {{- end }}
+            {{- if (not (empty .Values.controlplane.customCAs)) }}
+            - name: custom-cas
+              # NOTE: /etc/ssl/certs already contains the system CA certs
+              # Let's use another known path https://go.dev/src/crypto/x509/root_linux.go
+              mountPath: /etc/pki/tls/certs
+              readOnly: true
+            {{- end }}
       volumes:
         - name: config
           projected:
@@ -105,6 +112,13 @@ spec:
                 name: {{ include "chainloop.controlplane.fullname" . }}
             - configMap:
                name: {{ include "chainloop.controlplane.fullname" . }}
+        {{- if (not (empty .Values.controlplane.customCAs)) }}
+        - name: custom-cas
+          projected:
+            sources:
+            - secret:
+               name: {{ include "chainloop.controlplane.fullname" . }}-custom-cas
+        {{- end }}
         # required for the plugins to store the socket files
         - name: tmp
           emptyDir: {}

deployment/chainloop/values.yaml

@@ -475,6 +475,10 @@ controlplane:
       key: ""
       keyPass: ""
 
+  ## Inject custom CA certificates to the controlplane container
+  ## @param controlplane.customCAs List of custom CA certificates content
+  customCAs: []
+
 ## @section Artifact Content Addressable (CAS) API
 ##################################
 #         Artifacts CAS          #