From fc5ecdd2043005531f4973cf3d2e980c93e88574 Mon Sep 17 00:00:00 2001 From: Ethan Mosbaugh Date: Thu, 29 May 2025 12:36:23 -0700 Subject: [PATCH 1/4] feat(ec): new PrivateCACert template function behavior --- docs/reference/template-functions-static-context.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/template-functions-static-context.md b/docs/reference/template-functions-static-context.md index 05c2ece913..7a95f9e45f 100644 --- a/docs/reference/template-functions-static-context.md +++ b/docs/reference/template-functions-static-context.md @@ -16,7 +16,7 @@ This topic provides a list of the KOTS template functions in the Static context. func PrivateCACert() string ``` -PrivateCACert returns the name of a ConfigMap that contains private CA certificates provided by the end user. For Embedded Cluster installations, these certificates are provided with the `--private-ca` flag for the `install` command. For KOTS installations, the user provides the ConfigMap using the `--private-ca-configmap` flag for the `install` command. +For KOTS installations, PrivateCACert returns the name of a ConfigMap that contains CA certificates provided by the end user using the `--private-ca-configmap` flag for the `install` command. For Embedded Cluster installations, the ConfigMap contains a single file which is the CA trust store from the host. You can use this template function to mount the specified ConfigMap so your containers can access the internet through enterprise proxies that issue their own TLS certificates in order to inspect traffic. From b736ef30f619e60cbdcd317118369efed2dcc703 Mon Sep 17 00:00:00 2001 From: Ethan Mosbaugh Date: Thu, 29 May 2025 12:52:25 -0700 Subject: [PATCH 2/4] Explain how we find the ca trust store on the host --- docs/reference/template-functions-static-context.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/reference/template-functions-static-context.md b/docs/reference/template-functions-static-context.md index 7a95f9e45f..b399744225 100644 --- a/docs/reference/template-functions-static-context.md +++ b/docs/reference/template-functions-static-context.md @@ -16,7 +16,7 @@ This topic provides a list of the KOTS template functions in the Static context. func PrivateCACert() string ``` -For KOTS installations, PrivateCACert returns the name of a ConfigMap that contains CA certificates provided by the end user using the `--private-ca-configmap` flag for the `install` command. For Embedded Cluster installations, the ConfigMap contains a single file which is the CA trust store from the host. +For KOTS installations, PrivateCACert returns the name of a ConfigMap that contains CA certificates provided by the end user using the `--private-ca-configmap` flag to the `install` command. For Embedded Cluster installations, the ConfigMap contains the CA trust store from the host. The CA trust store is determined by first checking for the SSL_CERT_FILE environment variable, and if not set, searching common certificate paths, using the first valid certificate file found. You can use this template function to mount the specified ConfigMap so your containers can access the internet through enterprise proxies that issue their own TLS certificates in order to inspect traffic. From 4f62e273d7a46a965b044ea51f85a749e8da802e Mon Sep 17 00:00:00 2001 From: Paige Calvert Date: Thu, 29 May 2025 14:07:16 -0600 Subject: [PATCH 3/4] docs edits --- docs/reference/template-functions-static-context.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/reference/template-functions-static-context.md b/docs/reference/template-functions-static-context.md index b399744225..77084cf84e 100644 --- a/docs/reference/template-functions-static-context.md +++ b/docs/reference/template-functions-static-context.md 
@@ -16,12 +16,12 @@ This topic provides a list of the KOTS template functions in the Static context. func PrivateCACert() string ``` -For KOTS installations, PrivateCACert returns the name of a ConfigMap that contains CA certificates provided by the end user using the `--private-ca-configmap` flag to the `install` command. For Embedded Cluster installations, the ConfigMap contains the CA trust store from the host. The CA trust store is determined by first checking for the SSL_CERT_FILE environment variable, and if not set, searching common certificate paths, using the first valid certificate file found. +For KOTS installations, PrivateCACert returns the name of a ConfigMap that contains CA certificates provided by the end user with the `--private-ca-configmap` flag for the install command. For Embedded Cluster installations, the ConfigMap returned by PrivateCACert contains the CA trust store from the host. The CA trust store is determined by first checking for the SSL_CERT_FILE environment variable. If SSL_CERT_FILE is not set, KOTS then searches common certificate paths and uses the first valid certificate file found. You can use this template function to mount the specified ConfigMap so your containers can access the internet through enterprise proxies that issue their own TLS certificates in order to inspect traffic. :::note -This function will return the name of the ConfigMap even if the ConfigMap has no entries. If no ConfigMap exists, this function returns the empty string. +This function returns the name of the ConfigMap even if the ConfigMap has no entries. If no ConfigMap exists, this function returns the empty string. ::: ## Cluster Information Functions @@ -630,4 +630,4 @@ This can be useful when dealing with user-uploaded files that may include null b ```yaml repl{{ ConfigOptionData "my_file_upload" | YamlEscape }} -``` \ No newline at end of file +``` From 626d6aebe7004560c016f3b886302b0f93f3fa42 Mon Sep 17 00:00:00 2001 
From: Paige Calvert Date: Thu, 29 May 2025 14:21:34 -0600 Subject: [PATCH 4/4] Update template-functions-static-context.md --- docs/reference/template-functions-static-context.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/template-functions-static-context.md b/docs/reference/template-functions-static-context.md index 77084cf84e..920edad600 100644 --- a/docs/reference/template-functions-static-context.md +++ b/docs/reference/template-functions-static-context.md @@ -16,7 +16,7 @@ This topic provides a list of the KOTS template functions in the Static context. func PrivateCACert() string ``` -For KOTS installations, PrivateCACert returns the name of a ConfigMap that contains CA certificates provided by the end user with the `--private-ca-configmap` flag for the install command. For Embedded Cluster installations, the ConfigMap returned by PrivateCACert contains the CA trust store from the host. The CA trust store is determined by first checking for the SSL_CERT_FILE environment variable. If SSL_CERT_FILE is not set, KOTS then searches common certificate paths and uses the first valid certificate file found. +For KOTS installations, PrivateCACert returns the name of a ConfigMap that contains CA certificates provided by the end user with the `--private-ca-configmap` flag for the install command. For Embedded Cluster installations, the ConfigMap returned by PrivateCACert contains the CA trust store from the host. Embedded Cluster determines the CA trust store by first checking for the SSL_CERT_FILE environment variable. If SSL_CERT_FILE is not set, Embedded Cluster then searches common certificate paths and uses the first valid certificate file found. You can use this template function to mount the specified ConfigMap so your containers can access the internet through enterprise proxies that issue their own TLS certificates in order to inspect traffic.
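Review bot: In PATCH 1/4, the rewritten PrivateCACert paragraph never states what the function returns for Embedded Cluster installations: the return value is described only for KOTS, and the second added sentence begins at "the ConfigMap contains a single file". Suggest wording along the lines of "For Embedded Cluster installations, PrivateCACert returns the name of a ConfigMap that contains ...", and naming the key of that single file so readers can mount it. The removed line documented the `--private-ca` flag for Embedded Cluster; the new text drops it without saying whether the flag still has any effect, which deserves one sentence for existing users.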
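Review bot: In PATCH 2/4, the added sentence on trust store discovery leaves "common certificate paths" and "the first valid certificate file found" undefined, and does not cover SSL_CERT_FILE being set but pointing at a missing or unparsable file. Since this bundle is what application containers end up trusting, list the paths in the order they are searched, say what "valid" means, and state whether the search falls back to the common paths or fails in that case. The hunk also drops "a single file" from the previous wording, so it is no longer clear whether the ConfigMap holds one bundle or several entries.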
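Review bot: In the first hunk of PATCH 3/4, the added sentence "KOTS then searches common certificate paths" names KOTS as the actor in a passage about Embedded Cluster installations, and nothing says what happens when no valid certificate file is found. The note that follows says the function returns the ConfigMap name even when the ConfigMap has no entries, and the empty string when no ConfigMap exists; state which of those two outcomes an Embedded Cluster installation with no usable trust store produces. The same added line drops the backticks from `install` and leaves SSL_CERT_FILE unformatted while `--private-ca-configmap` stays in code format.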
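Review bot: In PATCH 4/4, the reworded sentences still do not say whose environment SSL_CERT_FILE is read from or at what point (for example, the process running the install command), nor whether the ConfigMap is refreshed when the host trust store changes later. Because that variable selects the CA bundle that gets mounted into application containers, operators need this to verify what their workloads will trust. SSL_CERT_FILE should also be in code format to match `--private-ca-configmap` on the same line.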