feat: add global certificate management for ZTVP applications

[minmzzhang]

Add ztvp-certificates chart for managing trusted CA certificates across all ZTVP applications with support for custom certificates via Kubernetes secret references.

Key features:

• Initial job for immediate certificate extraction on install
• Cronjob for periodic certificate rotation (daily at 2AM)
• Automatic rollout restart for consuming applications (labeled strategy)
• Auto-detects OpenShift ingress, service and proxy CA certificates
• Supports custom CA certificates via secretRef (primary + additional)
• Distributes certificates to target namespaces via ACM Policy

Certificate Sources:

• Primary custom CA via secretRef (customCA.secretRef)
• Additional certificates via extraValueFiles (overrides/values-ztvp-certificates.yaml)
• Auto-detected proxy CA from trusted-ca-bundle (openshift-config-managed)
• Auto-detected ingress CA from all IngressControllers (not just default)
• Auto-detected service CA from openshift-service-ca

Configuration:

• Use extraValueFiles for complex nested structures (additionalCertificates, rollout)
• Simple overrides via values-hub.yaml for flat key-value pairs

Chart deploys:

• Job/cronjob to extract and combine CA certificates
• ConfigMap with combined CA bundle (ztvp-trusted-ca)
• ACM Policy to distribute to target namespaces
• RBAC permissions for CA extraction

Applications can consume the CA bundle by:

• Mounting the ztvp-trusted-ca ConfigMap at /etc/pki/ca-trust/extracted/pem/
• Setting ZTVP_CA_BUNDLE environment variable
• Using standard SSL/TLS libraries that check system CA paths

[sabre1041]

Looking really good. A few comments

[sabre1041]

Recommend increasing these values. My cluster OOMKilled the container

[minmzzhang]

increased, this size mismatch was due to the addition of proxy CA extraction.

[sabre1041]

Is this because we do not set the execute bit on the file?

[minmzzhang]

The shell script was a helm template, which has the helm syntax inside, bash_exec cannot pass it. I've updated the filename to avoid this single file's bash_exec linter execution.

[mlorenzofr]

What I usually do in these cases is have a simple script and control the variables and conditions using environment variables. Another option is to have source files and import them depending on the environment

[mlorenzofr]

The FILTER_REGEX_EXCLUDE option also works for me

[mlorenzofr]

I think it might be interesting to extend the functionality to 2 additional components

External Secrets Operator

Currently, the ClusterSecretStore vault-backend has a configuration section where the CA it uses is specified:

       caProvider:
          key: ca.crt
          name: kube-root-ca.crt
          namespace: golang-external-secrets
          type: ConfigMap

This can be configured via an override in values-hub.yaml:

    golang-external-secrets:
      name: golang-external-secrets
      namespace: golang-external-secrets
      project: hub
      chart: golang-external-secrets
      chartVersion: 0.1.*
      overrides:
        - name: golangExternalSecrets.caProvider.hostCluster.name
          value: ztvp-trusted-ca
        - name: golangExternalSecrets.caProvider.hostCluster.key
          value: tls-ca-bundle.pem
        - name: golangExternalSecrets.caProvider.hostCluster.namespace
          value: openshift-config

Should we change it permanently if we adopt this solution?

Image registries (Quay)

The cluster can use image registries that use internal certificates. In this case, the configuration is done in the images.config.openshift.io resource.

apiVersion: config.openshift.io/v1
kind: Image
  name: cluster
spec:
  additionalTrustedCA:
    name: ztvp-registry-trusted-ca

The additionalTrustedCA attribute references a ConfigMap in the openshift-config namespace. The ConfigMap contains a list of the registry hostnames and trusted CAs:

apiVersion: v1
data:
  quay-registry-quay-quay-enterprise.apps.example.domain: |
    -----BEGIN CERTIFICATE-----
    ... ...
kind: ConfigMap
metadata:
  name: ztvp-registry-trusted-ca
  namespace: openshift-config

This functionality would allow configuring CRI-O on the nodes to download images from registries with internal certificates.

[mlorenzofr]

Instead of configuring the variables at the JVM level, I would do it using the environment variables that Quarkus has for this: QUARKUS_OIDC_TLS_TRUST_STORE_FILE and QUARKUS_OIDC_TLS_TRUST_STORE_PASSWORD.

We could add them to the charts/qtodo/templates/app-config-env.yaml file, like other Quarkus variables.

[minmzzhang]

Thank you @mlorenzofr , updated based on your suggestion that using Quarkus env variables is cleaner.

[mlorenzofr]

Perhaps I would create it under /run/secrets or /etc/pki instead of creating a directory in the root

[minmzzhang]

Thank you @mlorenzofr , updated the truststore to a more standard location based on your suggestion.

[mlorenzofr]

Good job, it works properly.

I'm adding a couple of small changes that I think would better align the solution with the style of other qtodo components.

[mlorenzofr]

Suggested change

	truststore:
	truststore:
	enabled: true