diff --git a/Dockerfile b/Dockerfile
index dfa85a4..017efcf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,6 +5,7 @@ ARG TARGETARCH
 COPY ./bin/code-marketplace-linux-$TARGETARCH /opt/code-marketplace
 FROM alpine:latest
+RUN apk add ca-certificates
 COPY --chmod=755 --from=binaries /opt/code-marketplace /opt
 ENTRYPOINT [ "/opt/code-marketplace", "server" ]
diff --git a/README.md b/README.md
index beb2594..78da3a5 100644
--- a/README.md
+++ b/README.md
@@ -67,6 +67,10 @@ export ARTIFACTORY_TOKEN="my-token"
 The token will be used as the `Authorization` header with the value `Bearer `.
+## Custom Certificate Authorities for Container Deployment
+
+If your artifactory server or extension download location is on a domain not signed by a default CA, then you will need to add those files either by volume mount or `docker cp` and then run `update-ca-certificates`.
+
 ### Exposing the marketplace
 The marketplace must be put behind TLS otherwise code-server will reject
diff --git a/helm/README.md b/helm/README.md
index d4f2139..c67c693 100644
--- a/helm/README.md
+++ b/helm/README.md
@@ -54,6 +54,21 @@ $ kubectl exec -it "$POD_NAME" -- /opt/code-marketplace add https://github.com/V
 In the future it will be possible to use Artifactory for storing and retrieving extensions instead of a persistent volume.
+## Adding custom certificate authorities
+
+If the location for retrieving extensions (or if using Artifactory storage) is not signed by a common CA, then create a secret in the deployed namespace:
+```
+kubectl create secret -n $namespace generic all-cas --from-file="certificate1.pem"=/path/to/certificate1.pem \
+ --from-file="certificate2.pem"=path/to/certificate2.pem \
+ --from-file="certificate3.pem"=path/to/certificate3.pem
+```
+
+And then, set the certificates.secretName to match:
+
+```console
+$ helm upgrade --install code-marketplace ./helm-chart --set certificates.secretName "all-cas"
+```
+
 ## Uninstall
 To uninstall/delete the marketplace deployment:
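Review bot: `RUN apk add ca-certificates` leaves the fetched package index in the image layer; the Alpine idiom is `RUN apk add --no-cache ca-certificates`. Nothing in the hunk says why the package is needed, so a comment such as `# provides update-ca-certificates so operators can add private CAs at runtime (see README)` would help, since the default bundle is, as far as I can tell, already shipped by the base image. The ENTRYPOINT does not run update-ca-certificates, so trust for custom CAs still depends on the operator (or the Helm postStart hook) running it before the server makes its first TLS request, and it needs write access under /etc/ssl/certs when it does.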
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
index f3be32a..7d95a64 100644
--- a/helm/templates/deployment.yaml
+++ b/helm/templates/deployment.yaml
@@ -30,6 +30,16 @@ spec:
 - name: extensions
 persistentVolumeClaim:
 claimName: {{ include "code-marketplace.fullname" . }}
+ {{- if .Values.certificates.secretName }}
+ - name: certs
+ secret:
+ secretName: {{ .Values.certificates.secretName }}
+ {{- end }}
+ {{- else if and .Values.persistence.artifactory.enabled .Values.certificates.secretName }}
+ volumes:
+ - name: certs
+ secret:
+ secretName: {{ .Values.certificates.secretName }}
 {{- end }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -39,6 +49,13 @@ spec:
 {{- toYaml .Values.securityContext | nindent 12 }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- if .Values.certificates.secretName }}
+ lifecycle:
+ postStart:
+ exec:
+ command:
+ - update-ca-certificates
+ {{- end}}
 {{- if .Values.persistence.artifactory.enabled }}
 env:
 - name: "ARTIFACTORY_TOKEN"
@@ -67,6 +84,14 @@ spec:
 volumeMounts:
 - name: extensions
 mountPath: /extensions
+ {{- if .Values.certificates.secretName }}
+ - name: certs
+ mountPath: /usr/local/share/ca-certificates/
+ {{- end }}
+ {{- else if and .Values.persistence.artifactory.enabled .Values.certificates.secretName }}
+ volumeMounts:
+ - name: certs
+ mountPath: /usr/local/share/ca-certificates/
 {{- end }}
 livenessProbe:
 httpGet:
diff --git a/helm/values.yaml b/helm/values.yaml
index 29bb4dd..8e3276b 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
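Review bot: The postStart hook in the second hunk (`command: - update-ca-certificates`) runs asynchronously with the container entrypoint, so the server can open its first TLS connection before /etc/ssl/certs has been rewritten, and if the server is a Go binary it caches the system cert pool on first use, leaving the custom CAs untrusted until the container restarts. The hook also writes to the root filesystem as the user given by `securityContext`, so it fails under `readOnlyRootFilesystem: true` or a non-root `runAsUser`, and a failed postStart kills the container. A race-free alternative is to drop the hook and set `SSL_CERT_DIR` to the mount path (`/usr/local/share/ca-certificates`) on the container, which Go's crypto/x509 honours on Linux in addition to the default bundle; that env entry would have to be merged with the `env:` block the existing `{{- if .Values.persistence.artifactory.enabled }}` branch emits, or the key is duplicated. The `{{- end}}` closing the hook block should be `{{- end }}` to match the file's other delimiters. The `{{- else if ... }}` branches in the first and third hunks attach to an enclosing `{{- if }}` that starts outside the hunks, so I cannot verify that `volumes:` and `volumeMounts:` are emitted exactly once for every combination of the two flags.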
@@ -93,3 +93,10 @@ persistence:
 repo: extensions
 # Size is ignored when using Artifactory.
 size: 100Gi
+
+# Create a secret with all additional certificate authorities, ex:
+# kubectl create secret -n $namespace generic all-cas --from-file="certificate1.pem"=/path/to/certificate1.pem \
+# --from-file="certificate2.pem"=path/to/certificate2.pem \
+# --from-file="certificate3.pem"=path/to/certificate3.pem
+certificates:
+ secretName: ""
\ No newline at end of file
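Review bot: The comment on `certificates:` explains how to create the secret but not what the chart does with it or what the data must contain; add `# Each key is mounted as a file under /usr/local/share/ca-certificates/ and update-ca-certificates runs at container start, so values must be PEM CA certificates and the secret must live in the release namespace.` The second and third `--from-file` examples drop the leading slash (`path/to/...` versus `/path/to/...`); helm/README.md repeats the same example. The file now ends without a trailing newline after `secretName: ""`.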