Adding support for custom CAs (issue #11). #12

Open
wants to merge 1 commit into
base: main
1 change: 1 addition & 0 deletions Dockerfile
Expand Up @@ -5,6 +5,7 @@ ARG TARGETARCH
COPY ./bin/code-marketplace-linux-$TARGETARCH /opt/code-marketplace

FROM alpine:latest
RUN apk add ca-certificates
COPY --chmod=755 --from=binaries /opt/code-marketplace /opt

ENTRYPOINT [ "/opt/code-marketplace", "server" ]
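
Review bot: `RUN apk add ca-certificates` in the final stage runs without `--no-cache`, so the apk index it fetches stays in the image layer; use `RUN apk add --no-cache ca-certificates`. The stage is also built `FROM alpine:latest`, so the CA bundle this line installs depends on the build date; pinning the base tag would make the resulting trust store reproducible.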
4 changes: 4 additions & 0 deletions README.md
Expand Up @@ -67,6 +67,10 @@ export ARTIFACTORY_TOKEN="my-token"
The token will be used as the `Authorization` header with the value `Bearer
<TOKEN>`.

## Custom Certificate Authorities for Container Deployment

If your artifactory server or extension download location is on a domain not signed by a default CA, then you will need to add those files either by volume mount or `docker cp` and then run `update-ca-certificates`.
Comment on lines +70 to +72
Member

Minor formatting suggestion (just some capitalization to match the other headings, wrapping, and one more heading level).

Suggested change
## Custom Certificate Authorities for Container Deployment
If your artifactory server or extension download location is on a domain not signed by a default CA, then you will need to add those files either by volume mount or `docker cp` and then run `update-ca-certificates`.
### Custom certificate authorities for container deployment
If your Artifactory server or extension download location is on a domain not
signed by a default CA, then you will need to add those files either by volume
mount or `docker cp` and then run `update-ca-certificates`.


### Exposing the marketplace

The marketplace must be put behind TLS otherwise code-server will reject
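
Review bot: the new paragraph says to "add those files" but never names the destination directory or where `update-ca-certificates` has to run, so a reader cannot follow it as written. The Helm template in this PR mounts the certificates at `/usr/local/share/ca-certificates/`; state that path here and say the command must be run inside the container.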
15 changes: 15 additions & 0 deletions helm/README.md
Expand Up @@ -54,6 +54,21 @@ $ kubectl exec -it "$POD_NAME" -- /opt/code-marketplace add https://github.com/V
In the future it will be possible to use Artifactory for storing and retrieving
extensions instead of a persistent volume.

## Adding custom certificate authorities

If the location for retrieving extensions (or if using Artifactory storage) is not signed by a common CA, then create a secret in the deployed namespace:
Member

Just a bit of wrapping to match the rest:

Suggested change
If the location for retrieving extensions (or if using Artifactory storage) is not signed by a common CA, then create a secret in the deployed namespace:
If the location for retrieving extensions (or if using Artifactory storage) is
not signed by a common CA, then create a secret in the deployed namespace:

```
kubectl create secret -n $namespace generic all-cas --from-file="certificate1.pem"=/path/to/certificate1.pem \
Member

Thinking it might look nice if all the --from-file are on their own line.

Suggested change
kubectl create secret -n $namespace generic all-cas --from-file="certificate1.pem"=/path/to/certificate1.pem \
kubectl create secret -n $namespace generic all-cas \
--from-file="certificate1.pem"=/path/to/certificate1.pem \

--from-file="certificate2.pem"=path/to/certificate2.pem \
--from-file="certificate3.pem"=path/to/certificate3.pem
```

And then, set the certificates.secretName to match:

```console
$ helm upgrade --install code-marketplace ./helm-chart --set certificates.secretName "all-cas"
```

## Uninstall

To uninstall/delete the marketplace deployment:
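
Review bot: the `helm upgrade` example passes `--set certificates.secretName "all-cas"` with a space where `--set` expects `key=value`, so the command as written will not set the value; change it to `--set certificates.secretName=all-cas`. In the `kubectl create secret` example the first file uses `/path/to/` while the second and third use `path/to/`; make the three paths consistent.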
25 changes: 25 additions & 0 deletions helm/templates/deployment.yaml
Expand Up @@ -30,6 +30,16 @@ spec:
- name: extensions
persistentVolumeClaim:
claimName: {{ include "code-marketplace.fullname" . }}
{{- if .Values.certificates.secretName }}
- name: certs
secret:
secretName: {{ .Values.certificates.secretName }}
{{- end }}
{{- else if and .Values.persistence.artifactory.enabled .Values.certificates.secretName }}
volumes:
- name: certs
secret:
secretName: {{ .Values.certificates.secretName }}
{{- end }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
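
Review bot: the `certs` volume is declared twice, once appended to the existing `volumes:` list and again in the new `else if` branch under its own `volumes:` key, so the two copies have to be kept in sync by hand. Consider emitting `volumes:` once when either condition holds and listing `extensions` and `certs` under it independently. `secretName: {{ .Values.certificates.secretName }}` would also be safer with `| quote`.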
Expand All @@ -39,6 +49,13 @@ spec:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.certificates.secretName }}
lifecycle:
postStart:
exec:
command:
- update-ca-certificates
{{- end}}
{{- if .Values.persistence.artifactory.enabled }}
env:
- name: "ARTIFACTORY_TOKEN"
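
Review bot: running `update-ca-certificates` from `lifecycle.postStart` does not order it before the server, because Kubernetes gives no guarantee that a postStart hook executes before the container's ENTRYPOINT; early outbound TLS requests can still see the old trust store. The hook also has to write the system CA bundle, which fails (and a failed postStart hook kills the container) when `.Values.securityContext` sets a non-root user or a read-only root filesystem. An init container that builds the bundle into a shared `emptyDir` avoids both problems. Minor: `{{- end}}` is missing the space used elsewhere (`{{- end }}`).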
Expand Down Expand Up @@ -67,6 +84,14 @@ spec:
volumeMounts:
- name: extensions
mountPath: /extensions
{{- if .Values.certificates.secretName }}
- name: certs
mountPath: /usr/local/share/ca-certificates/
{{- end }}
{{- else if and .Values.persistence.artifactory.enabled .Values.certificates.secretName }}
volumeMounts:
- name: certs
mountPath: /usr/local/share/ca-certificates/
{{- end }}
livenessProbe:
httpGet:
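
Review bot: the `certs` mount at `/usr/local/share/ca-certificates/` covers the whole directory, so any CA files already placed at that path in the image are hidden once `certificates.secretName` is set; document that behaviour, and add `readOnly: true` to make the intent explicit. As with the `volumes` block, the mount is repeated in both branches and its conditions must stay matched to the volume conditions, or the pod spec will reference a volume that was never declared.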
7 changes: 7 additions & 0 deletions helm/values.yaml
Expand Up @@ -93,3 +93,10 @@ persistence:
repo: extensions
# Size is ignored when using Artifactory.
size: 100Gi

# Create a secret with all additional certificate authorities, ex:
# kubectl create secret -n $namespace generic all-cas --from-file="certificate1.pem"=/path/to/certificate1.pem \
Member

Suggested change
# kubectl create secret -n $namespace generic all-cas --from-file="certificate1.pem"=/path/to/certificate1.pem \
# kubectl create secret -n $namespace generic all-cas \
# --from-file="certificate1.pem"=/path/to/certificate1.pem \

# --from-file="certificate2.pem"=path/to/certificate2.pem \
# --from-file="certificate3.pem"=path/to/certificate3.pem
certificates:
secretName: ""
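
Review bot: the comment above `certificates:` explains how to create the secret but not what `secretName` does. Add a line saying that the named secret is mounted at `/usr/local/share/ca-certificates/`, that `update-ca-certificates` is run when the container starts, and that the empty default leaves the feature off. The example paths also mix `/path/to/` and `path/to/`.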