Add Helm chart value to configure custom CA certificates (#173)

* Add Helm chart value to configure custom CA certificates
hashicorp · May 12, 2023 · 21d8779 · 21d8779
1 parent 3a2f9c0
commit 21d8779
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 0 deletions.
diff --git a/charts/terraform-cloud-operator/templates/ca_secret.yaml b/charts/terraform-cloud-operator/templates/ca_secret.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.customCAcertificates -}}
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-ca-certificates
+  namespace: {{ .Release.Namespace }}
+data:
+  ca-certificates: |-
+{{ .Files.Get .Values.customCAcertificates | indent 4 }}
+
+{{- end }}
diff --git a/charts/terraform-cloud-operator/templates/deployment.yaml b/charts/terraform-cloud-operator/templates/deployment.yaml
@@ -68,6 +68,12 @@ spec:
           - mountPath: /controller_manager_config.yaml
             name: manager-config
             subPath: controller_manager_config.yaml
+{{- if .Values.customCAcertificates }}
+          - name: ca-certificates
+            mountPath: /etc/ssl/certs/custom-ca-certificates.crt
+            subPath: ca-certificates
+            readOnly: true
+{{- end }}
         - name: kube-rbac-proxy
           image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1
           imagePullPolicy: IfNotPresent
@@ -97,3 +103,8 @@ spec:
       - configMap:
           name: {{ .Release.Name }}-manager-config
         name: manager-config
+{{- if .Values.customCAcertificates }}
+      - configMap:
+          name: {{ .Release.Name }}-ca-certificates
+        name: ca-certificates
+{{- end }}
diff --git a/charts/terraform-cloud-operator/values.yaml b/charts/terraform-cloud-operator/values.yaml
@@ -39,3 +39,7 @@ controllers:
   workspace:
     # The number of the Workspace controller workers.
     workers: 1
+
+# Custom Certificate Authority bundle to validate API TLS certificates
+# Expects a path to a CRT file containing concatenated certificates
+customCAcertificates: ""
diff --git a/docs/installation.md b/docs/installation.md
@@ -49,6 +49,13 @@ If targeting a TFE instance rather than Terraform Cloud, set the API URL using t
   --set operator.tfeAddress="https://tfe-api.my-company.com"
 ```
 
+If the TFE instance uses a TLS certificate signed by a non-public authority or "Let's Encrypt", the chain of CAs that can validate 
+that TLS certificate should be installed with the operator by setting the `customCAcertificates` chart value:
+
+```
+  --set customCAcertificates=<path-to-CA-chain-file.crt>
+``` 
+
 ### Upgrade with options
 
 ```console