add helm config option to mount ca certs to cost model container #3760
Conversation
* add helm config option to mount ca certs to cost model container * update it to be configmap * shift from config map tp secret * nit fix
|
@mittal-ishaan Nice work! Because we are not creating a k8s secret on behalf of the user, can you please document this PR description with what the k8s secret needs to look like for |
| @@ -615,6 +621,10 @@ spec: | |||
| mountPath: /var/configs/etl/federated | |||
| readOnly: true | |||
| {{- end }} | |||
| {{- if .Values.kubecostModel.caCertsSecret }} | |||
| - name: ca-certs-secret | |||
| mountPath: /etc/pki/ca-trust/source/anchors | |||
There was a problem hiding this comment.
This is a good start, but are we sure this should be hard-coded? This mountPath should probably be a helm config? I think that different OS's will look at different paths for its trust store. For example /etc/ssl/certs, or /etc/pki/tls/certs, or /usr/local/share/ca-certificates/?
There was a problem hiding this comment.
Based on the information from the Fedora documentation and the user's request, for now, we only need to mount the certificate to /etc/pki/ca-trust/source/anchors. While other scenarios might require different mount paths in the future, this setup works well for our current needs. We can include it in the Helm config as the default for now but it might remain unused. thoughts?
There was a problem hiding this comment.
Ok, let's leave it hard-coded for now due to user-specific request. Let's make a task to update it in the future?
* add helm config option to mount ca certs to cost model container * update it to be configmap * shift from config map tp secret * nit fix
|
/cherry-pick v2.5 |
|
Cherry-pick failed with |
|
CP #3770 |
What does this PR change?
Adds help config option to mount custom cacerts config map to
/etc/pki/ca-trust/source/anchorsinside the cost model container.reference
https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/#_adding_new_certificates
https://jfrog.com/help/r/artifactory-how-to-add-custom-ssl-certificates-to-an-artifactory-pod-using-helm-charts/general-steps-to-fix-the-ssl-certificate-error
The user will need to have a secret in the release namespace before using this configuration.
you might want to create a secret with a command like:
Does this PR rely on any other PRs?
No
How does this PR impact users? (This is the kind of thing that goes in release notes!)
Users will now be able to add their custom ca certs to the cost model container
Links to Issues or tickets this PR addresses or fixes
https://kubecost.atlassian.net/browse/SUP-6432?focusedCommentId=136102
What risks are associated with merging this PR? What is required to fully test this PR?
No
How was this PR tested?
Added a ca cert secret and configured the added helm values. ca cert secret was mounted inside the cost-model container.
Have you made an update to documentation? If so, please provide the corresponding PR.