Support custom CA bundle for IAM

When a custom secret is provided and configured in caBundleSecretName, IAM components will be able to make HTTP requests that trust the given bundle for self-signed infrastructure. Signed-off-by: Alex Ellis (OpenFaaS Ltd) <[email protected]>
openfaas · Jan 25, 2024 · 75bf989 · 75bf989
1 parent f7ad2f2
commit 75bf989
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 0 deletions.
diff --git a/chart/openfaas/templates/dashboard-dep.yaml b/chart/openfaas/templates/dashboard-dep.yaml
@@ -40,6 +40,12 @@ spec:
       {{- end }}
       {{- end }}
 
+      {{- if .Values.caBundleSecretName }}
+      - name: ca-bundle
+        secret:
+          secretName: {{ .Values.caBundleSecretName }}
+      {{- end }}
+
       - name: license
         secret:
           secretName: openfaas-license
@@ -129,6 +135,12 @@ spec:
           mountPath: "/var/secrets/dashboard-jwt"
         {{- end }}
 
+        {{- if .Values.caBundleSecretName }}
+        - name: ca-bundle
+          readOnly: true
+          mountPath: "/var/secrets/ca-bundle"
+        {{- end }}
+
     {{- with .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}

diff --git a/chart/openfaas/templates/oidc-plugin-dep.yaml b/chart/openfaas/templates/oidc-plugin-dep.yaml
@@ -31,6 +31,11 @@ spec:
       - name: issuer-key
         secret:
           secretName: issuer-key
+      {{- if .Values.caBundleSecretName }}
+      - name: ca-bundle
+        secret:
+          secretName: {{ .Values.caBundleSecretName }}
+      {{- end }}
       {{- if .Values.basic_auth }}
       - name: auth
         secret:
@@ -114,6 +119,13 @@ spec:
         - name: license
           readOnly: true
           mountPath: "/var/secrets/license"
+
+        {{- if .Values.caBundleSecretName }}
+        - name: ca-bundle
+          readOnly: true
+          mountPath: "/var/secrets/ca-bundle"
+        {{- end }}
+
         ports:
         - name: http
           containerPort: 8080

diff --git a/chart/openfaas/values.yaml b/chart/openfaas/values.yaml
@@ -30,6 +30,13 @@ psp: false
 # image pull policy for openfaas components, can change to `IfNotPresent` for an air-gapped environment
 openfaasImagePullPolicy: "IfNotPresent"
 
+# Optionally, give the name of a secret containing a CA bundle to be added to the 
+# OIDC plugin and OpenFaaS Dashboard components when a self-signed certificate is used
+#
+# kubectl create secret generic -n openfaas ca-bundle --from-file=ca.crt=./ca.crt
+#
+caBundleSecretName: ""       # Name of the secret containing the CA bundle for the OpenFaaS gateway
+
 functions:
   imagePullPolicy: "Always"    # Image pull policy for deployed functions, for OpenFaaS Pro you can also set: IfNotPresent and Never.
   httpProbe: true              # Setting to true will use HTTP for readiness and liveness probe on function pods