From dcdcd547450ce51f74df96143e9955fc4236888c Mon Sep 17 00:00:00 2001
From: Mike Ludwig <mludwig@mitre.org>
Date: Thu, 22 Oct 2020 10:25:57 -0400
Subject: [PATCH 1/1] support custom CA bundle for the api-server
 Arvados-DCO-1.1-Signed-off-by: Michael Ludwig
 <michael.david.ludwig@gmail.com>

---
 .../arvados/templates/api-server-deployment.yaml | 10 ++++++++++
 .../templates/custom-ca-bundle-configmap.yaml    | 16 ++++++++++++++++
 charts/arvados/values.yaml                       |  5 +++++
 3 files changed, 31 insertions(+)
 create mode 100644 charts/arvados/templates/custom-ca-bundle-configmap.yaml

diff --git a/charts/arvados/templates/api-server-deployment.yaml b/charts/arvados/templates/api-server-deployment.yaml
index 7b5bb5c..4f90fca 100644
--- a/charts/arvados/templates/api-server-deployment.yaml
+++ b/charts/arvados/templates/api-server-deployment.yaml
@@ -49,6 +49,11 @@ spec:
             - name: api-server-configmap
               mountPath: /etc/nginx/sites-enabled/api-server.conf
               subPath: nginx.conf
+            {{- if .Values.customCABundle }}
+            - name: custom-ca-bundle-volume
+              mountPath: /etc/ssl/certs/ca-certificates.crt
+              subPath: custom-ca-bundle.pem
+            {{- end }}
         - name: arvados-controller
           image: "cure/arvados-runtime"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -86,3 +91,8 @@ spec:
         - name: nginx-configmap
           configMap:
             name: arvados-api-server-https-configmap
+        {{- if .Values.customCABundle }}
+        - name: custom-ca-bundle-volume
+          configMap:
+            name: custom-ca-bundle-configmap
+        {{- end }}
diff --git a/charts/arvados/templates/custom-ca-bundle-configmap.yaml b/charts/arvados/templates/custom-ca-bundle-configmap.yaml
new file mode 100644
index 0000000..580b4d9
--- /dev/null
+++ b/charts/arvados/templates/custom-ca-bundle-configmap.yaml
@@ -0,0 +1,16 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: custom-ca-bundle-configmap
+  labels:
+    app: {{ template "arvados.name" . }}
+    chart: {{ template "arvados.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+data:
+  custom-ca-bundle.pem: |
+{{ .Values.customCABundle | indent 4 }}
diff --git a/charts/arvados/values.yaml b/charts/arvados/values.yaml
index 724cfd8..e17804c 100644
--- a/charts/arvados/values.yaml
+++ b/charts/arvados/values.yaml
@@ -58,3 +58,8 @@ arvados:
       arvados: 2.0.2
       arvadosCLI: 2.0.2
       arvadosLoginSync: 2.0.2
+
+# A custom bundle of CA certificates to use.
+# Useful for corporate networks with TLS proxies.
+# Set it by using the --set-file Helm argument.
+customCABundle: ""
-- 
2.30.2