Allow referencing multiple secrets in additionalCertificates #852

Merged
88 changes: 59 additions & 29 deletions docs/docs/userguide/CONFIGURATION.md
Expand Up @@ -523,40 +523,70 @@ readinessProbe:

## :material-certificate: Self Signed Certificates

To add self signed certificates to the default Java truststore, follow the below steps.
There are 2 ways to add self-signed certificates to Java truststore: from a single secret or multiple secrets.

* Create a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/){.external} containing base64-encoded certificate(s). Here's an example [kubectl command](https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/#use-source-files){.external} to create a secret from 2 local files:

```shell
kubectl create secret generic dev-certificates \
--from-file=stg.crt=./stg.crt \
--from-file=dev.crt=./dev.crt -n $namespace
```

The resulting secret will have the following data:

```yaml
data:
stg.crt: base64encodedstgcrt
dev.crt: base64encodeddevcrt
```

!!!info "You can have as many keys (certificates) in the secret as required. All keys will be mounted as files to `/tmp/crt` in the container and imported into Java truststore. In the example above, certificates will be mounted as `/tmp/crt/stg.crt` and `/tmp/crt/dev.crt`. File extension in the secret keys does not matter as long as the file is a valid certificate."

* Provide the secret name in Helm values:
=== "From a single secret"
* Create a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/){.external} containing base64-encoded certificate(s). Here's an example [kubectl command](https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/#use-source-files){.external} to create a secret from 2 local files:

```shell
kubectl create secret generic dev-certificates \
--from-file=stg.crt=./stg.crt \
--from-file=dev.crt=./dev.crt -n $namespace
```

The resulting secret will have the following data:

```yaml
data:
stg.crt: base64encodedstgcrt
dev.crt: base64encodeddevcrt
```

!!!info "You can have as many keys (certificates) in the secret as required. All keys will be mounted as files to `/tmp/crt` in the container and imported into Java truststore. In the example above, certificates will be mounted as `/tmp/crt/stg.crt` and `/tmp/crt/dev.crt`. File extension in the secret keys does not matter as long as the file is a valid certificate."

* Provide the secret name in Helm values (unlike the case with multiple secrets you don't need to provide secret keys):

```yaml
jira:
additionalCertificates:
secretName: dev-certificates
```
=== "From multiple secrets"
* Create 2 [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/){.external} containing base64-encoded certificate(s). Here's an example [kubectl command](https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/#use-source-files){.external} to create 2 secrets from local files (the first one with 2 certificates/keys and the second one with just one):

```shell
kubectl create secret generic dev-certificates \
--from-file=stg.crt=./stg.crt \
--from-file=dev.crt=./dev.crt -n $namespace

```yaml
jira:
additionalCertificates:
secretName: dev-certificates
```
kubectl create secret generic root-ca \
--from-file=ca.crt=./ca.crt -n $namespace
```
!!!info "You can have as many keys (certificates) in the secrets, however, you will need to list the keys you'd like to get mounted. All keys will be mounted as files to `/tmp/crt` in the container and imported into Java truststore."

* Provide the list of secrets and their keys in Helm values:

```yaml
jira:
additionalCertificates:
secretList:
- name: dev-certificates
keys:
- stg.crt
- dev.crt
- name: root-ca
keys:
- ca.crt
```
To allow having identical keys in different secrets, filenames will have the following format: `<secret-name>-<key>`, so
files will get mounted as `/tmp/crt/dev-certificates-stg.crt`, `/tmp/crt/dev-certificates-dev.crt` and `/tmp/crt/root-ca-ca.crt`
and imported to Java truststore with the same aliases.

The product Helm chart will add additional `volumeMounts` and `volumes` to the pod(s), as well as an extra init container that will:

* copy the default Java cacerts to a runtime volume shared between the init container and the main container at `/var/ssl`
* run [keytool -import](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html){.external} to import all certificates in `/tmp/crt` mounted from `dev-certificates` secret to `/var/ssl/cacerts`

`-Djavax.net.ssl.trustStore=/var/ssl/cacerts` system property will be automatically added to `JVM_SUPPORT_RECOMMENDED_ARGS` environment variable.
* run [keytool -import](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html){.external} to import all certificates in `/tmp/crt` mounted from secret(s) to `/var/ssl/cacerts`
* `-Djavax.net.ssl.trustStore=/var/ssl/cacerts` system property will be automatically added to `JVM_SUPPORT_RECOMMENDED_ARGS` environment variable.

If necessary, it is possible to override the default `keytool -import` command:

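Review bot: the info admonition in the "From multiple secrets" tab contradicts itself: it first says you must list the keys you want mounted, then says "All keys will be mounted as files to `/tmp/crt`". Suggest "Only the listed keys will be mounted as files to `/tmp/crt` in the container and imported into the Java truststore." This section should also state what the README rows already do, that `secretName` takes precedence and `secretList` is ignored when both are set, since a user following the "From multiple secrets" tab with a leftover `secretName` would otherwise get the wrong certificates with no error.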
Expand All @@ -583,4 +613,4 @@ Helm values are mounted to be included to the [support.zip](https://confluence.a

Analytics json is a subset of `values.yaml` and contains selected Helm values that are sent as an analytics event and written to analytics logs, if analytics is enabled in the product. Analytics values are purely informational and contain information on how Helm charts are used.

You can find the complete list of analytics values in `_helpers.tpl`, `<product>.analyticsJson`.
You can find the complete list of analytics values in `_helpers.tpl`, `<product>.analyticsJson`.
4 changes: 3 additions & 1 deletion src/main/charts/bamboo/README.md
Expand Up @@ -34,7 +34,9 @@ Kubernetes: `>=1.21.x-0`
| bamboo.accessLog.localHomeSubPath | string | `"log"` | The subdirectory within the local-home volume where access logs should be stored. |
| bamboo.accessLog.mountPath | string | `"/opt/atlassian/bamboo/logs"` | The path within the Bamboo container where the local-home volume should be mounted in order to capture access logs. |
| bamboo.additionalBundledPlugins | list | `[]` | Specifies a list of additional Bamboo plugins that should be added to the Bamboo container. Note plugins installed via this method will appear as bundled plugins rather than user plugins. These should be specified in the same manner as the 'additionalLibraries' property. Additional details: https://atlassian.github.io/data-center-helm-charts/examples/external_libraries/EXTERNAL_LIBS/ NOTE: only .jar files can be loaded using this approach. OBR's can be extracted (unzipped) to access the associated .jar An alternative to this method is to install the plugins via "Manage Apps" in the product system administration UI. |
| bamboo.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates |
| bamboo.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretList":null,"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates |
| bamboo.additionalCertificates.secretList | string | `nil` | A list of secrets with their respective keys holding certificates to be added to the Java truststore. It is mandatory to specify which keys from secret data need to be mounted as files to the init container. |
| bamboo.additionalCertificates.secretName | string | `nil` | Name of the Kubernetes secret with certificates in its data. All secret keys in the secret data will be treated as certificates to be added to Java truststore. If defined, this takes precedence over secretList. |
| bamboo.additionalEnvironmentVariables | list | `[]` | Defines any additional environment variables to be passed to the Bamboo container. See https://hub.docker.com/r/atlassian/bamboo for supported variables. |
| bamboo.additionalJvmArgs | list | `[]` | Specifies a list of additional arguments that can be passed to the Bamboo JVM, e.g. system properties. |
| bamboo.additionalLibraries | list | `[]` | Specifies a list of additional Java libraries that should be added to the Bamboo container. Each item in the list should specify the name of the volume that contains the library, as well as the name of the library file within that volume's root directory. Optionally, a subDirectory field can be included to specify which directory in the volume contains the library file. Additional details: https://atlassian.github.io/data-center-helm-charts/examples/external_libraries/EXTERNAL_LIBS/ |
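Review bot: the `bamboo.additionalCertificates.secretList` row documents the type as `string` with default `nil`, but the value is a list of `{name, keys}` objects (it is iterated with `range` in `_helpers.tpl`), and the `secretList` entry in the object default on the line above shows `null` for the same reason. The README generator derives the type from the default value, so once `secretList: []` is set in `values.yaml` (as agreed in the review thread) and the README is regenerated, this row will read `list` / `[]` like `additionalEnvironmentVariables` and the other list-typed values.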
10 changes: 9 additions & 1 deletion src/main/charts/bamboo/templates/_helpers.tpl
Expand Up @@ -285,12 +285,20 @@ For each additional plugin declared, generate a volume mount that injects that l
{{- with .Values.volumes.additional }}
{{- toYaml . | nindent 0 }}
{{- end }}
{{- if .Values.bamboo.additionalCertificates.secretName }}
{{- if or .Values.bamboo.additionalCertificates.secretName .Values.bamboo.additionalCertificates.secretList }}
- name: keystore
emptyDir: {}
{{- if .Values.bamboo.additionalCertificates.secretName }}
- name: certs
secret:
secretName: {{ .Values.bamboo.additionalCertificates.secretName }}
{{- else }}
{{- range .Values.bamboo.additionalCertificates.secretList }}
- name: {{ .name }}
secret:
secretName: {{ .name }}
{{- end }}
{{- end }}
{{- end }}
{{- if or .Values.atlassianAnalyticsAndSupport.analytics.enabled .Values.atlassianAnalyticsAndSupport.helmValues.enabled }}
- name: helm-values
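Review bot: inside the `range` over `secretList` the volume is named `{{ .name }}`, i.e. the raw secret name. Pod volume names must be unique within the pod and valid DNS-1123 labels (63 characters max, no dots), whereas Secret names are DNS subdomains, so a secret called e.g. `certs.internal` (constructed example) renders an invalid volume name, and a secret called `keystore` or `helm-values` collides with the volumes this template already declares; the API server rejects the StatefulSet in both cases. Suggest a prefixed name such as `- name: cert-{{ .name }}` (with the matching change in the init container's `volumeMounts`), optionally passed through `replace "." "-" | trunc 63`.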
13 changes: 12 additions & 1 deletion src/main/charts/bamboo/templates/statefulset.yaml
Expand Up @@ -74,15 +74,26 @@ spec:
command: ["sh", "-c", {{ include "bamboo.sharedHome.permissionFix.command" . | quote }}]
{{- end }}
{{- include "common.jmx.initContainer" . | nindent 8 }}
{{- if .Values.bamboo.additionalCertificates.secretName }}
{{- if or .Values.bamboo.additionalCertificates.secretName .Values.bamboo.additionalCertificates.secretList }}
- name: import-certs
image: {{ include "bamboo.image" . | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- name: keystore
mountPath: /var/ssl
{{- if.Values.bamboo.additionalCertificates.secretName }}
- name: certs
mountPath: /tmp/crt
{{- else }}
{{- range .Values.bamboo.additionalCertificates.secretList }}
{{- $secretName := .name }}
{{- range .keys }}
- name: {{ $secretName }}
mountPath: /tmp/crt/{{$secretName}}-{{ . }}
subPath: {{ . }}
{{- end }}
{{- end }}
{{- end }}
command: ["/bin/bash"]
args: ["-c", {{ include "bamboo.addCrtToKeystoreCmd" . }}]
resources:
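Review bot: the inner `range .keys` silently produces no mounts when a list entry omits `keys`, although the docs and `values.yaml` call it mandatory: the secret volume is still declared, nothing lands in `/tmp/crt`, `keytool` imports nothing and the pod comes up with the default truststore. Suggest `{{- range required "additionalCertificates.secretList[].keys must be set" .keys }}` (or an explicit `fail`) so the mistake surfaces as a render error at install time. Minor: `{{- if.Values.bamboo.additionalCertificates.secretName }}` is missing the space after `if` (even if the template engine accepts it, it differs from every other line in this file), and `{{$secretName}}` in `mountPath` should be spaced as `{{ $secretName }}` like the rest.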
14 changes: 14 additions & 0 deletions src/main/charts/bamboo/values.yaml
Expand Up @@ -971,7 +971,21 @@ bamboo:
# -- Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates
#
additionalCertificates:
# -- Name of the Kubernetes secret with certificates in its data. All secret keys in the secret data
# will be treated as certificates to be added to Java truststore. If defined, this takes precedence over secretList.
#
secretName:
# -- A list of secrets with their respective keys holding certificates to be added to the Java truststore.
# It is mandatory to specify which keys from secret data need to be mounted as files to the init container.
#
secretList:
Collaborator:

Suggested change
secretList:
secretList: []

Probably need to add [] if commented out the value, otherwise the list will be treated as a String.

Collaborator Author:

oh, right. It was like that but removed when testing :) Fixed

#- name: self-signed-ca
# keys:
# - ca.crt
# - intermediate.crt
#- name: stg-intermediate
# keys:
# - stg.crt
customCmd:
initContainer:
resources: {}
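Review bot: the `secretList` comment says which keys must be listed but not what happens to them: a user reading only `values.yaml` cannot predict that `ca.crt` from `self-signed-ca` is mounted as `/tmp/crt/self-signed-ca-ca.crt` and imported under the alias `self-signed-ca-ca.crt`, which is what they need when verifying the truststore with `keytool -list`. Suggest adding one line to the comment: "Files are mounted as `/tmp/crt/<secret-name>-<key>` and imported into the truststore under the alias `<secret-name>-<key>`."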
8 changes: 6 additions & 2 deletions src/main/charts/bitbucket/README.md
Expand Up @@ -34,7 +34,9 @@ Kubernetes: `>=1.21.x-0`
| atlassianAnalyticsAndSupport.analytics.enabled | bool | `true` | Mount ConfigMap with selected Helm chart values as a JSON which DC products will read and send analytics events to Atlassian data pipelines |
| atlassianAnalyticsAndSupport.helmValues.enabled | bool | `true` | Mount ConfigMap with selected Helm chart values as a YAML file which can be optionally including to support.zip |
| bitbucket.additionalBundledPlugins | list | `[]` | Specifies a list of additional Bitbucket plugins that should be added to the Bitbucket container. Note plugins installed via this method will appear as bundled plugins rather than user plugins. These should be specified in the same manner as the 'additionalLibraries' property. Additional details: https://atlassian.github.io/data-center-helm-charts/examples/external_libraries/EXTERNAL_LIBS/ NOTE: only .jar files can be loaded using this approach. OBR's can be extracted (unzipped) to access the associated .jar An alternative to this method is to install the plugins via "Manage Apps" in the product system administration UI. |
| bitbucket.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates |
| bitbucket.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretList":null,"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates |
| bitbucket.additionalCertificates.secretList | string | `nil` | A list of secrets with their respective keys holding certificates to be added to the Java truststore. It is mandatory to specify which keys from secret data need to be mounted as files to the init container. |
| bitbucket.additionalCertificates.secretName | string | `nil` | Name of the Kubernetes secret with certificates in its data. All secret keys in the secret data will be treated as certificates to be added to Java truststore. If defined, this takes precedence over secretList. |
| bitbucket.additionalEnvironmentVariables | list | `[]` | Defines any additional environment variables to be passed to the Bitbucket container. See https://hub.docker.com/r/atlassian/bitbucket for supported variables. |
| bitbucket.additionalJvmArgs | list | `[]` | Specifies a list of additional arguments that can be passed to the Bitbucket JVM, e.g. system properties. |
| bitbucket.additionalLibraries | list | `[]` | Specifies a list of additional Java libraries that should be added to the Bitbucket container. Each item in the list should specify the name of the volume that contains the library, as well as the name of the library file within that volume's root directory. Optionally, a subDirectory field can be included to specify which directory in the volume contains the library file. Additional details: https://atlassian.github.io/data-center-helm-charts/examples/external_libraries/EXTERNAL_LIBS/ |
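Review bot: `bitbucket.additionalCertificates.secretList` is documented as type `string` with default `nil`, but it is a list of `{name, keys}` objects (iterated with `range` in `_helpers.tpl`); the `bitbucket.mesh.additionalCertificates.secretList` row further down in this file has the same problem. Both rows will come out as `list` / `[]` once `secretList: []` is set in the chart's `values.yaml` and the README is regenerated.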
Expand Down Expand Up @@ -64,7 +66,9 @@ Kubernetes: `>=1.21.x-0`
| bitbucket.livenessProbe.initialDelaySeconds | int | `60` | Time to wait before starting the first probe |
| bitbucket.livenessProbe.periodSeconds | int | `5` | How often (in seconds) the Bitbucket container liveness probe will run |
| bitbucket.livenessProbe.timeoutSeconds | int | `1` | Number of seconds after which the probe times out |
| bitbucket.mesh.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates |
| bitbucket.mesh.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretList":null,"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates |
| bitbucket.mesh.additionalCertificates.secretList | string | `nil` | A list of secrets with their respective keys holding certificates to be added to the Java truststore. It is mandatory to specify which keys from secret data need to be mounted as files to the init container. |
| bitbucket.mesh.additionalCertificates.secretName | string | `nil` | Name of the Kubernetes secret with certificates in its data. All secret keys in the secret data will be treated as certificates to be added to Java truststore. If defined, this takes precedence over secretList. |
| bitbucket.mesh.additionalEnvironmentVariables | object | `{}` | Defines any additional environment variables to be passed to the Bitbucket mesh containers. |
| bitbucket.mesh.additionalFiles | string | `nil` | Additional existing ConfigMaps and Secrets not managed by Helm that should be mounted into service container |
| bitbucket.mesh.additionalInitContainers | object | `{}` | Additional initContainer definitions that will be added to all Bitbucket pods |
10 changes: 9 additions & 1 deletion src/main/charts/bitbucket/templates/_helpers.tpl
Expand Up @@ -315,12 +315,20 @@ Define additional hosts here to allow template overrides when used as a sub char
{{- with .Values.volumes.additional }}
{{- toYaml . | nindent 0 }}
{{- end }}
{{- if .Values.bitbucket.additionalCertificates.secretName }}
{{- if or .Values.bitbucket.additionalCertificates.secretName .Values.bitbucket.additionalCertificates.secretList }}
- name: keystore
emptyDir: {}
{{- if .Values.bitbucket.additionalCertificates.secretName }}
- name: certs
secret:
secretName: {{ .Values.bitbucket.additionalCertificates.secretName }}
{{- else }}
{{- range .Values.bitbucket.additionalCertificates.secretList }}
- name: {{ .name }}
secret:
secretName: {{ .name }}
{{- end }}
{{- end }}
{{- end }}
{{- if or .Values.atlassianAnalyticsAndSupport.analytics.enabled .Values.atlassianAnalyticsAndSupport.helmValues.enabled }}
- name: helm-values
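Review bot: `- name: {{ .name }}` uses the Secret name as the pod volume name, but volume names must be DNS-1123 labels (no dots, 63 characters max) and unique in the pod, while Secret names may contain dots and could equal `keystore` or `helm-values`, which this template already declares; either case makes the API server reject the StatefulSet. Suggest `- name: cert-{{ .name }}` here, in the corresponding `volumeMounts` of the `import-certs` init container, and in the identical `range` in `statefulset-mesh.yaml`.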
23 changes: 21 additions & 2 deletions src/main/charts/bitbucket/templates/statefulset-mesh.yaml
Expand Up @@ -63,15 +63,26 @@ spec:
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.bitbucket.mesh.additionalCertificates.secretName }}
{{- if or .Values.bitbucket.mesh.additionalCertificates.secretName .Values.bitbucket.mesh.additionalCertificates.secretList }}
- name: import-certs
image: {{ .Values.bitbucket.mesh.image.repository }}:{{ .Values.bitbucket.mesh.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- name: keystore
mountPath: /var/ssl
{{- if.Values.bitbucket.mesh.additionalCertificates.secretName }}
- name: certs
mountPath: /tmp/crt
{{- else }}
{{- range .Values.bitbucket.mesh.additionalCertificates.secretList }}
{{- $secretName := .name }}
{{- range .keys }}
- name: {{ $secretName }}
mountPath: /tmp/crt/{{$secretName}}-{{ . }}
subPath: {{ . }}
{{- end }}
{{- end }}
{{- end }}
command: ["/bin/bash"]
args: ["-c", {{ include "bitbucketMesh.addCrtToKeystoreCmd" . }}]
resources:
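Review bot: when a `secretList` entry has no `keys`, `range .keys` emits nothing and the `import-certs` init container runs with an empty `/tmp/crt`, so the mesh node silently starts with the stock truststore; wrap it as `{{- range required "bitbucket.mesh.additionalCertificates.secretList[].keys must be set" .keys }}` so the omission fails at render time. Also `{{- if.Values.bitbucket.mesh.additionalCertificates.secretName }}` lacks the space after `if` and `{{$secretName}}` should be `{{ $secretName }}`, matching the spacing used elsewhere in the file.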
Expand Down Expand Up @@ -183,12 +194,20 @@ spec:
- key: {{ .key }}
path: {{ .key }}
{{ end }}
{{- if .Values.bitbucket.mesh.additionalCertificates.secretName }}
{{- if or .Values.bitbucket.mesh.additionalCertificates.secretName .Values.bitbucket.mesh.additionalCertificates.secretList }}
- name: keystore
emptyDir: {}
{{- if .Values.bitbucket.mesh.additionalCertificates.secretName }}
- name: certs
secret:
secretName: {{ .Values.bitbucket.mesh.additionalCertificates.secretName }}
{{- else }}
{{- range .Values.bitbucket.mesh.additionalCertificates.secretList }}
- name: {{ .name }}
secret:
secretName: {{ .name }}
{{- end }}
{{- end }}
{{- end }}
{{ include "common.jmx.config.volume" . | nindent 8 }}
{{ include "bitbucket.mesh.volumeClaimTemplates" . | nindent 2 }}