chore: add external ca certificate

charts/anynines-klutch/ci/basic-values.yaml

@@ -11,7 +11,7 @@ backupManager:
 
 oidc:
   ingress:
-    host: dex.a9s.cwrau.wtf
+    host: oidc.a9s.cwrau.wtf
 
 ingress:
   host: klutch.a9s.cwrau.wtf

charts/anynines-klutch/templates/anynines-kube-bind/deployment.yaml

@@ -19,6 +19,7 @@ spec:
     spec:
       serviceAccountName: {{ include "common.names.fullname" . }}
       automountServiceAccountToken: true
+      enableServiceLinks: false
       containers:
         - name: anynines-backend
           image: {{ include "common.images.image" (dict "imageRoot" .Values.global.kubebind.image "global" .Values.global) }}
@@ -33,7 +34,9 @@ spec:
             - --listen-address=0.0.0.0:9443
             - --cookie-signing-key=$(COOKIE-SIGNING-KEY)
             - --cookie-encryption-key=$(COOKIE-ENCRYPTION-KEY)
+            # TODO: a9s will look into just talking to klutch instead of the k8s API
             - --external-address={{ .Values.kubernetes.externalAddress }}
+            - --external-ca-file=/cert/ca.crt
           ports:
             - containerPort: 9443
               name: https
@@ -46,7 +49,7 @@ spec:
                   name: {{ printf "%s-oidc" (include "common.names.fullname" .) }}
                   key: kube-bind-client-secret
             - name: OIDC-ISSUER-URL
-              value: {{ printf "https://%s" .Values.oidc.ingress.host }}
+              value: {{ printf "https://%s/realms/%s" .Values.oidc.ingress.host (include "anynines-klutch.oidc.realm" (dict)) }}
             - name: OIDC-CALLBACK-URL
               value: {{ printf "https://%s/callback" .Values.ingress.host }}
             - name: COOKIE-SIGNING-KEY
@@ -66,3 +69,10 @@ spec:
             requests:
               cpu: "100m"
               memory: 256Mi
+          volumeMounts:
+            - mountPath: /cert
+              name: certificate
+      volumes:
+        - name: certificate
+          secret:
+            secretName: {{ printf "%s-kubernetes-ca-certificate" (include "common.names.fullname" .) }}

charts/anynines-klutch/templates/anynines-kube-bind/secret-kubernetes-ca.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-kubernetes-ca-certificate" (include "common.names.fullname" .) }}
+  namespace: {{ .Release.Namespace }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+type: Generic
+stringData:
+  ca.crt: {{ .Values.kubernetes.caCertificate | quote }}

charts/anynines-klutch/templates/oidc/_helpers.tpl

@@ -0,0 +1,3 @@
+{{- define "anynines-klutch.oidc.realm" -}}
+a9s
+{{- end -}}

charts/anynines-klutch/templates/oidc/keycloak.yaml

@@ -69,7 +69,7 @@ spec:
         a9s.yaml: |
           enabled: true
           registrationAllowed: false
-          realm: a9s
+          realm: {{ include "anynines-klutch.oidc.realm" (dict) }}
           displayName: a9s platform
           clients:
             - clientId: kube-bind

charts/anynines-klutch/values.schema.json

@@ -105,6 +105,9 @@
       "properties": {
         "externalAddress": {
           "type": "string"
+        },
+        "caCertificate": {
+          "type": "string"
         }
       },
       "required": [