feat(common): Add support for using custom CAs with Volsync (#40000)

**Description**

Allows connecting volsync to an S3 API that uses a self-signed  cert.

Thiis is useful if you are self-hosting an S3 server and you are
exposing it via a self-signed certificate.

In my case this was needed because I am using the LAN IP of the server
and my Let's encrypt cert does not have it as one of its SANs. To avoid
making a LAN IP part of the cert history, I am instead using a
self-signed cert with the IP set up as SAN.

⚒️ Fixes  # <!--(issue)-->

**⚙️ Type of change**

- [X] ⚙️ Feature/App addition
- [ ] 🪛 Bugfix
- [ ] ⚠️ Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] 🔃 Refactor of current code
- [X] 📜 Documentation Changes

**🧪 How Has This Been Tested?**
<!--
Please describe the tests that you ran to verify your changes. Provide
instructions so we can reproduce. Please also list any relevant details
for your test configuration
-->

I rendered the authentik chart with the new common changes and deployed
it manually to my cluster.

What I have tested:

- Output is identical to `master` when `customCA` is unset
- When `customCA` is set to a non-empty string:
- `ReplicationDestination` and `ReplicationSource` resources correctly
render the `customCA` section
- An opaque secret with a single field (`ca.crt`) and name
`<chart-full-name>-volsync-ca-<credentials-name>` is correctly rendered
- The chart installs correctly with `kubectl apply -f
rendered-chart.yml`
- The volsync backup job prints "Using custom CA" and then succeeds in
creating a volume backup of the `blueprints` volume on my self-hosted S3
server with a self-signed cert
 
  
**📃 Notes:**
<!-- Please enter any other relevant information here -->

**✔️ Checklist:**

- [X] ⚖️ My code follows the style guidelines of this project
- [X] 👀 I have performed a self-review of my own code
- [ ] #️⃣ I have commented my code, particularly in hard-to-understand
areas
- [X] 📄 I have made changes to the documentation
- [X] 🧪 I have added tests to this description that prove my fix is
effective or that my feature works
- [X] ⬆️ I increased versions for any altered app according to semantic
versioning
- [X] I made sure the title starts with `feat(chart-name):`,
`fix(chart-name):`, `chore(chart-name):`, `docs(chart-name):` or
`fix(docs):`

** App addition**

If this PR is an app addition please make sure you have done the
following.

- [ ] 🖼️ I have added an icon in the Chart's root directory called
`icon.png`

---

_Please don't blindly check all the boxes. Read them and only check
those that apply.
Those checkboxes are there for the reviewer to see what is this all
about and
the status of this PR with a quick glance._

---------

Signed-off-by: Alfred Göppel <43101280+alfi0812@users.noreply.github.com>
Co-authored-by: Alfred Göppel <43101280+alfi0812@users.noreply.github.com>
This commit is contained in:
astro-stan
2025-09-28 10:29:16 +01:00
committed by GitHub
parent 91e77e4ed9
commit fc31ef5436
9 changed files with 218 additions and 3 deletions
-1
View File
@@ -37,4 +37,3 @@ sources:
- https://github.com/trueforge-org/truecharts/tree/master/charts/library/common-test
type: application
version: 1.0.0
@@ -350,3 +350,78 @@ tests:
fsGroup: 568
runAsUser: 568
runAsGroup: 568
- it: should generate correct spec with customCA
set:
persistence:
destbackup:
enabled: true
type: pvc
mountPath: /backedup
volsync:
- name: mybackup1
type: restic
credentials: mys3
dest:
enabled: true
src:
enabled: false
credentials:
mys3:
type: s3
url: https://s3.some-url
bucket: some-bucket
encrKey: some-key
accessKey: some-access-key
secretKey: some-secret-key
customCA: |-
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
asserts:
- documentIndex: &secretCaDoc 1
isKind:
of: Secret
- documentIndex: *secretCaDoc
isAPIVersion:
of: v1
- documentIndex: *secretCaDoc
equal:
path: metadata.name
value: test-release-name-common-test-volsync-ca-mys3
- documentIndex: *secretCaDoc
equal:
path: stringData
value:
ca.crt: |-
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
- documentIndex: &replicationCaDestDoc 2
isKind:
of: ReplicationDestination
- documentIndex: *replicationCaDestDoc
isAPIVersion:
of: volsync.backube/v1alpha1
- documentIndex: *replicationCaDestDoc
equal:
path: spec
value:
trigger:
manual: restore-once
restic:
repository: test-release-name-common-test-destbackup-volsync-mybackup1
customCA:
secretName: test-release-name-common-test-volsync-ca-mys3
key: ca.crt
copyMethod: Snapshot
cleanupTempPVC: false
cleanupCachePVC: false
cacheCapacity: 10Gi
capacity: 100Gi
accessModes:
- ReadWriteOnce
moverSecurityContext:
fsGroup: 568
runAsUser: 568
runAsGroup: 568
@@ -339,3 +339,89 @@ tests:
matchRegex:
path: spec.restic.unlock
pattern: "^[0-9]{14}$"
- it: should generate correct spec with customCA
set:
persistence:
srcbackup:
enabled: true
type: pvc
mountPath: /backedup
volsync:
- name: mybackup1
type: restic
credentials: mys3
dest:
enabled: false
src:
enabled: true
credentials:
mys3:
type: s3
url: http://some-url
bucket: some-bucket
encrKey: some-key
accessKey: some-access-key
secretKey: some-secret-key
customCA: |-
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
asserts:
- documentIndex: &secretCaDoc 1
isKind:
of: Secret
- documentIndex: *secretCaDoc
isAPIVersion:
of: v1
- documentIndex: *secretCaDoc
equal:
path: metadata.name
value: test-release-name-common-test-volsync-ca-mys3
- documentIndex: *secretCaDoc
equal:
path: stringData
value:
ca.crt: |-
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
- documentIndex: &replicationCaDestDoc 2
isKind:
of: ReplicationSource
- documentIndex: *replicationCaDestDoc
isAPIVersion:
of: volsync.backube/v1alpha1
- documentIndex: *replicationCaDestDoc
isSubset:
path: spec
content:
sourcePVC: test-release-name-common-test-srcbackup
trigger:
schedule: "0 0 * * *"
- documentIndex: *replicationCaDestDoc
isSubset:
path: spec.restic
content:
repository: test-release-name-common-test-srcbackup-volsync-mybackup1
customCA:
secretName: test-release-name-common-test-volsync-ca-mys3
key: ca.crt
copyMethod: Snapshot
pruneIntervalDays: 7
retain:
hourly: 6
daily: 5
weekly: 4
monthly: 3
yearly: 1
accessModes:
- ReadWriteOnce
moverSecurityContext:
fsGroup: 568
runAsUser: 568
runAsGroup: 568
- documentIndex: *replicationCaDestDoc
matchRegex:
path: spec.restic.unlock
pattern: "^[0-9]{14}$"
+1 -2
View File
@@ -50,5 +50,4 @@ sources:
- https://hub.docker.com/_/
- https://hub.docker.com/r/mikefarah/yq
type: library
version: 28.20.1
version: 28.21.0
@@ -55,6 +55,11 @@ spec:
manual: restore-once
{{ $volsyncData.type }}:
repository: {{ $volsyncData.repository }}
{{- if $volsyncData.customCA }}
customCA:
secretName: {{ $volsyncData.customCA }}
key: ca.crt
{{- end }}
copyMethod: {{ $copyMethod }}
capacity: {{ $capacity }}
{{- if eq $copyMethod "Direct" }}
@@ -53,6 +53,11 @@ spec:
schedule: {{ $schedule }}
{{ $volsyncData.type }}:
repository: {{ $volsyncData.repository }}
{{- if $volsyncData.customCA }}
customCA:
secretName: {{ $volsyncData.customCA }}
key: ca.crt
{{- end }}
copyMethod: {{ $volsyncData.copyMethod | default "Snapshot" }}
pruneIntervalDays: {{ $volsyncData.src.pruneIntervalDays | default 7 }}
unlock: {{ now | date "20060102150405" | quote }}
@@ -128,6 +128,25 @@
) -}}
{{- include "tc.v1.common.class.secret" (dict "rootCtx" $ "objectData" $volsyncSecretData) -}}
{{/* Create Custom CA Secret for VolSync */}}
{{- if $credentials.customCA -}}
{{- $volsyncCASecretName := printf "%s-volsync-ca-%s" (include "tc.v1.common.lib.chart.names.fullname" $ ) $volsync.credentials -}}
{{- $_ := set $volsyncData "customCA" $volsyncCASecretName -}}
{{- $volsyncCASecretData := (dict
"name" $volsyncCASecretName
"labels" ($volsync.labels | default dict)
"annotations" ($volsync.annotations | default dict)
"data" (dict
"ca.crt" $credentials.customCA
)
) -}}
{{- include "tc.v1.common.class.secret" (dict "rootCtx" $ "objectData" $volsyncCASecretData) -}}
{{- end -}}
{{/* Create VolSync resources*/}}
{{- if $srcEnabled -}}
{{- include "tc.v1.common.class.replicationsource" (dict "rootCtx" $ "objectData" $objectData "volsyncData" $volsyncData) -}}
+3
View File
@@ -282,6 +282,9 @@ credentials:
# mys3:
# type: s3
# url: ""
# ## Provide a custom certificate authority in cases where the URL endpoint
# ## uses a self-signed certificate
# customCA: ""
# path: ""
# bucket: ""
# accessKey: ""
@@ -106,6 +106,30 @@ credentials:
---
#### `customCA`
Define a custom CA certificate to be used when connecting to the endpoint
defined by `url` over HTTPS.
| | |
| ---------- | ------------------------------------------------------------- |
| Key | `credentials.$name.customCA` |
| Type | `string` |
| Required | ❌ |
| Helm `tpl` | ❌ |
| Example | `-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----` |
```yaml
credentials:
credentials-name:
customCA: |-
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
```
---
#### `path`
Define the optional path-override of the credentials