chore: add certificate to kaniko

Signed-off-by: ThibaultFy <thibault.fouqueray@gmail.com>
Substra · Apr 4, 2024 · 867e860 · 867e860
1 parent f6798d4
commit 867e860
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 4 deletions.
diff --git a/backend/backend/settings/common.py b/backend/backend/settings/common.py
@@ -198,6 +198,9 @@
     "KANIKO_IMAGE": os.environ.get("KANIKO_IMAGE"),
     "KANIKO_DOCKER_CONFIG_SECRET_NAME": os.environ.get("KANIKO_DOCKER_CONFIG_SECRET_NAME"),
     "COMPUTE_POD_STARTUP_TIMEOUT_SECONDS": int(os.environ.get("COMPUTE_POD_STARTUP_TIMEOUT_SECONDS", 300)),
+    "PRIVATE_CA_ENABLED": to_bool(os.environ.get("PRIVATE_CA_ENABLED")),
+    "PRIVATE_CA_CONFIGMAP_NAME": os.environ.get("PRIVATE_CA_CONFIGMAP_NAME"),
+    "PRIVATE_CA_FILENAME": os.environ.get("PRIVATE_CA_FILENAME"),
 }
 
 WORKER_PVC_IS_HOSTPATH = to_bool(os.environ.get("WORKER_PVC_IS_HOSTPATH"))

diff --git a/backend/builder/image_builder/image_builder.py b/backend/builder/image_builder/image_builder.py
@@ -36,6 +36,9 @@
 KANIKO_IMAGE = settings.TASK["KANIKO_IMAGE"]
 KANIKO_DOCKER_CONFIG_SECRET_NAME = settings.TASK["KANIKO_DOCKER_CONFIG_SECRET_NAME"]
 KANIKO_DOCKER_CONFIG_VOLUME_NAME = "docker-config"
+PRIVATE_CA_ENABLED = settings.TASK["PRIVATE_CA_ENABLED"]
+PRIVATE_CA_CONFIGMAP_NAME = settings.TASK["PRIVATE_CA_CONFIGMAP_NAME"]
+PRIVATE_CA_FILENAME = settings.TASK["PRIVATE_CA_FILENAME"]
 SUBTUPLE_TMP_DIR = settings.SUBTUPLE_TMP_DIR
 IMAGE_BUILD_TIMEOUT = settings.IMAGE_BUILD_TIMEOUT
 KANIKO_CONTAINER_NAME = "kaniko"
@@ -236,6 +239,16 @@ def _build_pod_spec(dockerfile_mount_path: str, image_tag: str) -> kubernetes.cl
         )
         volumes.append(docker_config)
 
+    if PRIVATE_CA_ENABLED:
+        private_ca_volume = kubernetes.client.V1Volume(
+            name=PRIVATE_CA_CONFIGMAP_NAME,
+            config_map=kubernetes.client.V1ConfigMapVolumeSource(
+                name=PRIVATE_CA_CONFIGMAP_NAME,
+                items=[kubernetes.client.V1KeyToPath(key=PRIVATE_CA_FILENAME, path="ca-certificates.crt")],
+            ),
+        )
+        volumes.append(private_ca_volume)
+
     return kubernetes.client.V1PodSpec(
         restart_policy="Never", affinity=pod_affinity, containers=[container], volumes=volumes
     )
@@ -284,10 +297,14 @@ def _build_container(dockerfile_mount_path: str, image_tag: str) -> kubernetes.c
         )
         volume_mounts.append(docker_config)
 
+    if PRIVATE_CA_ENABLED:
+        docker_config = kubernetes.client.V1VolumeMount(name=PRIVATE_CA_CONFIGMAP_NAME, mount_path="/kaniko/ssl/certs")
+        volume_mounts.append(docker_config)
+
     return kubernetes.client.V1Container(
         name=KANIKO_CONTAINER_NAME,
-        image=KANIKO_IMAGE,
-        command=None,
+        image="busybox",
+        command="sleep 100000",
         args=args,
         volume_mounts=volume_mounts,
         security_context=container_security_context,

diff --git a/charts/substra-backend/templates/statefulset-builder.yaml b/charts/substra-backend/templates/statefulset-builder.yaml
@@ -94,7 +94,7 @@ spec:
           {{- end }}
       {{- end }}
       containers:
-      - name: builder 
+      - name: builder
         image: {{ include "substra-backend.images.name" (dict "img" .Values.builder.image "defaultTag" $.Chart.AppVersion) }}
         imagePullPolicy: "{{ .Values.builder.image.pullPolicy }}"
         command: ["/bin/bash", "-c"]
@@ -142,9 +142,15 @@ spec:
             value: docker-cache
           - name: WORKER_PVC_SUBTUPLE
             value: subtuple
+          - name: PRIVATE_CA_ENABLED
+            value: {{ .Values.privateCa.enabled | quote }}
           {{- if .Values.privateCa.enabled }}
           - name: REQUESTS_CA_BUNDLE
             value: /etc/ssl/certs/ca-certificates.crt
+          - name: PRIVATE_CA_CONFIGMAP_NAME
+            value: {{ .Values.privateCa.configMap.name }}
+          - name: PRIVATE_CA_FILENAME
+            value: {{ .Values.privateCa.configMap.filename }}
           {{- end }}
           - name: NAMESPACE
             valueFrom:

diff --git a/charts/substra-backend/values.yaml b/charts/substra-backend/values.yaml
@@ -15,7 +15,7 @@ DataSampleStorageInServerMedia: false
 privateCa:
   ## @param privateCa.enabled Run the init container injecting the private CA certificate
   ##
-  enabled: false
+  enabled: true
   ## @param privateCa.image.repository Private CA injector image
   ## @param privateCa.image.tag Private CA injector tag
   ## @param privateCa.image.pullPolicy Private CA injector pull policy
@@ -37,6 +37,7 @@ privateCa:
   configMap:
     name: substra-private-ca
     data:
+      blabla
     fileName: private-ca.crt
 
 ## @section Server settings