From c02beb12f0e0acbba80e32a07e6174c20cdae14a Mon Sep 17 00:00:00 2001
From: Nicolas DUBUT
Date: Fri, 11 Nov 2022 21:30:57 +0100
Subject: [PATCH 1/2] fix: handle self-signed CA into Vouch proxy
https://github.com/vouch/vouch-proxy/issues/145
---
 charts/vouch/Chart.yaml | 2 +-
 charts/vouch/templates/ca-configmap.yaml | 11 +++++++++++
 charts/vouch/templates/deployment.yaml | 22 ++++++++++++++++++++++
 charts/vouch/values.yaml | 8 ++++++++
 4 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 charts/vouch/templates/ca-configmap.yaml
diff --git a/charts/vouch/Chart.yaml b/charts/vouch/Chart.yaml
index b8a1caf..b0a32c2 100644
--- a/charts/vouch/Chart.yaml
+++ b/charts/vouch/Chart.yaml
@@ -2,7 +2,7 @@
 apiVersion: v2
 type: application
 appVersion: "0.36"
-version: 3.1.0
+version: 3.2.0
 name: vouch
 description: An SSO and OAuth login solution for nginx using the auth_request module.
 icon: https://avatars0.githubusercontent.com/u/45102943?s=200&v=4
diff --git a/charts/vouch/templates/ca-configmap.yaml b/charts/vouch/templates/ca-configmap.yaml
new file mode 100644
index 0000000..15cd81c
--- /dev/null
+++ b/charts/vouch/templates/ca-configmap.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.additionalCA }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "vouch.fullname" . }}-ca
+ labels:
+{{ include "vouch.labels" . | indent 4 }}
+data:
+ ca.crt: |
+{{ .Values.additionalCA | indent 4}}
+{{- end }}
diff --git a/charts/vouch/templates/deployment.yaml b/charts/vouch/templates/deployment.yaml
index cb1f2b9..e58bb7a 100644
--- a/charts/vouch/templates/deployment.yaml
+++ b/charts/vouch/templates/deployment.yaml
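Review bot: Nothing in the new `templates/ca-configmap.yaml` ties the ConfigMap's content to the pod template, so replacing the certificate in `additionalCA` on upgrade changes only `ca.crt`; because the bundle is merged once by the init container, running pods would keep trusting the old CA until they are recreated. If the Deployment's pod template (outside this patch's hunks) has no such annotation yet, add `checksum/ca: {{ include (print $.Template.BasePath "/ca-configmap.yaml") . | sha256sum }}` under its annotations. The value is also accepted unchecked as a trust anchor; a render-time guard such as `{{- if not (contains "BEGIN CERTIFICATE" .Values.additionalCA) }}{{ fail "additionalCA must be a PEM certificate" }}{{- end }}` would catch a mis-pasted value. The identical hunk in PATCH 2/2 has the same gaps.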
@@ -106,16 +106,38 @@ spec:
 volumeMounts:
 - name: data
 mountPath: /data
+ {{- if .Values.additionalCA }}
+ - name: merge-ca
+ mountPath: /etc/ssl/certs/
+ {{- end }}
 - name: config
 mountPath: /config
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
+ {{- if .Values.additionalCA }}
+ initContainers:
+ - name: merge-ca
+ image: alpine
+ command: [ '/bin/sh', '-c', 'cp /etc/ssl/certs/ca-certificates.crt /CA && cat /ca-map/ca.crt >> /CA/ca-certificates.crt' ]
+ volumeMounts:
+ - name: ca-configmap
+ mountPath: /ca-map
+ - name: merge-ca
+ mountPath: /CA
+ {{- end }}
 volumes:
 - name: config
 secret:
 secretName: {{ if .Values.existingSecretName }}{{ .Values.existingSecretName }}{{- else }}{{ template "vouch.fullname" . }}{{- end }}
 - name: data
 emptyDir: {}
+ {{- if .Values.additionalCA }}
+ - name: ca-configmap
+ configMap:
+ name: {{ include "vouch.fullname" . }}-ca
+ - name: merge-ca
+ emptyDir: {}
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/vouch/values.yaml b/charts/vouch/values.yaml
index 886acc1..e09f677 100644
--- a/charts/vouch/values.yaml
+++ b/charts/vouch/values.yaml
@@ -131,3 +131,11 @@ existingSecretName: ""
 # - name: HTTPS_PROXY
 # value: "https://example.com"
 extraEnvVars: []
+
+# allow to add a new CA for Vouch proxy, for example when using a self-signed CA in your company
+# put your CA as a raw value
+# additionalCA: |
+# -----BEGIN CERTIFICATE-----
+# MIIFYDCCA0igAwIBAgIUbblUcUL4T5C[...]
+# -----END CERTIFICATE-----
+additionalCA: ""
From 70c71a8bd258fa75503575d1b2dddc6df71bd012 Mon Sep 17 00:00:00 2001
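Review bot: The `merge-ca` init container in `templates/deployment.yaml` uses `image: alpine` with no tag or digest, so the base CA bundle that ends up mounted over `/etc/ssl/certs/` in the Vouch container comes from whatever `alpine:latest` resolves to at pod start. Pin it, e.g. `image: alpine:<tag>@sha256:<digest>` (placeholder values), or expose the image through a chart value so operators can point it at a mirrored, pinned copy. The Vouch container only needs to read the merged bundle, so its mount should carry `readOnly: true` next to `mountPath: /etc/ssl/certs/`. The init container also sets no `securityContext` or `resources`; whether the pod spec outside this hunk supplies defaults is not visible here. The same hunk is repeated in PATCH 2/2.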
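Review bot: The comment block added above `additionalCA` in `values.yaml` leaves out what an operator needs to know before setting it: the value is rendered into a ConfigMap, so it must hold only public PEM certificates, and every certificate in it is appended to the bundle mounted at `/etc/ssl/certs/` in the Vouch container. I would extend the comment with `# PEM certificate(s) only, never a private key: the value is stored in a ConfigMap` and `# each certificate here is added to the trust bundle the Vouch container uses for TLS`. It is also worth stating there that enabling the option adds an `alpine` init container to the pod. The same hunk appears again in PATCH 2/2.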
From: Nicolas DUBUT
Date: Fri, 11 Nov 2022 21:30:57 +0100
Subject: [PATCH 2/2] fix: handle self-signed CA into Vouch proxy
https://github.com/vouch/vouch-proxy/issues/145
---
 charts/vouch/Chart.yaml | 2 +-
 charts/vouch/README.md | 3 +++
 charts/vouch/templates/ca-configmap.yaml | 11 +++++++++++
 charts/vouch/templates/deployment.yaml | 22 ++++++++++++++++++++++
 charts/vouch/values.yaml | 8 ++++++++
 5 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 charts/vouch/templates/ca-configmap.yaml
diff --git a/charts/vouch/Chart.yaml b/charts/vouch/Chart.yaml
index b8a1caf..b0a32c2 100644
--- a/charts/vouch/Chart.yaml
+++ b/charts/vouch/Chart.yaml
@@ -2,7 +2,7 @@
 apiVersion: v2
 type: application
 appVersion: "0.36"
-version: 3.1.0
+version: 3.2.0
 name: vouch
 description: An SSO and OAuth login solution for nginx using the auth_request module.
 icon: https://avatars0.githubusercontent.com/u/45102943?s=200&v=4
diff --git a/charts/vouch/README.md b/charts/vouch/README.md
index 4b71770..2183409 100644
--- a/charts/vouch/README.md
+++ b/charts/vouch/README.md
@@ -1,5 +1,8 @@
 ## Changelog
+3.2.0
+ * Add an option to set extra self-signed CA files
+
 3.1.0
 * Add extraEnvVars option to add env variables to the vouch deployment
diff --git a/charts/vouch/templates/ca-configmap.yaml b/charts/vouch/templates/ca-configmap.yaml
new file mode 100644
index 0000000..15cd81c
--- /dev/null
+++ b/charts/vouch/templates/ca-configmap.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.additionalCA }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "vouch.fullname" . }}-ca
+ labels:
+{{ include "vouch.labels" . | indent 4 }}
+data:
+ ca.crt: |
+{{ .Values.additionalCA | indent 4}}
+{{- end }}
diff --git a/charts/vouch/templates/deployment.yaml b/charts/vouch/templates/deployment.yaml
index cb1f2b9..e58bb7a 100644
--- a/charts/vouch/templates/deployment.yaml
+++ b/charts/vouch/templates/deployment.yaml
@@ -106,16 +106,38 @@ spec:
 volumeMounts:
 - name: data
 mountPath: /data
+ {{- if .Values.additionalCA }}
+ - name: merge-ca
+ mountPath: /etc/ssl/certs/
+ {{- end }}
 - name: config
 mountPath: /config
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
+ {{- if .Values.additionalCA }}
+ initContainers:
+ - name: merge-ca
+ image: alpine
+ command: [ '/bin/sh', '-c', 'cp /etc/ssl/certs/ca-certificates.crt /CA && cat /ca-map/ca.crt >> /CA/ca-certificates.crt' ]
+ volumeMounts:
+ - name: ca-configmap
+ mountPath: /ca-map
+ - name: merge-ca
+ mountPath: /CA
+ {{- end }}
 volumes:
 - name: config
 secret:
 secretName: {{ if .Values.existingSecretName }}{{ .Values.existingSecretName }}{{- else }}{{ template "vouch.fullname" . }}{{- end }}
 - name: data
 emptyDir: {}
+ {{- if .Values.additionalCA }}
+ - name: ca-configmap
+ configMap:
+ name: {{ include "vouch.fullname" . }}-ca
+ - name: merge-ca
+ emptyDir: {}
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/vouch/values.yaml b/charts/vouch/values.yaml
index 886acc1..e09f677 100644
--- a/charts/vouch/values.yaml
+++ b/charts/vouch/values.yaml
@@ -131,3 +131,11 @@ existingSecretName: ""
 # - name: HTTPS_PROXY
 # value: "https://example.com"
 extraEnvVars: []
+
+# allow to add a new CA for Vouch proxy, for example when using a self-signed CA in your company
+# put your CA as a raw value
+# additionalCA: |
+# -----BEGIN CERTIFICATE-----
+# MIIFYDCCA0igAwIBAgIUbblUcUL4T5C[...]
+# -----END CERTIFICATE-----
+additionalCA: ""