Support for custom CA certs

charts/datahub-executor-worker/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: datahub-executor-worker
 description: A Helm chart for datahub-executor-worker
 type: application
-version: 0.0.6
+version: 0.0.7
 appVersion: 0.0.1
 maintainers:
   - name: DataHub

charts/datahub-executor-worker/templates/statefulset.yaml

@@ -59,10 +59,40 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       volumes:
+      {{- with .Values.extraCaCerts }}
+          - name: ca-certs
+            emptyDir: {}
+      {{- range $key, $value := . }}
+          - name: {{ $key }}
+            secret:
+              secretName: {{ $value }}
+      {{- end }}
+      {{- end }}
       {{- if .Values.extraVolumes }}
         {{ toYaml .Values.extraVolumes | nindent 8 }}
       {{- end }}
       initContainers:
+      {{- if .Values.extraCaCerts }}
+        - name: install-ca-certs
+          image: "{{ .Values.image.repository }}:{{ required "image tag is required" .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command: ["/bin/bash", "-c"]
+          args:
+            - update-ca-certificates && cp -Lr /etc/ssl/certs/. /mnt/ca-certs/
+          securityContext:
+            privileged: true
+            runAsUser: 0
+          volumeMounts:
+            - name: ca-certs
+              mountPath: /mnt/ca-certs
+            {{- with .Values.extraCaCerts -}}
+            {{ range $key, $value := . }}
+            - mountPath: "/usr/local/share/ca-certificates/{{ $key }}"
+              name: {{ $key | quote }}
+              readOnly: true
+            {{- end }}
+            {{- end }}
+      {{- end }}
       {{- if .Values.extraInitContainers }}
       {{- .Values.extraInitContainers | toYaml | nindent 6 }}
       {{- end }}
@@ -109,10 +139,20 @@ spec:
               value: {{ .Values.global.datahub.executor.ingestions.signal_poll_interval | quote }}
             - name: DATAHUB_EXECUTOR_MONITORS_MAX_WORKERS
               value: {{ .Values.global.datahub.executor.monitors.max_workers | quote }}
+          {{- if .Values.extraCaCerts }}
+            - name: REQUESTS_CA_BUNDLE
+              value: /etc/ssl/certs/ca-certificates.crt
+            - name: SSL_CERT_FILE
+              value: /etc/ssl/certs/ca-certificates.crt
+          {{- end }}
           {{- if .Values.extraEnvs }}
             {{ toYaml .Values.extraEnvs | nindent 12 }}
           {{- end }}
           volumeMounts:
+            {{- if .Values.extraCaCerts }}
+            - name: ca-certs
+              mountPath: /etc/ssl/certs
+            {{- end }}
           {{- if .Values.persistentVolume.enabled }}
             - name: executor-storage-volume
               mountPath: {{ .Values.persistentVolume.mountPath }}

charts/datahub-executor-worker/values.yaml

@@ -18,7 +18,8 @@ revisionHistoryLimit: 1
 
 image:
   # GCP: us-docker.pkg.dev/acryl-prod/datahub/datahub-executor
-  repository: 795586375822.dkr.ecr.us-west-2.amazonaws.com/datahub-executor
+  #repository: 795586375822.dkr.ecr.us-west-2.amazonaws.com/datahub-executor
+  repository: ecr-proxy.gcp-use1-saas-01-prod.gcp.acryl.io/datahub-executor
   pullPolicy: Always
   tag: v0.3.5.13-acryl
 
@@ -63,14 +64,17 @@ extraVolumeMounts: []
 
 extraInitContainers: []
 
+extraCaCerts:
+  gsk-secrets: gsk-certs
+
 extraLabels: {}
 
 extraPodLabels: {}
 
 resources:
   requests:
     memory: "8Gi"
-    cpu: "4"
+    cpu: "2"
 
 nodeSelector: {}