add-oidc-ca-file (#170)

* add-oidc-ca-file * add-oidc-ca-file * changelog * lines
giantswarm · Nov 29, 2022 · 0b3b7c4 · 0b3b7c4
1 parent efad962
commit 0b3b7c4
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,8 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-### Added
+### Add
 
+- Add option to specify oidc CA PEM in order to autheticate againts OIDC with custom CA.
 - Add option to configure containerd registry authentication for `docker.io`.
 
 ## [0.18.0] - 2022-11-24

diff --git a/helm/cluster-aws/files/etc/ssl/certs/oidc.pem b/helm/cluster-aws/files/etc/ssl/certs/oidc.pem
@@ -0,0 +1,3 @@
+{{- if ne .Values.oidc.caPem "" -}}
+{{ .Values.oidc.caPem }}
+{{- end -}}
diff --git a/helm/cluster-aws/templates/_control_plane.tpl b/helm/cluster-aws/templates/_control_plane.tpl
@@ -66,8 +66,8 @@ spec:
           oidc-client-id: {{ .clientId }}
           oidc-username-claim: {{ .usernameClaim }}
           oidc-groups-claim: {{ .groupsClaim }}
-          {{- if .caFile }}
-          oidc-ca-file: {{ .caFile }}
+          {{- if ne .caPem "" }}
+          oidc-ca-file: /etc/ssl/certs/oidc.pem
           {{- end }}
           {{- end }}
           {{- end }}
@@ -121,6 +121,7 @@ spec:
       networking:
         serviceSubnet: {{ .Values.network.serviceCIDR }}
     files:
+    {{- include "oidcFiles" . | nindent 4 }}
     {{- include "sshFiles" . | nindent 4 }}
     {{- include "diskFiles" . | nindent 4 }}
     {{- include "irsaFiles" . | nindent 4 }}

diff --git a/helm/cluster-aws/templates/_helpers.tpl b/helm/cluster-aws/templates/_helpers.tpl
@@ -47,6 +47,14 @@ room for such suffix.
 {{- .Values.clusterName | default (.Release.Name | replace "." "-" | trunc 47 | trimSuffix "-") -}}
 {{- end -}}
 
+{{- define "oidcFiles" -}}
+{{- if ne .Values.oidc.caPem "" }}
+- path: /etc/ssl/certs/oidc.pem
+  permissions: "0600"
+  encoding: base64
+  content: {{ tpl ($.Files.Get "files/etc/ssl/certs/oidc.pem") . | b64enc }}
+{{- end }}
+{{- end -}}
 
 {{- define "sshFiles" -}}
 - path: /etc/ssh/trusted-user-ca-keys.pem

diff --git a/helm/cluster-aws/values.schema.json b/helm/cluster-aws/values.schema.json
@@ -172,7 +172,7 @@
         "oidc": {
             "type": "object",
             "properties": {
-                "caFile": {
+                "caPem": {
                     "type": "string"
                 },
                 "clientId": {

diff --git a/helm/cluster-aws/values.yaml b/helm/cluster-aws/values.yaml
@@ -80,7 +80,7 @@ ami: ""
 
 oidc:
   issuerUrl: ""
-  caFile: ""
+  caPem: ""
   clientId: ""
   usernameClaim: ""
   groupsClaim: ""