Adding support for custom CAs (issue #11).

Dockerfile

@@ -5,6 +5,7 @@ ARG TARGETARCH
 COPY ./bin/code-marketplace-linux-$TARGETARCH /opt/code-marketplace
 
 FROM alpine:latest
+RUN apk add ca-certificates
 COPY --chmod=755 --from=binaries /opt/code-marketplace /opt
 
 ENTRYPOINT [ "/opt/code-marketplace", "server" ]

README.md

@@ -67,6 +67,10 @@ export ARTIFACTORY_TOKEN="my-token"
 The token will be used as the `Authorization` header with the value `Bearer
 <TOKEN>`.
 
+## Custom Certificate Authorities for Container Deployment
+
+If your artifactory server or extension download location is on a domain not signed by a default CA, then you will need to add those files either by volume mount or `docker cp` and then run `update-ca-certificates`.
+
 ### Exposing the marketplace
 
 The marketplace must be put behind TLS otherwise code-server will reject

helm/README.md

@@ -54,6 +54,21 @@ $ kubectl exec -it "$POD_NAME" -- /opt/code-marketplace add https://github.com/V
 In the future it will be possible to use Artifactory for storing and retrieving
 extensions instead of a persistent volume.
 
+## Adding custom certificate authorities
+
+If the location for retrieving extensions (or if using Artifactory storage) is not signed by a common CA, then create a secret in the deployed namespace:
+```
+kubectl create secret -n $namespace generic all-cas --from-file="certificate1.pem"=/path/to/certificate1.pem \
+ --from-file="certificate2.pem"=path/to/certificate2.pem \
+ --from-file="certificate3.pem"=path/to/certificate3.pem
+```
+
+And then, set the certificates.secretName to match:
+
+```console
+$ helm upgrade --install code-marketplace ./helm-chart --set certificates.secretName "all-cas"
+```
+
 ## Uninstall
 
 To uninstall/delete the marketplace deployment:

helm/templates/deployment.yaml

@@ -30,6 +30,16 @@ spec:
         - name: extensions
           persistentVolumeClaim:
             claimName: {{ include "code-marketplace.fullname" . }}
+        {{- if .Values.certificates.secretName }}
+        - name: certs
+          secret:
+            secretName: {{ .Values.certificates.secretName }}
+        {{- end }}
+      {{- else if and .Values.persistence.artifactory.enabled .Values.certificates.secretName }}
+      volumes:
+        - name: certs
+          secret:
+            secretName: {{ .Values.certificates.secretName }}
       {{- end }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -39,6 +49,13 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.certificates.secretName }}
+          lifecycle:           
+            postStart:             
+              exec:               
+                command:              
+                  - update-ca-certificates
+          {{- end}}
           {{- if .Values.persistence.artifactory.enabled }}
           env:
             - name: "ARTIFACTORY_TOKEN"
@@ -67,6 +84,14 @@ spec:
           volumeMounts:
             - name: extensions
               mountPath: /extensions
+            {{- if .Values.certificates.secretName }}
+            - name: certs
+              mountPath: /usr/local/share/ca-certificates/
+            {{- end }}
+          {{- else if and .Values.persistence.artifactory.enabled .Values.certificates.secretName }}
+          volumeMounts:
+            - name: certs
+              mountPath: /usr/local/share/ca-certificates/
           {{- end }}
           livenessProbe:
             httpGet:

helm/values.yaml

@@ -93,3 +93,10 @@ persistence:
     repo: extensions
   # Size is ignored when using Artifactory.
   size: 100Gi
+
+# Create a secret with all additional certificate authorities, ex:
+# kubectl create secret -n $namespace generic all-cas --from-file="certificate1.pem"=/path/to/certificate1.pem \
+# --from-file="certificate2.pem"=path/to/certificate2.pem \
+# --from-file="certificate3.pem"=path/to/certificate3.pem
+certificates:
+  secretName: ""