allow to use proxy https with replicated

chart/Chart.lock

@@ -10,6 +10,6 @@ dependencies:
   version: 16.13.2
 - name: replicated
   repository: oci://registry.replicated.com/library
-  version: 1.0.0-beta.27
-digest: sha256:9c862fa3c5cf653ba48808f102964cf52c6e0a78d6e1c08e97cddfb4b3fdef11
-generated: "2024-08-21T09:58:10.6497+02:00"
+  version: 1.0.0-beta.28
+digest: sha256:041f1be2e72b712ed2b717f6876592037e2ee3d09c0187a7233daed674cac386
+generated: "2024-09-24T10:24:55.243047525+02:00"

chart/Chart.yaml

@@ -18,7 +18,7 @@ dependencies:
     version: 16.x.x
   - name: replicated
     repository: oci://registry.replicated.com/library
-    version: 1.0.0-beta.27
+    version: 1.0.0-beta.28
     condition: replicated.enabled
 description: CARTO Location Intelligence Platform. Unlock the power of spatial analysis in the cloud
 engine: gotpl

chart/README.md

@@ -1561,16 +1561,17 @@ To install, upgrade or uninstall this chart, please refer to [the root README.md
 
 ### External proxy configuration
 
-| Name                                  | Description                                                                              | Value   |
-| ------------------------------------- | ---------------------------------------------------------------------------------------- | ------- |
-| `externalProxy.enabled`               | Whether the APIs will use an external proxy or not                                       | `false` |
-| `externalProxy.host`                  | Proxy host                                                                               | `""`    |
-| `externalProxy.port`                  | Proxy port                                                                               | `""`    |
-| `externalProxy.type`                  | Proxy type. Only HTTP and HTTPS proxies are supported                                    | `""`    |
-| `externalProxy.excludedDomains`       | List of domains that should not be proxied                                               | `[]`    |
-| `externalProxy.sslRejectUnauthorized` | Whether or not verify the HTTPS proxy SSL certificate                                    | `true`  |
-| `externalProxy.sslCA`                 | CA for the proxy SSL certificate in case is self-signed or signed by a not well-known CA | `""`    |
-| `externalProxy.connectionString`      | Connection string to the proxy                                                           | `""`    |
+| Name                                  | Description                                                                                                                     | Value   |
+| ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `externalProxy.enabled`               | Whether the APIs will use an external proxy or not                                                                              | `false` |
+| `externalProxy.host`                  | Proxy host                                                                                                                      | `""`    |
+| `externalProxy.port`                  | Proxy port                                                                                                                      | `""`    |
+| `externalProxy.type`                  | Proxy type. Only HTTP and HTTPS proxies are supported                                                                           | `""`    |
+| `externalProxy.excludedDomains`       | List of domains that should not be proxied                                                                                      | `[]`    |
+| `externalProxy.sslRejectUnauthorized` | Whether or not verify the HTTPS proxy SSL certificate                                                                           | `true`  |
+| `externalProxy.sslCA`                 | CA for the proxy SSL certificate in case is self-signed or signed by a not well-known CA                                        | `""`    |
+| `externalProxy.sslCAConfigmapName`    | Configmap Name in which the CA for the proxy SSL certificate is stored, in case is self-signed or signed by a not well-known CA | `""`    |
+| `externalProxy.connectionString`      | Connection string to the proxy                                                                                                  | `""`    |
 
 ### Upgrade Check pre hook parameters
 

chart/templates/_commonChecks.tpl

@@ -85,7 +85,7 @@ Return common collectors for preflights and support-bundle
               - name: REDIS_TLS_CA__FILE_PATH
                 value: {{ include "carto.redis.configMapMountAbsolutePath" . }}
               {{- end }}
-              {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+              {{- if and .Values.externalProxy.enabled (or .Values.externalProxy.sslCA .Values.externalProxy.sslCAConfigmapName) }}
               - name: PROXY_SSL_CA__FILE_CONTENT
                 value: {{ .Values.externalProxy.sslCA | b64enc | quote }}
               - name: PROXY_SSL_CA__FILE_PATH
@@ -120,7 +120,7 @@ Return common collectors for preflights and support-bundle
                 mountPath: {{ include "carto.redis.configMapMountDir" . }}
                 readOnly: false
               {{- end }}
-              {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+              {{- if and .Values.externalProxy.enabled (or .Values.externalProxy.sslCA .Values.externalProxy.sslCAConfigmapName) }}
               - name: proxy-ssl-ca
                 mountPath: {{ include "carto.proxy.configMapMountDir" . }}
                 readOnly: false
@@ -168,7 +168,7 @@ Return common collectors for preflights and support-bundle
                 mountPath: {{ include "carto.redis.configMapMountDir" . }}
                 readOnly: true
               {{- end }}
-              {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+              {{- if and .Values.externalProxy.enabled (or .Values.externalProxy.sslCA .Values.externalProxy.sslCAConfigmapName) }}
               - name: proxy-ssl-ca
                 mountPath: {{ include "carto.proxy.configMapMountDir" . }}
                 readOnly: true
@@ -197,7 +197,7 @@ Return common collectors for preflights and support-bundle
             emptyDir:
               sizeLimit: 8Mi
           {{- end }}
-          {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+          {{- if and .Values.externalProxy.enabled (or .Values.externalProxy.sslCA .Values.externalProxy.sslCAConfigmapName) }}
           - name: proxy-ssl-ca
             emptyDir:
               sizeLimit: 1Mi

chart/templates/_helpers.tpl

@@ -1399,7 +1399,11 @@ Return the proxy connection string if the config does not include the complete U
 Get the proxy config map name
 */}}
 {{- define "carto.proxy.configMapName" -}}
+{{- if .Values.externalProxy.sslCA -}}
 {{- printf "%s-%s" .Release.Name "externalproxy" -}}
+{{- else if .Values.externalProxy.sslCAConfigmapName -}}
+{{- printf "%s" .Values.externalProxy.sslCAConfigmapName -}}
+{{- end -}}
 {{- end -}}
 
 {{/*

chart/templates/cdn-invalidator-sub/deployment.yaml

@@ -173,7 +173,7 @@ spec:
             - name: gcp-default-service-account-key
               mountPath: {{ include "carto.google.secretMountDir" . }}
               readOnly: true
-            {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+            {{- if and .Values.externalProxy.enabled (or .Values.externalProxy.sslCA .Values.externalProxy.sslCAConfigmapName) }}
             - name: proxy-ssl-ca
               mountPath: {{ include "carto.proxy.configMapMountDir" . }}
               readOnly: true
@@ -191,7 +191,7 @@ spec:
             items:
               - key: {{ include "carto.google.secretKey" . }}
                 path: {{ include "carto.google.secretMountFilename" . }}
-        {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+        {{- if and .Values.externalProxy.enabled (or .Values.externalProxy.sslCA .Values.externalProxy.sslCAConfigmapName) }}
         - name: proxy-ssl-ca
           configMap:
             name: {{ include "carto.proxy.configMapName" . }}

chart/templates/import-api/deployment.yaml

@@ -206,7 +206,7 @@ spec:
               mountPath: {{ include "carto.redis.configMapMountDir" . }}
               readOnly: true
             {{- end }}
-            {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+            {{- if and .Values.externalProxy.enabled (or .Values.externalProxy.sslCA .Values.externalProxy.sslCAConfigmapName) }}
             - name: proxy-ssl-ca
               mountPath: {{ include "carto.proxy.configMapMountDir" . }}
               readOnly: true
@@ -242,7 +242,7 @@ spec:
           configMap:
             name: {{ include "carto.redis.configMapName" . }}
         {{- end }}
-        {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+        {{- if and .Values.externalProxy.enabled (or .Values.externalProxy.sslCA .Values.externalProxy.sslCAConfigmapName) }}
         - name: proxy-ssl-ca
           configMap:
             name: {{ include "carto.proxy.configMapName" . }}

chart/templates/import-worker/deployment.yaml

@@ -187,7 +187,7 @@ spec:
               mountPath: {{ include "carto.postgresql.configMapMountDir" . }}
               readOnly: true
             {{- end }}
-            {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+            {{- if and .Values.externalProxy.enabled (or .Values.externalProxy.sslCA .Values.externalProxy.sslCAConfigmapName) }}
             - name: proxy-ssl-ca
               mountPath: {{ include "carto.proxy.configMapMountDir" . }}
               readOnly: true
@@ -220,7 +220,7 @@ spec:
           configMap:
             name: {{ include "carto.postgresql.configMapName" . }}
         {{- end }}
-        {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+        {{- if and .Values.externalProxy.enabled (or .Values.externalProxy.sslCA .Values.externalProxy.sslCAConfigmapName) }}
         - name: proxy-ssl-ca
           configMap:
             name: {{ include "carto.proxy.configMapName" . }}

chart/templates/lds-api/deployment.yaml

@@ -201,7 +201,7 @@ spec:
               mountPath: {{ include "carto.redis.configMapMountDir" . }}
               readOnly: true
             {{- end }}
-            {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+            {{- if and .Values.externalProxy.enabled (or .Values.externalProxy.sslCA .Values.externalProxy.sslCAConfigmapName) }}
             - name: proxy-ssl-ca
               mountPath: {{ include "carto.proxy.configMapMountDir" . }}
               readOnly: true
@@ -229,7 +229,7 @@ spec:
           configMap:
             name: {{ include "carto.redis.configMapName" . }}
         {{- end }}
-        {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+        {{- if and .Values.externalProxy.enabled (or .Values.externalProxy.sslCA .Values.externalProxy.sslCAConfigmapName) }}
         - name: proxy-ssl-ca
           configMap:
             name: {{ include "carto.proxy.configMapName" . }}

chart/templates/maps-api/deployment.yaml

@@ -205,7 +205,7 @@ spec:
               mountPath: {{ include "carto.redis.configMapMountDir" . }}
               readOnly: true
             {{- end }}
-            {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+            {{- if and .Values.externalProxy.enabled (or .Values.externalProxy.sslCA .Values.externalProxy.sslCAConfigmapName) }}
             - name: proxy-ssl-ca
               mountPath: {{ include "carto.proxy.configMapMountDir" . }}
               readOnly: true
@@ -247,7 +247,7 @@ spec:
           configMap:
             name: {{ include "carto.redis.configMapName" . }}
         {{- end }}
-        {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+        {{- if and .Values.externalProxy.enabled (or .Values.externalProxy.sslCA .Values.externalProxy.sslCAConfigmapName) }}
         - name: proxy-ssl-ca
           configMap:
             name: {{ include "carto.proxy.configMapName" . }}

chart/templates/sql-worker/deployment.yaml

@@ -176,7 +176,7 @@ spec:
               mountPath: {{ include "carto.postgresql.configMapMountDir" . }}
               readOnly: true
             {{- end }}
-            {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+            {{- if and .Values.externalProxy.enabled (or .Values.externalProxy.sslCA .Values.externalProxy.sslCAConfigmapName) }}
             - name: proxy-ssl-ca
               mountPath: {{ include "carto.proxy.configMapMountDir" . }}
               readOnly: true
@@ -213,7 +213,7 @@ spec:
           configMap:
             name: {{ include "carto.postgresql.configMapName" . }}
         {{- end }}
-        {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+        {{- if and .Values.externalProxy.enabled (or .Values.externalProxy.sslCA .Values.externalProxy.sslCAConfigmapName) }}
         - name: proxy-ssl-ca
           configMap:
             name: {{ include "carto.proxy.configMapName" . }}

chart/templates/workspace-api/deployment.yaml

@@ -291,7 +291,7 @@ spec:
               mountPath: {{ include "carto.redis.configMapMountDir" . }}
               readOnly: true
             {{- end }}
-            {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+            {{- if and .Values.externalProxy.enabled (or .Values.externalProxy.sslCA .Values.externalProxy.sslCAConfigmapName) }}
             - name: proxy-ssl-ca
               mountPath: {{ include "carto.proxy.configMapMountDir" . }}
               readOnly: true
@@ -333,7 +333,7 @@ spec:
           configMap:
             name: {{ include "carto.redis.configMapName" . }}
         {{- end }}
-        {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+        {{- if and .Values.externalProxy.enabled (or .Values.externalProxy.sslCA .Values.externalProxy.sslCAConfigmapName) }}
         - name: proxy-ssl-ca
           configMap:
             name: {{ include "carto.proxy.configMapName" . }}

chart/templates/workspace-subscriber/deployment.yaml

@@ -179,7 +179,7 @@ spec:
               mountPath: {{ include "carto.redis.configMapMountDir" . }}
               readOnly: true
             {{- end }}
-            {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+            {{- if and .Values.externalProxy.enabled (or .Values.externalProxy.sslCA .Values.externalProxy.sslCAConfigmapName) }}
             - name: proxy-ssl-ca
               mountPath: {{ include "carto.proxy.configMapMountDir" . }}
               readOnly: true
@@ -213,7 +213,7 @@ spec:
           configMap:
             name: {{ include "carto.redis.configMapName" . }}
         {{- end }}
-        {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+        {{- if and .Values.externalProxy.enabled (or .Values.externalProxy.sslCA .Values.externalProxy.sslCAConfigmapName) }}
         - name: proxy-ssl-ca
           configMap:
             name: {{ include "carto.proxy.configMapName" . }}

chart/values.yaml

@@ -4908,6 +4908,8 @@ externalProxy:
   sslRejectUnauthorized: true
   ## @param externalProxy.sslCA CA for the proxy SSL certificate in case is self-signed or signed by a not well-known CA
   sslCA: ""
+  ## @param externalProxy.sslCAConfigmapName Configmap Name in which the CA for the proxy SSL certificate is stored, in case is self-signed or signed by a not well-known CA
+  sslCAConfigmapName: ""
   ## @param externalProxy.connectionString Connection string to the proxy
   connectionString: ""
 

manifests/kots-app.yaml

@@ -23,7 +23,7 @@ spec:
     - deployment/carto-workspace-api
     - deployment/carto-workspace-subscriber
     - deployment/carto-workspace-www
-  minKotsVersion: 1.117.1
+  minKotsVersion: 1.117.3
   additionalImages:
     - gcr.io/carto-onprem-artifacts/tenant-requirements-checker:2024.4.17-rc.7
 ---

manifests/kots-config.yaml

@@ -654,19 +654,18 @@ spec:
           when: '{{repl and (ConfigOptionEquals "externalProxyEnabled" "1") (not (empty HTTPProxy)) }}'
           value: "repl{{ NoProxy }}"
           readonly: true
-        - name: externalHttpsProxySslCa
-          title: Proxy SSL CA
-          when: '{{repl and (ConfigOptionEquals "externalProxyEnabled" "1") (ConfigOptionEquals "externalProxyType" "https") }}'
-          type: file
-          help_text: |-
-            If the proxy certificate is signed by a custom CA, such CA must be included here, but if it's signed by a well known CA, there is no need to add it here.
         - name: externalHttpsProxySslCertificateCheck
           title: SSL certificate checks
           type: bool
           when: '{{repl and (ConfigOptionEquals "externalProxyEnabled" "1") (ConfigOptionEquals "externalProxyType" "https") }}'
           default: "0"
           help_text: |-
             Specify if CARTO Self-hosted should check if the proxy certificate is valid or not.
+        - name: externalProxyCAConfigmapName
+          hidden: true
+          type: text
+          value: 'repl{{ PrivateCACert }}'
+          readonly: true
 
         ## SSO
         - name: ssoEnabled

manifests/kots-helm.yaml

@@ -356,8 +356,7 @@ spec:
           connectionString: '{{repl ConfigOption "externalProxyHost" }}'
           excludedDomains: '{{repl ConfigOption "externalProxyExcludedDomains" }}'
           sslRejectUnauthorized: repl{{ if ConfigOptionEquals "externalHttpsProxySslCertificateCheck" "0"}}falserepl{{ else }}truerepl{{ end }}
-          sslCA: |
-            repl{{ ConfigOptionData "externalHttpsProxySslCa" | nindent 12 }}
+          sslCAConfigmapName: '{{repl ConfigOption "externalProxyCAConfigmapName" }}'
     - when: '{{repl ConfigOptionEquals "ssoEnabled" "1"}}'
       recursiveMerge: true
       values: