oracle-cne · mgianatagh · Nov 22, 2024 · Nov 22, 2024 · Nov 22, 2024 · Nov 22, 2024
diff --git a/charts/oci-capi-0.15.0/templates/auth-config.yaml b/charts/oci-capi-0.15.0/templates/auth-config.yaml
@@ -21,4 +21,6 @@ data:
     .Values.authConfig.useInstancePrincipal | b64enc | quote }}
   user: {{ required "authConfig.user is required" .Values.authConfig.user | b64enc
     | quote }}
+  pcaCerts: {{ required "authConfig.pcaCerts is required" .Values.authConfig.pcaCerts | b64enc |
+    quote }}
 type: Opaque
diff --git a/charts/oci-capi-0.15.0/templates/deployment.yaml b/charts/oci-capi-0.15.0/templates/deployment.yaml
@@ -35,6 +35,10 @@ spec:
               - key: node-role.kubernetes.io/master
                 operator: Exists
             weight: 10
+{{- if .Values.initContainers }}
+      initContainers:
+        {{ toYaml .Values.initContainers | nindent 8 }}
+{{- end }}
       containers:
       - args: {{- toYaml .Values.controllerManager.manager.args | nindent 8 }}
         command:
@@ -86,6 +90,9 @@ spec:
         - mountPath: /etc/oci
           name: auth-config-dir
           readOnly: true
+{{- if .Values.volumeMounts }}
+      {{ toYaml .Values.volumeMounts | nindent 8 }}
+{{- end }}
       securityContext:
         runAsNonRoot: true
         seccompProfile:
@@ -105,3 +112,6 @@ spec:
       - name: auth-config-dir
         secret:
           secretName: {{ include "oci-capi.fullname" . }}-auth-config
+{{- if .Values.volumes }}
+      {{ toYaml .Values.volumes | nindent 6 }}
+{{- end }}
diff --git a/charts/oci-capi-0.15.0/templates/scripts-config.yaml b/charts/oci-capi-0.15.0/templates/scripts-config.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "oci-capi.fullname" . }}-scripts
+  namespace: {{ .Release.Namespace }}
+  labels:
+    cluster.x-k8s.io/provider: infrastructure-oci
+    clusterctl.cluster.x-k8s.io: ""
+  {{- include "oci-capi.labels" . | nindent 4 }}
+data:
+  update-ca-trust-store.sh: |
+    #! /bin/bash
+    #
+    # Copyright (c) 2024, Oracle and/or its affiliates.
+    # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+    CERT_FILE=${1}
+    BASE_OUTPUT_PATH=${2}
+
+    # Copy the additional certs to update area
+    cp ${CERT_FILE} /usr/share/pki/ca-trust-source/anchors/certs.pem
+
+    # Update the CA trust store
+    update-ca-trust
+
+    # Copy the updated certs to the emptyDir shared between the containers
+    mkdir -p ${BASE_OUTPUT_PATH}/etc/pki/ca-trust/extracted/openssl
+    cp /etc/pki/ca-trust/extracted/openssl/* ${BASE_OUTPUT_PATH}/etc/pki/ca-trust/extracted/openssl
+
+    mkdir -p ${BASE_OUTPUT_PATH}/etc/pki/ca-trust/extracted/pem
+    cp /etc/pki/ca-trust/extracted/pem/* ${BASE_OUTPUT_PATH}/etc/pki/ca-trust/extracted/pem
diff --git a/charts/oci-capi-0.15.0/values.yaml b/charts/oci-capi-0.15.0/values.yaml
@@ -6,6 +6,7 @@ authConfig:
   tenancy: ""
   useInstancePrincipal: ""
   user: ""
+  pcaCerts: ""
 controllerManager:
   manager:
     args:
@@ -62,3 +63,12 @@ proxy:
   httpsProxy:
   httpProxy:
   noProxy:
+
+# initContainers configuration for deployment
+initContainers: []
+
+# Additional volumes to mount for the container
+volumeMounts: []
+
+# Additional volumes to mount for the pod
+volumes: []