[SDO-2806] Support proxy on CH Agent (#113)

* Add Truststore support

* Make secret optional

* Update chart minor version

* Better Name for initContainer

* Make Truststore password same as cert

Author: gm-cht

charts/cloudhealth-collector/Chart.yaml

@@ -5,7 +5,7 @@ apiVersion: v2
 name: cloudhealth-collector
 description: A Helm chart for CloudHealth's Kubernetes Collector Agent
 type: application
-version: 4.4.1
+version: 4.5.0
 appVersion: "5.2.0"
 home: https://cloudhealth.vmware.com/
 icon: https://d1fto35gcfffzn.cloudfront.net/images/Tanzu-Logomark.svg

charts/cloudhealth-collector/templates/deployment.yaml

@@ -32,6 +32,26 @@ spec:
       securityContext: {{- toYaml . | nindent 8 }}
       {{- end }}
       priorityClassName: {{ .Values.priorityClassName }}
+      {{- if .Values.proxy.sslCert }}
+      initContainers:
+        - name: "{{ .Chart.Name }}-pem-to-truststore"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          env:
+            - name: ca_bundle
+              value: {{ .Values.proxy.caBundlePath }}
+            - name: truststore_jks
+              value: {{ .Values.proxy.truststorePath }}
+            - name: truststore_pwd
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "cloudhealth-collector.secretName" . }}
+                  key: certPassword    
+          command: ['/bin/bash']
+          args: ['-c', "csplit -z -f crt- $ca_bundle '/-----BEGIN CERTIFICATE-----/' '{*}' && for file in crt-*; do keytool -import -noprompt -keystore $truststore_jks -file $file -storepass $truststore_pwd -alias service-$file; done"]
+          volumeMounts:
+            - name: truststore-volume
+              mountPath: /etc/ssl/certs 
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -69,6 +89,10 @@ spec:
               value: {{ .Values.collectionIntervalSecs | quote }}
             - name: CHT_JVM_MEM
               value: {{ .Values.jvmMemory }}
+            {{- if .Values.proxy.sslCert }}
+            - name: JAVA_OPTS
+              value: {{ .Values.proxy.params }}
+            {{- end }}
             {{- range .Values.customEnvVars}}
             - name: {{ .name }}
               value: {{ .value }}
@@ -101,4 +125,8 @@ spec:
       volumes:
         - name: tmpfs
           emptyDir: {}
+        {{- if .Values.proxy.sslCert }}
+        - name: truststore-volume
+          emptyDir: {}
+        {{- end }}
       {{- end }}

charts/cloudhealth-collector/templates/secrets.yaml

@@ -13,4 +13,7 @@ metadata:
 type: Opaque
 data:
   apiToken:  {{ .Values.apiToken | b64enc | quote }}
+  {{- if .Values.proxy.sslCert }}
+  certPassword:  {{ .Values.proxy.certPassword | quote }}
+  {{- end }}
 {{- end }}

charts/cloudhealth-collector/values.yaml

@@ -65,6 +65,14 @@ containerSecurityContext: {
   capabilities: {drop: [all]}
 }
 
+proxy:
+  sslCert: false
+  #-Dhttps.proxyHost=$PROXY_SERVER -Dhttps.proxyPort=$PROXY_PORT -Dhttps.nonProxyHosts=kubernetes.default.svc -Djavax.net.ssl.trustStore=/etc/ssl/certs/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit
+  params: ""
+  certPassword: ""
+  caBundlePath: "/etc/ssl/certs/bundle.pem"
+  truststorePath: "/etc/ssl/certs/truststore.jks"
+
 resources:
   limits:
     cpu: 1000m