diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 2f836614a..9e0fccaa5 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -20,7 +20,7 @@ jobs:
 with:
 version: v3.4.0
 
- - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5
+ - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
 with:
 python-version: 3.7
 
diff --git a/charts/cluster/README.md b/charts/cluster/README.md
index a7a1401ab..af047fba9 100644
--- a/charts/cluster/README.md
+++ b/charts/cluster/README.md
@@ -125,6 +125,8 @@ refer to the [CloudNativePG Documentation](https://cloudnative-pg.io/documentat
 | backups.data.jobs | int | `2` | Number of data files to be archived or restored in parallel. |
 | backups.destinationPath | string | `""` | Overrides the provider specific default path. Defaults to: S3: s3:// Azure: https://..core.windows.net/ Google: gs:// |
 | backups.enabled | bool | `false` | You need to configure backups manually, so backups are disabled by default. |
+| backups.endpointCA | object | `{"create":false,"key":"","name":"","value":""}` | Specifies a CA bundle to validate a privately signed certificate. |
+| backups.endpointCA.create | bool | `false` | Creates a secret with the given value if true, otherwise uses an existing secret. |
 | backups.endpointURL | string | `""` | Overrides the provider specific default endpoint. Defaults to: S3: https://s3..amazonaws.com" |
 | backups.google.applicationCredentials | string | `""` | |
 | backups.google.bucket | string | `""` | |
@@ -191,6 +193,8 @@ refer to the [CloudNativePG Documentation](https://cloudnative-pg.io/documentat
 | recovery.backupName | string | `""` | Backup Recovery Method |
 | recovery.clusterName | string | `""` | Object Store Recovery Method |
 | recovery.destinationPath | string | `""` | Overrides the provider specific default path. Defaults to: S3: s3:// Azure: https://..core.windows.net/ Google: gs:// |
+| recovery.endpointCA | object | `{"create":false,"key":"","name":"","value":""}` | Specifies a CA bundle to validate a privately signed certificate. |
+| recovery.endpointCA.create | bool | `false` | Creates a secret with the given value if true, otherwise uses an existing secret. |
 | recovery.endpointURL | string | `""` | Overrides the provider specific default endpoint. Defaults to: S3: https://s3..amazonaws.com" Leave empty if using the default S3 endpoint |
 | recovery.google.applicationCredentials | string | `""` | |
 | recovery.google.bucket | string | `""` | |
diff --git a/charts/cluster/templates/_barman_object_store.tpl b/charts/cluster/templates/_barman_object_store.tpl
index 96278f11a..f002800e5 100644
--- a/charts/cluster/templates/_barman_object_store.tpl
+++ b/charts/cluster/templates/_barman_object_store.tpl
@@ -4,6 +4,12 @@
 endpointURL: {{ .scope.endpointURL }}
 {{- end }}
 
+{{- if or (.scope.endpointCA.create) (.scope.endpointCA.name) }}
+ endpointCA:
+ name: {{ .chartFullname }}-ca-bundle
+ key: ca-bundle.crt
+{{- end }}
+
 {{- if .scope.destinationPath }}
 destinationPath: {{ .scope.destinationPath }}
 {{- end }}
diff --git a/charts/cluster/templates/ca-bundle.yaml b/charts/cluster/templates/ca-bundle.yaml
new file mode 100644
index 000000000..12991c163
--- /dev/null
+++ b/charts/cluster/templates/ca-bundle.yaml
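Review bot: The Secret reference emitted here is hard-coded to `{{ .chartFullname }}-ca-bundle` and `ca-bundle.crt`, while ca-bundle.yaml honours `endpointCA.name` and `endpointCA.key` through `default`, so a user who sets `name` to an existing Secret (the `create: false` path the values comment describes) or sets `create: true` with a custom `name`/`key` ends up with barmanObjectStore pointing at a Secret or key that is never created, and the CA bundle is silently not applied. The two lines should resolve the same defaults as the Secret template: `name: {{ .scope.endpointCA.name | default (printf "%s-ca-bundle" .chartFullname) }}` and `key: {{ .scope.endpointCA.key | default "ca-bundle.crt" }}` (assuming `.chartFullname` carries the same value as `include "cluster.fullname" .`, which the page does not show). The `or` condition also accepts `.scope.endpointCA.create` for the recovery scope, but ca-bundle.yaml only reads `.Values.backups.endpointCA`, so `recovery.endpointCA.create: true` produces a dangling reference. The enclosing `define` block starts before this hunk.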
@@ -0,0 +1,9 @@
+{{- if .Values.backups.endpointCA.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.backups.endpointCA.name | default (printf "%s-ca-bundle" (include "cluster.fullname" .)) | quote }}
+data:
+ {{ .Values.backups.endpointCA.key | default "ca-bundle.crt" | quote }}: {{ .Values.backups.endpointCA.value }}
+
+{{- end }}
diff --git a/charts/cluster/values.schema.json b/charts/cluster/values.schema.json
index 216d17a81..0c7c1bbe0 100644
--- a/charts/cluster/values.schema.json
+++ b/charts/cluster/values.schema.json
@@ -54,6 +54,23 @@
 "enabled": {
 "type": "boolean"
 },
+ "endpointCA": {
+ "type": "object",
+ "properties": {
+ "create": {
+ "type": "boolean"
+ },
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ }
+ }
+ },
 "endpointURL": {
 "type": "string"
 },
@@ -338,6 +355,23 @@
 "destinationPath": {
 "type": "string"
 },
+ "endpointCA": {
+ "type": "object",
+ "properties": {
+ "create": {
+ "type": "boolean"
+ },
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ }
+ }
+ },
 "endpointURL": {
 "type": "string"
 },
diff --git a/charts/cluster/values.yaml b/charts/cluster/values.yaml
index 950660ecf..bff9d2202 100644
--- a/charts/cluster/values.yaml
+++ b/charts/cluster/values.yaml
@@ -41,6 +41,13 @@ recovery:
 # S3: https://s3..amazonaws.com"
 # Leave empty if using the default S3 endpoint
 endpointURL: ""
+ # -- Specifies a CA bundle to validate a privately signed certificate.
+ endpointCA:
+ # -- Creates a secret with the given value if true, otherwise uses an existing secret.
+ create: false
+ name: ""
+ key: ""
+ value: ""
 # -- Overrides the provider specific default path. Defaults to:
 # S3: s3://
 # Azure: https://..core.windows.net/
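Review bot: `{{ .Values.backups.endpointCA.value }}` is written verbatim under `data:`, but Kubernetes requires `data` values to be base64-encoded, and nothing in values.yaml or the README tells the user to pre-encode the bundle, so a PEM pasted into `value` is rejected by the API server; a raw multi-line PEM also renders as invalid YAML because the value is unquoted. Either encode it, `{{ .Values.backups.endpointCA.key | default "ca-bundle.crt" | quote }}: {{ .Values.backups.endpointCA.value | b64enc | quote }}`, or place the key under `stringData:` instead of `data:`, and state the expected format in the `value` comment. The template is also gated only on `.Values.backups.endpointCA.create`, while the schema and values.yaml add an identical `recovery.endpointCA.create` for which no Secret is ever rendered; either render a second Secret for the recovery scope or document that `recovery.endpointCA` can only reference an existing Secret.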
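Review bot: `name`, `key` and `value` under the new `recovery.endpointCA` block carry no `# --` comment, so they are absent from the generated README (which lists only `endpointCA` and `endpointCA.create`) and a reader cannot tell from the chart what `name` and `key` fall back to or what `value` must contain. Suggested comments, matching the defaults used in ca-bundle.yaml: `# -- Name of the Secret holding the CA bundle; defaults to <release fullname>-ca-bundle`, `# -- Key inside the Secret holding the CA bundle; defaults to ca-bundle.crt`, `# -- CA bundle content, only used when create is true`. The same applies to the `backups.endpointCA` block in the following hunk, which runs past the end of this excerpt.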
@@ -187,6 +194,13 @@ backups:
 # -- Overrides the provider specific default endpoint. Defaults to:
 # S3: https://s3..amazonaws.com"
 endpointURL: "" # Leave empty if using the default S3 endpoint
+ # -- Specifies a CA bundle to validate a privately signed certificate.
+ endpointCA:
+ # -- Creates a secret with the given value if true, otherwise uses an existing secret.
+ create: false
+ name: ""
+ key: ""
+ value: ""
 # -- Overrides the provider specific default path. Defaults to:
 # S3: s3://