From 608c24569c5449f70f94f033c6cd41399ea018f8 Mon Sep 17 00:00:00 2001
From: Flora Thiebaut
Date: Mon, 2 Mar 2026 14:42:41 +0100
Subject: [PATCH 01/18] feat: allow custom CAs to be used when mounting csi-rclone volumes
---
.../templates/_certificates-env.tpl | 16 +++++++++++
.../_certificates-init-container.tpl | 13 +++++++++
.../templates/_certificates-volume-mounts.tpl | 26 +++++++++++++++++
.../templates/_certificates-volumes.tpl | 28 +++++++++++++++++++
deploy/csi-rclone/values.yaml | 14 ++++++++++
5 files changed, 97 insertions(+)
create mode 100644 deploy/csi-rclone/templates/_certificates-env.tpl
create mode 100644 deploy/csi-rclone/templates/_certificates-init-container.tpl
create mode 100644 deploy/csi-rclone/templates/_certificates-volume-mounts.tpl
create mode 100644 deploy/csi-rclone/templates/_certificates-volumes.tpl
diff --git a/deploy/csi-rclone/templates/_certificates-env.tpl b/deploy/csi-rclone/templates/_certificates-env.tpl
new file mode 100644
index 0000000..e21d9bb
--- /dev/null
+++ b/deploy/csi-rclone/templates/_certificates-env.tpl
@@ -0,0 +1,16 @@
+{{- define "certificates.env.python" -}}
+- name: REQUESTS_CA_BUNDLE
+ value: /etc/ssl/certs/ca-certificates.crt
+- name: SSL_CERT_FILE
+ value: /etc/ssl/certs/ca-certificates.crt
+{{- end -}}
+
+{{- define "certificates.env.grpc" -}}
+- name: GRPC_DEFAULT_SSL_ROOTS_FILE_PATH
+ value: /etc/ssl/certs/ca-certificates.crt
+{{- end -}}
+
+{{- define "certificates.env.nodejs" -}}
+- name: NODE_EXTRA_CA_CERTS
+ value: /etc/ssl/certs/ca-certificates.crt
+{{- end -}}
diff --git a/deploy/csi-rclone/templates/_certificates-init-container.tpl b/deploy/csi-rclone/templates/_certificates-init-container.tpl
new file mode 100644
index 0000000..a11cf00
--- /dev/null
+++ b/deploy/csi-rclone/templates/_certificates-init-container.tpl
@@ -0,0 +1,13 @@
+{{- define "certificates.initContainer" -}}
+{{- $customCAsEnabled := .Values.global.certificates.customCAs -}}
+- name: init-certificates
+ image: "{{ .Values.global.certificates.image.repository }}:{{ .Values.global.certificates.image.tag }}"
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 4 }}
+ volumeMounts:
+ - name: etc-ssl-certs
+ mountPath: /etc/ssl/certs/
+ - name: custom-ca-certs
+ mountPath: /usr/local/share/ca-certificates
+ readOnly: true
+{{- end -}}
diff --git a/deploy/csi-rclone/templates/_certificates-volume-mounts.tpl b/deploy/csi-rclone/templates/_certificates-volume-mounts.tpl
new file mode 100644
index 0000000..bb51b66
--- /dev/null
+++ b/deploy/csi-rclone/templates/_certificates-volume-mounts.tpl
@@ -0,0 +1,26 @@
+{{- define "certificates.volumeMounts.system" -}}
+- name: etc-ssl-certs
+ mountPath: /etc/ssl/certs/
+ readOnly: true
+{{- end -}}
+
+{{- define "certificates.volumeMounts.openjdk14" -}}
+- name: etc-ssl-certs
+ mountPath: /opt/openjdk-14/lib/security/cacerts
+ subPath: java/cacerts
+ readOnly: true
+{{- end -}}
+
+{{- define "certificates.volumeMounts.javaCertsGeneral" -}}
+- name: etc-ssl-certs
+ mountPath: /etc/ssl/certs/java/cacerts
+ subPath: java/cacerts
+ readOnly: true
+{{- end -}}
+
+{{- define "certificates.volumeMounts.openjdk17" -}}
+- name: etc-ssl-certs
+ mountPath: /opt/java/openjdk/lib/security/cacerts
+ subPath: java/cacerts
+ readOnly: true
+{{- end -}}
diff --git a/deploy/csi-rclone/templates/_certificates-volumes.tpl b/deploy/csi-rclone/templates/_certificates-volumes.tpl
new file mode 100644
index 0000000..b9c000d
--- /dev/null
+++ b/deploy/csi-rclone/templates/_certificates-volumes.tpl
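Review bot: The `securityContext` of `init-certificates` in `_certificates-init-container.tpl` is filled from top-level `.Values.securityContext`, a key that none of the values.yaml hunks shown in this commit define, so the container that writes the shared `/etc/ssl/certs/` trust store may render with an empty context and run on image defaults. PATCH 16 later deletes the field rather than fixing the lookup. Consider a dedicated value, for example `{{- toYaml .Values.csiNodepluginRclone.certificates.securityContext | nindent 4 }}`, with a default that sets `allowPrivilegeEscalation: false`, provided the certificates image can still write the bundle under it. `$customCAsEnabled` is assigned on the second line but is not used in this version of the template.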
@@ -0,0 +1,28 @@ +{{- define "certificatesForMounts.volumes" -}} +{{- $customCAsEnabled := .Values.global.certificates.customCAs -}} +{{- $customCAsForMountsEnabled := .Values.global.certificates.customCAsForDataConnectorMounts -}} +- name: etc-ssl-certs + emptyDir: + medium: "Memory" +- name: custom-ca-certs + projected: + defaultMode: 0444 + sources: + - secret: + name: {{ include "renku.CASecretName" . }} + items: + - key: tls.crt + path: {{ include "renku.CASecretName" . }}-internal-communication-ca.crt + {{- if $customCAsEnabled }} + {{- range $customCA := .Values.global.certificates.customCAs }} + - secret: + name: {{ $customCA.secret }} + {{- end -}} + {{- end -}} + {{- if $customCAsForMountsEnabled }} + {{- range $customCA := .Values.global.certificates.customCAsForDataConnectorMounts }} + - secret: + name: {{ $customCA.secret }} + {{- end -}} + {{- end -}} +{{- end -}} diff --git a/deploy/csi-rclone/values.yaml b/deploy/csi-rclone/values.yaml index acbad32..37a019f 100644 --- a/deploy/csi-rclone/values.yaml +++ b/deploy/csi-rclone/values.yaml @@ -47,6 +47,7 @@ csiControllerRclone: port: 9090 pathPrefix: # /metrics pollPeriod: # 30s + replicas: 1 serviceAccount: annotations: {} @@ -106,6 +107,19 @@ csiNodepluginRclone: # value: "32M" # - name: "transfers" # value: "8" + ## Specify the name of a existing K8s secrets that contains the certificate + ## if you would like to use custom CAs. The key for the secret + ## should have the .crt extension otherwise it is ignored. The + ## keys across all secrets are mounted as files in one location so + ## the keys across all secrets have to be unique. + certificates: + image: + repository: renku/certificates + tag: "0.0.2" + customCAs: [] + # - secret: + customCAsForDataConnectorMounts: [] + # - secret: serviceAccount: annotations: {} nodeSelector: {} From ade2413331ba5b15494076b05d98103fd3ccf582 Mon Sep 17 00:00:00 2001 
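Review bot: Each `- secret:` source under `custom-ca-certs` in `_certificates-volumes.tpl` is projected without an `items` list, so every key of the named Secret is mounted into the pod, not only the `.crt` entries that the values.yaml comment says are used. If an operator points `customCAs` at a `kubernetes.io/tls` Secret, its `tls.key` would be exposed alongside the certificate with `defaultMode: 0444`. Either document that these Secrets must hold CA certificates only, or let each entry carry an explicit key list and render it as `items:`. `name: {{ $customCA.secret }}` should also be quoted, `name: {{ $customCA.secret | quote }}`, so an empty or number-like value does not change type.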
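Review bot: In the second values.yaml hunk, `certificates.image` is identified only by the mutable tag `"0.0.2"`, although this image builds the CA bundle shared through the `etc-ssl-certs` volume. A digest reference would make the trust-store builder reproducible; the chart could accept an optional `digest:` value and render `repository@digest` when it is set. The comment block should also state that all keys of the referenced Secrets are mounted, and `a existing K8s secrets` should read `an existing K8s secret`.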
From: Flora Thiebaut
Date: Thu, 12 Jun 2025 09:05:27 +0200
Subject: [PATCH 02/18] build: add action to build the container image (dev)
---
.github/workflows/build.yaml | 71 ++++++++++++++++++++++++++++++++++++
1 file changed, 71 insertions(+)
create mode 100644 .github/workflows/build.yaml
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
new file mode 100644
index 0000000..bf5d40a
--- /dev/null
+++ b/.github/workflows/build.yaml
@@ -0,0 +1,71 @@
+name: Build dev version
+
+on:
+ push:
+ workflow_dispatch:
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+ CHART_NAME: ${{ github.repository }}/helm-chart
+
+defaults:
+ run:
+ shell: bash
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ build-image:
+ runs-on: ubuntu-24.04
+ outputs:
+ image: ${{ steps.docker_image.outputs.image }}
+ image_repository: ${{ steps.docker_image.outputs.image_repository }}
+ image_tag: ${{ steps.docker_image.outputs.image_tag }}
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Docker image metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: type=sha
+ # - name: Extract Docker image name
+ # id: docker_image
+ # env:
+ # IMAGE_TAGS: ${{ steps.meta.outputs.tags }}
+ # run: |
+ # IMAGE=$(echo "$IMAGE_TAGS" | cut -d" " -f1)
+ # IMAGE_REPOSITORY=$(echo "$IMAGE" | cut -d":" -f1)
+ # IMAGE_TAG=$(echo "$IMAGE" | cut -d":" -f2)
+ # echo "image=$IMAGE" >> "$GITHUB_OUTPUT"
+ # echo "image_repository=$IMAGE_REPOSITORY" >> "$GITHUB_OUTPUT"
+ # echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
+ # - name: Set up Docker buildx
+ # uses: docker/setup-buildx-action@v3
+ # - name: Set up Docker
+ # uses: docker/login-action@v3
+ # with:
+ # registry: ${{ env.REGISTRY }}
+ # username: ${{ github.actor }}
+ # password: ${{ secrets.GITHUB_TOKEN }}
+ # - name: Build and push Docker image
+ # uses: docker/build-push-action@v6
+ # with:
+ # context: .
+ # push: true + # tags: ${{ steps.meta.outputs.tags }} + # labels: ${{ steps.meta.outputs.labels }} + # cache-from: type=registry,ref=${{ steps.docker_image.outputs.image_repository }}:buildcache + # cache-to: type=registry,ref=${{ steps.docker_image.outputs.image_repository }}:buildcache,mode=max + +# TODO: add job to build and push the helm chart if needed (manual trigger) From 90362c987e6852f28b43f089698fbc86c0d789a7 Mon Sep 17 00:00:00 2001 From: Flora Thiebaut Date: Tue, 3 Mar 2026 10:57:31 +0100 Subject: [PATCH 03/18] wip --- .github/workflows/build.yaml | 42 +++++++++++++++++++++++++----------- 1 file changed, 30 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index bf5d40a..e1ad702 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -39,17 +39,15 @@ jobs: with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: type=sha - # - name: Extract Docker image name - # id: docker_image - # env: - # IMAGE_TAGS: ${{ steps.meta.outputs.tags }} - # run: | - # IMAGE=$(echo "$IMAGE_TAGS" | cut -d" " -f1) - # IMAGE_REPOSITORY=$(echo "$IMAGE" | cut -d":" -f1) - # IMAGE_TAG=$(echo "$IMAGE" | cut -d":" -f2) - # echo "image=$IMAGE" >> "$GITHUB_OUTPUT" - # echo "image_repository=$IMAGE_REPOSITORY" >> "$GITHUB_OUTPUT" - # echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT" + - name: Extract Docker image name + id: docker_image + run: | + IMAGE=$(echo '${{ steps.meta.outputs.json }}' | jq -cr '.tags[0]') + IMAGE_REPOSITORY=$(echo "$IMAGE" | cut -d":" -f1) + IMAGE_TAG=$(echo "$IMAGE" | cut -d":" -f2) + echo "image=$IMAGE" >> "$GITHUB_OUTPUT" + echo "image_repository=$IMAGE_REPOSITORY" >> "$GITHUB_OUTPUT" + echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT" # - name: Set up Docker buildx # uses: docker/setup-buildx-action@v3 # - name: Set up Docker 
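Review bot: `actions/checkout@v4` and `docker/metadata-action@v5` in the new `build-image` job are referenced by mutable tags while the job is granted `packages: write`, so a retagged action release would run with push rights to the registry. Pinning each `uses:` to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<COMMIT_SHA>  # v4`, closes that gap; the same applies to the `uses:` lines added in PATCH 03, 04 and 06. Separately, `outputs:` reads `steps.docker_image.outputs.*` while the `docker_image` step is still commented out, so all three job outputs are empty in this revision. `on: push` has no branch filter, which deserves a comment if building on every branch is intended.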
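Review bot: In the re-enabled `Extract Docker image name` step, `echo '${{ steps.meta.outputs.json }}'` pastes the expression result into the script before bash parses it, so a single quote anywhere in the metadata JSON (which presumably carries free-text label values as well as tags) ends the string and the rest is interpreted as shell. The commented-out version that this hunk replaces passed the value through `env:`, which is the safer pattern. Keep it by adding `env:` with `META_JSON: ${{ steps.meta.outputs.json }}` and using `IMAGE=$(jq -cr '.tags[0]' <<< "$META_JSON")`. The later `run:` steps that interpolate `${{ needs.build-image.outputs.* }}` into the `chartpress` and `helm push` command lines (PATCH 05, 06 and 11) deserve the same treatment.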
@@ -68,4 +66,24 @@ jobs: # cache-from: type=registry,ref=${{ steps.docker_image.outputs.image_repository }}:buildcache # cache-to: type=registry,ref=${{ steps.docker_image.outputs.image_repository }}:buildcache,mode=max -# TODO: add job to build and push the helm chart if needed (manual trigger) + publish-chart: + needs: [build-image] + runs-on: ubuntu-24.04 + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Setup Python + uses: actions/setup-python@v4 + with: + python-version: 3.11 + - name: Setup Helm + uses: azure/setup-helm@v3 + with: + token: ${{secrets.GITHUB_TOKEN }} + - name: Install chartpress + run: pip install chartpress + - name: Setup Helm push + run: | + echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ${{ env.REGISTRY }} -u ${{ github.actor }} --password-stdin From af2309748e4b5e5b20084bfe9c7ef2246002dc01 Mon Sep 17 00:00:00 2001 From: Flora Thiebaut Date: Tue, 3 Mar 2026 11:17:49 +0100 Subject: [PATCH 04/18] wip --- .github/workflows/build.yaml | 23 +++++++++++++++++++---- chartpress.yaml | 1 + 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index e1ad702..6110107 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
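Review bot: `pip install chartpress` in the new `publish-chart` job installs whatever release is newest at run time, in the same job that logs in to the registry, so the toolchain is neither reproducible nor reviewed. Pin it, e.g. `pip install "chartpress==<PINNED_VERSION>"`, ideally from a hashed requirements file; the same line is added to `build-image` in PATCH 04. The login step also expands `${{ secrets.GITHUB_TOKEN }}` inside the script text; passing it as `env:` with `HELM_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and piping `"$HELM_TOKEN"` keeps the secret out of the generated script. `python-version: 3.11` should be quoted, since a value such as 3.10 would be read as the float 3.1.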
@@ -33,12 +33,28 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Setup Python + uses: actions/setup-python@v4 + with: + python-version: 3.11 + - name: Install chartpress + run: pip install chartpress + - name: Get image tag from chartpress + id: chartpress + run: | + CHARTPRESS_TAG=$(chartpress --list-images | head -n1 | cut -d":" -f2) + echo "CHARTPRESS_TAG=${CHARTPRESS_TAG}" + echo "chartpress_tag=${CHARTPRESS_TAG}" >> "$GITHUB_OUTPUT" - name: Docker image metadata id: meta uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - tags: type=sha + tags: | + type=raw,value=${{ steps.chartpress.outputs.chartpress_tag }} + type=sha - name: Extract Docker image name id: docker_image run: | @@ -79,11 +95,10 @@ jobs: with: python-version: 3.11 - name: Setup Helm - uses: azure/setup-helm@v3 - with: - token: ${{secrets.GITHUB_TOKEN }} + uses: azure/setup-helm@v4 - name: Install chartpress run: pip install chartpress - name: Setup Helm push run: | echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ${{ env.REGISTRY }} -u ${{ github.actor }} --password-stdin + diff --git a/chartpress.yaml b/chartpress.yaml index ffb3e0b..fabc065 100644 --- a/chartpress.yaml +++ b/chartpress.yaml @@ -3,6 +3,7 @@ charts: imagePrefix: renku/ resetTag: "" resetVersion: 0.2.0 + baseVersion: 0.7.0-0.dev repo: git: SwissDataScienceCenter/helm-charts published: https://swissdatasciencecenter.github.io/helm-charts From 458354d58071d96e6af165d9d85e6577ccb40cc4 Mon Sep 17 00:00:00 2001 From: Flora Thiebaut Date: Tue, 3 Mar 2026 11:23:03 +0100 Subject: [PATCH 05/18] wip --- .github/workflows/build.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 6110107..9d2f836 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
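Review bot: In the first build.yaml hunk, `CHARTPRESS_TAG` is taken from `chartpress --list-images | head -n1 | cut -d":" -f2` and written to `$GITHUB_OUTPUT` without a check that it is non-empty, and the value then feeds `type=raw,value=...` for the image tag. An empty or unexpected listing would presumably only surface later, as an odd or missing tag on a published image. Add a guard before the output line, e.g. `[ -n "$CHARTPRESS_TAG" ] || { echo "chartpress returned no tag" >&2; exit 1; }`. `cut -d":" -f2` also assumes the image reference contains no registry port.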
@@ -59,8 +59,11 @@ jobs: id: docker_image run: | IMAGE=$(echo '${{ steps.meta.outputs.json }}' | jq -cr '.tags[0]') + echo "IMAGE=${IMAGE}" IMAGE_REPOSITORY=$(echo "$IMAGE" | cut -d":" -f1) + echo "IMAGE_REPOSITORY=${IMAGE_REPOSITORY}" IMAGE_TAG=$(echo "$IMAGE" | cut -d":" -f2) + echo "IMAGE_TAG=${IMAGE_TAG}" echo "image=$IMAGE" >> "$GITHUB_OUTPUT" echo "image_repository=$IMAGE_REPOSITORY" >> "$GITHUB_OUTPUT" echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT" @@ -101,4 +104,25 @@ jobs: - name: Setup Helm push run: | echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ${{ env.REGISTRY }} -u ${{ github.actor }} --password-stdin + - name: Update chart + run: | + helm dep update deploy/csi-rclone + chartpress --no-build --image-prefix "${{ needs.build-image.outputs.image_repository }}/" --tag "${{ needs.build-image.outputs.image_tag }}" + helm lint deploy/csi-rclone + # - name: Publish chart + # - name: Publish chart + # env: + # DOCKER_USERNAME: ${{ secrets.RENKU_DOCKER_USERNAME }} + # DOCKER_PASSWORD: ${{ secrets.RENKU_DOCKER_PASSWORD }} + # GITHUB_TOKEN: ${{ secrets.RENKUBOT_GITHUB_TOKEN }} + # run: | + # git config --global user.email "renku@datascience.ch" + # git config --global user.name "Renku Bot" + # export TAG=$(echo ${GITHUB_REF} |cut -d/ -f3) + # docker buildx create --name multiarch --use + # docker buildx inspect --bootstrap + # helm dep update deploy/csi-rclone + # chartpress --tag $TAG --platform linux/amd64 --platform linux/arm64 --builder docker-buildx + # helm lint deploy/csi-rclone + # chartpress --tag $TAG --platform linux/amd64 --platform linux/arm64 --builder docker-buildx --push --publish-chart From 973a249bd82b5a0e08ce6e2f528656fca73c23e3 Mon Sep 17 00:00:00 2001 From: Flora Thiebaut Date: Tue, 3 Mar 2026 11:32:55 +0100 Subject: [PATCH 06/18] wip: try to publish --- .github/workflows/build.yaml | 59 ++++++++++++++---------------------- 1 file changed, 23 insertions(+), 36 deletions(-) 
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 9d2f836..a7a0e83 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -7,7 +7,7 @@ on: env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} - CHART_NAME: ${{ github.repository }}/helm-chart + CHART_NAME: ${{ github.repository }}/helm-chart-dev defaults: run: @@ -67,23 +67,23 @@ jobs: echo "image=$IMAGE" >> "$GITHUB_OUTPUT" echo "image_repository=$IMAGE_REPOSITORY" >> "$GITHUB_OUTPUT" echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT" - # - name: Set up Docker buildx - # uses: docker/setup-buildx-action@v3 - # - name: Set up Docker - # uses: docker/login-action@v3 - # with: - # registry: ${{ env.REGISTRY }} - # username: ${{ github.actor }} - # password: ${{ secrets.GITHUB_TOKEN }} - # - name: Build and push Docker image - # uses: docker/build-push-action@v6 - # with: - # context: . - # push: true - # tags: ${{ steps.meta.outputs.tags }} - # labels: ${{ steps.meta.outputs.labels }} - # cache-from: type=registry,ref=${{ steps.docker_image.outputs.image_repository }}:buildcache - # cache-to: type=registry,ref=${{ steps.docker_image.outputs.image_repository }}:buildcache,mode=max + - name: Set up Docker buildx + uses: docker/setup-buildx-action@v3 + - name: Set up Docker + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Build and push Docker image + uses: docker/build-push-action@v6 + with: + context: . + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=registry,ref=${{ steps.docker_image.outputs.image_repository }}:buildcache + cache-to: type=registry,ref=${{ steps.docker_image.outputs.image_repository }}:buildcache,mode=max publish-chart: needs: [build-image] 
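Review bot: With the build steps enabled in the `@@ -67,23 +67,23 @@` hunk, every push to any branch now publishes an image and writes the shared `:buildcache` ref with `mode=max`, because the workflow's `on: push` trigger (PATCH 02) carries no branch filter. A build from any branch can therefore seed cache layers that later builds, including ones from the default branch, will reuse. Consider restricting `on.push.branches`, or scoping the cache ref per branch and keeping `cache-to` for trusted refs only.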
@@ -107,22 +107,9 @@ jobs: - name: Update chart run: | helm dep update deploy/csi-rclone - chartpress --no-build --image-prefix "${{ needs.build-image.outputs.image_repository }}/" --tag "${{ needs.build-image.outputs.image_tag }}" + chartpress --no-build --image-prefix "${{ env.REGISTRY }}/" --tag "${{ needs.build-image.outputs.image_tag }}" helm lint deploy/csi-rclone - # - name: Publish chart - - # - name: Publish chart - # env: - # DOCKER_USERNAME: ${{ secrets.RENKU_DOCKER_USERNAME }} - # DOCKER_PASSWORD: ${{ secrets.RENKU_DOCKER_PASSWORD }} - # GITHUB_TOKEN: ${{ secrets.RENKUBOT_GITHUB_TOKEN }} - # run: | - # git config --global user.email "renku@datascience.ch" - # git config --global user.name "Renku Bot" - # export TAG=$(echo ${GITHUB_REF} |cut -d/ -f3) - # docker buildx create --name multiarch --use - # docker buildx inspect --bootstrap - # helm dep update deploy/csi-rclone - # chartpress --tag $TAG --platform linux/amd64 --platform linux/arm64 --builder docker-buildx - # helm lint deploy/csi-rclone - # chartpress --tag $TAG --platform linux/amd64 --platform linux/arm64 --builder docker-buildx --push --publish-chart + - name: Publish chart + run: | + helm package deploy/csi-rclone + helm push "csi-rclone-${{ needs.build-image.outputs.image_tag }}.tgz" "oci://${{ env.REGISTRY }}/${{ env.CHART_NAME }}" From cb2faab560b713ebf9877127bf3f1f30447d9aac Mon Sep 17 00:00:00 2001 From: Flora Thiebaut Date: Tue, 3 Mar 2026 11:36:30 +0100 Subject: [PATCH 07/18] fix oci repository? --- .github/workflows/build.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index a7a0e83..37300b2 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -7,7 +7,6 @@ on: env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} - CHART_NAME: ${{ github.repository }}/helm-chart-dev defaults: run: 
@@ -112,4 +111,4 @@ jobs: - name: Publish chart run: | helm package deploy/csi-rclone - helm push "csi-rclone-${{ needs.build-image.outputs.image_tag }}.tgz" "oci://${{ env.REGISTRY }}/${{ env.CHART_NAME }}" + helm push "csi-rclone-${{ needs.build-image.outputs.image_tag }}.tgz" "oci://${{ needs.build-image.outputs.image_repository }}/helm-chart-dev" From 293cce0b6027276a44753f8a03079ba13ee99b0e Mon Sep 17 00:00:00 2001 From: Flora Thiebaut Date: Tue, 3 Mar 2026 11:48:30 +0100 Subject: [PATCH 08/18] fix? --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 37300b2..5de029c 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -111,4 +111,4 @@ jobs: - name: Publish chart run: | helm package deploy/csi-rclone - helm push "csi-rclone-${{ needs.build-image.outputs.image_tag }}.tgz" "oci://${{ needs.build-image.outputs.image_repository }}/helm-chart-dev" + helm push "csi-rclone-${{ needs.build-image.outputs.image_tag }}.tgz" "oci://${{ needs.build-image.outputs.image_repository }}/helm-charts-dev" From fa99f624126cbc7962a82379768053f738e3a471 Mon Sep 17 00:00:00 2001 From: Flora Thiebaut Date: Tue, 3 Mar 2026 11:49:59 +0100 Subject: [PATCH 09/18] empty commit From abdec5f7980be1b9c26c699faddb4c21159f2f07 Mon Sep 17 00:00:00 2001 From: Flora Thiebaut Date: Tue, 3 Mar 2026 11:56:44 +0100 Subject: [PATCH 10/18] allow package write --- .github/workflows/build.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 5de029c..ebdf637 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -87,6 +87,9 @@ jobs: publish-chart: needs: [build-image] runs-on: ubuntu-24.04 + permissions: + contents: read + packages: write steps: - name: Checkout uses: actions/checkout@v4 From 47afd128ba981ae1540f0f12fbbecb02660a603b Mon Sep 17 00:00:00 2001 
From: Flora Thiebaut Date: Tue, 3 Mar 2026 13:10:08 +0100 Subject: [PATCH 11/18] fix image --- .github/workflows/build.yaml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index ebdf637..5f9d7ba 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -7,6 +7,7 @@ on: env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} + CHART_REPO: helm-charts-dev defaults: run: @@ -26,6 +27,7 @@ jobs: image: ${{ steps.docker_image.outputs.image }} image_repository: ${{ steps.docker_image.outputs.image_repository }} image_tag: ${{ steps.docker_image.outputs.image_tag }} + image_registry: $${{ steps.docker_image.outputs.image_registry }} permissions: contents: read packages: write @@ -59,13 +61,16 @@ jobs: run: | IMAGE=$(echo '${{ steps.meta.outputs.json }}' | jq -cr '.tags[0]') echo "IMAGE=${IMAGE}" - IMAGE_REPOSITORY=$(echo "$IMAGE" | cut -d":" -f1) + IMAGE_REPOSITORY=$(echo "$IMAGE" | cut -d':' -f1) echo "IMAGE_REPOSITORY=${IMAGE_REPOSITORY}" - IMAGE_TAG=$(echo "$IMAGE" | cut -d":" -f2) + IMAGE_TAG=$(echo "$IMAGE" | cut -d':' -f2) echo "IMAGE_TAG=${IMAGE_TAG}" + IMAGE_REGISTRY=$(echo "${IMAGE_REPOSITORY}" | rev | cut -d'/' -f2- | rev) + echo "IMAGE_REGISTRY=${IMAGE_REGISTRY}" echo "image=$IMAGE" >> "$GITHUB_OUTPUT" echo "image_repository=$IMAGE_REPOSITORY" >> "$GITHUB_OUTPUT" echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT" + echo "image_registry=$IMAGE_REGISTRY" >> "$GITHUB_OUTPUT" - name: Set up Docker buildx uses: docker/setup-buildx-action@v3 - name: Set up Docker 
@@ -109,9 +114,9 @@ jobs: - name: Update chart run: | helm dep update deploy/csi-rclone - chartpress --no-build --image-prefix "${{ env.REGISTRY }}/" --tag "${{ needs.build-image.outputs.image_tag }}" + chartpress --no-build --image-prefix "${{ needs.build-image.outputs.image_registry }}/" --tag "${{ needs.build-image.outputs.image_tag }}" helm lint deploy/csi-rclone - name: Publish chart run: | helm package deploy/csi-rclone - helm push "csi-rclone-${{ needs.build-image.outputs.image_tag }}.tgz" "oci://${{ needs.build-image.outputs.image_repository }}/helm-charts-dev" + helm push "csi-rclone-${{ needs.build-image.outputs.image_tag }}.tgz" "oci://${{ needs.build-image.outputs.image_repository }}/${{ env.CHART_REPO }}" From 06f827677931dc9b2ecbb93cabb9eeef3ab47f6e Mon Sep 17 00:00:00 2001 From: Flora Thiebaut Date: Tue, 3 Mar 2026 13:15:29 +0100 Subject: [PATCH 12/18] fix? --- .github/workflows/build.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 5f9d7ba..3997302 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -27,7 +27,7 @@ jobs: image: ${{ steps.docker_image.outputs.image }} image_repository: ${{ steps.docker_image.outputs.image_repository }} image_tag: ${{ steps.docker_image.outputs.image_tag }} - image_registry: $${{ steps.docker_image.outputs.image_registry }} + image_prefix: $${{ steps.docker_image.outputs.image_prefix }} permissions: contents: read packages: write 
@@ -65,12 +65,12 @@ jobs: echo "IMAGE_REPOSITORY=${IMAGE_REPOSITORY}" IMAGE_TAG=$(echo "$IMAGE" | cut -d':' -f2) echo "IMAGE_TAG=${IMAGE_TAG}" - IMAGE_REGISTRY=$(echo "${IMAGE_REPOSITORY}" | rev | cut -d'/' -f2- | rev) - echo "IMAGE_REGISTRY=${IMAGE_REGISTRY}" + IMAGE_PREFIX="$(echo "${IMAGE_REPOSITORY}" | rev | cut -d'/' -f2- | rev)/" + echo "IMAGE_PREFIX=${IMAGE_PREFIX}" echo "image=$IMAGE" >> "$GITHUB_OUTPUT" echo "image_repository=$IMAGE_REPOSITORY" >> "$GITHUB_OUTPUT" echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT" - echo "image_registry=$IMAGE_REGISTRY" >> "$GITHUB_OUTPUT" + echo "image_prefix=$IMAGE_PREFIX" >> "$GITHUB_OUTPUT" - name: Set up Docker buildx uses: docker/setup-buildx-action@v3 - name: Set up Docker @@ -114,7 +114,7 @@ jobs: - name: Update chart run: | helm dep update deploy/csi-rclone - chartpress --no-build --image-prefix "${{ needs.build-image.outputs.image_registry }}/" --tag "${{ needs.build-image.outputs.image_tag }}" + chartpress --no-build --image-prefix "${{ needs.build-image.outputs.image_prefix }}" --tag "${{ needs.build-image.outputs.image_tag }}" helm lint deploy/csi-rclone - name: Publish chart run: | From 30530f4d150cf794dbfde3ade59eb4190dab205a Mon Sep 17 00:00:00 2001 From: Flora Thiebaut Date: Tue, 3 Mar 2026 13:19:29 +0100 Subject: [PATCH 13/18] fix --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 3997302..7d73d32 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -27,7 +27,7 @@ jobs: image: ${{ steps.docker_image.outputs.image }} image_repository: ${{ steps.docker_image.outputs.image_repository }} image_tag: ${{ steps.docker_image.outputs.image_tag }} - image_prefix: $${{ steps.docker_image.outputs.image_prefix }} + image_prefix: ${{ steps.docker_image.outputs.image_prefix }} permissions: contents: read packages: write 
From a2e2c833c329d061a57a2e15c5c4f9c12aefeb97 Mon Sep 17 00:00:00 2001 From: Flora Thiebaut Date: Tue, 3 Mar 2026 13:31:35 +0100 Subject: [PATCH 14/18] add volumes and volume mounts --- .../templates/_certificates-init-container.tpl | 8 ++++++-- .../templates/_certificates-volumes.tpl | 15 ++++++--------- .../templates/csi-nodeplugin-rclone.yaml | 4 ++++ deploy/csi-rclone/values.yaml | 1 - 4 files changed, 16 insertions(+), 12 deletions(-) diff --git a/deploy/csi-rclone/templates/_certificates-init-container.tpl b/deploy/csi-rclone/templates/_certificates-init-container.tpl index a11cf00..6713f14 100644 --- a/deploy/csi-rclone/templates/_certificates-init-container.tpl +++ b/deploy/csi-rclone/templates/_certificates-init-container.tpl @@ -1,13 +1,17 @@ {{- define "certificates.initContainer" -}} -{{- $customCAsEnabled := .Values.global.certificates.customCAs -}} +{{- $customCAsEnabled := .Values.csiNodepluginRclone.certificates.customCAs -}} +{{- $customCAsForMountsEnabled := .Values.csiNodepluginRclone.certificates.customCAsForDataConnectorMounts -}} + - name: init-certificates - image: "{{ .Values.global.certificates.image.repository }}:{{ .Values.global.certificates.image.tag }}" + image: "{{ .Values.csiNodepluginRclone.certificates.image.repository }}:{{ .Values.csiNodepluginRclone.certificates.image.tag }}" securityContext: {{- toYaml .Values.securityContext | nindent 4 }} volumeMounts: - name: etc-ssl-certs mountPath: /etc/ssl/certs/ + {{- if or $customCAsEnabled $customCAsForMountsEnabled -}} - name: custom-ca-certs mountPath: /usr/local/share/ca-certificates readOnly: true + {{- end -}} {{- end -}} diff --git a/deploy/csi-rclone/templates/_certificates-volumes.tpl b/deploy/csi-rclone/templates/_certificates-volumes.tpl index b9c000d..fd7cc5f 100644 --- a/deploy/csi-rclone/templates/_certificates-volumes.tpl +++ b/deploy/csi-rclone/templates/_certificates-volumes.tpl 
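Review bot: The new guard `{{- if or $customCAsEnabled $customCAsForMountsEnabled -}}` in `_certificates-init-container.tpl` trims whitespace on both sides, so when it is true the following `- name: custom-ca-certs` is joined onto the end of `mountPath: /etc/ssl/certs/` and the `volumeMounts` list no longer renders as intended. Drop the right-hand dash, `{{- if or $customCAsEnabled $customCAsForMountsEnabled }}` and `{{- end }}`, so the newline before the list item survives. The same `-}}` guard is added ahead of `- name: custom-ca-certs` in `_certificates-volumes.tpl` in this patch. Rendering the chart in CI with a non-empty `customCAs` (`helm template` or `helm lint` with test values) would catch this, since the defaults leave both lists empty and never reach this branch.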
@@ -1,28 +1,25 @@ {{- define "certificatesForMounts.volumes" -}} -{{- $customCAsEnabled := .Values.global.certificates.customCAs -}} -{{- $customCAsForMountsEnabled := .Values.global.certificates.customCAsForDataConnectorMounts -}} +{{- $customCAsEnabled := .Values.csiNodepluginRclone.certificates.customCAs -}} +{{- $customCAsForMountsEnabled := .Values.csiNodepluginRclone.certificates.customCAsForDataConnectorMounts -}} - name: etc-ssl-certs emptyDir: medium: "Memory" +{{- if or $customCAsEnabled $customCAsForMountsEnabled -}} - name: custom-ca-certs projected: defaultMode: 0444 sources: - - secret: - name: {{ include "renku.CASecretName" . }} - items: - - key: tls.crt - path: {{ include "renku.CASecretName" . }}-internal-communication-ca.crt {{- if $customCAsEnabled }} - {{- range $customCA := .Values.global.certificates.customCAs }} + {{- range $customCA := .Values.csiNodepluginRclone.certificates.customCAs }} - secret: name: {{ $customCA.secret }} {{- end -}} {{- end -}} {{- if $customCAsForMountsEnabled }} - {{- range $customCA := .Values.global.certificates.customCAsForDataConnectorMounts }} + {{- range $customCA := .Values.csiNodepluginRclone.certificates.customCAsForDataConnectorMounts }} - secret: name: {{ $customCA.secret }} {{- end -}} {{- end -}} {{- end -}} +{{- end -}} diff --git a/deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml b/deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml index 7615eba..e71e9b7 100644 --- a/deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml +++ b/deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml @@ -20,6 +20,8 @@ spec: spec: serviceAccountName: {{ include "chart.fullname" . }}-nodeplugin dnsPolicy: ClusterFirstWithHostNet + initContainers: + {{- include "certificates.initContainer" . | nindent 8 }} containers: - name: node-driver-registrar args: 
@@ -143,6 +145,7 @@ spec: name: pods-mount-dir - mountPath: /var/lib/rclone name: cache-dir + {{- include "certificates.volumeMounts.system" . | nindent 8 }} {{- with .Values.csiNodepluginRclone.nodeSelector }} nodeSelector: {{ toYaml . | nindent 8 }} @@ -170,3 +173,4 @@ spec: name: registration-dir - name: cache-dir emptyDir: {} + {{- include "certificatesForMounts.volumes" . | nindent 6 }} diff --git a/deploy/csi-rclone/values.yaml b/deploy/csi-rclone/values.yaml index 37a019f..ebf474a 100644 --- a/deploy/csi-rclone/values.yaml +++ b/deploy/csi-rclone/values.yaml @@ -47,7 +47,6 @@ csiControllerRclone: port: 9090 pathPrefix: # /metrics pollPeriod: # 30s - replicas: 1 serviceAccount: annotations: {} From b6d0201f950dde57cde52525b452313940b2b855 Mon Sep 17 00:00:00 2001 From: Flora Thiebaut Date: Tue, 3 Mar 2026 13:53:40 +0100 Subject: [PATCH 15/18] name prefix, weird templating behavior --- deploy/csi-rclone/templates/_certificates-env.tpl | 6 +++--- .../csi-rclone/templates/_certificates-init-container.tpl | 3 +-- .../csi-rclone/templates/_certificates-volume-mounts.tpl | 8 ++++---- deploy/csi-rclone/templates/_certificates-volumes.tpl | 2 +- deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml | 6 +++--- 5 files changed, 12 insertions(+), 13 deletions(-) diff --git a/deploy/csi-rclone/templates/_certificates-env.tpl b/deploy/csi-rclone/templates/_certificates-env.tpl index e21d9bb..7b94d62 100644 --- a/deploy/csi-rclone/templates/_certificates-env.tpl +++ b/deploy/csi-rclone/templates/_certificates-env.tpl 
@@ -1,16 +1,16 @@ -{{- define "certificates.env.python" -}} +{{- define "csiRcloneCertificates.env.python" -}} - name: REQUESTS_CA_BUNDLE value: /etc/ssl/certs/ca-certificates.crt - name: SSL_CERT_FILE value: /etc/ssl/certs/ca-certificates.crt {{- end -}} -{{- define "certificates.env.grpc" -}} +{{- define "csiRcloneCertificates.env.grpc" -}} - name: GRPC_DEFAULT_SSL_ROOTS_FILE_PATH value: /etc/ssl/certs/ca-certificates.crt {{- end -}} -{{- define "certificates.env.nodejs" -}} +{{- define "csiRcloneCertificates.env.nodejs" -}} - name: NODE_EXTRA_CA_CERTS value: /etc/ssl/certs/ca-certificates.crt {{- end -}} diff --git a/deploy/csi-rclone/templates/_certificates-init-container.tpl b/deploy/csi-rclone/templates/_certificates-init-container.tpl index 6713f14..e49de5c 100644 --- a/deploy/csi-rclone/templates/_certificates-init-container.tpl +++ b/deploy/csi-rclone/templates/_certificates-init-container.tpl @@ -1,7 +1,6 @@ -{{- define "certificates.initContainer" -}} +{{- define "csiRcloneCertificates.initContainer" -}} {{- $customCAsEnabled := .Values.csiNodepluginRclone.certificates.customCAs -}} {{- $customCAsForMountsEnabled := .Values.csiNodepluginRclone.certificates.customCAsForDataConnectorMounts -}} - - name: init-certificates image: "{{ .Values.csiNodepluginRclone.certificates.image.repository }}:{{ .Values.csiNodepluginRclone.certificates.image.tag }}" securityContext: diff --git a/deploy/csi-rclone/templates/_certificates-volume-mounts.tpl b/deploy/csi-rclone/templates/_certificates-volume-mounts.tpl index bb51b66..75e5369 100644 --- a/deploy/csi-rclone/templates/_certificates-volume-mounts.tpl +++ b/deploy/csi-rclone/templates/_certificates-volume-mounts.tpl 
@@ -1,24 +1,24 @@ -{{- define "certificates.volumeMounts.system" -}} +{{- define "csiRcloneCertificates.volumeMounts.system" -}} - name: etc-ssl-certs mountPath: /etc/ssl/certs/ readOnly: true {{- end -}} -{{- define "certificates.volumeMounts.openjdk14" -}} +{{- define "csiRcloneCertificates.volumeMounts.openjdk14" -}} - name: etc-ssl-certs mountPath: /opt/openjdk-14/lib/security/cacerts subPath: java/cacerts readOnly: true {{- end -}} -{{- define "certificates.volumeMounts.javaCertsGeneral" -}} +{{- define "csiRcloneCertificates.volumeMounts.javaCertsGeneral" -}} - name: etc-ssl-certs mountPath: /etc/ssl/certs/java/cacerts subPath: java/cacerts readOnly: true {{- end -}} -{{- define "certificates.volumeMounts.openjdk17" -}} +{{- define "csiRcloneCertificates.volumeMounts.openjdk17" -}} - name: etc-ssl-certs mountPath: /opt/java/openjdk/lib/security/cacerts subPath: java/cacerts diff --git a/deploy/csi-rclone/templates/_certificates-volumes.tpl b/deploy/csi-rclone/templates/_certificates-volumes.tpl index fd7cc5f..d67e2ec 100644 --- a/deploy/csi-rclone/templates/_certificates-volumes.tpl +++ b/deploy/csi-rclone/templates/_certificates-volumes.tpl @@ -1,4 +1,4 @@ -{{- define "certificatesForMounts.volumes" -}} +{{- define "csiRcloneCertificatesForMounts.volumes" -}} {{- $customCAsEnabled := .Values.csiNodepluginRclone.certificates.customCAs -}} {{- $customCAsForMountsEnabled := .Values.csiNodepluginRclone.certificates.customCAsForDataConnectorMounts -}} - name: etc-ssl-certs diff --git a/deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml b/deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml index e71e9b7..8c76cdb 100644 --- a/deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml +++ b/deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml 
@@ -21,7 +21,7 @@ spec: serviceAccountName: {{ include "chart.fullname" . }}-nodeplugin dnsPolicy: ClusterFirstWithHostNet initContainers: - {{- include "certificates.initContainer" . | nindent 8 }} + {{- include "csiRcloneCertificates.initContainer" . | nindent 8 }} containers: - name: node-driver-registrar args: @@ -145,7 +145,7 @@ spec: name: pods-mount-dir - mountPath: /var/lib/rclone name: cache-dir - {{- include "certificates.volumeMounts.system" . | nindent 8 }} + {{- include "csiRcloneCertificates.volumeMounts.system" . | nindent 8 }} {{- with .Values.csiNodepluginRclone.nodeSelector }} nodeSelector: {{ toYaml . | nindent 8 }} @@ -173,4 +173,4 @@ spec: name: registration-dir - name: cache-dir emptyDir: {} - {{- include "certificatesForMounts.volumes" . | nindent 6 }} + {{- include "csiRcloneCertificatesForMounts.volumes" . | nindent 6 }} From 2983e0f7621d63bef06fa1b4f2f072ccfe505acc Mon Sep 17 00:00:00 2001 From: Flora Thiebaut Date: Tue, 3 Mar 2026 14:22:42 +0100 Subject: [PATCH 16/18] fix? --- deploy/csi-rclone/templates/_certificates-init-container.tpl | 2 -- 1 file changed, 2 deletions(-) diff --git a/deploy/csi-rclone/templates/_certificates-init-container.tpl b/deploy/csi-rclone/templates/_certificates-init-container.tpl index e49de5c..efd8e10 100644 --- a/deploy/csi-rclone/templates/_certificates-init-container.tpl +++ b/deploy/csi-rclone/templates/_certificates-init-container.tpl @@ -3,8 +3,6 @@ {{- $customCAsForMountsEnabled := .Values.csiNodepluginRclone.certificates.customCAsForDataConnectorMounts -}} - name: init-certificates image: "{{ .Values.csiNodepluginRclone.certificates.image.repository }}:{{ .Values.csiNodepluginRclone.certificates.image.tag }}" - securityContext: - {{- toYaml .Values.securityContext | nindent 4 }} volumeMounts: - name: etc-ssl-certs mountPath: /etc/ssl/certs/ From 9365e6338a07f179cab65d329da143a8981646c1 Mon Sep 17 00:00:00 2001 
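Review bot: Dropping `securityContext` from the `init-certificates` container in `_certificates-init-container.tpl` leaves it with no container-level hardening, so it runs with whatever the pod spec and the image default to; the nodeplugin pod sets `dnsPolicy: ClusterFirstWithHostNet`, which suggests host networking. The removed lines read `.Values.securityContext`, which may simply not be a key this chart defines, so instead of deleting the field I would state the context literally under `image:`: `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}}`. Whether the certificates image can also run as non-root while writing `/etc/ssl/certs/` is not visible here and should be checked before adding `runAsNonRoot: true`. The `define` block starts above this hunk and continues below it.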
From: Flora Thiebaut Date: Tue, 3 Mar 2026 14:45:51 +0100 Subject: [PATCH 17/18] fix chomping --- deploy/csi-rclone/templates/_certificates-init-container.tpl | 2 +- deploy/csi-rclone/templates/_certificates-volumes.tpl | 2 +- deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/deploy/csi-rclone/templates/_certificates-init-container.tpl b/deploy/csi-rclone/templates/_certificates-init-container.tpl index efd8e10..d8b6b1a 100644 --- a/deploy/csi-rclone/templates/_certificates-init-container.tpl +++ b/deploy/csi-rclone/templates/_certificates-init-container.tpl @@ -6,7 +6,7 @@ volumeMounts: - name: etc-ssl-certs mountPath: /etc/ssl/certs/ - {{- if or $customCAsEnabled $customCAsForMountsEnabled -}} + {{- if or $customCAsEnabled $customCAsForMountsEnabled }} - name: custom-ca-certs mountPath: /usr/local/share/ca-certificates readOnly: true diff --git a/deploy/csi-rclone/templates/_certificates-volumes.tpl b/deploy/csi-rclone/templates/_certificates-volumes.tpl index d67e2ec..9657a88 100644 --- a/deploy/csi-rclone/templates/_certificates-volumes.tpl +++ b/deploy/csi-rclone/templates/_certificates-volumes.tpl @@ -4,7 +4,7 @@ - name: etc-ssl-certs emptyDir: medium: "Memory" -{{- if or $customCAsEnabled $customCAsForMountsEnabled -}} +{{- if or $customCAsEnabled $customCAsForMountsEnabled }} - name: custom-ca-certs projected: defaultMode: 0444 diff --git a/deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml b/deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml index 8c76cdb..3d68cfe 100644 --- a/deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml +++ b/deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml 
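Review bot: The missing right-trim on `{{- if or $customCAsEnabled $customCAsForMountsEnabled }}` is load-bearing but nothing in the template says so, and the same applies to the identical line changed in `_certificates-volumes.tpl` in this patch. With `-}}` the newline and indent before `- name: custom-ca-certs` are eaten and the list item is glued to the preceding line, so a later tidy-up that restores the dash would break rendering again. I would put a template comment above each `if`: `{{- /* no right-trim here: the next line must start its own list item */}}`, and mention in it that the two conditions have to stay identical, since the mount in the init container needs the `custom-ca-certs` volume to be declared. The closing `end` of the `if` lies outside both hunks.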
@@ -21,7 +21,7 @@ spec: serviceAccountName: {{ include "chart.fullname" . }}-nodeplugin dnsPolicy: ClusterFirstWithHostNet initContainers: - {{- include "csiRcloneCertificates.initContainer" . | nindent 8 }} + {{- include "csiRcloneCertificates.initContainer" . | nindent 6 }} containers: - name: node-driver-registrar args: From 5342da095c54e3a0ae36be8ee12f0c33294217c0 Mon Sep 17 00:00:00 2001 From: Flora Thiebaut Date: Wed, 4 Mar 2026 09:15:41 +0100 Subject: [PATCH 18/18] remove unused templates --- .../templates/_certificates-env.tpl | 16 -------------- .../templates/_certificates-volume-mounts.tpl | 21 ------------------- 2 files changed, 37 deletions(-) delete mode 100644 deploy/csi-rclone/templates/_certificates-env.tpl diff --git a/deploy/csi-rclone/templates/_certificates-env.tpl b/deploy/csi-rclone/templates/_certificates-env.tpl deleted file mode 100644 index 7b94d62..0000000 --- a/deploy/csi-rclone/templates/_certificates-env.tpl +++ /dev/null @@ -1,16 +0,0 @@ -{{- define "csiRcloneCertificates.env.python" -}} -- name: REQUESTS_CA_BUNDLE - value: /etc/ssl/certs/ca-certificates.crt -- name: SSL_CERT_FILE - value: /etc/ssl/certs/ca-certificates.crt -{{- end -}} - -{{- define "csiRcloneCertificates.env.grpc" -}} -- name: GRPC_DEFAULT_SSL_ROOTS_FILE_PATH - value: /etc/ssl/certs/ca-certificates.crt -{{- end -}} - -{{- define "csiRcloneCertificates.env.nodejs" -}} -- name: NODE_EXTRA_CA_CERTS - value: /etc/ssl/certs/ca-certificates.crt -{{- end -}} diff --git a/deploy/csi-rclone/templates/_certificates-volume-mounts.tpl b/deploy/csi-rclone/templates/_certificates-volume-mounts.tpl index 75e5369..9d83c10 100644 --- a/deploy/csi-rclone/templates/_certificates-volume-mounts.tpl +++ b/deploy/csi-rclone/templates/_certificates-volume-mounts.tpl 
@@ -3,24 +3,3 @@ mountPath: /etc/ssl/certs/ readOnly: true {{- end -}} - -{{- define "csiRcloneCertificates.volumeMounts.openjdk14" -}} -- name: etc-ssl-certs - mountPath: /opt/openjdk-14/lib/security/cacerts - subPath: java/cacerts - readOnly: true -{{- end -}} - -{{- define "csiRcloneCertificates.volumeMounts.javaCertsGeneral" -}} -- name: etc-ssl-certs - mountPath: /etc/ssl/certs/java/cacerts - subPath: java/cacerts - readOnly: true -{{- end -}} - -{{- define "csiRcloneCertificates.volumeMounts.openjdk17" -}} -- name: etc-ssl-certs - mountPath: /opt/java/openjdk/lib/security/cacerts - subPath: java/cacerts - readOnly: true -{{- end -}}