
Fixes: mosip/esignet#1878 Add company-internal CA extension point to eSignet Helm chart #1990

Draft: Ivanmeneges wants to merge 1 commit into develop from cursor/internal-ca-helm-extension-403f

Conversation

@Ivanmeneges (Contributor) commented Jun 11, 2026

Summary

Adds first-class Helm support for trusting a company-internal CA in eSignet deployments, addressing the gap where only the development-oriented enable_insecure workaround existed.

Changes

Helm chart (helm/esignet)

  • New customCA values block to mount a Secret/ConfigMap with PEM-encoded root/intermediate CA certificate(s)
  • Init container imports the CA bundle into the Java cacerts truststore before the app starts
  • Wired previously unused extraVolumes / extraVolumeMounts extension points in the deployment template
  • Added extraInitContainers for additional custom init hooks
  • Validation prevents using customCA and enable_insecure together

Deploy scripts

  • New shared deploy/configure_tls_trust.sh helper used by eSignet install scripts
  • Install flow now offers three TLS trust options:
    1. Public SSL (default)
    2. Development self-signed (enable_insecure)
    3. Company internal CA (customCA)

Documentation

  • Updated helm/esignet/README.md with usage examples
  • Added commented customCA samples in deploy values files

Usage

```shell
kubectl -n esignet create secret generic company-internal-ca \
  --from-file=ca.crt=/path/to/company-ca-bundle.pem

helm upgrade --install esignet mosip/esignet \
  --set customCA.enabled=true \
  --set customCA.secretName=company-internal-ca
```

Notes

  • enable_insecure remains available for dev/self-signed environments but is mutually exclusive with customCA
  • Supports PEM bundles containing multiple certificates (root + intermediate)
  • OIDC UI is unchanged (nginx-based; no Java truststore requirement)

Summary by CodeRabbit

  • New Features
    • Added TLS trust configuration with three modes: default public CAs, a development “insecure” workaround, or trusting company-internal CAs via a custom CA init step that imports PEMs into the Java truststore.
    • Added support for optional custom CA source from a Secret or ConfigMap, plus an extension point to add extra init containers.
  • Bug Fixes
    • Improved chart value validation, including enforcing mutual exclusivity between the “insecure” and custom CA options.
  • Documentation
    • Updated Helm docs with a new “TLS trust configuration” section, including examples and creation steps for the CA Secret.

@coderabbitai coderabbitai Bot commented Jun 11, 2026

Walkthrough

Adds an interactive TLS trust helper and integrates it into installer scripts; extends Helm chart values and templates to support an optional company-internal CA bundle (Secret/ConfigMap), an init container that builds a Java truststore from PEMs, and deployment wiring to mount the truststore and CA bundle.

Changes

Custom Company CA Trust Support

| Layer | File(s) | Summary |
|---|---|---|
| TLS Trust Configuration CLI Helper | deploy/configure_tls_trust.sh | New interactive Bash function configure_tls_trust(namespace) prompts for TLS mode (default, insecure, custom CA), checks/creates a Kubernetes Secret from a PEM bundle when chosen, and exports TRUST_HELM_ARGS for Helm installs. |
| Installer Script Integration | deploy/esignet/install.sh, deploy/esignet-with-plugins/install.sh, deploy/esignet/values.yaml, deploy/esignet-with-plugins/values.yaml | Installer scripts now source the shared TLS helper and call configure_tls_trust "$NS" to compute $TRUST_HELM_ARGS, then pass those args to Helm; deploy-level values.yaml files include commented customCA examples. |
| Helm Values Schema and Documentation | helm/esignet/values.yaml, helm/esignet/README.md | Adds extraInitContainers and a customCA values block (enable, Secret/ConfigMap, mountPath, aliasPrefix, javaHome, keystorePassword, initContainerImage). README documents three TLS modes, examples, mutual exclusivity, and extension points. |
| Helm Template Validation Helpers | helm/esignet/templates/_helpers.tpl | New helpers: esignet.truststoreRequired, esignet.customCAInitImage, and esignet.validateValues.customCA; esignet.validateValues now includes custom CA validation messages. |
| Custom CA Init Container Implementation | helm/esignet/templates/custom-ca-initcontainer.yaml | New named template esignet.customCAInitContainer copies Java cacerts to a writable keystore, validates and splits a PEM bundle, imports certificates via keytool with aliases, fails if none imported, and wires writable cacerts and read-only CA bundle mounts. |
| Deployment Template Integration | helm/esignet/templates/deployment.yaml | Deployment now validates values at render start, conditionally renders the custom CA init container when enabled, uses esignet.truststoreRequired to mount cacerts at configured Java home, adds company-ca-bundle volume from Secret/ConfigMap, and preserves extension hooks (extraVolumeMounts, extraVolumes, extraInitContainers). |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  participant User
  participant InstallerScript as Installer Script
  participant TLSHelper as configure_tls_trust
  participant Kubectl
  participant HelmChart as Helm Chart
  participant JavaService as Java Service

  User->>InstallerScript: Run install.sh
  InstallerScript->>TLSHelper: source and call configure_tls_trust($NS)
  User->>TLSHelper: Select TLS mode
  alt Custom CA Mode
    TLSHelper->>Kubectl: Check Secret exists
    alt Secret missing
      User->>TLSHelper: Provide PEM CA bundle path
      TLSHelper->>Kubectl: Create CA Secret in namespace
    end
    TLSHelper-->>InstallerScript: TRUST_HELM_ARGS with customCA
  else Insecure Mode
    TLSHelper-->>InstallerScript: TRUST_HELM_ARGS with enable_insecure=true
  else Default Mode
    TLSHelper-->>InstallerScript: TRUST_HELM_ARGS (empty)
  end
  InstallerScript->>HelmChart: helm install/upgrade with $TRUST_HELM_ARGS
  HelmChart->>JavaService: render/init customCA init container
  JavaService->>JavaService: init container builds truststore and imports certs
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I hopped in to fetch the PEM so fine,
I split the bundle, one cert at a time,
Keytool danced and aliases grew,
The truststore woke — HTTPS anew,
Hop hop, secure connections — that's divine!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Title check | ✅ Passed | The title clearly matches the main change: adding a company-internal CA extension point to the eSignet Helm chart. |


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@deploy/configure_tls_trust.sh`:
- Around line 27-39: The script enables customCA by setting TRUST_HELM_ARGS with
customCA.enabled and customCA.secretName but doesn't validate or propagate
customCA.secretKey; update deploy/configure_tls_trust.sh to check the existing
Secret (variable ca_secret in the script) for the expected key (default "ca.crt"
or a user-provided key), fail with an informative message if the key is missing,
and append --set customCA.secretKey=<key> to TRUST_HELM_ARGS when setting
customCA.enabled=true so the Helm chart's init container (which reads
customCA.secretKey) can find the PEM bundle.

In `@helm/esignet/templates/_helpers.tpl`:
- Around line 73-82: In the template defined by
"esignet.validateValues.customCA" add a validation branch that detects when
.Values.customCA.enabled is true AND both .Values.customCA.secretName and
.Values.customCA.configMapName are non-empty, and emit an error message
indicating that both cannot be set simultaneously (explain that Secret takes
precedence and one must be removed); update the conditional logic alongside the
existing checks for missing names and enable_insecure to ensure this new
mutually-exclusive check runs when customCA.enabled is true.
- Around line 52-54: esignet.validateValues must actively block invalid flag
combinations and be invoked during chart rendering: update the validate function
(esignet.validateValues) to call {{ failf }} when .Values.enable_insecure and
.Values.customCA.enabled are both true (or otherwise enforce a single source of
truth), then include a call to that helper from top-level templates (e.g.,
deployment.yaml and other rendered templates) so validation runs; additionally,
change the init container rendering logic so the enable_insecure init container
(the initContainers block that copies /cacerts) is only rendered when
.Values.enable_insecure is true AND .Values.customCA.enabled is false, or alter
its copy behavior to avoid overwriting the cacerts volume when
customCAInitContainer is enabled, referencing the customCAInitContainer, the
initContainers block, and the cacerts volume to locate the code to change.

In `@helm/esignet/values.yaml`:
- Around line 527-549: The values.yaml default for customCA.javaHome may not
match the Java installation in the main app image, causing the init container to
mount/update the wrong truststore; update either by adding a clear comment near
customCA.javaHome (and mention mountPath and that it must match the main
container JAVA_HOME) or add a runtime validation step in the init container
entrypoint (the init container that uses initContainerImage and writes to {{
.Values.customCA.javaHome }}/lib/security/cacerts) to check that
$JAVA_HOME/lib/security/cacerts exists at the target mountPath and exit with a
clear error if not found so the mismatch is detected early.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 80f08999-cf89-4492-a069-9b0aae7e3b6a

📥 Commits

Reviewing files that changed from the base of the PR and between 9ed9e02 and 31fd675.

📒 Files selected for processing (10)
  • deploy/configure_tls_trust.sh
  • deploy/esignet-with-plugins/install.sh
  • deploy/esignet-with-plugins/values.yaml
  • deploy/esignet/install.sh
  • deploy/esignet/values.yaml
  • helm/esignet/README.md
  • helm/esignet/templates/_helpers.tpl
  • helm/esignet/templates/custom-ca-initcontainer.yaml
  • helm/esignet/templates/deployment.yaml
  • helm/esignet/values.yaml

@cursor cursor Bot force-pushed the cursor/internal-ca-helm-extension-403f branch from 31fd675 to 8a8e13a on June 11, 2026 07:26

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@helm/esignet/templates/custom-ca-initcontainer.yaml`:
- Line 18: The cp command copying "${JAVA_HOME}/lib/security/cacerts" to
"${KEYSTORE}" can fail with an opaque "No such file or directory" when
customCA.javaHome is wrong; update the initContainer command that contains cp
"${JAVA_HOME}/lib/security/cacerts" "${KEYSTORE}" to first test for the source
file and exit with a descriptive error that includes the resolved
JAVA_HOME/customCA.javaHome (e.g., if [ -f "${JAVA_HOME}/lib/security/cacerts"
]; then cp ...; else echo "ERROR: Java cacerts not found at
${JAVA_HOME}/lib/security/cacerts — ensure customCA.javaHome matches the Java
installation in the image" >&2; exit 1; fi), so operators see the bad javaHome
value and can fix values.yaml.

In `@helm/esignet/templates/deployment.yaml`:
- Around line 75-80: Call the existing validation template and add a runtime
guard so both init containers cannot be rendered together: invoke the
esignet.validateValues template near the top of deployment.yaml (before any
conditional init-container logic) and modify the enable_insecure init-container
block (the include of "common.tplvalues.render" for .Values.initContainers) to
only render when .Values.enable_insecure is true AND .Values.customCA.enabled is
false; also update the esignet.validateValues helper in _helpers.tpl to
return/throw a failure (not just print) when customCA.enabled and
enable_insecure are both true so Helm install/upgrade fails early.

In `@helm/esignet/values.yaml`:
- Around line 371-373: The default value for extraInitContainers is currently an
empty map ({}) but must be an array; update the values.yaml entry named
extraInitContainers to be an empty list ([]) so templates that call
common.tplvalues.render on extraInitContainers produce a YAML list of init
containers instead of a dict, avoiding invalid Kubernetes manifests when
rendering initContainers.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3ccde635-a505-4632-b21d-183ba2977da5

📥 Commits

Reviewing files that changed from the base of the PR and between 31fd675 and 8a8e13a.

📒 Files selected for processing (10)
  • deploy/configure_tls_trust.sh
  • deploy/esignet-with-plugins/install.sh
  • deploy/esignet-with-plugins/values.yaml
  • deploy/esignet/install.sh
  • deploy/esignet/values.yaml
  • helm/esignet/README.md
  • helm/esignet/templates/_helpers.tpl
  • helm/esignet/templates/custom-ca-initcontainer.yaml
  • helm/esignet/templates/deployment.yaml
  • helm/esignet/values.yaml

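The init-container steps the walkthrough describes (copy cacerts to a writable keystore, split the PEM bundle, import each certificate with keytool under its own alias, fail if nothing was imported) together with the javaHome existence check this review asks for, written out as an added shell example. This is an illustration, not the chart's custom-ca-initcontainer.yaml: the function names are mine, the two-block bundle is constructed sample text with placeholder bodies rather than real certificates, and the JAVA_HOME, KEYSTORE, CA_BUNDLE, ALIAS_PREFIX and KEYSTORE_PASSWORD variables are assumed to be injected by the chart.

```bash
#!/usr/bin/env bash
# Added example, not the chart's custom-ca-initcontainer.yaml: the trust-import
# steps of a custom-CA init container as testable shell functions.
# Assumptions: JAVA_HOME, KEYSTORE, CA_BUNDLE, ALIAS_PREFIX and KEYSTORE_PASSWORD
# would be injected by the chart; the PEM text below is constructed sample data
# with placeholder bodies, not real certificates.
set -u

# Fail fast, with an actionable message, when the source truststore is missing:
# an opaque "No such file" from cp usually means customCA.javaHome does not match
# the Java installation in the application image.
check_source_truststore() {
  java_home=$1
  if [ ! -f "$java_home/lib/security/cacerts" ]; then
    echo "ERROR: Java cacerts not found at $java_home/lib/security/cacerts;" \
         "ensure customCA.javaHome matches the Java installation in the image" >&2
    return 1
  fi
  return 0
}

# Number of PEM certificate blocks in a bundle (root + intermediates).
count_pem_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split a bundle into <outdir>/cert-<n>.pem, one certificate per file, ignoring
# any text between blocks; prints how many files were written.
split_pem_bundle() {
  bundle=$1
  outdir=$2
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
    inside { print > out }
    /^-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }
  ' "$bundle"
}

# Import every certificate of the bundle into a writable copy of cacerts under
# distinct aliases; refuse to let the pod start if nothing was imported.
import_ca_bundle() {
  bundle=$1
  keystore=$2
  alias_prefix=$3
  storepass=$4
  workdir=$(mktemp -d)
  total=$(split_pem_bundle "$bundle" "$workdir")
  imported=0
  i=1
  while [ "$i" -le "$total" ]; do
    if keytool -importcert -noprompt -trustcacerts -keystore "$keystore" \
         -storepass "$storepass" -alias "${alias_prefix}-${i}" \
         -file "$workdir/cert-$i.pem" >/dev/null 2>&1; then
      imported=$((imported + 1))
    else
      echo "WARN: keytool rejected $workdir/cert-$i.pem" >&2
    fi
    i=$((i + 1))
  done
  rm -rf "$workdir"
  if [ "$imported" -eq 0 ]; then
    echo "ERROR: no certificates imported from $bundle" >&2
    return 1
  fi
  echo "$imported"
}

# Constructed sample bundle: a comment line plus two placeholder PEM blocks.
make_sample_bundle() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# company-ca-bundle.pem (constructed sample, bodies are not real certificates)
-----BEGIN CERTIFICATE-----
MIIBsampleROOTplaceholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBsampleINTERMEDIATEplaceholder
-----END CERTIFICATE-----
EOF
  echo "$f"
}

# Stand-alone demonstration; the keytool step needs a real bundle and JDK, e.g.
#   cp "$JAVA_HOME/lib/security/cacerts" "$KEYSTORE"
#   import_ca_bundle "$CA_BUNDLE" "$KEYSTORE" "$ALIAS_PREFIX" "$KEYSTORE_PASSWORD"
sample=$(make_sample_bundle)
demo_dir=$(mktemp -d)
echo "certificates in bundle: $(count_pem_certs "$sample")"
echo "files written by split:  $(split_pem_bundle "$sample" "$demo_dir")"
check_source_truststore /opt/java/wrong-home || true   # constructed bad javaHome
rm -rf "$demo_dir" "$sample"
```

Running the init container this way means a wrong customCA.javaHome surfaces as a one-line error naming the value to fix instead of a cp failure, and a bundle in which every block is rejected by keytool keeps the pod from starting rather than silently running with an unchanged truststore.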

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
helm/esignet/templates/_helpers.tpl (1)

52-54: ⚠️ Potential issue | 🔴 Critical

esignet.truststoreRequired returns a truthy string even when both conditions are false.

The include function in Helm templates always returns a string. When the helper evaluates or .Values.enable_insecure .Values.customCA.enabled with both values false, the result is stringified to "false". In Helm's if control structure, any non-empty string—including "false"—evaluates as true. This causes if include "esignet.truststoreRequired" . in deployment.yaml to incorrectly render the cacerts volume mount even when neither insecure mode nor custom CA is enabled.

Suggested fix
 {{- define "esignet.truststoreRequired" -}}
-{{- or .Values.enable_insecure .Values.customCA.enabled -}}
+{{- if or .Values.enable_insecure .Values.customCA.enabled -}}true{{- end -}}
 {{- end -}}
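Review bot: the `{{- if or ... -}}true{{- end -}}` form is the right fix, because `include` always yields a string and only an empty string is falsy in a Helm `if`; the `-{{- or ... -}}` line being removed emitted the literal text "false" for the disabled case, which is non-empty and therefore truthy. Two follow-ups for the same file: callers in deployment.yaml should keep consuming the helper with a plain `if include "esignet.truststoreRequired" .` (or `eq (include ...) "true"`) and never compare the result against "false", and the other new helpers listed for _helpers.tpl (esignet.validateValues.customCA, esignet.customCAInitImage) deserve a check for the same pattern wherever their output feeds an `if`.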
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@helm/esignet/templates/_helpers.tpl` around lines 52 - 54, The
esignet.truststoreRequired helper template returns a stringified boolean which
causes incorrect evaluation in Helm if conditions. When both enable_insecure and
customCA.enabled are false, the result is the non-empty string "false" which
evaluates as true in Helm's if block. Modify the esignet.truststoreRequired
template to return a non-empty string (like "true") when the or condition is
true, and return an empty string when the condition is false by wrapping the or
expression in an if block that outputs a value only when the condition evaluates
to true.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@deploy/configure_tls_trust.sh`:
- Around line 29-35: The jsonpath syntax {.data.${ca_secret_key}} in the kubectl
commands at lines 29 and 34 fails for Secret keys containing dots (such as the
default ca.crt) because kubectl treats dots as object navigation operators
rather than literal key characters. Replace both jsonpath expressions with
bracket notation {.data['${ca_secret_key}']} which safely accesses map keys with
special characters including dots, ensuring the Secret key lookups work
correctly regardless of whether the key contains dots.

---

Outside diff comments:
In `@helm/esignet/templates/_helpers.tpl`:
- Around line 52-54: The esignet.truststoreRequired helper template returns a
stringified boolean which causes incorrect evaluation in Helm if conditions.
When both enable_insecure and customCA.enabled are false, the result is the
non-empty string "false" which evaluates as true in Helm's if block. Modify the
esignet.truststoreRequired template to return a non-empty string (like "true")
when the or condition is true, and return an empty string when the condition is
false by wrapping the or expression in an if block that outputs a value only
when the condition evaluates to true.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a4b1fd17-80c9-488f-ba95-e93e818534a4

📥 Commits

Reviewing files that changed from the base of the PR and between 8a8e13a and a9735c8.

📒 Files selected for processing (5)
  • deploy/configure_tls_trust.sh
  • helm/esignet/templates/_helpers.tpl
  • helm/esignet/templates/custom-ca-initcontainer.yaml
  • helm/esignet/templates/deployment.yaml
  • helm/esignet/values.yaml

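The two points raised against deploy/configure_tls_trust.sh in this thread (propagate and validate customCA.secretKey, first review; read Secret keys that contain dots with jsonpath bracket notation, third review) combined into one added shell example. It is an illustration of that logic, not the PR's script: the function names, the non-interactive "default | insecure | customca" mode argument, the shape of the generated --set list and the placeholder bundle path are assumptions, and kubectl is invoked by name so that a stub function can stand in for it offline.

```bash
#!/usr/bin/env bash
# Added example, not the PR's deploy/configure_tls_trust.sh: the custom-CA branch
# of a TLS trust helper as non-interactive functions. It shows the jsonpath
# bracket notation that reads a Secret key containing dots (ca.crt) literally,
# verifies the key exists, and propagates customCA.secretKey into the Helm args.
# Function names, the "customca" mode keyword and the argument layout are assumptions.
set -u

# jsonpath that reads Secret data["<key>"] literally; {.data.ca.crt} would instead
# navigate into a field named "ca" and then "crt" and return nothing.
secret_key_jsonpath() {
  printf "{.data['%s']}" "$1"
}

# 0 when the Secret holds a non-empty value under the key. kubectl is invoked by
# name so that a shell function can stand in for it in tests.
secret_has_key() {
  ns=$1
  name=$2
  key=$3
  value=$(kubectl -n "$ns" get secret "$name" -o jsonpath="$(secret_key_jsonpath "$key")" 2>/dev/null) || return 1
  [ -n "$value" ]
}

# --set arguments for the company-internal CA mode; fails with an actionable
# message when the Secret is missing or lacks the expected key.
build_custom_ca_helm_args() {
  ns=$1
  name=$2
  key=${3:-ca.crt}
  if ! secret_has_key "$ns" "$name" "$key"; then
    echo "ERROR: Secret $ns/$name has no key '$key'. Create it with:" >&2
    echo "  kubectl -n $ns create secret generic $name --from-file=$key=<bundle.pem>" >&2
    return 1
  fi
  printf '%s' "--set customCA.enabled=true --set customCA.secretName=$name --set customCA.secretKey=$key"
}

# One of the three trust modes the installer offers: default | insecure | customca.
trust_helm_args() {
  mode=$1
  ns=$2
  name=${3:-}
  key=${4:-ca.crt}
  case "$mode" in
    default)  printf '' ;;
    insecure) printf '%s' '--set enable_insecure=true' ;;
    customca) build_custom_ca_helm_args "$ns" "$name" "$key" ;;
    *) echo "ERROR: unknown TLS trust mode '$mode'" >&2; return 1 ;;
  esac
}

# Stand-alone demonstration of the two modes that need no cluster.
echo "jsonpath for key ca.crt: $(secret_key_jsonpath ca.crt)"
echo "default mode args:  '$(trust_helm_args default esignet)'"
echo "insecure mode args: '$(trust_helm_args insecure esignet)'"
# Against a cluster the installer would do (unquoted expansion is intended;
# no single --set value generated here contains whitespace):
#   TRUST_HELM_ARGS=$(trust_helm_args customca esignet company-internal-ca ca.crt)
#   helm upgrade --install esignet mosip/esignet $TRUST_HELM_ARGS
```

Checking the key before rendering the chart is what turns a silent failure (an init container that finds an empty or missing ca.crt and exits with no certificates imported) into an early, explainable install-time error, and emitting customCA.secretKey alongside customCA.secretName keeps the script and the chart reading the same key even when an operator chose a non-default one.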
Introduce customCA values and init container to import PEM-encoded
corporate CA bundles into the Java truststore. Wire extraVolumes and
extraVolumeMounts in the deployment template, and update install scripts
with a dedicated TLS trust configuration option.

Includes Helm validation for customCA configuration, mutual exclusivity
with enable_insecure, and install-script support for non-default Secret keys.

Signed-off-by: Ivanmeneges <Ivanmeneges@users.noreply.github.com>

Co-authored-by: Ivanmeneges <Ivanmeneges@users.noreply.github.com>
@cursor cursor Bot force-pushed the cursor/internal-ca-helm-extension-403f branch from a9735c8 to db4484f on June 15, 2026 05:28
@Ivanmeneges Ivanmeneges changed the title Add company-internal CA extension point to eSignet Helm chart Fixes: mosip/mosip esignet#1878 Add company-internal CA extension point to eSignet Helm chart Jun 25, 2026
@Ivanmeneges Ivanmeneges changed the title Fixes: mosip/mosip esignet#1878 Add company-internal CA extension point to eSignet Helm chart Fixes: mosip/esignet#1878 Add company-internal CA extension point to eSignet Helm chart Jun 25, 2026