Use a custom CA file for r10k control repo

[cpiment]

In my use case the control repo is in a private repository which is cloned via HTTPS. The Gitlab instance where the repo lives is behind a reverse proxy which serves the repositories, and that reverser proxy has a certificate issued by an internal CA.

In order for r10k to retrieve the repository, I have had to configure the netrc file, which was already present in the chart but not documented (#211), and find a way for r10k to handle the custom CA of my Gitlab instance.

This PR adds two new configuration settings:

• r10k.code.viaHttps.customCa.cert.value: A multiline file where the custom CA certificate chain can be stored in PEM format. This certificate is stored inside the r10k-code-secret within the cert key.
• r10k.code.viaHttps.customCa.existingSecret: A secret reference which must store the certificate chain in PEM format inside the cert key

The certificate is mounted as ~/code-certs/ca.pem file in the container where r10k is running and then this command is launched in the entry point of the container:

git config --global http."{{ template "r10k.code.viaHttps.customCa.repoUrl" .}}".sslCAInfo ~/code-certs/ca.pem

The template r10k.code.viaHttps.customCa.repoUrl extracts the base URL from the puppetserver.puppeturl, so git can check if the TLS certificate from the HTTPS repository matches the custom CA.

I have bumped the version and changelog of the chart, but it you need more changes or me to modify anything, please contact me.

[Xtigyro]

@cpiment Truly awesome PR! Thank you! 🥇

[cpiment]

@cpiment Truly awesome PR! Thank you! 🥇

Thank you for the chart!

[Xtigyro]

@cpiment Wanna be one of the official maintainers? We're a team of three people at present.

[cpiment]

Hi @Xtigyro! Thanks for the offering, I'm really flattered! However, I've never used helm before this chart and I don't know many things about developing and testing charts so I don't know if I would be a very good maintainer. I think I will try to contribute and learn for some time before taking that step, if that's OK with you.

[Xtigyro]

@cpiment Sure - and thank you once more!

[vibe]

@cpiment @Xtigyro
This PR breaks the chart even if viaHTTPS (for example when using viaSsh instead) is not provided due to default values.

r10k-code.config.yaml needs to be updated, line 54.

{{- if or .Values.r10k.code.viaHttps.customCa.existingSecret .Values.r10k.code.viaHttps.customCa.cert.value }}

[Xtigyro]

@vibe Thanks!

@cpiment Could you please fix that?

FYI: @ldaneliukas @davidphay

[cpiment]

Sorry about the bug, I tested the suggested change in my environment and it seems to work fine, thanks for reporting!