Trust custom CA bundle for outgoing caching connections (#9427)

amisstea · web-flow · commit 0ad826c38bf0 · 2025-12-08T15:37:47.000Z
* Fix namespace for squid component

Signed-off-by: Alex Misstear &lt;amisstea@redhat.com&gt;

* Trust custom CA bundle for outgoing caching connections

Signed-off-by: Alex Misstear &lt;amisstea@redhat.com&gt;

---------

Signed-off-by: Alex Misstear &lt;amisstea@redhat.com&gt;
diff --git a/argo-cd-apps/base/member/infra-deployments/squid/squid.yaml b/argo-cd-apps/base/member/infra-deployments/squid/squid.yaml
@@ -30,7 +30,7 @@ spec:
         repoURL: https://github.com/redhat-appstudio/infra-deployments.git
         targetRevision: main
       destination:
-        namespace: proxy
+        namespace: caching
         server: '{{server}}'
       syncPolicy:
         automated:
diff --git a/components/squid/base/kustomization.yaml b/components/squid/base/kustomization.yaml
@@ -3,3 +3,4 @@ kind: Kustomization
 
 resources:
 - rbac.yaml
+- trusted-ca-configmap.yaml
diff --git a/components/squid/base/trusted-ca-configmap.yaml b/components/squid/base/trusted-ca-configmap.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: trusted-ca
+  labels:
+    config.openshift.io/inject-trusted-cabundle: "true"
diff --git a/components/squid/development/squid-helm-generator.yaml b/components/squid/development/squid-helm-generator.yaml
@@ -44,3 +44,16 @@ valuesInline:
       - ^https://quayio-production-s3\.s3[a-z0-9.-]*\.amazonaws\.com/sha256/.+/[a-f0-9]{64}
     size: 192
     maxObjectSize: 128
+  tlsOutgoingOptions:
+    caFile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+  volumes:
+    - name: trusted-ca
+      configMap:
+        name: trusted-ca
+        items:
+          - key: ca-bundle.crt
+            path: tls-ca-bundle.pem
+  volumeMounts:
+    - name: trusted-ca
+      mountPath: /etc/pki/ca-trust/extracted/pem
+      readOnly: true
diff --git a/components/squid/staging/squid-helm-generator.yaml b/components/squid/staging/squid-helm-generator.yaml
@@ -44,3 +44,16 @@ valuesInline:
       - ^https://quayio-production-s3\.s3[a-z0-9.-]*\.amazonaws\.com/sha256/.+/[a-f0-9]{64}
     size: 1536
     maxObjectSize: 256
+  tlsOutgoingOptions:
+    caFile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+  volumes:
+    - name: trusted-ca
+      configMap:
+        name: trusted-ca
+        items:
+          - key: ca-bundle.crt
+            path: tls-ca-bundle.pem
+  volumeMounts:
+    - name: trusted-ca
+      mountPath: /etc/pki/ca-trust/extracted/pem
+      readOnly: true

Original file line number	Diff line number	Diff line change
`@@ -3,3 +3,4 @@ kind: Kustomization`
`3`	`3`
`4`	`4`	`resources:`
`5`	`5`	`- rbac.yaml`
	`6`	`+- trusted-ca-configmap.yaml`