From 48d7922521923b05f26ee28b95b00c62ede6afc4 Mon Sep 17 00:00:00 2001 From: Alex Kantor Date: Wed, 15 Apr 2026 10:15:25 +0100 Subject: [PATCH 1/8] feat(k8s-reporter): add extraVolumes, extraVolumeMounts, extraEnvVars, customCA MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds two layers of support for customers running the k8s-reporter behind a TLS-inspecting proxy that requires a corporate CA bundle: 1. Generic escape hatch — extraVolumes, extraVolumeMounts, extraEnvVars following Bitnami / prometheus-community naming conventions. 2. customCA convenience wrapper — single config block that mounts the CA via subPath into /etc/ssl/certs/ so Go's stdlib picks it up additively alongside the system bundle (avoids the SSL_CERT_FILE footgun that would otherwise replace the system CAs). The Kosli CLI is Go and uses net/http's default transport; no CLI changes are needed because crypto/x509 reads /etc/ssl/certs/ automatically. Refs kosli-dev/cli#776 Co-Authored-By: Claude Opus 4.6 --- charts/k8s-reporter/Chart.yaml | 2 +- charts/k8s-reporter/README.md | 60 +++++++++++++++++++++- charts/k8s-reporter/README.md.gotmpl | 2 + charts/k8s-reporter/_templates.gotmpl | 53 +++++++++++++++++++ charts/k8s-reporter/templates/cronjob.yaml | 20 ++++++++ charts/k8s-reporter/values.yaml | 42 +++++++++++++++ docs.kosli.com/content/helm/_index.md | 60 +++++++++++++++++++++- 7 files changed, 236 insertions(+), 3 deletions(-) diff --git a/charts/k8s-reporter/Chart.yaml b/charts/k8s-reporter/Chart.yaml index 8b1d76c7a..4fece5f6f 100644 --- a/charts/k8s-reporter/Chart.yaml +++ b/charts/k8s-reporter/Chart.yaml 
@@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 2.1.0 +version: 2.2.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/k8s-reporter/README.md b/charts/k8s-reporter/README.md index 3d2a12b63..99a2189b3 100644 --- a/charts/k8s-reporter/README.md +++ b/charts/k8s-reporter/README.md @@ -4,7 +4,7 @@ title: Kubernetes Reporter Helm Chart # k8s-reporter -![Version: 2.1.0](https://img.shields.io/badge/Version-2.1.0-informational?style=flat-square) +![Version: 2.2.0](https://img.shields.io/badge/Version-2.2.0-informational?style=flat-square) A Helm chart for installing the Kosli K8S reporter as a cronjob. The chart allows you to create a Kubernetes cronjob and all its necessary RBAC to report running images to Kosli at a given cron schedule. 
@@ -96,11 +96,69 @@ helm upgrade kosli-reporter kosli/k8s-reporter -f values.yaml helm uninstall kosli-reporter ``` +## Running behind a TLS-inspecting proxy (corporate / custom CA bundle) + +If your network sits behind a TLS-inspecting appliance (Zscaler, Netskope, Palo Alto, etc.) that re-signs HTTPS traffic with a certificate not trusted by any public CA, you need to make the appliance's CA bundle available to the reporter. + +The chart offers two ways to do this. Use whichever fits your deployment flow. + +### Option 1 — `customCA` convenience wrapper (recommended for the common case) + +1. Create a Secret containing the corporate CA certificate (PEM format, single cert or bundle): + +```shell {.command} +kubectl create secret generic corporate-ca-bundle --from-file=ca.crt=/path/to/corporate-ca.crt +``` + +2. Enable the wrapper in `values.yaml`: + +```yaml +customCA: + enabled: true + secretName: corporate-ca-bundle + key: ca.crt +``` + +The chart mounts the certificate as a single file at `/etc/ssl/certs/kosli-custom-ca.crt` using `subPath`. Go's standard library reads it automatically alongside the system CA bundle — no `SSL_CERT_FILE` env var is needed (and the wrapper deliberately does not set one; setting `SSL_CERT_FILE` would replace the system bundle and break trust for any public CAs your bundle does not include). + +### Option 2 — generic `extraVolumes` / `extraVolumeMounts` / `extraEnvVars` + +Use these when you need a non-default mount path, a ConfigMap instead of a Secret, multiple volumes, or any other shape the wrapper does not cover: + +```yaml +extraVolumes: + - name: corporate-ca + secret: + secretName: corporate-ca-bundle + +extraVolumeMounts: + - name: corporate-ca + mountPath: /etc/ssl/certs/corporate + readOnly: true +``` + +Note: if you mount the CA outside `/etc/ssl/certs/` and set `SSL_CERT_FILE` via `extraEnvVars`, your bundle must include the public CAs you also need to trust — Go uses only that file when `SSL_CERT_FILE` is set. 
+ +### Pod Security Standards + +Both options use `secret`-backed volumes, which are permitted under the Pod Security Standards `restricted` profile. `hostPath` mounts are not permitted under that profile and should not be used here. + +### Cluster-wide alternative + +If you already run [cert-manager's trust-manager](https://cert-manager.io/docs/trust/trust-manager/) to distribute a corporate CA bundle into a well-known ConfigMap in every namespace, point `extraVolumes` / `extraVolumeMounts` at that ConfigMap instead of creating a per-namespace Secret. + ## Configurations | Key | Type | Default | Description | |-----|------|---------|-------------| | concurrencyPolicy | string | `"Replace"` | specifies how to treat concurrent executions of a Job that is created by this CronJob | | cronSchedule | string | `"*/5 * * * *"` | the cron schedule at which the reporter is triggered to report to Kosli | +| customCA | object | `{"enabled":false,"key":"ca.crt","secretName":""}` | convenience wrapper for mounting a corporate / custom CA bundle into the reporter's trust store. When enabled, the chart creates a Secret-backed volume and mounts the CA file into /etc/ssl/certs/ using subPath so it is picked up additively by Go's standard library alongside the system CA bundle (no SSL_CERT_FILE env var needed; setting it would replace the system bundle and is the footgun this wrapper hides). 
The Secret itself must be created out-of-band, e.g.: kubectl create secret generic corporate-ca-bundle --from-file=ca.crt=/path/to/corporate-ca.crt | +| customCA.enabled | bool | `false` | enable mounting a corporate/custom CA bundle into the trust store | +| customCA.key | string | `"ca.crt"` | key within the Secret that holds the PEM-formatted CA certificate (single cert or multi-cert PEM bundle) | +| customCA.secretName | string | `""` | name of an existing Secret in the same namespace containing the CA bundle | +| extraEnvVars | list | `[]` | additional environment variables to inject into the reporter container. List of {name, value} or {name, valueFrom} entries, rendered verbatim into the container env. Use this when you need valueFrom (secretKeyRef / configMapKeyRef) or want a structure beyond simple key=value. For simple key=value pairs you can also use the `env:` map above. | +| extraVolumeMounts | list | `[]` | additional container-level volumeMounts for the reporter container. Rendered verbatim into the container spec alongside the chart's own mounts. | +| extraVolumes | list | `[]` | additional Pod-level volumes to attach to the reporter pod. Rendered verbatim into the Pod spec alongside the chart's own volumes. Use together with `extraVolumeMounts` to mount Secrets, ConfigMaps, or other volumes into the container. | | failedJobsHistoryLimit | int | `1` | specifies the number of failed finished jobs to keep | | fullnameOverride | string | `""` | overrides the fullname used for the created k8s resources. It has higher precedence than `nameOverride` | | image.pullPolicy | string | `"IfNotPresent"` | the kosli reporter image pull policy | diff --git a/charts/k8s-reporter/README.md.gotmpl b/charts/k8s-reporter/README.md.gotmpl index 71035bdec..c6c82ee37 100644 --- a/charts/k8s-reporter/README.md.gotmpl +++ b/charts/k8s-reporter/README.md.gotmpl 
@@ -17,6 +17,8 @@ title: Kubernetes Reporter Helm Chart {{ template "extra.uninstall" . }} +{{ template "extra.customCA" . }} + {{ template "extra.valuesHeader" . }} {{ template "chart.valuesTable" . }} diff --git a/charts/k8s-reporter/_templates.gotmpl b/charts/k8s-reporter/_templates.gotmpl index a8cd8fa04..359bb7139 100644 --- a/charts/k8s-reporter/_templates.gotmpl +++ b/charts/k8s-reporter/_templates.gotmpl 
@@ -98,6 +98,59 @@ helm uninstall kosli-reporter ``` {{- end }} +{{ define "extra.customCA" -}} +## Running behind a TLS-inspecting proxy (corporate / custom CA bundle) + +If your network sits behind a TLS-inspecting appliance (Zscaler, Netskope, Palo Alto, etc.) that re-signs HTTPS traffic with a certificate not trusted by any public CA, you need to make the appliance's CA bundle available to the reporter. + +The chart offers two ways to do this. Use whichever fits your deployment flow. + +### Option 1 — `customCA` convenience wrapper (recommended for the common case) + +1. Create a Secret containing the corporate CA certificate (PEM format, single cert or bundle): + +```shell {.command} +kubectl create secret generic corporate-ca-bundle --from-file=ca.crt=/path/to/corporate-ca.crt +``` + +2. Enable the wrapper in `values.yaml`: + +```yaml +customCA: + enabled: true + secretName: corporate-ca-bundle + key: ca.crt +``` + +The chart mounts the certificate as a single file at `/etc/ssl/certs/kosli-custom-ca.crt` using `subPath`. Go's standard library reads it automatically alongside the system CA bundle — no `SSL_CERT_FILE` env var is needed (and the wrapper deliberately does not set one; setting `SSL_CERT_FILE` would replace the system bundle and break trust for any public CAs your bundle does not include). + +### Option 2 — generic `extraVolumes` / `extraVolumeMounts` / `extraEnvVars` + +Use these when you need a non-default mount path, a ConfigMap instead of a Secret, multiple volumes, or any other shape the wrapper does not cover: + +```yaml +extraVolumes: + - name: corporate-ca + secret: + secretName: corporate-ca-bundle + +extraVolumeMounts: + - name: corporate-ca + mountPath: /etc/ssl/certs/corporate + readOnly: true +``` + +Note: if you mount the CA outside `/etc/ssl/certs/` and set `SSL_CERT_FILE` via `extraEnvVars`, your bundle must include the public CAs you also need to trust — Go uses only that file when `SSL_CERT_FILE` is set. 
+ +### Pod Security Standards + +Both options use `secret`-backed volumes, which are permitted under the Pod Security Standards `restricted` profile. `hostPath` mounts are not permitted under that profile and should not be used here. + +### Cluster-wide alternative + +If you already run [cert-manager's trust-manager](https://cert-manager.io/docs/trust/trust-manager/) to distribute a corporate CA bundle into a well-known ConfigMap in every namespace, point `extraVolumes` / `extraVolumeMounts` at that ConfigMap instead of creating a per-namespace Secret. +{{- end }} + {{ define "extra.valuesHeader" -}} ## Configurations {{- end }} diff --git a/charts/k8s-reporter/templates/cronjob.yaml b/charts/k8s-reporter/templates/cronjob.yaml index a3fc7bb9f..0712bdaa6 100644 --- a/charts/k8s-reporter/templates/cronjob.yaml +++ b/charts/k8s-reporter/templates/cronjob.yaml @@ -27,6 +27,14 @@ spec: - name: environments-config configMap: name: {{ include "reporter.fullname" . }}-environments-config + {{- if .Values.customCA.enabled }} + - name: custom-ca + secret: + secretName: {{ required "customCA.secretName is required when customCA.enabled is true" .Values.customCA.secretName }} + {{- end }} + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 10 }} + {{- end }} containers: - name: reporter image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" @@ -35,6 +43,15 @@ spec: - name: environments-config mountPath: /config readOnly: true + {{- if .Values.customCA.enabled }} + - name: custom-ca + mountPath: /etc/ssl/certs/kosli-custom-ca.crt + subPath: {{ .Values.customCA.key }} + readOnly: true + {{- end }} + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} {{- if .Values.reporterConfig.securityContext }} securityContext: {{- if hasKey .Values.reporterConfig.securityContext "allowPrivilegeEscalation" }} 
@@ -65,6 +82,9 @@ spec: - name: {{ $key }} value: {{ $value }} {{ end }} + {{- with .Values.extraEnvVars }} + {{- toYaml . | nindent 14 }} + {{- end }} args: - snapshot - k8s diff --git a/charts/k8s-reporter/values.yaml b/charts/k8s-reporter/values.yaml index ca1742e82..488a157e5 100644 --- a/charts/k8s-reporter/values.yaml +++ b/charts/k8s-reporter/values.yaml 
@@ -86,6 +86,48 @@ reporterConfig: # env: # KOSLI_HOST: https://.kosli.com +# -- additional environment variables to inject into the reporter container. +# List of {name, value} or {name, valueFrom} entries, rendered verbatim into the container env. +# Use this when you need valueFrom (secretKeyRef / configMapKeyRef) or want a structure beyond simple key=value. +# For simple key=value pairs you can also use the `env:` map above. +extraEnvVars: [] + # - name: SSL_CERT_FILE + # value: /etc/ssl/certs/corporate/ca.crt + # - name: MY_SECRET + # valueFrom: + # secretKeyRef: + # name: my-secret + # key: token + +# -- additional Pod-level volumes to attach to the reporter pod. +# Rendered verbatim into the Pod spec alongside the chart's own volumes. +# Use together with `extraVolumeMounts` to mount Secrets, ConfigMaps, or other volumes into the container. +extraVolumes: [] + # - name: corporate-ca + # secret: + # secretName: corporate-ca-bundle + +# -- additional container-level volumeMounts for the reporter container. +# Rendered verbatim into the container spec alongside the chart's own mounts. +extraVolumeMounts: [] + # - name: corporate-ca + # mountPath: /etc/ssl/certs/corporate + # readOnly: true + +# -- convenience wrapper for mounting a corporate / custom CA bundle into the reporter's trust store. +# When enabled, the chart creates a Secret-backed volume and mounts the CA file into /etc/ssl/certs/ +# using subPath so it is picked up additively by Go's standard library alongside the system CA bundle +# (no SSL_CERT_FILE env var needed; setting it would replace the system bundle and is the footgun this wrapper hides). 
+# The Secret itself must be created out-of-band, e.g.: +# kubectl create secret generic corporate-ca-bundle --from-file=ca.crt=/path/to/corporate-ca.crt +customCA: + # -- enable mounting a corporate/custom CA bundle into the trust store + enabled: false + # -- name of an existing Secret in the same namespace containing the CA bundle + secretName: "" + # -- key within the Secret that holds the PEM-formatted CA certificate (single cert or multi-cert PEM bundle) + key: "ca.crt" + # -- any custom annotations to be added to the cronjob podAnnotations: {} diff --git a/docs.kosli.com/content/helm/_index.md b/docs.kosli.com/content/helm/_index.md index 3d2a12b63..99a2189b3 100644 --- a/docs.kosli.com/content/helm/_index.md +++ b/docs.kosli.com/content/helm/_index.md @@ -4,7 +4,7 @@ title: Kubernetes Reporter Helm Chart # k8s-reporter -![Version: 2.1.0](https://img.shields.io/badge/Version-2.1.0-informational?style=flat-square) +![Version: 2.2.0](https://img.shields.io/badge/Version-2.2.0-informational?style=flat-square) A Helm chart for installing the Kosli K8S reporter as a cronjob. The chart allows you to create a Kubernetes cronjob and all its necessary RBAC to report running images to Kosli at a given cron schedule. 
@@ -96,11 +96,69 @@ helm upgrade kosli-reporter kosli/k8s-reporter -f values.yaml helm uninstall kosli-reporter ``` +## Running behind a TLS-inspecting proxy (corporate / custom CA bundle) + +If your network sits behind a TLS-inspecting appliance (Zscaler, Netskope, Palo Alto, etc.) that re-signs HTTPS traffic with a certificate not trusted by any public CA, you need to make the appliance's CA bundle available to the reporter. + +The chart offers two ways to do this. Use whichever fits your deployment flow. + +### Option 1 — `customCA` convenience wrapper (recommended for the common case) + +1. Create a Secret containing the corporate CA certificate (PEM format, single cert or bundle): + +```shell {.command} +kubectl create secret generic corporate-ca-bundle --from-file=ca.crt=/path/to/corporate-ca.crt +``` + +2. Enable the wrapper in `values.yaml`: + +```yaml +customCA: + enabled: true + secretName: corporate-ca-bundle + key: ca.crt +``` + +The chart mounts the certificate as a single file at `/etc/ssl/certs/kosli-custom-ca.crt` using `subPath`. Go's standard library reads it automatically alongside the system CA bundle — no `SSL_CERT_FILE` env var is needed (and the wrapper deliberately does not set one; setting `SSL_CERT_FILE` would replace the system bundle and break trust for any public CAs your bundle does not include). + +### Option 2 — generic `extraVolumes` / `extraVolumeMounts` / `extraEnvVars` + +Use these when you need a non-default mount path, a ConfigMap instead of a Secret, multiple volumes, or any other shape the wrapper does not cover: + +```yaml +extraVolumes: + - name: corporate-ca + secret: + secretName: corporate-ca-bundle + +extraVolumeMounts: + - name: corporate-ca + mountPath: /etc/ssl/certs/corporate + readOnly: true +``` + +Note: if you mount the CA outside `/etc/ssl/certs/` and set `SSL_CERT_FILE` via `extraEnvVars`, your bundle must include the public CAs you also need to trust — Go uses only that file when `SSL_CERT_FILE` is set. 
+ +### Pod Security Standards + +Both options use `secret`-backed volumes, which are permitted under the Pod Security Standards `restricted` profile. `hostPath` mounts are not permitted under that profile and should not be used here. + +### Cluster-wide alternative + +If you already run [cert-manager's trust-manager](https://cert-manager.io/docs/trust/trust-manager/) to distribute a corporate CA bundle into a well-known ConfigMap in every namespace, point `extraVolumes` / `extraVolumeMounts` at that ConfigMap instead of creating a per-namespace Secret. + ## Configurations | Key | Type | Default | Description | |-----|------|---------|-------------| | concurrencyPolicy | string | `"Replace"` | specifies how to treat concurrent executions of a Job that is created by this CronJob | | cronSchedule | string | `"*/5 * * * *"` | the cron schedule at which the reporter is triggered to report to Kosli | +| customCA | object | `{"enabled":false,"key":"ca.crt","secretName":""}` | convenience wrapper for mounting a corporate / custom CA bundle into the reporter's trust store. When enabled, the chart creates a Secret-backed volume and mounts the CA file into /etc/ssl/certs/ using subPath so it is picked up additively by Go's standard library alongside the system CA bundle (no SSL_CERT_FILE env var needed; setting it would replace the system bundle and is the footgun this wrapper hides). 
The Secret itself must be created out-of-band, e.g.: kubectl create secret generic corporate-ca-bundle --from-file=ca.crt=/path/to/corporate-ca.crt | +| customCA.enabled | bool | `false` | enable mounting a corporate/custom CA bundle into the trust store | +| customCA.key | string | `"ca.crt"` | key within the Secret that holds the PEM-formatted CA certificate (single cert or multi-cert PEM bundle) | +| customCA.secretName | string | `""` | name of an existing Secret in the same namespace containing the CA bundle | +| extraEnvVars | list | `[]` | additional environment variables to inject into the reporter container. List of {name, value} or {name, valueFrom} entries, rendered verbatim into the container env. Use this when you need valueFrom (secretKeyRef / configMapKeyRef) or want a structure beyond simple key=value. For simple key=value pairs you can also use the `env:` map above. | +| extraVolumeMounts | list | `[]` | additional container-level volumeMounts for the reporter container. Rendered verbatim into the container spec alongside the chart's own mounts. | +| extraVolumes | list | `[]` | additional Pod-level volumes to attach to the reporter pod. Rendered verbatim into the Pod spec alongside the chart's own volumes. Use together with `extraVolumeMounts` to mount Secrets, ConfigMaps, or other volumes into the container. | | failedJobsHistoryLimit | int | `1` | specifies the number of failed finished jobs to keep | | fullnameOverride | string | `""` | overrides the fullname used for the created k8s resources. It has higher precedence than `nameOverride` | | image.pullPolicy | string | `"IfNotPresent"` | the kosli reporter image pull policy | From 2f4529a2a71b2fb4352cfc1e1ccadd63f4b1a934 Mon Sep 17 00:00:00 2001 
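Review bot: in PATCH 1/8, the Option 2 example inside the `extra.customCA` template in `charts/k8s-reporter/_templates.gotmpl` does not do what the surrounding text says: `mountPath: /etc/ssl/certs/corporate` creates a subdirectory, and Go's scan of `/etc/ssl/certs/` only reads regular files at the top level of that directory (a directory entry fails the read and is skipped), so that CA is silently ignored unless `SSL_CERT_FILE` is also set, which is exactly the footgun the note two paragraphs later warns about. Suggest making the example additive in the same way the wrapper is: `mountPath: /etc/ssl/certs/corporate-ca.crt`, `subPath: ca.crt`, `readOnly: true`, and keeping the `SSL_CERT_FILE` caveat for the case where a whole directory is mounted on purpose. Two related caveats belong in the same paragraph: a volume mounted directly at `/etc/ssl/certs` (no `subPath`) hides the image's system bundle entirely, and the directory pass is itself bypassed when `SSL_CERT_DIR` is set, so the wrapper assumes both `SSL_CERT_FILE` and `SSL_CERT_DIR` are unset in the container.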
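Review bot: in PATCH 1/8, the "Pod Security Standards" paragraph added to `charts/k8s-reporter/README.md` (and its copy in `docs.kosli.com/content/helm/_index.md`) overstates what the chart guarantees: "Both options use `secret`-backed volumes" is true only for the wrapper, while `extraVolumes` is rendered verbatim, so a user can put a `hostPath` there and the chart will not stop them. Suggest rewording to "the wrapper only ever creates a `secret` volume; with `extraVolumes` the volume type is whatever you supply, so stick to `secret`, `configMap` or `projected` to stay within the `restricted` profile". Since `README.md.gotmpl` now includes `extra.customCA`, README.md and the docs page look like generated copies; the wording fix should land in `_templates.gotmpl` and be regenerated rather than edited in three places.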
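Review bot: in PATCH 1/8, the `custom-ca` volume and its `subPath` mount in `charts/k8s-reporter/templates/cronjob.yaml` should document two properties that auditors and operators will ask about. First, Kubernetes does not refresh `subPath`-mounted files when the Secret changes; that is harmless here because every CronJob run starts a fresh pod, but the README should say that a rotated CA takes effect on the next scheduled run rather than immediately. Second, the mount is `readOnly: true` (good) and the Secret volume is created with the default file mode, which is world-readable and root-owned; with `runAsUser: 1000` in `values.yaml` that read bit is what makes the file readable at all, so if anyone later tightens the mode they also need `fsGroup`. Making the mode explicit on the volume, with a comment saying why, would prevent that regression. Finally, the `nindent 10` / `nindent 12` choices for `extraVolumes` and `extraVolumeMounts` must line up with the sibling `- name:` items, which the stripped whitespace in this diff makes hard to confirm; please render with `helm template` and a non-empty `extraVolumes` / `extraVolumeMounts` and add that case to the chart's test values.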
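Review bot: in PATCH 1/8, the `extraEnvVars` block in `charts/k8s-reporter/templates/cronjob.yaml` renders into the same container `env` list as the legacy `env:` loop directly above it, so a name defined in both produces a duplicate entry and whichever wins is a kubelet ordering detail, not something the API promises; the values comment should tell users to define a given name in exactly one of the two, rather than describe precedence. Worth noting in the same comment that `toYaml` quotes values correctly, whereas the legacy loop emits `value: {{ $value }}` unquoted, so a numeric-looking or boolean-looking value in the `env:` map is rendered as a non-string and rejected by the API server; that is a concrete reason to point new users at `extraEnvVars`.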
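Review bot: in PATCH 1/8, the first commented example under `extraEnvVars` in `charts/k8s-reporter/values.yaml` is `SSL_CERT_FILE`, the very setting the README section calls a footgun because it replaces the system bundle; the first thing a copy-paster sees should be a safe example (`HTTPS_PROXY`, or a `valueFrom` secret reference), with `SSL_CERT_FILE` mentioned only alongside the warning. Separately, the six-line `# --` comment on `customCA` is lifted verbatim into the helm-docs values table (visible in the README hunk as one very long cell, with the `kubectl create secret` command embedded in it); keep the `# --` description to one sentence and point at the README section for detail.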
From: Alex Kantor Date: Wed, 15 Apr 2026 10:19:54 +0100 Subject: [PATCH 2/8] review fixes: defaultMode, x509 keyword, value-table cleanup, env deprecation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Addresses parallel review feedback on PR #777: - Add explicit defaultMode: 0644 to customCA Secret volume so the permission posture is self-documenting for auditors. - Tighten the docs description of Go's cert-pool loading: it's two independent passes (cert file + dir scan), not one unified scan. - Add the literal "x509: certificate signed by unknown authority" string to the docs section so customers searching the error message find it. - Replace the SSL_CERT_FILE example in the extraEnvVars block with HTTPS_PROXY — SSL_CERT_FILE is the documented footgun and shouldn't be the first thing copy-pasters see. - Shorten the customCA parent comment so the helm-docs values table reads cleanly; defer detail to the README section. - Mark the existing `env:` map as DEPRECATED in favour of extraEnvVars to remove cross-reference confusion. Both still work. Refs kosli-dev/cli#776 Co-Authored-By: Claude Opus 4.6 --- charts/k8s-reporter/README.md | 10 ++++++---- charts/k8s-reporter/_templates.gotmpl | 6 ++++-- charts/k8s-reporter/templates/cronjob.yaml | 1 + charts/k8s-reporter/values.yaml | 17 +++++++---------- docs.kosli.com/content/helm/_index.md | 10 ++++++---- 5 files changed, 24 insertions(+), 20 deletions(-) diff --git a/charts/k8s-reporter/README.md b/charts/k8s-reporter/README.md index 99a2189b3..d98bdc10f 100644 --- a/charts/k8s-reporter/README.md +++ b/charts/k8s-reporter/README.md 
@@ -98,7 +98,7 @@ helm uninstall kosli-reporter ## Running behind a TLS-inspecting proxy (corporate / custom CA bundle) -If your network sits behind a TLS-inspecting appliance (Zscaler, Netskope, Palo Alto, etc.) that re-signs HTTPS traffic with a certificate not trusted by any public CA, you need to make the appliance's CA bundle available to the reporter. +If your network sits behind a TLS-inspecting appliance (Zscaler, Netskope, Palo Alto, etc.) that re-signs HTTPS traffic with a corporate CA certificate, the reporter will fail with `x509: certificate signed by unknown authority`. To fix this, make the appliance's CA bundle available to the reporter. The chart offers two ways to do this. Use whichever fits your deployment flow. @@ -119,7 +119,9 @@ customCA: key: ca.crt ``` -The chart mounts the certificate as a single file at `/etc/ssl/certs/kosli-custom-ca.crt` using `subPath`. Go's standard library reads it automatically alongside the system CA bundle — no `SSL_CERT_FILE` env var is needed (and the wrapper deliberately does not set one; setting `SSL_CERT_FILE` would replace the system bundle and break trust for any public CAs your bundle does not include). +The chart mounts the certificate as a single file at `/etc/ssl/certs/kosli-custom-ca.crt` using `subPath`. Go's standard library on Linux loads CA roots in two independent passes — it reads the system bundle file (e.g. `/etc/ssl/certs/ca-certificates.crt`) and **also** scans `/etc/ssl/certs/` for additional certificate files. The mounted file is picked up by the directory scan and added to the trust store alongside the system roots, so no `SSL_CERT_FILE` env var is needed. + +The wrapper deliberately does **not** set `SSL_CERT_FILE`. Setting it would replace the system bundle entirely with the customer's file, breaking trust for any public CAs the bundle does not include. ### Option 2 — generic `extraVolumes` / `extraVolumeMounts` / `extraEnvVars` 
@@ -152,11 +154,11 @@ If you already run [cert-manager's trust-manager](https://cert-manager.io/docs/t |-----|------|---------|-------------| | concurrencyPolicy | string | `"Replace"` | specifies how to treat concurrent executions of a Job that is created by this CronJob | | cronSchedule | string | `"*/5 * * * *"` | the cron schedule at which the reporter is triggered to report to Kosli | -| customCA | object | `{"enabled":false,"key":"ca.crt","secretName":""}` | convenience wrapper for mounting a corporate / custom CA bundle into the reporter's trust store. When enabled, the chart creates a Secret-backed volume and mounts the CA file into /etc/ssl/certs/ using subPath so it is picked up additively by Go's standard library alongside the system CA bundle (no SSL_CERT_FILE env var needed; setting it would replace the system bundle and is the footgun this wrapper hides). The Secret itself must be created out-of-band, e.g.: kubectl create secret generic corporate-ca-bundle --from-file=ca.crt=/path/to/corporate-ca.crt | +| customCA | object | `{"enabled":false,"key":"ca.crt","secretName":""}` | convenience wrapper for mounting a corporate / custom CA bundle. See the "Running behind a TLS-inspecting proxy" section of the README for usage. | | customCA.enabled | bool | `false` | enable mounting a corporate/custom CA bundle into the trust store | | customCA.key | string | `"ca.crt"` | key within the Secret that holds the PEM-formatted CA certificate (single cert or multi-cert PEM bundle) | | customCA.secretName | string | `""` | name of an existing Secret in the same namespace containing the CA bundle | -| extraEnvVars | list | `[]` | additional environment variables to inject into the reporter container. List of {name, value} or {name, valueFrom} entries, rendered verbatim into the container env. Use this when you need valueFrom (secretKeyRef / configMapKeyRef) or want a structure beyond simple key=value. For simple key=value pairs you can also use the `env:` map above. 
| +| extraEnvVars | list | `[]` | additional environment variables to inject into the reporter container. List of {name, value} or {name, valueFrom} entries, rendered verbatim into the container env. Supports plain values and valueFrom (secretKeyRef / configMapKeyRef). Note: entries here are appended after the chart's own env entries; on duplicate names the later entry wins. | | extraVolumeMounts | list | `[]` | additional container-level volumeMounts for the reporter container. Rendered verbatim into the container spec alongside the chart's own mounts. | | extraVolumes | list | `[]` | additional Pod-level volumes to attach to the reporter pod. Rendered verbatim into the Pod spec alongside the chart's own volumes. Use together with `extraVolumeMounts` to mount Secrets, ConfigMaps, or other volumes into the container. | | failedJobsHistoryLimit | int | `1` | specifies the number of failed finished jobs to keep | diff --git a/charts/k8s-reporter/_templates.gotmpl b/charts/k8s-reporter/_templates.gotmpl index 359bb7139..5ce980faf 100644 --- a/charts/k8s-reporter/_templates.gotmpl +++ b/charts/k8s-reporter/_templates.gotmpl @@ -101,7 +101,7 @@ helm uninstall kosli-reporter {{ define "extra.customCA" -}} ## Running behind a TLS-inspecting proxy (corporate / custom CA bundle) -If your network sits behind a TLS-inspecting appliance (Zscaler, Netskope, Palo Alto, etc.) that re-signs HTTPS traffic with a certificate not trusted by any public CA, you need to make the appliance's CA bundle available to the reporter. +If your network sits behind a TLS-inspecting appliance (Zscaler, Netskope, Palo Alto, etc.) that re-signs HTTPS traffic with a corporate CA certificate, the reporter will fail with `x509: certificate signed by unknown authority`. To fix this, make the appliance's CA bundle available to the reporter. The chart offers two ways to do this. Use whichever fits your deployment flow. 
@@ -122,7 +122,9 @@ customCA: key: ca.crt ``` -The chart mounts the certificate as a single file at `/etc/ssl/certs/kosli-custom-ca.crt` using `subPath`. Go's standard library reads it automatically alongside the system CA bundle — no `SSL_CERT_FILE` env var is needed (and the wrapper deliberately does not set one; setting `SSL_CERT_FILE` would replace the system bundle and break trust for any public CAs your bundle does not include). +The chart mounts the certificate as a single file at `/etc/ssl/certs/kosli-custom-ca.crt` using `subPath`. Go's standard library on Linux loads CA roots in two independent passes — it reads the system bundle file (e.g. `/etc/ssl/certs/ca-certificates.crt`) and **also** scans `/etc/ssl/certs/` for additional certificate files. The mounted file is picked up by the directory scan and added to the trust store alongside the system roots, so no `SSL_CERT_FILE` env var is needed. + +The wrapper deliberately does **not** set `SSL_CERT_FILE`. Setting it would replace the system bundle entirely with the customer's file, breaking trust for any public CAs the bundle does not include. ### Option 2 — generic `extraVolumes` / `extraVolumeMounts` / `extraEnvVars` diff --git a/charts/k8s-reporter/templates/cronjob.yaml b/charts/k8s-reporter/templates/cronjob.yaml index 0712bdaa6..1be61c768 100644 --- a/charts/k8s-reporter/templates/cronjob.yaml +++ b/charts/k8s-reporter/templates/cronjob.yaml @@ -31,6 +31,7 @@ spec: - name: custom-ca secret: secretName: {{ required "customCA.secretName is required when customCA.enabled is true" .Values.customCA.secretName }} + defaultMode: 0644 {{- end }} {{- with .Values.extraVolumes }} {{- toYaml . | nindent 10 }} diff --git a/charts/k8s-reporter/values.yaml b/charts/k8s-reporter/values.yaml index 488a157e5..773134c0b 100644 --- a/charts/k8s-reporter/values.yaml +++ b/charts/k8s-reporter/values.yaml 
@@ -82,17 +82,18 @@ reporterConfig: # Omit this field for OpenShift environments to allow automatic UID assignment runAsUser: 1000 +# DEPRECATED: prefer `extraEnvVars` below. Retained for backward compatibility. # Uncomment the env variable below and replace , if you are on a single tenant Kosli instance # env: # KOSLI_HOST: https://.kosli.com # -- additional environment variables to inject into the reporter container. # List of {name, value} or {name, valueFrom} entries, rendered verbatim into the container env. -# Use this when you need valueFrom (secretKeyRef / configMapKeyRef) or want a structure beyond simple key=value. -# For simple key=value pairs you can also use the `env:` map above. +# Supports plain values and valueFrom (secretKeyRef / configMapKeyRef). +# Note: entries here are appended after the chart's own env entries; on duplicate names the later entry wins. extraEnvVars: [] - # - name: SSL_CERT_FILE - # value: /etc/ssl/certs/corporate/ca.crt + # - name: HTTPS_PROXY + # value: http://proxy.corp:8080 # - name: MY_SECRET # valueFrom: # secretKeyRef: 
@@ -114,12 +115,8 @@ extraVolumeMounts: [] # mountPath: /etc/ssl/certs/corporate # readOnly: true -# -- convenience wrapper for mounting a corporate / custom CA bundle into the reporter's trust store. -# When enabled, the chart creates a Secret-backed volume and mounts the CA file into /etc/ssl/certs/ -# using subPath so it is picked up additively by Go's standard library alongside the system CA bundle -# (no SSL_CERT_FILE env var needed; setting it would replace the system bundle and is the footgun this wrapper hides). -# The Secret itself must be created out-of-band, e.g.: -# kubectl create secret generic corporate-ca-bundle --from-file=ca.crt=/path/to/corporate-ca.crt +# -- convenience wrapper for mounting a corporate / custom CA bundle. See the +# "Running behind a TLS-inspecting proxy" section of the README for usage. customCA: # -- enable mounting a corporate/custom CA bundle into the trust store enabled: false diff --git a/docs.kosli.com/content/helm/_index.md b/docs.kosli.com/content/helm/_index.md index 99a2189b3..d98bdc10f 100644 --- a/docs.kosli.com/content/helm/_index.md +++ b/docs.kosli.com/content/helm/_index.md @@ -98,7 +98,7 @@ helm uninstall kosli-reporter ## Running behind a TLS-inspecting proxy (corporate / custom CA bundle) -If your network sits behind a TLS-inspecting appliance (Zscaler, Netskope, Palo Alto, etc.) that re-signs HTTPS traffic with a certificate not trusted by any public CA, you need to make the appliance's CA bundle available to the reporter. +If your network sits behind a TLS-inspecting appliance (Zscaler, Netskope, Palo Alto, etc.) that re-signs HTTPS traffic with a corporate CA certificate, the reporter will fail with `x509: certificate signed by unknown authority`. To fix this, make the appliance's CA bundle available to the reporter. The chart offers two ways to do this. Use whichever fits your deployment flow. 
@@ -119,7 +119,9 @@ customCA: key: ca.crt ``` -The chart mounts the certificate as a single file at `/etc/ssl/certs/kosli-custom-ca.crt` using `subPath`. Go's standard library reads it automatically alongside the system CA bundle — no `SSL_CERT_FILE` env var is needed (and the wrapper deliberately does not set one; setting `SSL_CERT_FILE` would replace the system bundle and break trust for any public CAs your bundle does not include). +The chart mounts the certificate as a single file at `/etc/ssl/certs/kosli-custom-ca.crt` using `subPath`. Go's standard library on Linux loads CA roots in two independent passes — it reads the system bundle file (e.g. `/etc/ssl/certs/ca-certificates.crt`) and **also** scans `/etc/ssl/certs/` for additional certificate files. The mounted file is picked up by the directory scan and added to the trust store alongside the system roots, so no `SSL_CERT_FILE` env var is needed. + +The wrapper deliberately does **not** set `SSL_CERT_FILE`. Setting it would replace the system bundle entirely with the customer's file, breaking trust for any public CAs the bundle does not include. ### Option 2 — generic `extraVolumes` / `extraVolumeMounts` / `extraEnvVars` 
@@ -152,11 +154,11 @@ If you already run [cert-manager's trust-manager](https://cert-manager.io/docs/t |-----|------|---------|-------------| | concurrencyPolicy | string | `"Replace"` | specifies how to treat concurrent executions of a Job that is created by this CronJob | | cronSchedule | string | `"*/5 * * * *"` | the cron schedule at which the reporter is triggered to report to Kosli | -| customCA | object | `{"enabled":false,"key":"ca.crt","secretName":""}` | convenience wrapper for mounting a corporate / custom CA bundle into the reporter's trust store. When enabled, the chart creates a Secret-backed volume and mounts the CA file into /etc/ssl/certs/ using subPath so it is picked up additively by Go's standard library alongside the system CA bundle (no SSL_CERT_FILE env var needed; setting it would replace the system bundle and is the footgun this wrapper hides). The Secret itself must be created out-of-band, e.g.: kubectl create secret generic corporate-ca-bundle --from-file=ca.crt=/path/to/corporate-ca.crt | +| customCA | object | `{"enabled":false,"key":"ca.crt","secretName":""}` | convenience wrapper for mounting a corporate / custom CA bundle. See the "Running behind a TLS-inspecting proxy" section of the README for usage. | | customCA.enabled | bool | `false` | enable mounting a corporate/custom CA bundle into the trust store | | customCA.key | string | `"ca.crt"` | key within the Secret that holds the PEM-formatted CA certificate (single cert or multi-cert PEM bundle) | | customCA.secretName | string | `""` | name of an existing Secret in the same namespace containing the CA bundle | -| extraEnvVars | list | `[]` | additional environment variables to inject into the reporter container. List of {name, value} or {name, valueFrom} entries, rendered verbatim into the container env. Use this when you need valueFrom (secretKeyRef / configMapKeyRef) or want a structure beyond simple key=value. For simple key=value pairs you can also use the `env:` map above. 
| +| extraEnvVars | list | `[]` | additional environment variables to inject into the reporter container. List of {name, value} or {name, valueFrom} entries, rendered verbatim into the container env. Supports plain values and valueFrom (secretKeyRef / configMapKeyRef). Note: entries here are appended after the chart's own env entries; on duplicate names the later entry wins. | | extraVolumeMounts | list | `[]` | additional container-level volumeMounts for the reporter container. Rendered verbatim into the container spec alongside the chart's own mounts. | | extraVolumes | list | `[]` | additional Pod-level volumes to attach to the reporter pod. Rendered verbatim into the Pod spec alongside the chart's own volumes. Use together with `extraVolumeMounts` to mount Secrets, ConfigMaps, or other volumes into the container. | | failedJobsHistoryLimit | int | `1` | specifies the number of failed finished jobs to keep | From 1cfc5247eefa55b03c6f8169d29151e74ab236fb Mon Sep 17 00:00:00 2001 From: Alex Kantor Date: Wed, 15 Apr 2026 10:20:47 +0100 Subject: [PATCH 3/8] revert env deprecation; document env and extraEnvVars as siblings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Backing out the env-map deprecation from the previous commit — that was scope creep beyond the customCA feature, made without auditing who relies on env: today or whether the team wants to phase it out. Instead: surface env: in the helm-docs values table (it was previously invisible because the values.yaml entry was fully commented out) and describe env: vs extraEnvVars as sibling options. Behaviour unchanged — env: {} is functionally identical to the previous fully-commented form. Co-Authored-By: Claude Opus 4.6 --- charts/k8s-reporter/README.md | 1 + charts/k8s-reporter/values.yaml | 11 +++++++---- docs.kosli.com/content/helm/_index.md | 1 + 3 files changed, 9 insertions(+), 4 deletions(-) 
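Review bot: the sentence "on duplicate names the later entry wins" added in the values.yaml `@@ -82,17 +82,18 @@` hunk describes what the kubelet does with the rendered list, not anything the chart checks: `extraEnvVars` is rendered verbatim after the chart's own env entries, so a user entry that reuses one of the chart's names silently overrides it instead of failing `helm template`. Either say plainly that the chart does not detect the collision, or reject it at render time with `fail`. The `DEPRECATED` line above `env:` is also a plain `#` comment, so helm-docs will not carry it into the values table (and the commented-out `env:` key itself is invisible there); if `env:` is really being retired, the deprecation needs to be visible where users read the options.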
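Review bot: the values.yaml `@@ -114,12 +115,8 @@` hunk drops the only statement in the values file that the Secret has to be created out-of-band, and Helm cannot check at render time that `customCA.secretName` names an existing Secret, so a missing one only shows up when the first scheduled pod fails to start. Keep one line such as "the Secret must already exist in the release namespace; see the README section" in the `# --` comment, since helm-docs copies that comment into the values table where most users will read it.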
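Review bot: in the `_index.md` `@@ -119,7 +119,9 @@` hunk the two-pass description of Go's root loading is accurate (on Linux `crypto/x509` loads the first readable bundle from its file list and then appends every certificate file it finds in `/etc/ssl/certs/`), but "setting `SSL_CERT_FILE` would replace the system bundle entirely" overstates it: the variable only replaces the file list, and the directory scan still runs, so on an image whose `/etc/ssl/certs/` also holds per-certificate files the public roots would still be loaded. The statement is right for an image where that directory contains nothing but the bundle file, so either qualify it with the reporter image's layout or say "would replace the bundle file". Two more points worth a sentence each: `SSL_CERT_DIR` overrides the directory list in the same way, and because the file is mounted via `subPath` it is bound at pod start and not refreshed if the Secret changes, which is fine for this CronJob (each run is a fresh pod) but not for anyone copying the pattern into a long-running Deployment.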
diff --git a/charts/k8s-reporter/README.md b/charts/k8s-reporter/README.md index d98bdc10f..fb36d904b 100644 --- a/charts/k8s-reporter/README.md +++ b/charts/k8s-reporter/README.md @@ -158,6 +158,7 @@ If you already run [cert-manager's trust-manager](https://cert-manager.io/docs/t | customCA.enabled | bool | `false` | enable mounting a corporate/custom CA bundle into the trust store | | customCA.key | string | `"ca.crt"` | key within the Secret that holds the PEM-formatted CA certificate (single cert or multi-cert PEM bundle) | | customCA.secretName | string | `""` | name of an existing Secret in the same namespace containing the CA bundle | +| env | object | `{}` | map of plain environment variables to inject into the reporter container. For value-only key=value pairs. Use `extraEnvVars` below if you need `valueFrom` (secretKeyRef / configMapKeyRef) or any other structured env entry. Example for a single tenant Kosli instance: env: KOSLI_HOST: https://.kosli.com | | extraEnvVars | list | `[]` | additional environment variables to inject into the reporter container. List of {name, value} or {name, valueFrom} entries, rendered verbatim into the container env. Supports plain values and valueFrom (secretKeyRef / configMapKeyRef). Note: entries here are appended after the chart's own env entries; on duplicate names the later entry wins. | | extraVolumeMounts | list | `[]` | additional container-level volumeMounts for the reporter container. Rendered verbatim into the container spec alongside the chart's own mounts. | | extraVolumes | list | `[]` | additional Pod-level volumes to attach to the reporter pod. Rendered verbatim into the Pod spec alongside the chart's own volumes. Use together with `extraVolumeMounts` to mount Secrets, ConfigMaps, or other volumes into the container. | diff --git a/charts/k8s-reporter/values.yaml b/charts/k8s-reporter/values.yaml index 773134c0b..cec03e068 100644 --- a/charts/k8s-reporter/values.yaml +++ b/charts/k8s-reporter/values.yaml 
@@ -82,10 +82,13 @@ reporterConfig: # Omit this field for OpenShift environments to allow automatic UID assignment runAsUser: 1000 -# DEPRECATED: prefer `extraEnvVars` below. Retained for backward compatibility. -# Uncomment the env variable below and replace , if you are on a single tenant Kosli instance -# env: -# KOSLI_HOST: https://.kosli.com +# -- map of plain environment variables to inject into the reporter container. +# For value-only key=value pairs. Use `extraEnvVars` below if you need `valueFrom` +# (secretKeyRef / configMapKeyRef) or any other structured env entry. +# Example for a single tenant Kosli instance: +# env: +# KOSLI_HOST: https://.kosli.com +env: {} # -- additional environment variables to inject into the reporter container. # List of {name, value} or {name, valueFrom} entries, rendered verbatim into the container env. diff --git a/docs.kosli.com/content/helm/_index.md b/docs.kosli.com/content/helm/_index.md index d98bdc10f..fb36d904b 100644 --- a/docs.kosli.com/content/helm/_index.md +++ b/docs.kosli.com/content/helm/_index.md 
@@ -158,6 +158,7 @@ If you already run [cert-manager's trust-manager](https://cert-manager.io/docs/t | customCA.enabled | bool | `false` | enable mounting a corporate/custom CA bundle into the trust store | | customCA.key | string | `"ca.crt"` | key within the Secret that holds the PEM-formatted CA certificate (single cert or multi-cert PEM bundle) | | customCA.secretName | string | `""` | name of an existing Secret in the same namespace containing the CA bundle | +| env | object | `{}` | map of plain environment variables to inject into the reporter container. For value-only key=value pairs. Use `extraEnvVars` below if you need `valueFrom` (secretKeyRef / configMapKeyRef) or any other structured env entry. Example for a single tenant Kosli instance: env: KOSLI_HOST: https://.kosli.com | | extraEnvVars | list | `[]` | additional environment variables to inject into the reporter container. List of {name, value} or {name, valueFrom} entries, rendered verbatim into the container env. Supports plain values and valueFrom (secretKeyRef / configMapKeyRef). Note: entries here are appended after the chart's own env entries; on duplicate names the later entry wins. | | extraVolumeMounts | list | `[]` | additional container-level volumeMounts for the reporter container. Rendered verbatim into the container spec alongside the chart's own mounts. | | extraVolumes | list | `[]` | additional Pod-level volumes to attach to the reporter pod. Rendered verbatim into the Pod spec alongside the chart's own volumes. Use together with `extraVolumeMounts` to mount Secrets, ConfigMaps, or other volumes into the container. | From b44df210a4a1c36053d3eec0e71cb1f5dc7cf640 Mon Sep 17 00:00:00 2001 
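Review bot: the `# --` comment in the values.yaml `@@ -82,10 +82,13 @@` hunk embeds a multi-line YAML example, and the README and `_index.md` rows in this same commit show what helm-docs makes of it: the example is flattened into the table cell as `env: KOSLI_HOST: https://.kosli.com`, which no longer reads as YAML. Keep the `# --` description to prose and put the example either above the `# --` line, where helm-docs does not read it, or in the README section.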
From: Alex Kantor Date: Wed, 15 Apr 2026 10:26:43 +0100 Subject: [PATCH 4/8] address Claude bot review on PR #777 - Add `required` guard on customCA.key to prevent the silent empty-subPath footgun (an empty subPath causes K8s to mount the whole Secret as a directory at the mountPath, which would break Go trying to read it as a cert file). - Tighten the env range loop with `{{- end }}` so the rendered env block doesn't carry a trailing blank line before extraEnvVars. Co-Authored-By: Claude Opus 4.6 --- charts/k8s-reporter/templates/cronjob.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/k8s-reporter/templates/cronjob.yaml b/charts/k8s-reporter/templates/cronjob.yaml index 1be61c768..a0e438c4e 100644 --- a/charts/k8s-reporter/templates/cronjob.yaml +++ b/charts/k8s-reporter/templates/cronjob.yaml @@ -47,7 +47,7 @@ spec: {{- if .Values.customCA.enabled }} - name: custom-ca mountPath: /etc/ssl/certs/kosli-custom-ca.crt - subPath: {{ .Values.customCA.key }} + subPath: {{ required "customCA.key is required when customCA.enabled is true" .Values.customCA.key }} readOnly: true {{- end }} {{- with .Values.extraVolumeMounts }} @@ -82,7 +82,7 @@ spec: {{- range $key, $value := .Values.env }} - name: {{ $key }} value: {{ $value }} - {{ end }} + {{- end }} {{- with .Values.extraEnvVars }} {{- toYaml . | nindent 14 }} {{- end }} From bb206acb98ab8ee0ab00bdeb3b8f2a2e7729c59a Mon Sep 17 00:00:00 2001 
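Review bot: the `required` guard on `customCA.key` in the `@@ -47,7 +47,7 @@` hunk only triggers when a user explicitly empties the key, since values.yaml defaults it to `ca.crt`; that is a sensible guard, but the related case it cannot catch is a `key` that is simply absent from the Secret, which the chart has no way to validate at render time. Add a line to the customCA docs telling users to confirm the key name with `kubectl describe secret <name>` (it lists the keys without printing the data) before enabling the wrapper.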
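Review bot: the `{{- end }}` change in the `@@ -82,7 +82,7 @@` hunk is fine, but the `value: {{ $value }}` context line just above it still renders the map value unquoted: an entry like `MY_PORT: 8080` or `DRY_RUN: true` comes out as a YAML int/bool and the API server rejects the CronJob because `EnvVar.value` must be a string. Pipe it through `quote` (`value: {{ $value | quote }}`); `{{ $key }}` can stay as is, since valid env names contain only `[-._a-zA-Z0-9]`.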
From: Alex Kantor Date: Wed, 15 Apr 2026 10:28:41 +0100 Subject: [PATCH 5/8] restore env: comment as instruction (not example) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reverting the editorial framing in the env: comment. The original comment was a directive for single-tenant Kosli instances, not an example. Also dropping the extraEnvVars cross-reference — that was scope creep added without justification. Co-Authored-By: Claude Opus 4.6 --- charts/k8s-reporter/README.md | 2 +- charts/k8s-reporter/values.yaml | 4 +--- docs.kosli.com/content/helm/_index.md | 2 +- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/charts/k8s-reporter/README.md b/charts/k8s-reporter/README.md index fb36d904b..a23739340 100644 --- a/charts/k8s-reporter/README.md +++ b/charts/k8s-reporter/README.md 
@@ -158,7 +158,7 @@ If you already run [cert-manager's trust-manager](https://cert-manager.io/docs/t | customCA.enabled | bool | `false` | enable mounting a corporate/custom CA bundle into the trust store | | customCA.key | string | `"ca.crt"` | key within the Secret that holds the PEM-formatted CA certificate (single cert or multi-cert PEM bundle) | | customCA.secretName | string | `""` | name of an existing Secret in the same namespace containing the CA bundle | -| env | object | `{}` | map of plain environment variables to inject into the reporter container. For value-only key=value pairs. Use `extraEnvVars` below if you need `valueFrom` (secretKeyRef / configMapKeyRef) or any other structured env entry. Example for a single tenant Kosli instance: env: KOSLI_HOST: https://.kosli.com | +| env | object | `{}` | map of plain environment variables to inject into the reporter container. If you are on a single-tenant Kosli instance, set KOSLI_HOST: env: KOSLI_HOST: https://.kosli.com | | extraEnvVars | list | `[]` | additional environment variables to inject into the reporter container. List of {name, value} or {name, valueFrom} entries, rendered verbatim into the container env. Supports plain values and valueFrom (secretKeyRef / configMapKeyRef). Note: entries here are appended after the chart's own env entries; on duplicate names the later entry wins. | | extraVolumeMounts | list | `[]` | additional container-level volumeMounts for the reporter container. Rendered verbatim into the container spec alongside the chart's own mounts. | | extraVolumes | list | `[]` | additional Pod-level volumes to attach to the reporter pod. Rendered verbatim into the Pod spec alongside the chart's own volumes. Use together with `extraVolumeMounts` to mount Secrets, ConfigMaps, or other volumes into the container. | diff --git a/charts/k8s-reporter/values.yaml b/charts/k8s-reporter/values.yaml index cec03e068..fdb278742 100644 --- a/charts/k8s-reporter/values.yaml 
+++ b/charts/k8s-reporter/values.yaml @@ -83,9 +83,7 @@ reporterConfig: runAsUser: 1000 # -- map of plain environment variables to inject into the reporter container. -# For value-only key=value pairs. Use `extraEnvVars` below if you need `valueFrom` -# (secretKeyRef / configMapKeyRef) or any other structured env entry. -# Example for a single tenant Kosli instance: +# If you are on a single-tenant Kosli instance, set KOSLI_HOST: # env: # KOSLI_HOST: https://.kosli.com env: {} diff --git a/docs.kosli.com/content/helm/_index.md b/docs.kosli.com/content/helm/_index.md index fb36d904b..a23739340 100644 --- a/docs.kosli.com/content/helm/_index.md +++ b/docs.kosli.com/content/helm/_index.md 
@@ -158,7 +158,7 @@ If you already run [cert-manager's trust-manager](https://cert-manager.io/docs/t | customCA.enabled | bool | `false` | enable mounting a corporate/custom CA bundle into the trust store | | customCA.key | string | `"ca.crt"` | key within the Secret that holds the PEM-formatted CA certificate (single cert or multi-cert PEM bundle) | | customCA.secretName | string | `""` | name of an existing Secret in the same namespace containing the CA bundle | -| env | object | `{}` | map of plain environment variables to inject into the reporter container. For value-only key=value pairs. Use `extraEnvVars` below if you need `valueFrom` (secretKeyRef / configMapKeyRef) or any other structured env entry. Example for a single tenant Kosli instance: env: KOSLI_HOST: https://.kosli.com | +| env | object | `{}` | map of plain environment variables to inject into the reporter container. If you are on a single-tenant Kosli instance, set KOSLI_HOST: env: KOSLI_HOST: https://.kosli.com | | extraEnvVars | list | `[]` | additional environment variables to inject into the reporter container. List of {name, value} or {name, valueFrom} entries, rendered verbatim into the container env. Supports plain values and valueFrom (secretKeyRef / configMapKeyRef). Note: entries here are appended after the chart's own env entries; on duplicate names the later entry wins. | | extraVolumeMounts | list | `[]` | additional container-level volumeMounts for the reporter container. Rendered verbatim into the container spec alongside the chart's own mounts. | | extraVolumes | list | `[]` | additional Pod-level volumes to attach to the reporter pod. Rendered verbatim into the Pod spec alongside the chart's own volumes. Use together with `extraVolumeMounts` to mount Secrets, ConfigMaps, or other volumes into the container. | From e6ea356cccbed1d3734177069e888cbc4f774ee5 Mon Sep 17 00:00:00 2001 
From: Marko Bevc Date: Wed, 15 Apr 2026 10:50:06 +0100 Subject: [PATCH 6/8] Apply suggestions from code review Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> --- charts/k8s-reporter/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/k8s-reporter/values.yaml b/charts/k8s-reporter/values.yaml index fdb278742..fccaf9dbc 100644 --- a/charts/k8s-reporter/values.yaml +++ b/charts/k8s-reporter/values.yaml @@ -83,7 +83,7 @@ reporterConfig: runAsUser: 1000 # -- map of plain environment variables to inject into the reporter container. -# If you are on a single-tenant Kosli instance, set KOSLI_HOST: +# For a single-tenant Kosli instance, set KOSLI_HOST to https://.kosli.com. # env: # KOSLI_HOST: https://.kosli.com env: {} From f2af5bfac4a38d8670f07ab5050448529e3e2800 Mon Sep 17 00:00:00 2001 From: Alex Kantor Date: Wed, 15 Apr 2026 11:07:28 +0100 Subject: [PATCH 7/8] address remaining Claude bot review on PR #777 Picking up safe-to-fix nits regardless of strict scope: - Quote customCA.secretName and subPath, matching the pattern used for cronSchedule and image fields. mbevc1 also asked for this. - Quote $value in the env range so user-supplied values containing YAML special chars (colons, brackets) render safely. - Tighten the podLabels range with `{{- end }}` for consistency with the env-range fix in commit b44df210. Pre-existing whitespace nit, not introduced by this PR, but cheap to fix while I'm here. - Collapse the env: helm-docs comment to a single line so it reads cleanly in the rendered values table (the multi-line YAML example collapsed badly after helm-docs concatenation). Co-Authored-By: Claude Opus 4.6 --- charts/k8s-reporter/README.md | 2 +- charts/k8s-reporter/templates/cronjob.yaml | 8 ++++---- charts/k8s-reporter/values.yaml | 2 -- docs.kosli.com/content/helm/_index.md | 2 +- 4 files changed, 6 insertions(+), 8 deletions(-) 
diff --git a/charts/k8s-reporter/README.md b/charts/k8s-reporter/README.md index a23739340..5161b8713 100644 --- a/charts/k8s-reporter/README.md +++ b/charts/k8s-reporter/README.md @@ -158,7 +158,7 @@ If you already run [cert-manager's trust-manager](https://cert-manager.io/docs/t | customCA.enabled | bool | `false` | enable mounting a corporate/custom CA bundle into the trust store | | customCA.key | string | `"ca.crt"` | key within the Secret that holds the PEM-formatted CA certificate (single cert or multi-cert PEM bundle) | | customCA.secretName | string | `""` | name of an existing Secret in the same namespace containing the CA bundle | -| env | object | `{}` | map of plain environment variables to inject into the reporter container. If you are on a single-tenant Kosli instance, set KOSLI_HOST: env: KOSLI_HOST: https://.kosli.com | +| env | object | `{}` | map of plain environment variables to inject into the reporter container. For a single-tenant Kosli instance, set KOSLI_HOST to https://.kosli.com. | | extraEnvVars | list | `[]` | additional environment variables to inject into the reporter container. List of {name, value} or {name, valueFrom} entries, rendered verbatim into the container env. Supports plain values and valueFrom (secretKeyRef / configMapKeyRef). Note: entries here are appended after the chart's own env entries; on duplicate names the later entry wins. | | extraVolumeMounts | list | `[]` | additional container-level volumeMounts for the reporter container. Rendered verbatim into the container spec alongside the chart's own mounts. | | extraVolumes | list | `[]` | additional Pod-level volumes to attach to the reporter pod. Rendered verbatim into the Pod spec alongside the chart's own volumes. Use together with `extraVolumeMounts` to mount Secrets, ConfigMaps, or other volumes into the container. | diff --git a/charts/k8s-reporter/templates/cronjob.yaml b/charts/k8s-reporter/templates/cronjob.yaml index a0e438c4e..49e0bedd2 100644 
--- a/charts/k8s-reporter/templates/cronjob.yaml +++ b/charts/k8s-reporter/templates/cronjob.yaml @@ -20,7 +20,7 @@ spec: labels: {{- range $key, $value := .Values.podLabels }} {{ $key }}: {{ $value }} - {{ end }} + {{- end }} spec: serviceAccountName: {{ include "reporter.serviceAccountName" . }} volumes: @@ -30,7 +30,7 @@ spec: {{- if .Values.customCA.enabled }} - name: custom-ca secret: - secretName: {{ required "customCA.secretName is required when customCA.enabled is true" .Values.customCA.secretName }} + secretName: {{ required "customCA.secretName is required when customCA.enabled is true" .Values.customCA.secretName | quote }} defaultMode: 0644 {{- end }} {{- with .Values.extraVolumes }} @@ -47,7 +47,7 @@ spec: {{- if .Values.customCA.enabled }} - name: custom-ca mountPath: /etc/ssl/certs/kosli-custom-ca.crt - subPath: {{ required "customCA.key is required when customCA.enabled is true" .Values.customCA.key }} + subPath: {{ required "customCA.key is required when customCA.enabled is true" .Values.customCA.key | quote }} readOnly: true {{- end }} {{- with .Values.extraVolumeMounts }} @@ -81,7 +81,7 @@ spec: key: {{ .Values.kosliApiToken.secretKey | default "token" }} {{- range $key, $value := .Values.env }} - name: {{ $key }} - value: {{ $value }} + value: {{ $value | quote }} {{- end }} {{- with .Values.extraEnvVars }} {{- toYaml . | nindent 14 }} diff --git a/charts/k8s-reporter/values.yaml b/charts/k8s-reporter/values.yaml index fccaf9dbc..a13f74495 100644 --- a/charts/k8s-reporter/values.yaml +++ b/charts/k8s-reporter/values.yaml @@ -84,8 +84,6 @@ reporterConfig: # -- map of plain environment variables to inject into the reporter container. # For a single-tenant Kosli instance, set KOSLI_HOST to https://.kosli.com. -# env: -# KOSLI_HOST: https://.kosli.com env: {} # -- additional environment variables to inject into the reporter container. 
diff --git a/docs.kosli.com/content/helm/_index.md b/docs.kosli.com/content/helm/_index.md index a23739340..5161b8713 100644 --- a/docs.kosli.com/content/helm/_index.md +++ b/docs.kosli.com/content/helm/_index.md @@ -158,7 +158,7 @@ If you already run [cert-manager's trust-manager](https://cert-manager.io/docs/t | customCA.enabled | bool | `false` | enable mounting a corporate/custom CA bundle into the trust store | | customCA.key | string | `"ca.crt"` | key within the Secret that holds the PEM-formatted CA certificate (single cert or multi-cert PEM bundle) | | customCA.secretName | string | `""` | name of an existing Secret in the same namespace containing the CA bundle | -| env | object | `{}` | map of plain environment variables to inject into the reporter container. If you are on a single-tenant Kosli instance, set KOSLI_HOST: env: KOSLI_HOST: https://.kosli.com | +| env | object | `{}` | map of plain environment variables to inject into the reporter container. For a single-tenant Kosli instance, set KOSLI_HOST to https://.kosli.com. | | extraEnvVars | list | `[]` | additional environment variables to inject into the reporter container. List of {name, value} or {name, valueFrom} entries, rendered verbatim into the container env. Supports plain values and valueFrom (secretKeyRef / configMapKeyRef). Note: entries here are appended after the chart's own env entries; on duplicate names the later entry wins. | | extraVolumeMounts | list | `[]` | additional container-level volumeMounts for the reporter container. Rendered verbatim into the container spec alongside the chart's own mounts. | | extraVolumes | list | `[]` | additional Pod-level volumes to attach to the reporter pod. Rendered verbatim into the Pod spec alongside the chart's own volumes. Use together with `extraVolumeMounts` to mount Secrets, ConfigMaps, or other volumes into the container. | From 6679f6eb6448623cf06a2b6396e9fd665d1d0ac1 Mon Sep 17 00:00:00 2001 
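Review bot: in the cronjob.yaml `@@ -81,7 +81,7 @@` hunk, `quote` fixes the int/bool coercion for `$value`, and the ordering in the `required ... | quote` pipelines of the `@@ -30,7` and `@@ -47,7` hunks is correct because Helm evaluates `required` before passing the result to `quote`. One leftover in the context of the same hunk: `key: {{ .Values.kosliApiToken.secretKey | default "token" }}` is still unquoted, so a `secretKey` such as `123` would hit the same rejection (`secretKeyRef.key` is a string field); give it the same `| quote` treatment for consistency.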
From: Alex Kantor Date: Wed, 15 Apr 2026 11:14:40 +0100 Subject: [PATCH 8/8] quote podLabels values; fix double-space typo in range loops MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Same fix as the env value quoting in f2af5bfa, applied to podLabels for consistency. Also fixes the double-space typo (`:= .Values.`) in both range loops — harmless cosmetic carry-over from the original template. Co-Authored-By: Claude Opus 4.6 --- charts/k8s-reporter/templates/cronjob.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/k8s-reporter/templates/cronjob.yaml b/charts/k8s-reporter/templates/cronjob.yaml index 49e0bedd2..b54f6e7be 100644 --- a/charts/k8s-reporter/templates/cronjob.yaml +++ b/charts/k8s-reporter/templates/cronjob.yaml @@ -18,8 +18,8 @@ spec: template: metadata: labels: - {{- range $key, $value := .Values.podLabels }} - {{ $key }}: {{ $value }} + {{- range $key, $value := .Values.podLabels }} + {{ $key }}: {{ $value | quote }} {{- end }} spec: serviceAccountName: {{ include "reporter.serviceAccountName" . }} @@ -79,7 +79,7 @@ spec: secretKeyRef: name: {{ required ".Values.kosliApiToken.secretName is required." .Values.kosliApiToken.secretName }} key: {{ .Values.kosliApiToken.secretKey | default "token" }} - {{- range $key, $value := .Values.env }} + {{- range $key, $value := .Values.env }} - name: {{ $key }} value: {{ $value | quote }} {{- end }}
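Review bot: quoting `$value` in the podLabels range (`@@ -18,8 +18,8 @@` hunk) closes the same gap as the env fix: a label such as `version: 1` or `canary: true` previously rendered as a non-string and was rejected, since `metadata.labels` is `map[string]string`. Note that `quote` does not make an invalid label valid (the 63-character limit and the allowed-character rule are still enforced by the API server), so the docs for `podLabels` should still point at the Kubernetes label syntax rules.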