fix(nginx): mount bundle_cacert volumes in nginx sidecar containers #347

Open: amasolov wants to merge 1 commit into ansible:main from amasolov:fix/nginx-bundle-cacert-volume-mount
@amasolov amasolov commented May 19, 2026

Summary

  • Follow-up to PR fix(eda-api): mount bundle_cacert volumes in gunicorn container #342: mount ca-trust-extracted and bundle-cacert volumes in the nginx sidecar containers within both the API and event-stream deployments when bundle_cacert_secret is configured
  • Ensures the custom CA trust store is consistently available across all containers in the pod, matching daphne, gunicorn, and the worker containers

Test plan

  • Deploy EDA with bundle_cacert_secret set and verify the nginx container has the CA trust mounts
  • Verify existing CI tests pass

Made with Cursor

AAP-75755

Summary by CodeRabbit

  • New Features
    • Enhanced deployment configurations with support for custom CA certificate management and secure connections. When enabled, custom certificate authority bundles are automatically mounted and trusted within API and event stream service containers, facilitating secure HTTPS connections to external services, internal endpoints, and third-party integrations that use private, custom, or self-signed SSL/TLS certificates.

PR ansible#342 added the ca-trust-extracted and bundle-cacert volume mounts to
the eda-api (gunicorn) container but the nginx sidecar in both the API
and event-stream deployments was still missing these mounts.

Add the same conditional volume mounts to the nginx containers in
eda-api.deployment.yaml.j2 and eda-event-stream.deployment.yaml.j2 so
that the custom CA trust store is available consistently across every
container in the pod when bundle_cacert_secret is configured.

Signed-off-by: Alexey Masolov <amasolov@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
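
The test plan's "verify the nginx container has the CA trust mounts" step can be automated against a rendered Deployment. The following is an added example, not code from this PR or the operator: it assumes `bundle_cacert_secret` is configured and checks that every container in the pod mounts the two volumes named in the description. The container names, the anchors mount path and the sample manifest are constructed for illustration.

```python
import json
import sys

# Volume names come from the PR text; container names and paths below are constructed.
REQUIRED = ("ca-trust-extracted", "bundle-cacert")
READ_ONLY = {"bundle-cacert"}  # the walkthrough says bundle-ca.crt is mounted read-only


def missing_ca_mounts(deployment):
    """Map container name -> list of CA trust mount problems (empty dict = consistent)."""
    pod = deployment["spec"]["template"]["spec"]
    declared = {v["name"] for v in pod.get("volumes", [])}
    findings = {}
    for container in pod.get("containers", []):
        mounts = {m["name"]: m for m in container.get("volumeMounts", [])}
        problems = []
        for vol in REQUIRED:
            if vol not in declared:
                problems.append(f"{vol}: volume not declared in pod spec")
            elif vol not in mounts:
                problems.append(f"{vol}: not mounted")
            elif vol in READ_ONLY and not mounts[vol].get("readOnly", False):
                problems.append(f"{vol}: mounted read-write")
        if problems:
            findings[container["name"]] = problems
    return findings


def ca_mounts(read_only=True):
    # Constructed mounts; the anchors mountPath is an assumption, the page does not give it.
    return [
        {"name": "ca-trust-extracted", "mountPath": "/etc/pki/ca-trust/extracted"},
        {"name": "bundle-cacert", "subPath": "bundle-ca.crt", "readOnly": read_only,
         "mountPath": "/etc/pki/ca-trust/source/anchors/bundle-ca.crt"},
    ]


def sample_deployment(nginx_mounts):
    # Constructed pod spec: one application container plus the nginx sidecar.
    volumes = [{"name": "ca-trust-extracted", "emptyDir": {}},
               {"name": "bundle-cacert", "secret": {"secretName": "example-bundle"}}]
    containers = [{"name": "eda-api", "volumeMounts": ca_mounts()},
                  {"name": "nginx", "volumeMounts": nginx_mounts}]
    return {"spec": {"template": {"spec": {"volumes": volumes, "containers": containers}}}}


if __name__ == "__main__":
    # Pass a file saved from `kubectl get deployment <name> -o json`, or run the sample.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else sample_deployment([])
    report = missing_ca_mounts(doc)
    print(json.dumps(report, indent=2))
    sys.exit(1 if report else 0)
```

Run with no arguments, it reports the constructed pre-fix state, in which only the nginx sidecar lacks the mounts; the non-zero exit code makes it usable as a CI gate.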
coderabbitai Bot commented May 19, 2026

Walkthrough

This pull request adds conditional CA trust bundle volume mounts to the nginx containers in both the eda-api and eda-event-stream Kubernetes Deployment templates. When the bundle_ca_crt variable is set, both templates now mount the extracted CA trust directory and the bundle certificate secret file into the appropriate container paths.

Changes

CA Trust Bundle Volume Mounts

| Layer / File(s) | Summary |
|---|---|
| Conditional CA trust bundle mounts in nginx containers: roles/eda/templates/eda-api.deployment.yaml.j2, roles/eda/templates/eda-event-stream.deployment.yaml.j2 | Both deployment templates add a conditional {% if bundle_ca_crt %} block to mount the extracted CA trust directory (/etc/pki/ca-trust/extracted) from the ca-trust-extracted volume and mount the bundle-ca.crt file (read-only) from the bundle certificate secret into the nginx container's CA anchors path when enabled. |

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main change: adding conditional mounts of bundle_cacert volumes to nginx sidecar containers in both deployment templates. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

@amasolov (Author)

@coderabbitai review

coderabbitai Bot commented May 19, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
