Enabling TLS while using external certificates
ddieruf opened this issue · comments
In my case I wanted to enableTls: true
and was using a ClusterIssuer of letsencrypt-prod. When the certificate secret was created (ie: the certificate was issued) the values of tls.crt
and tls.key
were present in the secret. But this helm chart is expecting an additional value of ca.crt
within the secret for components like heartbeat (example).
According to this cert-manager issue it is a common desire to have this third value. The use of feature-gates while deploying cert-manager was discussed but things didn't line up enough for me to go this route.
Within the issue there was a workaround that extracts the intermediates & ca from the tls.crt
chain and patches the new value in the secret. This seemed to solve my issue.
kubectl patch secret \
-n <namespace> <secret name> \
-p="{\"data\":{\"ca.crt\": \"$(kubectl get secret \
-n <namespace> <secret name> \
-o json -o=jsonpath="{.data.tls\.crt}" \
| base64 -d | awk 'f;/-----END CERTIFICATE-----/{f=1}' - | base64 -w 0)\"}}"
I should also include the note that this newly patched secret was then used in the helm values as:
tls:
ssCaCert:
tlsSecretName: pulsar.my-domain.com-tls
Which seemed a little odd that I had to include this value in an area that is meant for a self-signed CA cert.
I'm also hitting this problem. bastion and pulsarheartbeat deployments don't finish.
pulsar 3s Warning FailedMount pod/pulsar-luna-useast1-staging-bastion-85d4448f9b-zmdrv Unable to attach or mount volumes: unmounted volumes=[certs], unattached volumes=[token-public-key token-admin token-superuser certs kube-api-access-827fp token-private-key]: timed out waiting for the condition
pulsar 14s Warning FailedMount pod/pulsar-luna-useast1-staging-pulsarheartbeat-778d59bb64-xqpxc Unable to attach or mount volumes: unmounted volumes=[certs], unattached volumes=[config-volume certs kube-api-access-lrxb9]: timed out waiting for the condition
usually there's a condition {{- if or .Values.secrets .Values.createCertificates.selfSigned.enabled .Values.createCertificates.selfSignedPerComponent.enabled }}
before assuming that there's a ca.crt available.
This logic is missing from helm-chart-sources/pulsar/templates/bastion/bastion-deployment.yaml and helm-chart-sources/pulsar/templates/pulsar-heartbeat/pulsar-heartbeat-deployment.yaml
I noticed that @MMirelli attempted to address this with MMirelli/pulsar-helm-chart@3683615 and MMirelli/pulsar-helm-chart@0c3a6e1
There's a fix in #233
Nice! I'll try it out.