Oteemo / charts

Helm chart repository
https://oteemo.github.io/charts
MIT License

[sonarqube] cacerts are not secrets #171

Open TJM opened 3 years ago

TJM commented 3 years ago

While I really do appreciate that you built the ability to mount the cacerts into the charts, I would have preferred it if you had used a "ConfigMap" instead of a "Secret", as secrets have to be base64 encoded, which just makes them a PITB to deal with.

Any objections to offering the ability to use a ConfigMap instead of a Secret here?

tsiddique commented 3 years ago

@TJM When secrets are mounted to the pod they are decoded inside the container. See here for more info: https://kubernetes.io/docs/concepts/configuration/secret/#consuming-secret-values-from-volumes

Are you seeing a specific issue that's caused by having cacerts mounted as secrets?

TJM commented 3 years ago

Thanks for responding @tsiddique

I actually found out that I can use stringData: instead of data: and then I don't need to base64 encode the certs and deal with the 9 mile long lines. I can just use the filename.pem: | (and indent the PEM cert), like so...

apiVersion: v1
kind: Secret
metadata:
  name: trusted-certs
  namespace: sonarqube
stringData:
  corp_ca.pem: |
    -----BEGIN CERTIFICATE-----
    MIIEazCCA1OgAwIBAgIQJD/j6/TMSJdDUuqpjc4N2DANBgkqhkiG9w0BAQsFADBF
    MRQwEgYKCZImiZPyLGQBGRYEQ29ycDEWMBQGCgmSJomT8ixkARkWBkRBVklUQTEV
    ...
    uw66QU23YySllRVRhRAQKrIWldZTzJma4NC+Upt+hQ==
    -----END CERTIFICATE-----

Still, there is nothing secret about CA Certs, as they are public keys. They could just as easily be added as a ConfigMap. It was mostly a suggestion for a future improvement: add the capability to mount a ConfigMap instead of a Secret for the cacerts.
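An added example, not TJM's code and not part of the Oteemo chart, of the ConfigMap route discussed in this thread: a small Python helper that checks a PEM file holds only CERTIFICATE blocks (no private key that was accidentally bundled alongside the CA) and renders it as a ConfigMap with a plain `|` block scalar, so no base64 step is needed. The `trusted-certs` / `sonarqube` names come from the Secret above; the sample bundle body and the function names are constructed for illustration.

```python
import re

# Constructed sample input: a PEM-shaped bundle with a placeholder body, not a real certificate.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIEazCCA1OgAwIBAgIQEXAMPLEPLACEHOLDERBODY\n"
    "-----END CERTIFICATE-----\n"
)

# One PEM block; the label must match between BEGIN and END (CERTIFICATE, RSA PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, block_text) pairs for every PEM block found in the input."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def is_safe_for_configmap(text):
    """True only if the input holds at least one PEM block and every block is a CERTIFICATE.
    CA certificates are public, but a stray PRIVATE KEY block in the same file is not."""
    blocks = pem_blocks(text)
    return bool(blocks) and all(label == "CERTIFICATE" for label, _ in blocks)


def configmap_manifest(name, namespace, files):
    """Render a ConfigMap whose data keys are filenames and whose values are PEM block scalars.
    ConfigMap data is plain text, so nothing is base64 encoded; non-certificate material is refused."""
    lines = ["apiVersion: v1", "kind: ConfigMap", "metadata:",
             f"  name: {name}", f"  namespace: {namespace}", "data:"]
    for filename, text in files.items():
        if not is_safe_for_configmap(text):
            raise ValueError(f"{filename}: refusing non-certificate PEM material in a ConfigMap")
        lines.append(f"  {filename}: |")
        for _, block in pem_blocks(text):
            lines.extend("    " + line for line in block.splitlines())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(configmap_manifest("trusted-certs", "sonarqube", {"corp_ca.pem": SAMPLE_BUNDLE}))
```

The printed manifest can be applied with `kubectl apply -f` and mounted as a volume in place of the Secret.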