Open TJM opened 3 years ago
@TJM When secrets are mounted to the pod they are decoded inside the container. See here for more info: https://kubernetes.io/docs/concepts/configuration/secret/#consuming-secret-values-from-volumes
Are you seeing a specific issue that's caused by having cacerts mounted as secrets?
Thanks for responding @tsiddique
I actually found out that I can use `stringData:` instead of `data:` and then I don't need to base64 encode the certs and deal with the 9 mile long lines. I can just use the `filename.pem: |` (and indent the PEM cert), like so...
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: trusted-certs
  namespace: sonarqube
stringData:
  corp_ca.pem: |
    -----BEGIN CERTIFICATE-----
    MIIEazCCA1OgAwIBAgIQJD/j6/TMSJdDUuqpjc4N2DANBgkqhkiG9w0BAQsFADBF
    MRQwEgYKCZImiZPyLGQBGRYEQ29ycDEWMBQGCgmSJomT8ixkARkWBkRBVklUQTEV
    ...
    uw66QU23YySllRVRhRAQKrIWldZTzJma4NC+Upt+hQ==
    -----END CERTIFICATE-----
```
Still, there is nothing secret about CA Certs, as they are public keys. They could just as easily be added as a configMap. It was mostly a suggestion for a future improvement: add the capability to mount a configMap instead of a secret for the cacerts.
While I really do appreciate that you built the ability to mount the cacerts into the charts, I would have preferred if you had used a "ConfigMap" instead of a "Secret" as secrets have to be base64 encoded, which just makes them a PITB to deal with.
Any objections to offering the ability to use a ConfigMap instead of a Secret here?
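As an added example (not from the thread or the chart's own code), the sketch below shows that a Secret written with `stringData` stores the same bytes as one written with base64 `data`, and checks that a PEM bundle holds only certificates before it is treated as non-secret material. The PEM bodies are constructed dummy bytes and all helper names are hypothetical.

```python
import base64
import json
import re

# Matches one PEM block and captures its label (e.g. CERTIFICATE, PRIVATE KEY).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Constructed sample input: PEM framing around dummy bytes, not real certificates or keys.
DUMMY = base64.b64encode(b"constructed-sample-not-a-real-der-object").decode()
CA_PEM = f"-----BEGIN CERTIFICATE-----\n{DUMMY}\n-----END CERTIFICATE-----\n"
KEY_PEM = f"-----BEGIN PRIVATE KEY-----\n{DUMMY}\n-----END PRIVATE KEY-----\n"


def pem_labels(text):
    """Return the label of every PEM block found in text, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def is_public_only(text):
    """True if text holds at least one PEM block and every block is a certificate."""
    labels = pem_labels(text)
    return bool(labels) and all(label == "CERTIFICATE" for label in labels)


def build_secret(name, namespace, files, string_data=True):
    """Build a v1 Secret dict, using stringData (plain text) or data (base64)."""
    doc = {"apiVersion": "v1", "kind": "Secret",
           "metadata": {"name": name, "namespace": namespace}}
    if string_data:
        doc["stringData"] = dict(files)
    else:
        doc["data"] = {k: base64.b64encode(v.encode()).decode() for k, v in files.items()}
    return doc


def stored_data(secret):
    """Model what the API server stores: stringData is base64-encoded and merged over data."""
    merged = dict(secret.get("data", {}))
    for key, value in secret.get("stringData", {}).items():
        merged[key] = base64.b64encode(value.encode()).decode()
    return merged


if __name__ == "__main__":
    files = {"corp_ca.pem": CA_PEM}
    # Refuse bundles that carry anything other than certificates (e.g. a stray private key).
    assert is_public_only(CA_PEM) and not is_public_only(CA_PEM + KEY_PEM)
    print(json.dumps(build_secret("trusted-certs", "sonarqube", files), indent=2))
```

The label check only inspects PEM framing; it does not parse the DER inside each block.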