SolaceProducts / pubsubplus-kubernetes-helm-quickstart

Quickstart to launch a Solace PubSub+ Software Event Broker in Kubernetes using Helm
Apache License 2.0

TLS secret setup is not working OOTB #131

Closed lwyic closed 1 year ago

lwyic commented 1 year ago

I've tried deploying PS+ to EKS using this Helm chart. I did bump into issues with the TLS setup. In the docs, it is written that I need to create a k8s secrets.yaml for the cert (both the key and cert are in base64 .pem format). The issue, however, is that k8s will decode the base64 and make the cert and key binary. That seems to be the behaviour for secrets. Then, as init.sh will simply concat the binary version of the cert and key into a single file, the resultant file will not be recognized by the broker at all.

The same applies to startup-broker.sh. It simply concats the two binary files together and puts the result into the JSON request (SEMP), which actually expects base64 encoded format.

The fixes I made... First of all, when creating the secrets for the cert and key, I need to use "stringData" instead of "data". Then k8s will NOT decode the base64 but just store the base64 as-is in the generated cert and key file. Still it won't work, as the "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----", "-----BEGIN PRIVATE KEY-----", "-----END PRIVATE KEY-----" are missing...

So, in the end, I need to change the init.sh and startup-broker scripts to add back those BEGIN/END tags to make it work...

Have I done anything wrong?

bczoma commented 1 year ago

Hi @lwyic , this is supposed to work without modifying init.sh or the startup script. For a working example refer to the example in the test script: https://github.com/SolaceProducts/pubsubplus-kubernetes-helm-quickstart/blob/master/.github/workflows/build-test.yml#L86-L87

lwyic commented 1 year ago

Oh... I guess I know what problem I bumped into... I was not using the "kubectl create secrets" command. Instead, I was creating my own yaml to provision the secret. What I did was: I opened the .PEM file and cut out the base64 part without the "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----" lines. The correct way is to base64 encode the whole .PEM content and put the resultant base64 text into the "tls.crt" field in the secrets yaml.... same for the "tls.key"... then it would work... should we put some more explanation on how to create the tls secrets yaml file?
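The encoding difference described in this comment, as an added example (not code from the quickstart repo or from either participant): `render_tls_secret` base64-encodes the whole PEM file, headers included, into a `kubernetes.io/tls` Secret manifest, which is what `kubectl create secret tls` also does, and `check_pem_field` decodes a `data` value the way the kubelet will and verifies that the BEGIN/END lines survived. The secret name, the temp file names and the PEM contents are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the quickstart. Builds a TLS Secret manifest
# from PEM files and checks that the decoded "data" fields are complete PEMs.

# Render the Secret YAML. The entire PEM file (headers included) is base64
# encoded; Kubernetes decodes it back to the original PEM when mounting.
render_tls_secret() {   # $1=secret name, $2=cert PEM path, $3=key PEM path
  crt_b64=$(base64 < "$2" | tr -d '\n')
  key_b64=$(base64 < "$3" | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' \
    "$1" "$crt_b64" "$key_b64"
}

# Return 0 if a base64 "data" value decodes to a PEM block framed by the
# expected BEGIN/END markers, 1 otherwise (this is what the broker needs).
check_pem_field() {     # $1=base64 value, $2=PEM label, e.g. CERTIFICATE
  decoded=$(printf '%s' "$1" | base64 -d) || return 1
  case "$decoded" in
    "-----BEGIN $2-----"*"-----END $2-----") return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed, deliberately non-functional PEM bodies; only the framing matters
# for this round trip. Replace with the real certificate and key from your CA.
tmp=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nZmFrZSBjZXJ0IGJvZHk=\n-----END CERTIFICATE-----\n' > "$tmp/tls.crt"
printf -- '-----BEGIN PRIVATE KEY-----\nZmFrZSBrZXkgYm9keQ==\n-----END PRIVATE KEY-----\n' > "$tmp/tls.key"

# The value the issue first used: only the inner base64 text, headers cut out.
bad_crt=$(grep -v -- '-----' "$tmp/tls.crt" | tr -d '\n')

# The value a correct manifest carries: base64 of the whole PEM file.
manifest=$(render_tls_secret broker-tls "$tmp/tls.crt" "$tmp/tls.key")
good_crt=$(printf '%s\n' "$manifest" | sed -n 's/^  tls.crt: //p')

printf '%s\n' "$manifest"
check_pem_field "$good_crt" CERTIFICATE && echo "tls.crt decodes to a complete PEM"
check_pem_field "$bad_crt" CERTIFICATE || echo "header-stripped tls.crt is not a PEM"
rm -rf "$tmp"
```

Running `check_pem_field` against the `tls.crt`/`tls.key` values of an existing manifest is a quick way to confirm a hand-written secret before `helm install`.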

bczoma commented 1 year ago

Great @lwyic, that makes sense. Closing this then.