Open paul42 opened 2 years ago
I'm doing more testing, but @style95 was able to help me in the openwhisk slack - essentially you have to pass your Chained Cert, which is the leaf cert and all the previous certs leading back to the CA, to nginx
```yaml
whisk:
  auth:
    guest: newlyGeneratedetc:etc
    system: newlyGeneratedetc:etc
  ingress:
    apiHostName: <Domain with cert>
    apiHostPort: 443
    apiHostProto: https
    type: Standard
    domain: <Domain with cert>
    annotations:
      kubernetes.io/ingress.class: nginx
    tls:
      secretname: ow-tls
      create: false
      enabled: true
invoker:
  kubernetes:
    replicaCount: 2
  containerFactory:
    impl: "kubernetes"
k8s:
  persistence:
    enabled: true
    hasDefaultStorageClass: false
    explicitStorageClass: openebs-hostpath
nginx:
  httpsNodePort: 31002
  certificate:
    external: true
    cert_file: ".crt that is same as domain and contains certs leading back to CA"
    key_file: ".key that is same as domain"
```
I'm still testing to see what the right helm values are, but I'm able to do a `wsk action list` without the cert warning

I'm no k8s/Helm pro but FWIW: the Helm Nginx template `nginx-pod.yaml` does a volumeMount of a TLS-secret named `owdev-nginx` containing a generated base64-encoded self-signed certificate/key that nginx uses at `/etc/nginx/certs`. I generated the base64 versions of my own chained-cert/decoded-key using IE: `cat my-chained-cert.crt | base64 -w 0` and used the outputs to replace the generated cert/key in the `owdev-nginx` secret using IE: `kubectl edit secret owdev-nginx --namespace openwhisk` and the API works fine with no errors. Here are some other methods for updating a secret.

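A way to check the bundle before it goes into the nginx secret, as an added example that is not part of the thread: it confirms the file is ordered leaf first with each certificate followed by its issuer, and that the key belongs to the leaf. It assumes `openssl` is installed and compares issuer and subject names only (no signature verification); the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): check a chained cert before giving it to nginx.
# Usage: sh check_chain.sh my-chained-cert.crt my.key   (file names are placeholders)
check_chain() {
  chain=$1; key=$2; rc=0
  tmp=$(mktemp -d) || return 2
  # Split the bundle into one file per certificate, keeping file order.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/cert" n ".pem")}' "$chain"
  n=$(ls "$tmp" | wc -l | tr -d ' ')
  echo "certificates in bundle: $n"
  if [ "$n" -lt 2 ]; then
    echo "FAIL: no issuer certificates after the leaf"
    rm -rf "$tmp"; return 1
  fi
  # Each certificate must be issued by the one that follows it (leaf first).
  i=1
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    issuer=$(openssl x509 -in "$tmp/cert$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$tmp/cert$j.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    if [ "$issuer" != "$subject" ]; then
      echo "FAIL: cert $i is issued by '$issuer' but cert $j is '$subject'"; rc=1
    fi
    i=$j
  done
  # The private key must belong to the first (leaf) certificate.
  leaf_pub=$(openssl x509 -in "$tmp/cert1.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$key_pub" ] || [ "$leaf_pub" != "$key_pub" ]; then
    echo "FAIL: key does not match the first certificate"; rc=1
  fi
  rm -rf "$tmp"
  [ "$rc" -eq 0 ] && echo "OK: leaf-first chain, key matches"
  return "$rc"
}

if [ "$#" -eq 2 ]; then check_chain "$1" "$2"; fi
```
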
So far I've gotten ingress to work properly, creating a TLS secret in kubernetes and using that in the standard ingress, but how do I keep the `wsk` cli from having an issue with it? `wsk property get` shows my local info and then has this error at the end:

I know over in the wsk cli docs there is a section on client cert but they don't mention where or how to edit the `openwhisk_client_ca_cert`; it doesn't appear to be a setting on `wsk` cli and searching the openwhisk codebase in github only reveals the documentation notes (searching this codebase in github reveals zero hits). Is there an easy way to use my certificate that I generated before (using an internal CA) so I don't have to pass `-i` to the cli?

Thanks again, sorry for the deluge of questions!