billimek / billimek-charts

DEPRECATED - new home is https://github.com/k8s-at-home/charts
Apache License 2.0

[PLEX] Add CRT/KEY to PKS Conversion Init Process #212

Closed runecalico closed 4 years ago

runecalico commented 4 years ago

Special notes for your reviewer:

A few things in this v1.3.0 update:

1 - Added an option to enable an Init Script that will convert an ssl crt/key (as normally supplied by cert-manager) to pks format, copy it to a directory under /config and optionally set PLEX preferences related to certificate use. The pks password is added as a secret, the init script is added as a configmap.
2 - Normalized verbiage to enabled vs a mix of enable and enabled in value.yaml
3 - In the recent releases http and https all use 32400, so this release only uses the single port for the service, and only 32400 is exposed in the container.
4 - Function getPref added to 41-plex-preferences to fix an error in the script.
5 -


billimek commented 4 years ago

@runecalico can you please rebase this against the master branch, or submit the changes as a new branch in your fork (also rebased/merged with master in this repo)?

runecalico commented 4 years ago

Ah, so that's how you are supposed to keep the fork in sync for the PRs. I didn't know that. Thanks.

onedr0p commented 4 years ago

@runecalico very interesting how you solved the SSL issue. I have an issue opened in kube-plex that requested guidance on that. https://github.com/munnerz/kube-plex/issues/81 - linking it here.

I should be able to try this out once I migrate over to the new chart.

runecalico commented 4 years ago

Thank you. I don't know if this specific method will work if you are using an ingress controller to terminate the SSL as this method was specifically about adding it to your plex preferences. I also recently realized that I should be setting the uid/gid on the pfx file to either the plex default or whatever the plex_uid/gid values are set to. It doesn't look to affect plex using the PFX, but it's still a good practice to keep the owner/group consistent. Hopefully this can work for you.

A good addition would be to add the ability to convert it to pfx and then add it as a secret back to kubernetes, but that's quite a bit more work (for me) than I am willing to undertake. That might help with ingress controllers etc.

onedr0p commented 4 years ago

I use nginx-ingress and by your explanation it doesn't seem like it would work? I thought this was generic enough for cert-manager. In any case I'll have to try it out sometime.

runecalico commented 4 years ago

My apologies, I made some assumptions which I didn't communicate when I mentioned the ingress controller.

My assumption is that if you are using an Ingress controller, it would be able to use the kubernetes certificate secret created by cert-manager directly (as a volume mounted secret), and not require any conversion to the pkcs format, as pkcsmangler is really just for Plex, which requires a pkcs formatted secret which is currently not supported by cert-manager (in a non-experimental way).

I would agree with your statement that you could use an init container process like this one should you need a pkcs (or really any other different cert format) instead of what is natively supported by cert-manager.
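The init-container idea discussed in this thread, written out as an added example that is not the chart's own init script: a POSIX shell function that converts the cert-manager `tls.crt`/`tls.key` pair into a PKCS#12 (`.pfx`) bundle for Plex, refuses a key that does not match the certificate, keeps the bundle password out of the process list, and sets the owner to the Plex uid/gid as suggested above. `PFX_PASSWORD`, `PLEX_UID`, `PLEX_GID` and all paths are assumed names, not the chart's values.

```shell
#!/bin/sh
# Added example, not the chart's own init script: turn a cert-manager
# tls.crt/tls.key pair into a PKCS#12 (.pfx) bundle for Plex. The bundle
# password comes from PFX_PASSWORD (the chart keeps it in a Secret); PLEX_UID,
# PLEX_GID and every path used here are assumed names, not the chart's.
set -eu

# Convert PEM cert $1 and key $2 into PKCS#12 at $3. Fails closed if the key
# does not belong to the cert, so a mis-mounted Secret cannot produce a bundle
# that Plex would later refuse to load.
make_pfx() {
  crt=$1; key=$2; out=$3
  [ -s "$crt" ] && [ -s "$key" ] || { echo "make_pfx: missing cert or key" >&2; return 1; }
  [ -n "${PFX_PASSWORD:-}" ] || { echo "make_pfx: PFX_PASSWORD is empty" >&2; return 1; }
  # Compare the SubjectPublicKeyInfo blocks; this works for RSA and EC keys alike.
  crt_pub=$(openssl x509 -noout -pubkey -in "$crt")
  key_pub=$(openssl pkey -pubout -in "$key")
  [ "$crt_pub" = "$key_pub" ] || { echo "make_pfx: key does not match cert" >&2; return 1; }
  # Create the file owner-read-only from the start rather than chmod-ing afterwards,
  # and pass the password through the environment so it never appears in `ps`.
  umask 077
  openssl pkcs12 -export -in "$crt" -inkey "$key" -out "$out" -passout env:PFX_PASSWORD
  # Match the owner to the Plex uid/gid when running as root (init containers usually do).
  if [ "$(id -u)" -eq 0 ] && [ -n "${PLEX_UID:-}" ]; then
    chown "${PLEX_UID}:${PLEX_GID:-$PLEX_UID}" "$out"
  fi
}

# Sanity check before pointing Plex at the bundle: can it be opened with the
# same password? Returns 0 on success, non-zero otherwise.
pfx_ok() {
  openssl pkcs12 -in "$1" -noout -passin env:PFX_PASSWORD
}

# Usage: PFX_PASSWORD=... ./pfx-init.sh /certs/tls.crt /certs/tls.key /config/plex.pfx
if [ "$#" -eq 3 ]; then
  make_pfx "$1" "$2" "$3" && pfx_ok "$3"
fi
```

Mount the cert-manager Secret at the source paths and the Plex config volume at the destination; the bundle then exists before the Plex container starts and is readable only by its owner.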