concourse / concourse-chart

Helm chart to install Concourse
Apache License 2.0

custom secret when secret.enabled=false not working #312

Open DrummyFloyd opened 2 years ago

DrummyFloyd commented 2 years ago

hi, I'm trying to set my own certificates for syslog/openldap/vault, etc. (all my certs are managed by cert-manager + vault)

but when I set secret.enabled=false

I can't use my certificates, because all secrets need to be in an all-in-one secret concourse-web. Is there a way to do it another way? EDIT: a possible workaround would be to create a projected volume with all the wanted secrets when secrets.enabled=false, or maybe the possibility to overwrite them with our secret (path)?

this is my values.yaml

concourse:
  web:
    tls:
      enabled: true
    externalUrl: http://concourse.192.168.1.0.nip.io
    kubernetes:
      enabled: false
      createTeamNamespaces: false
      keepNamespaces: false
    clusterName: test
    syslog:
      enabled: true
      useCaCert: true
      address: "0.0.0.0:514"
      transport: tls
  # web:
  #   syslogSecretsPath: "/concourse-syslog/ca.cert"
  #   additionalVolumeMounts:
  #     - name: new-syslog-keys
  #       mountPath: /concourse-syslog
  #   additionalVolumes:
  #     - name: new-syslog-keys
  #       secret:
  #         secretName: concourse-tls-certificate
  #         items:
  #           - key: ca.crt
  #             path: ca.cert
  #           - key: tls.key
  #             path: tls.key

  ingress:
    enabled: true
    hosts:
      - "concourse.192.168.1.0.nip.io"

    annotations:
      kubernetes.io/ingress.class: "nginx"
      nginx.ingress.kubernetes.io/ssl-redirect: "false"

  worker:
    garden:
      dnsProxyEnable: true
secrets:
  create: false # if false, need to create all the keys: ssh / tls / certs, etc.
  webTlsCert: tata
  webTlsCaCert: toto
  # syslogCaCert: "/concourse-syslog/ca.cert"
  # localUsers: "test:test"
certificates:
  tlsCerts:
    enabled: true
    organizations:
      - company
    certDuration: 1h
    certRenewBefore: 30m
    secretTplAnnotations:
      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "vault,default" # Control destination namespaces
      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" # Auto create reflection for matching namespaces
      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "vault,default" # Control auto-reflection namespaces

even if I override the value webTlsC* I always get the same value in the manifest

            - name: CONCOURSE_TLS_CERT
              value: "/concourse-web-tls/client.cert"
            - name: CONCOURSE_TLS_KEY
              value: "/concourse-web-tls/client.key"
            - name: CONCOURSE_TLS_CA_CERT
              value: "/concourse-web-tls/ca.cert"

Events:
  Type     Reason       Age               From               Message
  ----     ------       ----              ----               -------
  Normal   Scheduled    21s               default-scheduler  Successfully assigned concourse/concourse-web-65f47fdd5-5dz48 to jmonnet-pas-toucher
  Warning  FailedMount  6s (x6 over 21s)  kubelet            MountVolume.SetUp failed for volume "auth-keys" : secret "concourse-web" not found
  Warning  FailedMount  6s (x6 over 21s)  kubelet            MountVolume.SetUp failed for volume "concourse-keys" : secret "concourse-web" not found
  Warning  FailedMount  6s (x6 over 21s)  kubelet            MountVolume.SetUp failed for volume "syslog-keys" : secret "concourse-web" not found
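The FailedMount events above are the chart looking for one secret named concourse-web that nobody created. The script below, added here as an example (not part of the issue or of the concourse-chart project), assembles that all-in-one secret from a cert-manager secret fetched with `kubectl get secret -o json`, checking that every expected key exists and holds the right PEM type before anything is applied. The target key names in KEY_MAP are assumed from the chart's templates/secrets.yaml and must be verified against your chart version; the keys behind the `concourse-keys` and `auth-keys` volumes in the events must be added to the map too.

```python
import base64
import json

# Constructed sample of what `kubectl get secret concourse-tls-certificate -o json`
# returns for a cert-manager Certificate (tls.crt / tls.key / ca.crt are the
# standard cert-manager keys). PEM bodies are placeholders, not real material.
CERT_MANAGER_SECRET = {
    "metadata": {"name": "concourse-tls-certificate", "namespace": "concourse"},
    "data": {
        "tls.crt": base64.b64encode(b"-----BEGIN CERTIFICATE-----\nWEBCERT\n-----END CERTIFICATE-----\n").decode(),
        "tls.key": base64.b64encode(b"-----BEGIN PRIVATE KEY-----\nWEBKEY\n-----END PRIVATE KEY-----\n").decode(),
        "ca.crt": base64.b64encode(b"-----BEGIN CERTIFICATE-----\nCA\n-----END CERTIFICATE-----\n").decode(),
    },
}

# ASSUMED mapping: key in the all-in-one secret -> (source secret, source key).
# Target names are assumed from the chart's templates/secrets.yaml; check yours.
KEY_MAP = {
    "web-tls-cert": ("concourse-tls-certificate", "tls.crt"),
    "web-tls-key": ("concourse-tls-certificate", "tls.key"),
    "web-tls-ca-cert": ("concourse-tls-certificate", "ca.crt"),
    "syslog-ca-cert": ("concourse-tls-certificate", "ca.crt"),
}

PEM_TYPE = {"cert": b"-----BEGIN CERTIFICATE-----", "key": b"PRIVATE KEY-----"}


def build_all_in_one_secret(sources, key_map, name="concourse-web", namespace="concourse"):
    """Assemble the single Secret the chart mounts when secrets.create=false.

    `sources` is a list of decoded Secret objects. A missing source key or a
    key/cert mix-up raises here, instead of surfacing later as a FailedMount
    or a TLS handshake failure on the running web pod.
    """
    by_name = {s["metadata"]["name"]: s for s in sources}
    data = {}
    for target, (src_name, src_key) in key_map.items():
        try:
            raw = base64.b64decode(by_name[src_name]["data"][src_key], validate=True)
        except KeyError as exc:
            raise ValueError(f"{target}: source {src_name}/{src_key} missing ({exc})") from None
        kind = "key" if target.endswith("-key") else "cert"
        if PEM_TYPE[kind] not in raw:
            raise ValueError(f"{target}: {src_name}/{src_key} is not a PEM {kind}")
        data[target] = base64.b64encode(raw).decode()
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name, "namespace": namespace}, "data": data}


if __name__ == "__main__":
    # Pipe the output to `kubectl apply -f -` once the key map is confirmed.
    print(json.dumps(build_all_in_one_secret([CERT_MANAGER_SECRET], KEY_MAP), indent=2))
```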