datastax / pulsar-helm-chart

Apache Pulsar Helm chart
Apache License 2.0

[TLS-CM] Heartbeat and bastion mount k8s secrets containing TLS CA certs although CertManager is enabled #204

Closed MMirelli closed 2 years ago

MMirelli commented 2 years ago

Heartbeat and bastion components appear to mount self-signed certs even when deploying in TLS CertManager mode (SelfSigned disabled).

When deploying with the following values

```
helm --set "secrets='',createCertificates.selfSigned.enabled=false,createCertificates.selfSignedPerComponent.enabled=false" install ...
```

The command returns:

```
broker-0 $ env | grep "tlsTrustCertsFilePath"
tlsTrustCertsFilePath=/etc/ssl/certs/ca-certificates.crt
```

Hinting that the trustCertsStore is /etc/ssl/certs/ca-certificates.crt.

However, bastion and heartbeat pods are still mounting a secret and extracting the certs from there.

https://github.com/datastax/pulsar-helm-chart/blob/dff358c9ce9e23ac3050b3eee31912a352b86ec1/helm-chart-sources/pulsar/templates/bastion/bastion-deployment.yaml#L91-L98

https://github.com/datastax/pulsar-helm-chart/blob/dff358c9ce9e23ac3050b3eee31912a352b86ec1/helm-chart-sources/pulsar/templates/pulsar-heartbeat/pulsar-heartbeat-deployment.yaml#L64-L71

In this scenario, to my understanding, heartbeat and bastion pods should only use the CM-signed certificate: /etc/ssl/certs/ca-certificates.crt, so there is no need to mount external k8s secrets containing self-signed TLS certificates.
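A quick way to confirm the behaviour reported above on a running release is to list which workloads still mount TLS material from a Secret and what trust store their containers are configured with. The script below is an added example for this issue, not code from the pulsar-helm-chart project; it reads the JSON printed by `kubectl get deployments,statefulsets -n <namespace> -o json`. The Secret name `pulsar-tls`, the mount paths and the sample workload specs it ships with are constructed input, not values taken from the chart.

```python
"""Audit which Pulsar workloads mount TLS material from Kubernetes Secrets.

Added example for this issue; not code from the pulsar-helm-chart project.
With createCertificates.selfSigned.enabled=false the trust store is the
system bundle, so a workload that still mounts a chart-generated TLS Secret
is worth a look. Sample input below is constructed (Secret name `pulsar-tls`
and the mount paths are assumptions).
"""
import json
import re
import sys

SYSTEM_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
TRUST_ENV = "tlsTrustCertsFilePath"
# Heuristic for Secret names carrying TLS material; tune it to your release.
TLS_SECRET_RE = re.compile(r"tls|cert", re.IGNORECASE)


def secret_mounts(pod_spec):
    """Yield (container, mountPath, secretName) for every mount backed by a Secret volume."""
    by_volume = {
        v["name"]: v["secret"]["secretName"]
        for v in pod_spec.get("volumes", [])
        if "secret" in v
    }
    for container in pod_spec.get("containers", []):
        for mount in container.get("volumeMounts", []):
            if mount["name"] in by_volume:
                yield container["name"], mount["mountPath"], by_volume[mount["name"]]


def trust_paths(pod_spec):
    """Set of tlsTrustCertsFilePath values across containers (empty if none sets it)."""
    return {
        env["value"]
        for container in pod_spec.get("containers", [])
        for env in container.get("env", [])
        if env.get("name") == TRUST_ENV and "value" in env
    }


def audit(workload_list, secret_re=TLS_SECRET_RE):
    """One finding per Deployment/StatefulSet that mounts a Secret matching secret_re.

    Each finding also records the configured trust store, so a mounted Secret
    that tlsTrustCertsFilePath never points at stands out."""
    findings = []
    for obj in workload_list.get("items", []):
        if obj.get("kind") not in ("Deployment", "StatefulSet"):
            continue
        pod_spec = obj["spec"]["template"]["spec"]
        mounts = [m for m in secret_mounts(pod_spec) if secret_re.search(m[2])]
        if mounts:
            findings.append({
                "workload": obj["metadata"]["name"],
                "mounts": mounts,
                "trust": sorted(trust_paths(pod_spec)),
            })
    return findings


def _workload(kind, name, containers, volumes):
    """Build a minimal workload object in the shape kubectl prints (constructed sample)."""
    return {"kind": kind, "metadata": {"name": name},
            "spec": {"template": {"spec": {"containers": containers, "volumes": volumes}}}}


# Constructed sample: heartbeat and bastion mount a TLS Secret, the broker does not.
SAMPLE = {"kind": "List", "items": [
    _workload("Deployment", "pulsar-heartbeat",
              [{"name": "pulsar-heartbeat",
                "volumeMounts": [{"name": "certs", "mountPath": "/pulsar/certs", "readOnly": True}]}],
              [{"name": "certs", "secret": {"secretName": "pulsar-tls"}}]),
    _workload("Deployment", "pulsar-bastion",
              [{"name": "pulsar-bastion",
                "env": [{"name": TRUST_ENV, "value": SYSTEM_CA_BUNDLE}],
                "volumeMounts": [{"name": "certs", "mountPath": "/pulsar/certs"}]}],
              [{"name": "certs", "secret": {"secretName": "pulsar-tls"}}]),
    _workload("StatefulSet", "pulsar-broker",
              [{"name": "pulsar-broker",
                "env": [{"name": TRUST_ENV, "value": SYSTEM_CA_BUNDLE}],
                "volumeMounts": [{"name": "logs", "mountPath": "/pulsar/logs"}]}],
              [{"name": "logs", "emptyDir": {}}]),
]}


def main(argv):
    """Usage: python audit_tls_mounts.py [kubectl-json-file]; uses SAMPLE when no file is given."""
    with open(argv[1]) if len(argv) > 1 else None or _null() as fh:
        data = json.load(fh) if fh else SAMPLE
    findings = audit(data)
    for f in findings:
        print(f"{f['workload']}: trust={f['trust'] or ['(unset)']}")
        for container, path, secret in f["mounts"]:
            print(f"  {container} mounts Secret {secret} at {path}")
    return 1 if findings else 0


class _null:
    """Context manager standing in for 'no file', so main() reads SAMPLE offline."""
    def __enter__(self):
        return None

    def __exit__(self, *exc):
        return False


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against real output with `kubectl get deployments,statefulsets -n <namespace> -o json > workloads.json` and then `python audit_tls_mounts.py workloads.json`; a non-zero exit means at least one workload still mounts a TLS-looking Secret, and an empty `trust` list on a finding means the container never references a trust path at all, which is the case the issue describes for heartbeat and bastion.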