Closed ddieruf closed 2 years ago
I should also include the note that this newly patched secret was then used in the helm values as:
tls:
ssCaCert:
tlsSecretName: pulsar.my-domain.com-tls
Which seemed a little odd that I had to include this value in an area that is meant for a self-signed CA cert.
I'm also hitting this problem. bastion and pulsarheartbeat deployments don't finish.
pulsar 3s Warning FailedMount pod/pulsar-luna-useast1-staging-bastion-85d4448f9b-zmdrv Unable to attach or mount volumes: unmounted volumes=[certs], unattached volumes=[token-public-key token-admin token-superuser certs kube-api-access-827fp token-private-key]: timed out waiting for the condition
pulsar 14s Warning FailedMount pod/pulsar-luna-useast1-staging-pulsarheartbeat-778d59bb64-xqpxc Unable to attach or mount volumes: unmounted volumes=[certs], unattached volumes=[config-volume certs kube-api-access-lrxb9]: timed out waiting for the condition
usually there's a condition {{- if or .Values.secrets .Values.createCertificates.selfSigned.enabled .Values.createCertificates.selfSignedPerComponent.enabled }}
before assuming that there's a ca.crt available.
This logic is missing from helm-chart-sources/pulsar/templates/bastion/bastion-deployment.yaml and helm-chart-sources/pulsar/templates/pulsar-heartbeat/pulsar-heartbeat-deployment.yaml
I noticed that @MMirelli attempted to address this with https://github.com/MMirelli/pulsar-helm-chart/commit/36836155d83a427598c06da3d48e1acb140f54bf and https://github.com/MMirelli/pulsar-helm-chart/commit/0c3a6e12cc7843af8f2d329bfbdbcca1ae32ddc8
There's a fix in #233
Nice! I'll try it out.
In my case I wanted to
enableTls: true
and was using a ClusterIssuer of letsencrypt-prod. When the certificate secret was created (ie: the certificate was issued) the values oftls.crt
andtls.key
were present in the secret. But this helm chart is expecting an additional value ofca.crt
within the secret for components like heartbeat (example).According to this cert-manager issue it is a common desire to have this third value. The use of feature-gates while deploying cert-manager was discussed but things didn't line up enough for me to go this route.
Within the issue there was a workaround that extracts the intermediates & ca from the
tls.crt
chain and patches the new value in the secret. This seemed to solve my issue.