Enabling TLS while using external certificates

datastax / pulsar-helm-chart

Apache Pulsar Helm chart

Apache License 2.0

46 stars 38 forks source link

Enabling TLS while using external certificates #220

Closed ddieruf closed 2 years ago

ddieruf commented 2 years ago

In my case I wanted to enableTls: true and was using a ClusterIssuer of letsencrypt-prod. When the certificate secret was created (ie: the certificate was issued) the values of tls.crt and tls.key were present in the secret. But this helm chart is expecting an additional value of ca.crt within the secret for components like heartbeat (example).

According to this cert-manager issue it is a common desire to have this third value. The use of feature-gates while deploying cert-manager was discussed but things didn't line up enough for me to go this route.

Within the issue there was a workaround that extracts the intermediates & ca from the tls.crt chain and patches the new value in the secret. This seemed to solve my issue.

kubectl patch secret \
  -n <namespace> <secret name> \
  -p="{\"data\":{\"ca.crt\": \"$(kubectl get secret \
  -n <namespace> <secret name> \
  -o json -o=jsonpath="{.data.tls\.crt}" \
  | base64 -d | awk 'f;/-----END CERTIFICATE-----/{f=1}' - | base64 -w 0)\"}}"

ddieruf commented 2 years ago

I should also include the note that this newly patched secret was then used in the helm values as:

tls:
  ssCaCert:
    tlsSecretName: pulsar.my-domain.com-tls

Which seemed a little odd that I had to include this value in an area that is meant for a self-signed CA cert.

lhotari commented 2 years ago

I'm also hitting this problem. bastion and pulsarheartbeat deployments don't finish.

pulsar      3s          Warning   FailedMount         pod/pulsar-luna-useast1-staging-bastion-85d4448f9b-zmdrv            Unable to attach or mount volumes: unmounted volumes=[certs], unattached volumes=[token-public-key token-admin token-superuser certs kube-api-access-827fp token-private-key]: timed out waiting for the condition
pulsar      14s         Warning   FailedMount         pod/pulsar-luna-useast1-staging-pulsarheartbeat-778d59bb64-xqpxc    Unable to attach or mount volumes: unmounted volumes=[certs], unattached volumes=[config-volume certs kube-api-access-lrxb9]: timed out waiting for the condition

usually there's a condition {{- if or .Values.secrets .Values.createCertificates.selfSigned.enabled .Values.createCertificates.selfSignedPerComponent.enabled }} before assuming that there's a ca.crt available. This logic is missing from helm-chart-sources/pulsar/templates/bastion/bastion-deployment.yaml and helm-chart-sources/pulsar/templates/pulsar-heartbeat/pulsar-heartbeat-deployment.yaml

I noticed that @MMirelli attempted to address this with https://github.com/MMirelli/pulsar-helm-chart/commit/36836155d83a427598c06da3d48e1acb140f54bf and https://github.com/MMirelli/pulsar-helm-chart/commit/0c3a6e12cc7843af8f2d329bfbdbcca1ae32ddc8

lhotari commented 2 years ago

There's a fix in #233

ddieruf commented 2 years ago

Nice! I'll try it out.