jaegertracing / helm-charts

Helm Charts for Jaeger backend
Apache License 2.0

[Bug]: would like to disable cert-manager, but I still check Cert when starting the service #492

Open shicli opened 11 months ago

shicli commented 11 months ago

What happened?

I am deploying jaeger-operator 1.47.0 through helm-charts 1.46.0 and would like to disable cert-manager, as we have our own TLS service. I disabled it in values, but the cert is still checked when starting the service. May I know how to handle this change?

Disable webhooks and certificates via values.yaml

certs:
  issuer:
    create: false
    name: ""
  certificate:
    create: false
    namespace: ""
    secretName: ""
    issuerKind: Issuer

webhooks:
  mutatingWebhook:
    create: false
  validatingWebhook:
    create: false
    port: 9443
  service:
    annotations: {}
    create: false
    name: ""

Expected behavior

I disabled them in values, but the cert is still checked when starting the service. May I know how to handle this change?

Relevant log output

  Warning  FailedMount  50s (x10 over 5m)    kubelet            MountVolume.SetUp failed for volume "cert" : secret "jaeger-operator-service-cert" not found
  Warning  FailedMount  42s (x2 over 2m57s)  kubelet            Unable to attach or mount volumes: unmounted volumes=[cert], unattached volumes=[cert kube-api-access-7bkf8]: timed out waiting for the condition

Version (please complete the following information):

helm-charts 1.46.0, jaeger-operator 1.47.0, Kubernetes v1.23, Linux

helm install jaeger jaeger-operator -n observability

shicli commented 11 months ago

@czomo @mjnagel, I am deploying Jaeger-operator 1.47 through helm-chart 1.46 and I would like to disable certificate manager as we have our own TLS platform. Is it feasible? During deployment, it was found that even if values is set to false, pod startup still looks for certs, resulting in pod startup failure.

klinch0 commented 7 months ago

solution:

1)

# "hosts" become the certificate SANs: list the DNS name(s)/IP(s) the certificate will be served under
cat <<EOF | cfssl genkey - | cfssljson -bare server
{
  "hosts": [
    "kubernetes.default.svc.cluster.local",
    "10.96.0.1"
  ],
  "key": {
    "algo": "ecdsa",
    "size": 256
  }
}
EOF

2)

cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: kubernetes.default
spec:
  request: $(cat server.csr | base64 | tr -d '\n')
  signerName: example.com/serving
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

2.1) kubectl certificate approve kubernetes.default   # the CSR name from metadata.name above

3)

cat <<EOF | cfssl gencert -initca - | cfssljson -bare ca
{
  "CN": "My Example Signer",
  "key": {
    "algo": "rsa",
    "size": 2048
  }
}
EOF

4)

# single quotes keep the JSON's double quotes intact; '>' overwrites any stale file instead of appending
echo '
{
    "signing": {
        "default": {
            "usages": [
                "digital signature",
                "key encipherment",
                "server auth"
            ],
            "expiry": "876000h",
            "ca_constraint": {
                "is_ca": false
            }
        }
    }
}
' > server-signing-config.json

5)

kubectl get csr kubernetes.default -o jsonpath='{.spec.request}' | \
  base64 --decode | \
  cfssl sign -ca ca.pem -ca-key ca-key.pem -config server-signing-config.json - | \
  cfssljson -bare ca-signed-server

6)

kubectl get csr kubernetes.default -o json | \
jq '.status.certificate = "'$(base64 ca-signed-server.pem | tr -d '\n')'"' | \
kubectl replace --raw /apis/certificates.k8s.io/v1/certificatesigningrequests/kubernetes.default/status -f -

7)

kubectl get csr kubernetes.default -o jsonpath='{.status.certificate}' \
    | base64 --decode > server.crt

8)

kubectl create secret tls jaeger-operator-service-cert --cert server.crt --key server-key.pem
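An added example in Go, not from this thread or the chart, that does in one program what steps 1-8 do with cfssl and the CSR API: it mints a self-signed serving certificate (instead of one signed by a private CA) with the same usages as the signing config above, and checks before `kubectl create secret tls` that the cert names the webhook host and has not expired. The service DNS name in the test is an assumption; the chart's `webhooks.service.name` decides the real one.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// GenServingCert: a self-signed leaf carrying the usages of the signing config above (server auth, not a CA).
func GenServingCert(dnsNames []string, ttl time.Duration) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		DNSNames:     dnsNames, // SANs: every name the API server may dial the webhook on
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // IsCA stays false, like ca_constraint above
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// CheckServingCert: pre-install check on tls.crt; a wrong host or an expired cert mounts fine but every webhook call then fails TLS.
func CheckServingCert(certPEM []byte, host string) error {
	blk, _ := pem.Decode(certPEM)
	if blk == nil {
		return fmt.Errorf("no PEM certificate found")
	}
	c, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return err
	}
	if time.Now().After(c.NotAfter) {
		return fmt.Errorf("certificate expired at %s", c.NotAfter.UTC())
	}
	return c.VerifyHostname(host) // matches against the SAN list, not the CN
}
```

Write the two PEMs to server.crt and server-key.pem and pass them to the `kubectl create secret tls jaeger-operator-service-cert` command from step 8.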

shicli commented 3 months ago

@klinch0 thx