temporalio / helm-charts

Temporal Helm charts
MIT License

[Feature Request] Installing Temporal in Kubernetes with TLS certs in existing secret/configmap. #473

Closed bwgit824 closed 1 month ago

bwgit824 commented 4 months ago

Hello.

I'm installing Temporal in Kubernetes via the helm chart (https://github.com/temporalio/helm-charts/tree/master) and I want to set up TLS. I see the TLS settings here https://github.com/temporalio/helm-charts/blob/master/charts/temporal/values.yaml (server.config.tls). I generate certificates as in this https://github.com/temporalio/samples-server/tree/main/tls/tls-simple example. But I don't understand how to take them from the existing Kubernetes secret/configmap. There are additionalVolumes and additionalVolumeMounts in the same values.yaml, but I do not know the correct syntax to add to the installation command. The current .gitlab-ci.yml command is like this:

script:

How can I add an existing secret/configmap here and attach it to Temporal?

Thanks.

wrbbz commented 4 months ago

Hi! My suggestion to you - use one values.yaml file for all Helm Chart configuration.

In my case, I'm using existing cert files like this:

....
server:
  additionalVolumeMounts:
    - name: temporal-tls
      mountPath: /some/path/for/tls
  additionalVolumes:
    - name: temporal-tls
      secret:
        defaultMode: 420
        secretName: yourTlsSecretName
  config:
    tls:
      frontend:
        server:
          keyFile: /some/path/for/tls/tls.key
          certFile: /some/path/for/tls/tls.cert
        client:
          serverName: SERVERNAME

That should do the trick
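A pre-deploy check for the values shown in the comment above, as an added example that is not part of the thread or the chart: it confirms that every `keyFile`/`certFile` path under `server.config.tls` sits inside a mounted secret volume, and flags a `defaultMode` that lets group or other read the private key (420 decimal is octal 0644). The helper names are hypothetical, and the values are assumed to be already parsed from YAML into a dict.

```python
import posixpath

# Constructed sample: the values from the comment above, as already-parsed YAML.
SAMPLE_VALUES = {
    "server": {
        "additionalVolumeMounts": [
            {"name": "temporal-tls", "mountPath": "/some/path/for/tls"}],
        "additionalVolumes": [
            {"name": "temporal-tls",
             "secret": {"defaultMode": 420, "secretName": "yourTlsSecretName"}}],
        "config": {"tls": {"frontend": {
            "server": {"keyFile": "/some/path/for/tls/tls.key",
                       "certFile": "/some/path/for/tls/tls.cert"},
            "client": {"serverName": "SERVERNAME"}}}},
    }
}

def tls_file_refs(node, trail=()):
    """Yield (dotted key, path) for every string-valued *File key under node."""
    if isinstance(node, dict):
        for key, val in node.items():
            if isinstance(val, str) and key.endswith("File"):
                yield ".".join(trail + (key,)), val
            else:
                yield from tls_file_refs(val, trail + (key,))

def check_tls_mounts(values):
    """Return findings (hypothetical helper) for TLS paths vs. mounted secrets."""
    server = values.get("server", {})
    volumes = {v["name"]: v for v in server.get("additionalVolumes", [])}
    mounts = server.get("additionalVolumeMounts", [])
    findings = []
    for key, path in tls_file_refs(server.get("config", {}).get("tls", {})):
        norm = posixpath.normpath(path)
        mount = next((m for m in mounts if norm.startswith(
            posixpath.normpath(m["mountPath"]) + "/")), None)
        if mount is None:
            findings.append(f"{key}: {path} is not under any additionalVolumeMounts path")
            continue
        secret = volumes.get(mount["name"], {}).get("secret")
        if secret is None:
            findings.append(f"{key}: volume {mount['name']!r} is missing or not a secret")
        elif key.endswith("keyFile") and secret.get("defaultMode", 0o644) & 0o077:
            findings.append(f"{key}: defaultMode {secret.get('defaultMode', 0o644):o} "
                            "lets group/other read the private key")
    return findings
```

On the sample this reports one finding, for the key file's mode. Any tighter mode still has to leave the files readable by the user the Temporal server container runs as.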

robholland commented 1 month ago

This looks like a valid solution to your question, I shall close the issue. Please re-open if this does not solve the issue.