wandb / helm-charts

Our official helm charts for deploying wandb into k8s
MIT License

fix: Fix CACert value reference #195

Closed flamarion closed 2 months ago

flamarion commented 2 months ago

This may fix the injection of a custom CA into the wandb-app if the intention is to make the certs a global config.

If the idea is to make it local to the app only, I can move it to the correct chart.

helm dependency build ./charts/operator-wandb
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "metrics-server" chart repository
...Successfully got an update from the "descheduler" chart repository
...Successfully got an update from the "ceph-csi" chart repository
...Successfully got an update from the "ingress-nginx" chart repository
...Successfully got an update from the "cert-manager-webhook-pdns" chart repository
...Successfully got an update from the "hashicorp" chart repository
...Successfully got an update from the "seldon-charts" chart repository
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "istio" chart repository
...Successfully got an update from the "argo" chart repository
...Successfully got an update from the "grafana" chart repository
...Successfully got an update from the "wandb" chart repository
...Successfully got an update from the "prometheus-community" chart repository
...Successfully got an update from the "flyteorg" chart repository
...Successfully got an update from the "gitlab" chart repository
...Successfully got an update from the "datawire" chart repository
...Successfully got an update from the "bitnami" chart repository
Update Complete. _Happy Helming!_
Saving 14 charts
Downloading redis from repo https://charts.bitnami.com/bitnami
Downloading kafka from repo https://charts.bitnami.com/bitnami
Deleting outdated charts

Upgrade the deployment

helm upgrade \
>     --install wandb \
>     ./charts/operator-wandb -f wandb-app.yaml
Release "wandb" has been upgraded. Happy Helming!
NAME: wandb
LAST DEPLOYED: Thu Aug  1 14:24:34 2024
NAMESPACE: default
STATUS: deployed
REVISION: 4
TEST SUITE: None

Results:

Before

Defaulted container "app" out of: app, init-db (init)
*** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
*** Running /etc/my_init.d/01_enable-services.sh...
*** Found custom SSL certifcates, updating root trust...
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
*** Enabling production mode
*** Enabling external weave server pool
*** Running /etc/my_init.d/02_load-settings.sh...

After

Defaulted container "app" out of: app, init-db (init)
*** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
*** Running /etc/my_init.d/01_enable-services.sh...
*** Found custom SSL certifcates, updating root trust...
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
rehash: warning: skipping customCA0.pem,it does not contain exactly one certificate or CRL
2 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
*** Enabling production mode
*** Enabling external weave server pool
*** Running /etc/my_init.d/02_load-settings.sh...

Internal test

 kubectl exec -ti wandb-app-db989bf67-tgqrd -- bash
Defaulted container "app" out of: app, init-db (init)

wandb@wandb-app-db989bf67-tgqrd:~$ curl -v https://git.home.lab
*   Trying 192.168.10.60:443...
* Connected to git.home.lab (192.168.10.60) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
[....]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.home.lab
*  start date: Jul  9 15:56:40 2024 GMT
*  expire date: Jul  8 15:57:40 2029 GMT
*  subjectAltName: host "git.home.lab" matched cert's "*.home.lab"
*  issuer: O=HomeLab; CN=HomeLab Intermediate CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x55f161a24eb0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: git.home.lab
> user-agent: curl/7.81.0
flamarion commented 2 months ago

This is how the configuration looks in the YAML

[...]
global:
  bucket:
[...]
  customCACerts:
  - |
    -----BEGIN CERTIFICATE-----
    MIIBnDCCAUKgAwIBAgIRALt+/LEb2TdSeCVlVAFfucMwCgYIKoZIzj0EAwIwLDEQ
    MA4GA1UEChMHSG9tZUxhYjEYMBYGA1UEAxMPSG9tZUxhYiBSb290IENBMB4XDTI0
    MDQwMTA4MjgzMFoXDTM0MDMzMDA4MjgzMFowLDEQMA4GA1UEChMHSG9tZUxhYjEY
    MBYGA1UEAxMPSG9tZUxhYiBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
    QgAEqXGk4+Op8IpZo0bvVHp7/+bh2dUB0lsKS/s2k5sFnwDdn5U2dGuEf/ThphdY
    kXu96J8QLLi3ajyU1t3AqDxXiqNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB
    /wQIMAYBAf8CAQEwHQYDVR0OBBYEFACUX+y7e6joNWYggsMo8O+0mWLYMAoGCCqG
    SM49BAMCA0gAMEUCIQDejznNXCMUfBo1eIrjiVFhwuJgyQRaqMI149div72V2QIg
    P5GD+5I+02yEp58Cwxd5Bj2CvyQwTjTO4hiVl1Xd0M0=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIBxTCCAWugAwIBAgIRAMXl8L4i99gapX+WGdpqaJcwCgYIKoZIzj0EAwIwLDEQ
    MA4GA1UEChMHSG9tZUxhYjEYMBYGA1UEAxMPSG9tZUxhYiBSb290IENBMB4XDTI0
    MDQwMTA4MjgzMVoXDTM0MDMzMDA4MjgzMVowNDEQMA4GA1UEChMHSG9tZUxhYjEg
    MB4GA1UEAxMXSG9tZUxhYiBJbnRlcm1lZGlhdGUgQ0EwWTATBgcqhkjOPQIBBggq
    hkjOPQMBBwNCAAQDzmSJjNVT2eqxpCn/Zsb+RaskgIDEPRRNrAjwuL5IJ3XZjvGC
    MaWcPQHhxG5aIWfmIX83zAYRKYXUZcYfnYuJo2YwZDAOBgNVHQ8BAf8EBAMCAQYw
    EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUK+moK4nZYvpNpqfvz/7m5wKU
    zgYwHwYDVR0jBBgwFoAUAJRf7Lt7qOg1ZiCCwyjw77SZYtgwCgYIKoZIzj0EAwID
    SAAwRQIhAIzXZMW44l6XMf9Nf4TxTevK8vE4Ic6E8UFqsCcILdXjAiA7iTluM0IU
    aIgJYVqKxXt25blH/VyBRzvNhViesfkNUQ==
    -----END CERTIFICATE-----
  host: https://wandb.home.lab
[...]
flamarion commented 2 months ago

I fixed the error message so both root and intermediate certs were added separately.

  customCACerts:
  - |
    -----BEGIN CERTIFICATE-----
    MIIBnDCCAUKgAwIBAgIRALt+/LEb2TdSeCVlVAFfucMwCgYIKoZIzj0EAwIwLDEQ
    MA4GA1UEChMHSG9tZUxhYjEYMBYGA1UEAxMPSG9tZUxhYiBSb290IENBMB4XDTI0
    MDQwMTA4MjgzMFoXDTM0MDMzMDA4MjgzMFowLDEQMA4GA1UEChMHSG9tZUxhYjEY
    MBYGA1UEAxMPSG9tZUxhYiBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
    QgAEqXGk4+Op8IpZo0bvVHp7/+bh2dUB0lsKS/s2k5sFnwDdn5U2dGuEf/ThphdY
    kXu96J8QLLi3ajyU1t3AqDxXiqNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB
    /wQIMAYBAf8CAQEwHQYDVR0OBBYEFACUX+y7e6joNWYggsMo8O+0mWLYMAoGCCqG
    SM49BAMCA0gAMEUCIQDejznNXCMUfBo1eIrjiVFhwuJgyQRaqMI149div72V2QIg
    P5GD+5I+02yEp58Cwxd5Bj2CvyQwTjTO4hiVl1Xd0M0=
    -----END CERTIFICATE-----
  - |
    -----BEGIN CERTIFICATE-----
    MIIBxTCCAWugAwIBAgIRAMXl8L4i99gapX+WGdpqaJcwCgYIKoZIzj0EAwIwLDEQ
    MA4GA1UEChMHSG9tZUxhYjEYMBYGA1UEAxMPSG9tZUxhYiBSb290IENBMB4XDTI0
    MDQwMTA4MjgzMVoXDTM0MDMzMDA4MjgzMVowNDEQMA4GA1UEChMHSG9tZUxhYjEg
    MB4GA1UEAxMXSG9tZUxhYiBJbnRlcm1lZGlhdGUgQ0EwWTATBgcqhkjOPQIBBggq
    hkjOPQMBBwNCAAQDzmSJjNVT2eqxpCn/Zsb+RaskgIDEPRRNrAjwuL5IJ3XZjvGC
    MaWcPQHhxG5aIWfmIX83zAYRKYXUZcYfnYuJo2YwZDAOBgNVHQ8BAf8EBAMCAQYw
    EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUK+moK4nZYvpNpqfvz/7m5wKU
    zgYwHwYDVR0jBBgwFoAUAJRf7Lt7qOg1ZiCCwyjw77SZYtgwCgYIKoZIzj0EAwID
    SAAwRQIhAIzXZMW44l6XMf9Nf4TxTevK8vE4Ic6E8UFqsCcILdXjAiA7iTluM0IU
    aIgJYVqKxXt25blH/VyBRzvNhViesfkNUQ==
    -----END CERTIFICATE-----

Logs are much better now :)

Defaulted container "app" out of: app, init-db (init)
*** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
*** Running /etc/my_init.d/01_enable-services.sh...
*** Found custom SSL certifcates, updating root trust...
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
3 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
*** Enabling production mode
*** Enabling external weave server pool
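As an added example (not part of the PR or of the chart's own code), a small Python check that applies the rule behind the rehash warning seen in the logs above: each customCACerts entry must hold exactly one PEM certificate, and an entry bundling several is split into one-per-entry the way the final config does. The customCA{N}.pem file name is taken from the pod log and assumed to be index-based; the certificate bodies are constructed dummy DER blobs, not real CAs.

```python
import base64
import re

# One PEM certificate block, armor lines included.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed sample entries: the body is a minimal DER SEQUENCE, not a real certificate.
ROOT_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
INTERMEDIATE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQI=\n-----END CERTIFICATE-----\n"
# Shape of the first config: both certs inside a single list item.
BUNDLED_ENTRY = ROOT_PEM + INTERMEDIATE_PEM


def pem_blocks(entry: str) -> list[str]:
    """Return every PEM certificate block found in one customCACerts entry."""
    return [m.group(0) for m in _PEM_BLOCK.finditer(entry)]


def looks_like_der_certificate(block: str) -> bool:
    """Cheap sanity check: the base64 body must decode and start with a DER SEQUENCE tag (0x30)."""
    body = "".join(_PEM_BLOCK.match(block).group("body").split())
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return len(der) > 2 and der[0] == 0x30


def check_entries(entries: list[str]) -> list[str]:
    """Report entries the rehash step would skip (not exactly one cert) or that are not certificates."""
    problems = []
    for i, entry in enumerate(entries):
        name = f"customCA{i}.pem"  # assumed index-based naming, matching the log line
        blocks = pem_blocks(entry)
        if len(blocks) != 1:
            problems.append(f"{name}: {len(blocks)} certificates, rehash needs exactly one")
        for block in blocks:
            if not looks_like_der_certificate(block):
                problems.append(f"{name}: PEM body is not a DER certificate")
    return problems


def split_bundles(entries: list[str]) -> list[str]:
    """Flatten bundled entries so every customCACerts item carries exactly one certificate."""
    return [block for entry in entries for block in pem_blocks(entry)]


if __name__ == "__main__":
    print(check_entries([BUNDLED_ENTRY]))          # flags customCA0.pem
    print(check_entries(split_bundles([BUNDLED_ENTRY])))  # []
```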