Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Install from chart to k8s with TLS #52

Open
xed0 opened this issue Oct 19, 2022 · 2 comments
Open

Install from chart to k8s with TLS #52

xed0 opened this issue Oct 19, 2022 · 2 comments

Comments

@xed0
Copy link

xed0 commented Oct 19, 2022

Hi,
Going through the installation instructions and chart templates, I find no option for enabling TLS in the application but only on ingress.
What are the steps required to enable TLS in the application? If it's unnecessary or impossible, how can I enable TLS for the ingress while the application is still only listening on 8080 (HTTP)?
Thanks
@Th4n05
Copy link

Th4n05 commented Feb 9, 2023

Hi,
as i can see, the only way to enable TLS without ingress is to create a volume, copy cert, key on it, create chart with extraArgs --tls-key=path-to-tls-key & --tls-cert=path-to-tls-cert.
If you have found a better solution please let me know.

@volker-raschek
Copy link

Hi @xed0,
there are also the environment variables TLS_CERT, TLS_KEY and TLS_CA_CERT available.

I've defined an certificate via the cert-manager to mount the tls certificate and private key into the container filesystem via extraVolumes and extraVolumeMounts. Additionally, I've defined the TLS_* environment variables.

env:
  open:
    TLS_CERT: /etc/chartmuseum/tls/tls.crt
    TLS_KEY: /etc/chartmuseum/tls/tls.key
    TLS_CA_CERT: /etc/chartmuseum/tls/ca.crt
    
deployment:
  annotations: {}
  labels: {}
  extraVolumes:
  - name: chartmuseum-tls
    secret:
      secretName: chartmuseum-tls
  extraVolumeMounts:
  - name: chartmuseum-tls
    mountPath: /etc/chartmuseum/tls

This works, but the probes are now a problem. It's possible to change the scheme to https, but the application wants that the client, in this case the kubelet, to authenticate via TLS, which is not possible, because the kubelet does not have a valid TLS certificate.

{"L":"INFO","T":"2024-12-03T11:41:32.658Z","M":"Starting ChartMuseum","host":"0.0.0.0","port":8080}
2024/12/03 11:41:42 http: TLS handshake error from 10.244.7.1:55340: tls: client didn't provide a certificate
2024/12/03 11:41:42 http: TLS handshake error from 10.244.7.1:55338: tls: client didn't provide a certificate
2024/12/03 11:41:42 http: TLS handshake error from 10.244.7.1:55344: tls: client didn't provide a certificate

Other applications, for example gitea, use in cases of TLS authentication / encryption a unix socket probe. The helm chart does not provide a feature to customize the kind of probe. For this reason it is not possible.

@cbuto, can you take care of it and provide a feature to customize the kind of probe?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@volker-raschek @Th4n05 @xed0