Helm chart secured cluster services - make ca.cert value + service-ca secret optional #7415
Comments
nikotih
changed the title
|
Hey @nikotih, thanks for the report. We agree and created a ticket in our internal tracking system https://issues.redhat.com/browse/ROX-19104 for this issue. If you want to take a stab yourself, a PR would also be welcome ;-) |
|
Thanks @stehessel Just found out our validating webhook was not working with "placeholder" ca.cert I presume you already know that, but just wanted to share. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi guys,
According to readme ca.cert is required but it does not make sense:
https://github.com/stackrox/helm-charts/blob/main/4.1.2/secured-cluster-services/README.md#deployment-with-pre-created-secrets
If you don't want Helm to manage your Kubernetes secrets, you can deploy the Secured Cluster Services chart without creating secrets. However, it requires that you always specify the StackRox CA certificate while installing or upgrading the Helm chart.
Enforcement comes from:
https://github.com/stackrox/helm-charts/blob/main/4.1.2/secured-cluster-services/templates/service-ca.yaml#L16
However:
a) admission controller deployment mounts it as optional
https://github.com/stackrox/helm-charts/blob/main/4.1.2/secured-cluster-services/templates/admission-controller.yaml#L138
b) admission controller first reads "tls" secret and only then falls back to service-ca secret
https://github.com/stackrox/stackrox/blob/master/sensor/admission-control/certs.go#L19
So we end up providing "placeholder" to ca.cert and then creating "tls" secrets outside of helm chart and it works just fine.
The text was updated successfully, but these errors were encountered: