nikotih changed the title from "Helm secured cluster services - make ca.cert value + service-ca secret optional" to "Helm chart secured cluster services - make ca.cert value + service-ca secret optional" on Aug 11, 2023
Thanks for the report. We agree and created a ticket in our internal tracking system https://issues.redhat.com/browse/ROX-19104 for this issue. If you want to take a stab yourself, a PR would also be welcome ;-)
Hi guys,
According to the README, ca.cert is required, but it does not make sense:
https://github.com/stackrox/helm-charts/blob/main/4.1.2/secured-cluster-services/README.md#deployment-with-pre-created-secrets
"If you don't want Helm to manage your Kubernetes secrets, you can deploy the Secured Cluster Services chart without creating secrets. However, it requires that you always specify the StackRox CA certificate while installing or upgrading the Helm chart."
Enforcement comes from:
https://github.com/stackrox/helm-charts/blob/main/4.1.2/secured-cluster-services/templates/service-ca.yaml#L16
However:
a) the admission controller deployment mounts it as optional:
https://github.com/stackrox/helm-charts/blob/main/4.1.2/secured-cluster-services/templates/admission-controller.yaml#L138
b) the admission controller first reads the "tls" secret and only then falls back to the service-ca secret:
https://github.com/stackrox/stackrox/blob/master/sensor/admission-control/certs.go#L19
So we end up providing "placeholder" as ca.cert and then creating the "tls" secrets outside of the Helm chart, and it works just fine.
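The lookup order the report describes (the "tls" secret mount first, the service-ca secret only as a fallback), as an added Go example that is not StackRox's own certs.go: a mount whose file is missing or is not a parseable CA certificate is skipped, so a placeholder value supplied only to satisfy the chart's check never becomes a trust root. The ca.pem file name, the mount layout and the newTestCA helper are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// loadCACert models the lookup order the issue describes: the "tls" secret mount is consulted
// first and the "service-ca" mount only as a fallback (the file name ca.pem is an assumption).
// A file that is not a PEM CA certificate, such as the literal "placeholder", is skipped.
func loadCACert(tlsMount, serviceCAMount string) (*x509.Certificate, string, error) {
	sources := []struct{ name, dir string }{{"tls", tlsMount}, {"service-ca", serviceCAMount}}
	for _, s := range sources {
		raw, _ := os.ReadFile(filepath.Join(s.dir, "ca.pem")) // absent mount: raw is nil
		block, _ := pem.Decode(raw)                            // nil for missing or non-PEM data
		if block == nil || block.Type != "CERTIFICATE" {
			continue
		}
		if cert, err := x509.ParseCertificate(block.Bytes); err == nil && cert.IsCA {
			return cert, s.name, nil
		}
	}
	return nil, "", errors.New("no usable CA certificate in tls or service-ca mount")
}

// newTestCA writes a throwaway self-signed CA to dir/ca.pem (constructed test data only).
func newTestCA(dir, cn string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, "ca.pem"), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600)
}
```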