Hello, I found many issues when manipulating TLS. The `secret` fields in helm-charts/charts/crowdsec/values.yaml (lines 157 to 213 in 46af5f3) are unused:

```yaml
tls:
  ## @param tls.enabled Is tls enabled ?
  enabled: false
  ## @param tls.caBundle pem format CA collection
  caBundle: true
  ## @param tls.insecureSkipVerify
  insecureSkipVerify: false
  ## @param tls.certManager [object] Use of a cluster certManager configuration
  certManager:
    ## @param tls.certManager.enabled [default: true] Use of a cluster cert manager
    enabled: true
    # -- Use existing issuer to sign certificates. Leave empty to generate a self-signed issuer
    issuerRef: {}
      # name: ""
      # kind: "ClusterIssuer"
    # -- Add annotations and/or labels to generated secret
    ## @param tls.certManager.secretTemplate [object] secret configuration
    secretTemplate:
      ## @param tls.certManager.secretTemplate.annotations [object] add annotation to generated secret
      annotations: {}
      ## @param tls.certManager.secretTemplate.labels [object] add annotation to generated labels
      labels: {}
    # -- duration for Certificate resources
    ## @param tls.certManager.duration [string] validity duration of certificate (golang duration string)
    duration: 2160h # 90d
    # -- renewBefore for Certificate resources
    ## @param tls.certManager.renewBefore [string] duration before a certificate’s expiry when cert-manager should start renewing it.
    renewBefore: 720h # 30d
  bouncer:
    ## @param tls.bouncer.secret [string] Name of the Kubernetes Secret containing TLS materials for the bouncer
    secret: "{{ .Release.Name }}-bouncer-tls"
    reflector:
      ## @param tls.bouncer.reflector.namespaces [array] List of namespaces from which the bouncer will watch and sync Secrets/ConfigMaps.
      namespaces: []
  agent:
    ## @param tls.agent.tlsClientAuth [default: true] Enables mutual TLS authentication for the agent when connecting to LAPI.
    tlsClientAuth: true
    ## @param tls.agent.secret [string] Name of the Secret holding the agent’s TLS certificate and key.
    secret: "{{ .Release.Name }}-agent-tls"
    reflector:
      ## @param tls.agent.reflector.namespaces [array] Namespaces where the agent’s TLS Secret can be reflected/synced.
      namespaces: []
  appsec:
    ## @param tls.appsec.tlsClientAuth [default: true] Enables mutual TLS authentication for the agent when connecting to LAPI.
    tlsClientAuth: true
    ## @param tls.appsec.secret [string] Name of the Secret holding the agent’s TLS certificate and key.
    secret: "{{ .Release.Name }}-agent-tls"
    reflector:
      ## @param tls.appsec.reflector.namespaces [array] Namespaces where the agent’s TLS Secret can be reflected/synced.
      namespaces: []
  lapi:
    ## @param tls.lapi.secret [string] Name of the Secret holding the lapidary's’s TLS certificate and key.
    secret: "{{ .Release.Name }}-lapi-tls"
    reflector:
      ## @param tls.lapi.reflector.namespaces [array] Namespaces where the LAPI TLS Secret can be reflected/synced.
      namespaces: []
  # If you want to specify secrets that will be used for all your crowdsec-agents
```
The secret names are also hardcoded:

```yaml
# helm-charts/charts/crowdsec/templates/tls/agent-certificate.yaml
  secretName: {{ .Release.Name }}-agent-tls
  duration: {{ .Values.tls.certManager.duration }}
```

```yaml
# helm-charts/charts/crowdsec/templates/tls/appsec-certificate.yaml
  secretName: {{ .Release.Name }}-appsec-server-tls
  duration: {{ .Values.tls.certManager.duration }}
```

```yaml
# helm-charts/charts/crowdsec/templates/tls/bouncer-certificate.yaml
  secretName: {{ .Release.Name }}-bouncer-tls
  duration: {{ .Values.tls.certManager.duration }}
```

```yaml
# helm-charts/charts/crowdsec/templates/tls/lapi-certificate.yaml
  secretName: {{ .Release.Name }}-lapi-tls
  duration: {{ .Values.tls.certManager.duration }}
```

```yaml
# helm-charts/charts/crowdsec/templates/lapi-deployment.yaml
{{- if .Values.tls.enabled }}
- name: crowdsec-lapi-tls
  secret:
    secretName: {{ .Release.Name }}-lapi-tls
- name: crowdsec-agent-tls
  secret:
    secretName: {{ .Release.Name }}-agent-tls
{{- end }}
```
It should be `{{ tpl .Values.tls.<component>.secret $ }}` in the `secretName`.

Additionally, when enabling `tls` and disabling `agent`, the lapi is still looking for an agent certificate. It should be wrapped between `{{ if .Values.agent.enabled }}`:

```yaml
# helm-charts/charts/crowdsec/templates/lapi-deployment.yaml
- name: crowdsec-agent-tls
  secret:
    secretName: {{ .Release.Name }}-agent-tls
{{- end }}
```
NB: I'm also using Appsec, I would probably like to also select the Appsec client tls certificate to be mounted on lapi instead of the agent tls certificate which doesn't exist.
I found this other issue about the different allowed OU which was already reported #239
Referenced locations (all at commit 46af5f3):

- helm-charts/charts/crowdsec/values.yaml, lines 157 to 213 (the unused `secret` fields)
- helm-charts/charts/crowdsec/templates/tls/agent-certificate.yaml, lines 9 to 10
- helm-charts/charts/crowdsec/templates/tls/appsec-certificate.yaml, lines 47 to 48
- helm-charts/charts/crowdsec/templates/tls/bouncer-certificate.yaml, lines 9 to 10
- helm-charts/charts/crowdsec/templates/tls/lapi-certificate.yaml, lines 12 to 13
- helm-charts/charts/crowdsec/templates/lapi-deployment.yaml, lines 304 to 311 (the volume list) and lines 308 to 311 (the agent volume that needs the `agent.enabled` guard)
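As an added illustration of the template shape the report asks for (this is example code, not the chart's own templates and not part of the original report): the LAPI volume list resolving each secret name through `tpl` and only mounting a client secret when that component is deployed. Value paths follow the values.yaml quoted above; `.Values.appsec.enabled` is assumed to exist alongside `.Values.agent.enabled`.

```yaml
# Added example: LAPI pod volumes honouring the configured secret names.
# `tpl` renders the default "{{ .Release.Name }}-..." strings from values.yaml,
# and `$` passes the root context so .Release is visible inside the rendered string.
{{- if .Values.tls.enabled }}
- name: crowdsec-lapi-tls
  secret:
    secretName: {{ tpl .Values.tls.lapi.secret $ }}
{{- if .Values.agent.enabled }}
# Only reference the agent client secret when an agent is actually deployed;
# otherwise the pod waits on a Secret that nothing creates.
- name: crowdsec-agent-tls
  secret:
    secretName: {{ tpl .Values.tls.agent.secret $ }}
{{- end }}
{{- if .Values.appsec.enabled }}
# Assumed key: .Values.appsec.enabled (mirrors agent.enabled).
- name: crowdsec-appsec-tls
  secret:
    secretName: {{ tpl .Values.tls.appsec.secret $ }}
{{- end }}
{{- end }}

# The matching Certificate resources would use the same lookup so the
# cert-manager output lands in the Secret the deployment mounts:
#   secretName: {{ tpl .Values.tls.agent.secret $ }}
#   duration: {{ .Values.tls.certManager.duration }}
#   renewBefore: {{ .Values.tls.certManager.renewBefore }}
```

Note that the values.yaml default for `tls.appsec.secret` quoted above is `"{{ .Release.Name }}-agent-tls"` while appsec-certificate.yaml writes `{{ .Release.Name }}-appsec-server-tls`; once `tpl` is used those two defaults need to agree or the appsec component mounts the wrong Secret.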