[bitnami/mongodb] Adding tls.pemChainIncluded value to support wider range of TLS certificates #16731
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ill allow secrets which contain certificates to only need the tls.key and tls.crt attributes. The assumption is that the tls.crt attribute contains a certificate chain. The generate-tls-certs initilization container will then split the certificate chain, using the first certificate as the leafnode and use in combination with tls.key for the /certs/mongodb.pem file. The remaining certificates in the chain will be placed in the /certs/mongodb-ca-cert file as the intermediary nodes. This supports the usage of cert-manager.io as there are cases where the secret returned by this controller do not include the ca.crt file. Signed-off-by: Douglas Thomson <[email protected]>
dgomezleon
requested changes
May 19, 2023
Returning original indentation and removing changes out of scope. Signed-off-by: Douglas Thomson <[email protected]>
|
@dgomezleon - The amendments have been made. Thank you for the review. |
Signed-off-by: David Gomez <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of the change
Adding the option tls.pemChainIncluded to values.
When enabled this treats the
tls.crtattribute as a certificate chain, with the assumption that the first certificate is the leaf node, and the remaining certificates are the intermediaries.The generate-tls-certs init container will then split this file, using the leaf node and tls.key for the /certs/mongodb.pem file and the remaining certificates for the /certs/mongodb-ca-cert file.
Benefits
This will enable users to use a wider range of certificates. Specifically ACME validated certificates from cert-manager which do not return the
ca.crtattribute in the secret.Possible drawbacks
Depending on how mutual TLS is configured, and how the cert manager is configured, the pem chain may not be suitable / or easily constructed in such an order.
It will also perform this file operation on all certificates when supplying multiple for replicasets or hidden nodes.
I feel that is a user is using certificates from different sources for each node then they have bigger problems to worry about!
Applicable issues
Additional information
This is mimicking a change to the Kafa chart #9422
Checklist
Chart.yamlaccording to semver. This is not necessary when the changes only affect README.md files.README.mdusing readme-generator-for-helm