Internal TLS certificate are mounted in the wrong path #100

Open
cgiraldo opened this issue Feb 14, 2025 · 0 comments
cgiraldo commented Feb 14, 2025

Related with #80

The Passbolt container image uses /etc/ssl/certs/certificate.crt and /etc/ssl/certs/certificate.key (see the contents of the /etc/nginx/snippets/passbolt-ssl.conf file).

However, the helm chart mounts the internal tls certificate at '/etc/ssl/certs/passbolt/server.crt' and '/etc/ssl/certs/passbolt/server-key.pem'.

- mountPath: /etc/ssl/certs/passbolt

Since it is common to use tls.key and tls.crt as the keys in kubernetes tls secrets, I propose to use a projected volume to be able to mount the kubernetes secret in the target paths /etc/ssl/certs/certificate.crt and /etc/ssl/certs/certificate.key.

example:

        volumeMounts:
        - mountPath: /etc/ssl/certs/certificate.crt
          name: sec-tls
          readOnly: true
          subPath: certificate.crt
        - mountPath: /etc/ssl/certs/certificate.key
          name: sec-tls
          readOnly: true
          subPath: certificate.key
    ...
      volumes:
      - name: sec-tls
        projected:
          defaultMode: 420
          sources:
          - secret:
              items:
              - key: tls.crt
                path: certificate.crt
              name: {{ include "passbolt.container.tls.secretName" (dict "name" $Name "tls" .Values.app.tls ) }}
          - secret:
              items:
              - key: tls.key
                path: certificate.key
              name: {{ include "passbolt.container.tls.secretName" (dict "name" $Name "tls" .Values.app.tls ) }}

The helper that generates the internal certs must also be updated to use tls.crt and tls.key instead of:

    server.crt: {{ $cert.Cert | b64enc }}
    server-key.pem: {{ $cert.Key | b64enc }}

With these changes, I was able to deploy passbolt with GatewayAPI TLSPassthrough and an external certificate provided by cert-manager.

If you found it a good solution I can make a pull-request with the changes.
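The following is an added example, not part of the issue above or of the passbolt-helm chart. It simulates how the kubelet turns Secret keys into files for a `secret` or `projected` volume, with and without `subPath`, and checks the resulting paths against the two files nginx reads. The Secret names (`passbolt-internal-tls`, `passbolt-tls`) and the two manifest fragments are constructed for illustration; the first fragment models the mount the issue describes as current, the second models the proposed projected volume.

```python
# Added example (not from the passbolt-helm chart): resolve which files a pod's
# volume mounts produce and compare them with the paths nginx expects.
# Secret names and manifest fragments below are constructed for illustration.

# Files read by /etc/nginx/snippets/passbolt-ssl.conf in the container image.
NGINX_EXPECTED = {
    "/etc/ssl/certs/certificate.crt",
    "/etc/ssl/certs/certificate.key",
}

# Constructed view of the Secrets in the namespace: name -> set of data keys.
SECRETS = {
    "passbolt-internal-tls": {"server.crt", "server-key.pem"},  # chart-generated
    "passbolt-tls": {"tls.crt", "tls.key"},                     # cert-manager style
}


def secret_source_files(source, secrets):
    """Relative file names a `secret:` source creates inside its volume.

    Without `items`, every data key becomes a file named after the key.
    With `items`, only the listed keys are created, at the given `path`.
    """
    keys = secrets[source["name"]]
    if "items" not in source:
        return {k: k for k in keys}
    files = {}
    for item in source["items"]:
        if item["key"] not in keys:
            raise KeyError(f"secret {source['name']} has no key {item['key']}")
        files[item["path"]] = item["key"]
    return files


def volume_files(volume, secrets):
    """Map relative path -> backing secret key for a secret or projected volume."""
    if "secret" in volume:
        spec = dict(volume["secret"])
        spec["name"] = spec.pop("secretName")  # secret volumes use `secretName`
        return secret_source_files(spec, secrets)
    if "projected" in volume:
        files = {}
        for src in volume["projected"]["sources"]:
            if "secret" in src:  # projected sources use `name`
                files.update(secret_source_files(src["secret"], secrets))
        return files
    raise ValueError("unsupported volume type")


def resolve_mounts(volume_mounts, volumes, secrets):
    """Absolute paths visible in the container, mapped to their secret key."""
    by_name = {v["name"]: v for v in volumes}
    resolved = {}
    for m in volume_mounts:
        files = volume_files(by_name[m["name"]], secrets)
        if "subPath" in m:
            # subPath mounts exactly one file from the volume at mountPath.
            resolved[m["mountPath"]] = files[m["subPath"]]
        else:
            # A directory mount exposes every file under mountPath.
            for rel, key in files.items():
                resolved[f"{m['mountPath'].rstrip('/')}/{rel}"] = key
    return resolved


def missing_for_nginx(resolved):
    """Expected nginx paths that the mounts do not provide."""
    return NGINX_EXPECTED - set(resolved)


# Constructed model of the current chart: whole secret mounted as a directory.
CURRENT_MOUNTS = [{"mountPath": "/etc/ssl/certs/passbolt", "name": "internal-tls",
                   "readOnly": True}]
CURRENT_VOLUMES = [{"name": "internal-tls",
                    "secret": {"secretName": "passbolt-internal-tls"}}]

# Constructed model of the proposal: projected volume plus subPath file mounts.
PROPOSED_MOUNTS = [
    {"mountPath": "/etc/ssl/certs/certificate.crt", "name": "sec-tls",
     "readOnly": True, "subPath": "certificate.crt"},
    {"mountPath": "/etc/ssl/certs/certificate.key", "name": "sec-tls",
     "readOnly": True, "subPath": "certificate.key"},
]
PROPOSED_VOLUMES = [{"name": "sec-tls", "projected": {"defaultMode": 420, "sources": [
    {"secret": {"name": "passbolt-tls",
                "items": [{"key": "tls.crt", "path": "certificate.crt"}]}},
    {"secret": {"name": "passbolt-tls",
                "items": [{"key": "tls.key", "path": "certificate.key"}]}},
]}}]

if __name__ == "__main__":
    for label, mounts, vols in (("current", CURRENT_MOUNTS, CURRENT_VOLUMES),
                                ("proposed", PROPOSED_MOUNTS, PROPOSED_VOLUMES)):
        files = resolve_mounts(mounts, vols, SECRETS)
        print(label, sorted(files), "missing:", sorted(missing_for_nginx(files)))
```

The `items` mapping is what lets a cert-manager Secret keep its standard `tls.crt`/`tls.key` keys while the container still sees `certificate.crt`/`certificate.key`. One caveat worth knowing when using `subPath` file mounts: the kubelet does not refresh a `subPath`-mounted file when the Secret changes, so a certificate renewed by cert-manager only reaches nginx after the pod is restarted.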
