helm - provide file as a cert

I am defining the path to the certs: root path

  • certs (folder)
  • templates (folder)

value.yaml

tlsSecret:
  enabled: true
  secrets:
    - name: ca-secret
      key: values.schema.json
      certificate: ./certs/client-ca.crt
    - name: envoy-secret
      key: ./certs/server.key
      certificate: ./certs/server.crt

sec.yaml

{{- if .Values.tlsSecret.enabled }}
{{- range .Values.tlsSecret.secrets }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .name }}
  labels:
    {{- include "envoy-edge.labels" $ | nindent 4 }}
type: kubernetes.io/tls
data:
  tls.crt: {{ .certificate | b64enc }}
  tls.key: |-
    {{ $.Files.Get .key | b64enc }}
---
{{- end }}
{{- end }}

I am not able to use the file. Seems that files.get doesn't import the file.



Solution 1:[1]

A few questions:

  1. Is values.schema.json also a file? Is it a file in the root directory?
  2. Does tls.crt in sec want to read the content of the file and then encode it or directly encode the input string?

Notice:

  1. If values.schema.json is a file in the root directory, then this file cannot be accessed by Files.Get, because it contains the keyword values, so it will be ignored. If you want to access it, you need to change its file name, for example to schema.json.
  2. Do not add ./ when writing the path; just write the relative path directly. For example, ./certs/server.crt should be written as certs/server.crt.

Demo:

tree:

.
├── Chart.yaml
├── certs
│   ├── client-ca.crt
│   ├── server.crt
│   └── server.key
├── schema.json
├── templates
│   ├── NOTES.txt
│   ├── _helpers.tpl
│   ├── configmap.yaml
│   ├── deployment.yaml
│   └── sec.yaml
└── values.yaml

values.yaml

tlsSecret:
  enabled: true
  secrets:
    - name: ca-secret
      key: schema.json
      certificate: certs/client-ca.crt
    - name: envoy-secret
      key: certs/server.key
      certificate: ./certs/server.crt

sec.yaml

---
{{- if .Values.tlsSecret.enabled }}
{{- range .Values.tlsSecret.secrets }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .name }}
type: kubernetes.io/tls
data:
  k: {{ .key }}
  tls.crt: {{ .certificate | b64enc }}
  tls.key: |-
    {{ $.Files.Get .key | b64enc }}
---
{{- end }}
{{- end }}

certs/server.key

123

schema.json

{"1":1}

output:

---
apiVersion: v1
kind: Secret
metadata:
  name: ca-secret
type: kubernetes.io/tls
data:
  tls.crt: Y2VydHMvY2xpZW50LWNhLmNydA==
  tls.key: |-
    eyIxIjoxfQ==
---
apiVersion: v1
kind: Secret
metadata:
  name: envoy-secret
type: kubernetes.io/tls
data:
  tls.crt: Li9jZXJ0cy9zZXJ2ZXIuY3J0
  tls.key: |-
    MTIz
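
An added example, not part of the original answer or the asker's chart: a variant of sec.yaml that reads both the certificate and the key through $.Files.Get and stops rendering when a file cannot be read, instead of encoding the path string or an empty value. It assumes the values.yaml layout from the demo above, with paths relative to the chart root and no leading ./.

```yaml
# templates/sec.yaml (added example; assumes the demo's values.yaml layout)
{{- if .Values.tlsSecret.enabled }}
{{- range .Values.tlsSecret.secrets }}
{{- $crt := required (printf "certificate file %q not found in chart" .certificate) ($.Files.Get .certificate) }}
{{- $key := required (printf "key file %q not found in chart" .key) ($.Files.Get .key) }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ .name }}
type: kubernetes.io/tls
data:
  # .Files.Get returns an empty string for a path it cannot read;
  # the required calls above turn that into a render error.
  # The values below are the base64-encoded file contents, not the paths.
  tls.crt: {{ $crt | b64enc }}
  tls.key: {{ $key | b64enc }}
{{- end }}
{{- end }}
```

Files read with .Files.Get are part of the packaged chart, so a private key placed under certs/ travels with every copy of the chart archive.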

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 z.x