nplus/samples/certificates/README.md
2025-01-24 16:18:47 +01:00

# (auto-) certificates and the pitfalls of *.this*

*nplus* automatically generates certificates for your ingress. It either uses an issuer such as *cert-manager* or generates a *self-signed certificate*.

In your production environment, though, you might want more control over the certificate generation process rather than leaving it to *nplus*. In that case, you want to switch the automation *off*.

To do so, you need to understand what happens internally:

- If `.this.ingress.issuer` is set, the chart requests this issuer to generate a TLS secret with the name `.this.ingress.secret` by creating a certificate resource with the name of the domain `.this.ingress.domain`.
- Otherwise (no issuer is set), the chart checks whether the flag `.this.ingress.createSelfSignedCertificate` is set to `true` and, if so, generates a TLS secret with the name `.this.ingress.secret`.
- Otherwise (neither issuer nor createSelfSignedCertificate is set), the chart does not generate anything.

`.this` works by gathering the keys from `.Values.global.environment`, `.Values.global` and then `.Values` and merging them, flattened, into `.this`, so that you can set your values on different levels.

However, the *merge* function overwrites non-existing values, and a boolean `true` also overwrites a boolean `false`, not just the nil values. So to make sure we can still cancel functionality by setting `null` or `false`, there is a fourth merge which is set to forcefully overwrite existing keys: `override`, which can also be set on the *environment*, *global* or *component* level.

So the correct way to cancel the generation process is to force the issuer to null (which cancels the *cert-manager* generation) and also force `createSelfSignedCertificate` to false (which cancels the *self-signed certificate* generation):

```yaml
global:
  override:
    ingress:
      enabled: true
      secret: myCertificate
      issuer: null
      createSelfSignedCertificate: false
```

This ensures you get an ingress that uses the TLS certificate in the secret `myCertificate` for encryption and that nothing is generated.
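
The pitfall, as an added Python example: a simplified model of the merge behaviour this README describes, not nplus chart code. The level order in `build_this`, the order in which overrides are applied, and the issuer name `my-issuer` are assumptions; the outcome for `null` and `false` does not depend on the level order, because a set issuer or a `true` wins the plain merge from either side.

```python
# Simplified model of the merge behaviour this README describes (not nplus code).
def fill_merge(dst, src):
    """Plain merge: missing/None keys come from src; True in src replaces False."""
    out = dict(dst)
    for key, val in src.items():
        cur = out.get(key)
        if isinstance(cur, dict) and isinstance(val, dict):
            out[key] = fill_merge(cur, val)
        elif cur is None or (cur is False and val is True):
            out[key] = val
    return out

def force_merge(dst, src):
    """Override merge: every key present in src wins, including None and False."""
    out = dict(dst)
    for key, val in src.items():
        both = isinstance(out.get(key), dict) and isinstance(val, dict)
        out[key] = force_merge(out[key], val) if both else val
    return out

def build_this(values):
    """Flatten the three levels into one dict, then apply their overrides."""
    glob = values.get("global", {})
    levels = [values, glob, glob.get("environment", {})]  # assumed order
    skip = ("global", "environment", "override")
    this = {}
    for level in levels:
        this = fill_merge(this, {k: v for k, v in level.items() if k not in skip})
    for level in reversed(levels):  # assumed: most specific override last
        this = force_merge(this, level.get("override", {}))
    return this

def certificate_source(this):
    """The three-branch decision from the list in this README."""
    ingress = this.get("ingress", {})
    if ingress.get("issuer"):
        return "issuer"
    if ingress.get("createSelfSignedCertificate") is True:
        return "self-signed"
    return "none"

# Constructed sample values; "my-issuer" is a placeholder issuer name.
SHARED = {"ingress": {"issuer": "my-issuer", "createSelfSignedCertificate": True}}
OFF = {"ingress": {"secret": "myCertificate", "issuer": None,
                   "createSelfSignedCertificate": False}}
plain_attempt = {"global": SHARED, **OFF}            # null/false set as plain values
with_override = {"global": {**SHARED, "override": OFF}}  # same values, forced

if __name__ == "__main__":
    print(certificate_source(build_this(plain_attempt)), certificate_source(build_this(with_override)))
```

Setting `issuer: null` and `createSelfSignedCertificate: false` as plain values still ends in the issuer branch in this model; only the `override` form reaches the branch where nothing is generated.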