
(auto-) certificates and the pitfalls of .this

nplus will automatically generate certificates for your ingress. It either uses an issuer like cert-manager or generates a self-signed certificate.

In your production environment, though, you might want to take more control over the certificate generation process and not leave it to nplus to take care of it automatically. In that case, you want to switch the automation off.

To do so, you need to understand what is happening internally:

  • if .this.ingress.issuer is set, the chart asks this issuer to generate a TLS secret with the name .this.ingress.secret
    by creating a certificate resource with the name of the domain .this.ingress.domain
  • else, if no issuer is set, the chart checks whether the flag .this.ingress.createSelfSignedCertificate is set to true and, if so, generates a TLS secret with the name .this.ingress.secret
  • else, if neither issuer nor createSelfSignedCertificate is set, the chart will not generate anything

The way .this works is that it gathers the keys from .Values.global.environment, .Values.global and then .Values and flattens them, merged, into .this, so that you can set your values on different levels.

However, the merge function overwrites non-existing values, and a boolean true also overwrites a boolean false, not just the nil values. So to make sure we can still cancel functionality by setting null or false, there is a fourth merge which is set to forcefully overwrite existing keys: override, which can also be set on the environment, global or component level.

So the correct way to cancel the generation process is to force the issuer to null (which will cancel the cert-manager generation) and also force createSelfSignedCertificate to false (to cancel the self-signed certificate generation):

global:
  override:
    ingress:
      enabled: true
      secret: myCertificate
      issuer: null
      createSelfSignedCertificate: false

This makes sure you will get an ingress that uses the TLS certificate in the secret myCertificate for encryption and that nothing is generated.
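
The merge pitfall and the override fix can be checked with a small model. This is an added example, not nplus template code: the functions fill_merge, force_merge, build_this and certificate_action are hypothetical, the sample values (my-issuer, example.test) are constructed, and the model assumes that null and false both count as "empty" in the normal merge, as described above.

```python
# Simplified model of the .this merge described above (assumption, not chart code).

def fill_merge(dst, src):
    """Normal merge: a value in dst is kept unless it is missing, None or False."""
    out = dict(dst)
    for key, val in src.items():
        cur = out.get(key)
        if isinstance(cur, dict) and isinstance(val, dict):
            out[key] = fill_merge(cur, val)
        elif (cur is None or cur is False) and val is not None:
            out[key] = val  # this is how true replaces an explicit false
    return out

def force_merge(dst, src):
    """Override merge: every key present in src wins, including None and False."""
    out = dict(dst)
    for key, val in src.items():
        if isinstance(out.get(key), dict) and isinstance(val, dict):
            out[key] = force_merge(out[key], val)
        else:
            out[key] = val
    return out

def build_this(levels, overrides=()):
    """Flatten all value levels, then apply the override maps on top."""
    this = {}
    for level in levels:
        this = fill_merge(this, level)
    for override in overrides:
        this = force_merge(this, override)
    return this

def certificate_action(this):
    """The three branches from the list above: issuer, self-signed, or nothing."""
    ingress = this.get("ingress", {})
    if ingress.get("issuer"):
        return "issuer"
    if ingress.get("createSelfSignedCertificate") is True:
        return "self-signed"
    return "none"

# Constructed sample values: defaults on one level, an opt-out attempt on another.
DEFAULTS = {"ingress": {"issuer": "my-issuer", "domain": "example.test",
                        "createSelfSignedCertificate": True}}
OPT_OUT = {"ingress": {"enabled": True, "secret": "myCertificate",
                       "issuer": None, "createSelfSignedCertificate": False}}

if __name__ == "__main__":
    print(certificate_action(build_this([DEFAULTS, OPT_OUT])))             # issuer
    print(certificate_action(build_this([DEFAULTS], overrides=[OPT_OUT])))  # none
```

In this model the opt-out is lost whenever it is supplied as ordinary values, in either merge order, and only sticks when it is supplied through override.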