(auto-) certificates and the pitfalls of .this
nplus will automatically generate certificates for your ingress. It either uses an issuer like cert-manager or generates a self-signed-certificate.
In your production environment, though, you might want to take more control over the certificate generation process and not leave it to nplus to take care of it automatically. In that case, you want to switch the automation off.
To do so, you need to understand what is happening internally:
- if `.this.ingress.issuer` is set, the chart requests this issuer to generate a tls secret with the name `.this.ingress.secret` by creating a certificate resource with the name of the domain `.this.ingress.domain`
- else, so no issuer is set, the chart checks whether the flag `.this.ingress.createSelfSignedCertificate` is set to `true` and generates a tls secret with the name `.this.ingress.secret`
- else, so neither issuer nor createSelfSignedCertificate are set, the charts will not generate anything
The way `.this` works is that it gathers the keys from `.Values.global.environment`, `.Values.global` and then `.Values` and flattens them, merged, into `.this`, so that you can set your values on different levels.
However, the merge function overwrites non-existing values, and a boolean `true` also overwrites a boolean `false`, not just the nil values. So to make sure we can still cancel functionality by setting `null` or `false`, there is a fourth merge which is set to forcefully overwrite existing keys: `override`, which can also be set on the environment, global or component level.
So the correct way to cancel the generation process is to force the issuer to null (which will cancel the cert-manager generation) and also force createSelfSignedCertificate to false (to cancel the self-signed-certificate generation):
```yaml
global:
  override:
    ingress:
      enabled: true
      secret: myCertificate
      issuer: null
      createSelfSignedCertificate: false
```
This makes sure you get an ingress that uses the tls certificate in the secret `myCertificate` for encryption and that nothing is generated.
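The following Python model is an added example, not code from the nplus charts. It reproduces the merge behaviour described above to show why a `null` issuer or a `false` flag set in normal values is lost, and why `override` is needed. The layer contents, the issuer name `my-issuer` and all function names are constructed for illustration.

```python
import copy

# Model of the merging described above; added illustration, not nplus chart code.
def is_empty(value):
    # Missing keys, null and boolean false all count as "not set" for the merge.
    return value is None or value is False

def merge(dst, src):
    """Fill keys of dst that are missing or empty with the values from src."""
    for key, value in src.items():
        if isinstance(value, dict) and isinstance(dst.get(key), dict):
            merge(dst[key], value)
        elif is_empty(dst.get(key)):
            dst[key] = value
    return dst

def force(dst, src):
    """Override merge: write every key of src, including null and false."""
    for key, value in src.items():
        if isinstance(value, dict) and isinstance(dst.get(key), dict):
            force(dst[key], value)
        else:
            dst[key] = value
    return dst

def build_this(layers, override=None):
    """Flatten the value layers into one dict, then apply the override on top."""
    this = {}
    for layer in layers:
        merge(this, copy.deepcopy(layer))
    return force(this, copy.deepcopy(override or {}))

def certificate_source(this):
    """Three-way decision from the list above."""
    ingress = this.get("ingress", {})
    if ingress.get("issuer"):
        return "issuer"
    if ingress.get("createSelfSignedCertificate") is True:
        return "self-signed"
    return "none"

# Constructed sample values; "my-issuer" is a placeholder issuer name.
GLOBAL = {"ingress": {"enabled": True, "issuer": "my-issuer", "createSelfSignedCertificate": True}}
COMPONENT = {"ingress": {"secret": "myCertificate", "issuer": None, "createSelfSignedCertificate": False}}
OVERRIDE = {"ingress": {"issuer": None, "createSelfSignedCertificate": False}}

if __name__ == "__main__":
    print(certificate_source(build_this([COMPONENT, GLOBAL])))            # issuer
    print(certificate_source(build_this([COMPONENT, GLOBAL], OVERRIDE)))  # none
```

In this model the result is the same whichever layer is merged first, because a set issuer or a `true` flag always wins over `null` or `false` until the override is applied.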