[TLS-CM] Heartbeat and bastion mount k8s secrets containing TLS CA certs although CertManager is enabled
Closed this issue · 0 comments
MMirelli commented
Heartbeat and bastion components appear to mount self-signed certs even when deploying in TLS CertManager mode (SelfSigned disabled).
When deploying with the following values
helm --set "secrets='',createCertificates.selfSigned.enabled=false,createCertificates.selfSignedPerComponent.enabled=false" install ...
The command returns:
broker-0 $ env | grep "tlsTrustCertsFilePath"
tlsTrustCertsFilePath=/etc/ssl/certs/ca-certificates.crt
Hinting that the trustCertsStore is /etc/ssl/certs/ca-certificates.crt.
However, bastion and heartbeat pods are still mounting a secret and extracting the certs from there.
In this scenario, to my understanding, heartbeat and bastion pods should only use the CM-signed certificate: /etc/ssl/certs/ca-certificates.crt, so there is no need to mount external k8s secrets containing self-signed TLS certificates.
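An added example (not part of the issue or the chart's own code) of auditing for the condition reported above: it lists secret-backed volumes mounted in containers whose `tlsTrustCertsFilePath` points somewhere outside that mount. The pod list is constructed in the shape of `kubectl get pods -o json`; the pod names, secret name, mount path and the presence of the variable on the bastion container are assumptions.

```python
import json
import posixpath

# Constructed sample shaped like `kubectl get pods -o json`; pod names, the
# secret name and the mount path are assumptions, not values from the chart.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "broker-0"},
   "spec": {"volumes": [],
            "containers": [{"name": "broker",
              "env": [{"name": "tlsTrustCertsFilePath",
                       "value": "/etc/ssl/certs/ca-certificates.crt"}],
              "volumeMounts": []}]}},
  {"metadata": {"name": "bastion-0"},
   "spec": {"volumes": [{"name": "certs",
                         "secret": {"secretName": "example-tls-secret"}}],
            "containers": [{"name": "bastion",
              "env": [{"name": "tlsTrustCertsFilePath",
                       "value": "/etc/ssl/certs/ca-certificates.crt"}],
              "volumeMounts": [{"name": "certs",
                                "mountPath": "/example/certs"}]}]}}
]}
""")

def unused_secret_mounts(pod_list, env_name="tlsTrustCertsFilePath"):
    """Return (pod, container, secret, mountPath) for each secret volume mounted
    in a container whose trust-store path does not live under that mount."""
    findings = []
    for pod in pod_list.get("items", []):
        spec = pod.get("spec", {})
        # Map volume name -> secret name for secret-backed volumes only.
        secrets = {v["name"]: v["secret"]["secretName"]
                   for v in spec.get("volumes", []) if "secret" in v}
        for c in spec.get("containers", []):
            trust = next((e.get("value") for e in c.get("env", [])
                          if e.get("name") == env_name), None)
            if not trust:
                continue  # container declares no trust-store path
            trust = posixpath.normpath(trust)
            for m in c.get("volumeMounts", []):
                if m["name"] not in secrets:
                    continue
                mount = posixpath.normpath(m["mountPath"])
                inside = trust == mount or trust.startswith(mount.rstrip("/") + "/")
                if not inside:
                    findings.append((pod["metadata"]["name"], c["name"],
                                     secrets[m["name"]], mount))
    return findings
```

Each finding is a candidate for review, since a secret volume can be mounted for reasons other than the trust store.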