zrok helm chart : configmap "ziti-controller-ctrl-plane-cas" not found
Opened this issue · 4 comments
Hi,
Thank you for your amazing work!
I am trying to deploy a self zrok instance using the zrok helm chart alone.
I explored the repo and found that there are no templates or scripts creating this configMap. Is the zrok helm chart not self-sufficient?
You're welcome! I'm glad you found it useful.
You've stumbled upon a chart dependency that's less than obvious. I'll take this issue as a prompt to make it easier to figure out from the README.
The zrok chart uses a ConfigMap you provide by name to configure itself to trust the OpenZiti controller's certificate.
If you are self-hosting the OpenZiti controller in the same cluster, you can point the zrok chart's values to the ConfigMap provided by the ziti-controller chart. It contains a bundle of root CA certs.
If there's no ziti-controller release in the same cluster, you can compose a configmap that satisfies the zrok chart's requirement. Let me know if you'd prefer that approach, have a ziti-controller release with the trust bundle ConfigMap, or would prefer to bypass cert verification.
e.g., if you DO have a ziti-controller release in your cluster named "myziti1" then the existing trust bundle ConfigMap is named "myziti1-ctrl-plane-cas" and is, by default, propagated to all K8S namespaces.
helm upgrade --install --set ziti.ca_cert_configmap="myziti1-ctrl-plane-cas"
If, perchance, you customized the ziti-controller value ctrlPlaneCasBundle.namespaceSelector, and the zrok chart is in a different namespace than ziti-controller, then it's also necessary to label the zrok namespace according to your custom namespace selector to trigger the trust bundle ConfigMap propagating to the zrok namespace.
Thanks @qrkourier for your quick answer!
OK I see, I overlooked the templates, I thought the zrok helm chart was a combination of "older" charts and included a controller instance. I understand now.
I can deploy a ziti-controller in the same namespace. But out of curiosity, how could I create this configMap without the controller generating it?
Thank you for mentioning the expected names, I will take a close look once the controller is deployed.
Let me know if I can help providing feedback or repo files used for this "minimal" deployment.
If your zrok is in a different cluster than the ziti-controller then you would need to create a ConfigMap manifest. The data would have a key=value map where the key is the value of zrok chart input value ziti.ca_cert_file. The default key is ctrl-plane-cas.crt, and its value is a PEM bundle of trusted root certs.
The easiest way would be to copy the manifest from the ziti-controller's cluster to the cluster where zrok is installed, but you can fetch the root CA bundle from any Ziti controller like this.
curl -sSk https://myziti.example.com/.well-known/est/cacerts \
| base64 -d \
| openssl pkcs7 -inform DER -outform PEM -print_certs
Example ConfigMap manifest:
apiVersion: v1
kind: ConfigMap
metadata:
  name: ziti-controller-ctrl-plane-cas
  namespace: myzrokns
data:
  # PEM bundle: one block per trusted root CA (certificate bodies elided)
  ctrl-plane-cas.crt: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
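The steps from the last comment, as an added example that is not part of the thread or the project's own tooling: it takes a PEM bundle file such as the output of the curl/openssl pipeline, lists each certificate's SHA-256 fingerprint for out-of-band comparison (the fetch used `curl -k`, so the bundle is unauthenticated until checked), and renders the ConfigMap with the name, namespace and key used in the example manifest. The function names and the script file name are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Input: a PEM bundle file, e.g. the
# output of the curl | base64 -d | openssl pkcs7 pipeline saved to bundle.pem.
# Usage (file name is hypothetical): sh make-trust-cm.sh bundle.pem > cm.yaml

# Print the number of certificate blocks; fail when there are none or when
# BEGIN/END markers are unbalanced (truncated download, HTML error page).
count_certs() {
  local begins ends
  begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
  ends=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
  [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] || return 1
  echo "$begins"
}

# Print subject and SHA-256 fingerprint of each certificate (needs openssl).
# curl -k skipped TLS verification, so compare these with fingerprints
# obtained from the controller's operator before trusting the bundle.
list_fingerprints() {
  awk -v cmd='openssl x509 -noout -subject -fingerprint -sha256' '
    /-----BEGIN CERTIFICATE-----/ { p = 1 }
    p { print | cmd }
    /-----END CERTIFICATE-----/ { p = 0; close(cmd) }
  ' "$1"
}

# Render the manifest: name, namespace, data key, bundle file. Only the PEM
# blocks are kept (openssl -print_certs also emits subject=/issuer= lines),
# indented four spaces so they sit inside the YAML block scalar.
render_configmap() {
  count_certs "$4" >/dev/null || { echo "no complete certificate in $4" >&2; return 1; }
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n'
  printf '  name: %s\n  namespace: %s\ndata:\n  %s: |\n' "$1" "$2" "$3"
  awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
       p { print "    " $0 }
       /-----END CERTIFICATE-----/ { p = 0 }' "$4"
}

if [ "$#" -ge 1 ]; then
  list_fingerprints "$1" >&2
  render_configmap ziti-controller-ctrl-plane-cas myzrokns ctrl-plane-cas.crt "$1"
fi
```

The rendered manifest can be applied with `kubectl apply -f` in the cluster where zrok is installed once the fingerprints have been confirmed.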