How should the TLS configuration of Chart version 1.7.0 be used?
Closed this issue · 5 comments
The first question:
The secret I generated through the following command is mounted under `/usr/local/certs/` through `secretMounts`, but this command generates `.key` and `.crt` files instead of a `.pem` file. How do I generate a `.pem` file?
```
kubectl create secret tls ${CERT_NAME} --key ${KEY_FILE} --cert ${CERT_FILE}
```
The second question:
I successfully mounted the PEM file into the Pod by my own means, and Trino is also running normally, but how can I access Trino externally? The existing service points to port `8080`. I set the service to NodePort and then accessed it in the browser, which displayed `Web Interface is Disabled`. So I added a service-external and pointed its port to `8443`, but the page could not be opened normally. Which step went wrong?
This is my chart file, please help me, thank you very much
trino-363.zip
Hi @kqkdChen ,
if you just need HTTPS enabled, pls try this:
- create a tls secret (example here: https://kubernetes.github.io/ingress-nginx/user-guide/tls/)
- enable ingress setting hostname and tls secret name
- enable processForwarded
After this you should be able to access Trino through the hostname (you should have a DNS record pointing to the ingress controller or simply use `/etc/hosts`).
> Hi @kqkdChen , if you just need HTTPS enabled, pls try this:
> - create a tls secret (example here: https://kubernetes.github.io/ingress-nginx/user-guide/tls/)
> - enable ingress setting hostname and tls secret name
> - enable processForwarded
>
> After this you should be able to access Trino through the hostname (you should have a DNS record pointing to the ingress controller or simply use `/etc/hosts`).

I tried this method. Because the development machine does not allow modifying the hosts file, the client cannot forward requests to the back-end service through the ingress. After the ingress is configured with TLS, it seems that requests can only be forwarded through the domain name, not through the IP. I remember that nginx can be accessed over HTTPS via IP, such as `https://192.168.1.100`. What kind of ingress configuration is needed to achieve this, instead of having to use the domain name for HTTPS access?
In this case you must not use Ingress, because the virtual host is needed by design.
As an alternative you can set up this part, enabling httpServer:
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| secretMounts | list | `[]` | |
| server.config.http.port | int | `8080` | |
| server.config.httpsServer.enabled | bool | `false` | |
| server.config.httpsServer.keystore.key | string | `""` | |
| server.config.httpsServer.keystore.path | string | `"/usr/local/certs/clustercoord.pem"` | |
| server.config.httpsServer.port | int | `8443` | |
After this setup you should be able to do a kubectl port forward of the service itself and access it.
I'm not sure I got why we need an external service; it should be enough to set up the service itself, so I don't see any added value in this, but I may be wrong.
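
For the first question in this thread (getting a `.pem` out of the `.key` and `.crt` files), here is an added example that is not part of the original comments or of the chart. It assumes Trino reads one PEM file holding the private key followed by the certificate chain; the function names are hypothetical, and `clustercoord.pem` is taken from the default `keystore.path` shown above.

```shell
#!/bin/sh
# Added example: build the single PEM file that
# server.config.httpsServer.keystore.path points at from a separate
# private key and certificate, then store it in a generic secret.

# make_trino_pem KEY_FILE CERT_FILE OUT_FILE
# Writes key + certificate (chain) to OUT_FILE with mode 600.
# Returns non-zero when an input is not the PEM object it should be.
make_trino_pem() {
  local key="$1" crt="$2" out="$3"
  [ -r "$key" ] && [ -r "$crt" ] || { echo "missing input file" >&2; return 2; }
  # Accept PKCS#8, legacy RSA/EC and encrypted private key headers.
  grep -Eq '^-----BEGIN ((RSA|EC|ENCRYPTED) )?PRIVATE KEY-----' "$key" \
    || { echo "$key: no PEM private key found" >&2; return 3; }
  grep -q '^-----BEGIN CERTIFICATE-----' "$crt" \
    || { echo "$crt: no PEM certificate found" >&2; return 4; }
  # The certificate file must not carry key material (swapped arguments).
  if grep -q 'PRIVATE KEY-----' "$crt"; then
    echo "$crt: contains a private key" >&2; return 5
  fi
  # The echo keeps the END and BEGIN markers on separate lines even when
  # the key file has no trailing newline. umask keeps the key unreadable
  # to other users from the moment the file is created.
  ( umask 077; { cat "$key"; echo; cat "$crt"; } > "$out" ) && chmod 600 "$out"
}

# create_pem_secret SECRET_NAME PEM_FILE  (needs kubectl and cluster access)
# A generic secret keeps the file name; "kubectl create secret tls" would
# store the two parts under tls.key and tls.crt instead.
create_pem_secret() {
  kubectl create secret generic "$1" --from-file=clustercoord.pem="$2"
}

# Usage: ./make-pem.sh tls.key tls.crt clustercoord.pem
if [ "$#" -eq 3 ]; then
  make_trino_pem "$1" "$2" "$3"
fi
```

Mounting the resulting secret at `/usr/local/certs/` through `secretMounts` places the file at the default `keystore.path` from the table above.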