valeriano-manassero/helm-charts

How should the TLS configuration of Chart version 1.7.0 be used?

Closed this issue · 5 comments

The first question:
The secret I generated through the following command is mounted under /usr/local/certs/ through secretMounts, but this command generates .key and .crt files instead of a .pem file. How do I generate a .pem file?
kubectl create secret tls ${CERT_NAME} --key ${KEY_FILE} --cert ${CERT_FILE}

The second question:
I successfully mounted the PEM file into the Pod by my own means, and Trino is also running normally, but how can I access Trino externally? The existing service points to port 8080. I set the service to NodePort and then accessed it in the browser, which displayed "Web Interface is Disabled". So I added a service-external and pointed its port to 8443, but the page could not be opened normally. Which step went wrong?

This is my chart file, please help me, thank you very much
trino-363.zip

Hi @kqkdChen ,
if you just need HTTPS enabled, pls try this:

After this you should be able to access Trino through the hostname (you should have a DNS record pointing to the ingress controller or simply use /etc/hosts).

> Hi @kqkdChen , if you just need HTTPS enabled, pls try this:
>
> After this you should be able to access Trino through the hostname (you should have a DNS record pointing to the ingress controller or simply use /etc/hosts).

I tried this method. Because the development machine does not allow modifying the hosts file, the client cannot forward requests to the back-end service through ingress, and after ingress is configured with TLS, it seems that requests can only be forwarded through the domain name and not through the IP. I remember that nginx can be accessed over HTTPS via IP, such as https://192.168.1.100. What kind of configuration does ingress need to work this way, instead of having to go through the domain name to enable HTTPS access?

In this case you must not use Ingress because the virtualhost is needed by design.
As an alternative you can set up this part, enabling httpServer:

 | secretMounts | list | `[]` |  |
 | server.config.http.port | int | `8080` |  |
 | server.config.httpsServer.enabled | bool | `false` |  |
 | server.config.httpsServer.keystore.key | string | `""` |  |
 | server.config.httpsServer.keystore.path | string | `"/usr/local/certs/clustercoord.pem"` |  |
 | server.config.httpsServer.port | int | `8443` |  |

After this setup you should be able to do a kubectl port forward of the service itself and access it.
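
For the first question in this thread (getting one .pem out of the .key and .crt files), an added example that is not part of the original comments or the chart's own code: a PEM keystore for Trino is a single file holding the private key followed by the certificate, so the script checks that the pair belongs together and concatenates it. The secret name `trino-certs` and the script name are hypothetical; the key name `clustercoord.pem` matches the chart default shown above.

```bash
#!/usr/bin/env bash
# Added example (not from the chart): build the single PEM file that
# server.config.httpsServer.keystore.path points at from a .key/.crt pair.
set -eu

# SHA-256 over the DER form of a public key read as PEM on stdin.
pub_fingerprint() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256
}

# make_pem_bundle KEY CRT OUT
# Refuses to write OUT unless the certificate was issued for that private key.
make_pem_bundle() {
    key=$1 crt=$2 out=$3
    key_fp=$(openssl pkey -in "$key" -pubout | pub_fingerprint)
    crt_fp=$(openssl x509 -in "$crt" -noout -pubkey | pub_fingerprint)
    if [ "$key_fp" != "$crt_fp" ]; then
        echo "error: $crt does not belong to $key" >&2
        return 1
    fi
    # Private key first, then the certificate; keep the file owner-only.
    ( umask 077 && cat "$key" "$crt" > "$out" )
}

# create_pem_secret BUNDLE [SECRET_NAME]
# Stores the bundle under the key clustercoord.pem, so mounting the secret at
# /usr/local/certs yields the chart's default keystore path.
# "trino-certs" is a hypothetical secret name.
create_pem_secret() {
    kubectl create secret generic "${2:-trino-certs}" \
        --from-file=clustercoord.pem="$1"
}

# Usage (hypothetical script name): ./make-pem.sh server.key server.crt clustercoord.pem
if [ "$#" -eq 3 ]; then
    make_pem_bundle "$1" "$2" "$3"
fi
```

A secret created with `kubectl create secret tls` stores the pair as two separate keys, `tls.key` and `tls.crt`, which is why a generic secret with a single file is used here.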

I just solved the problem by mistake, I had tried this way earlier, but the page was not accessible until I added https and it was accessible successfully. I suggest adding a service-external.yaml specifically for exposing services.


I'm not sure I got why we need an external service; it should be enough to set up the service itself, so I don't see any added value in this, but I may be wrong.