capsule-proxy

helm chart (cert-manager) does not support wildcards

Open pepordev opened this issue 1 year ago • 3 comments

Bug description

When enabling cert-manager for certificates, if you add a wildcard to the dns extra configuration it fails with

Error: YAML parse error on capsule-proxy/templates/certmanager.yaml: error converting YAML to JSON: yaml: line 8: did not find expected alphabetic or numeric character
helm.go:84: [debug] error converting YAML to JSON: yaml: line 8: did not find expected alphabetic or numeric character
YAML parse error on capsule-proxy/templates/certmanager.yaml
helm.sh/helm/v3/pkg/releaseutil.(*manifestFile).sort
	helm.sh/helm/v3/pkg/releaseutil/manifest_sorter.go:146
helm.sh/helm/v3/pkg/releaseutil.SortManifests
	helm.sh/helm/v3/pkg/releaseutil/manifest_sorter.go:106
helm.sh/helm/v3/pkg/action.(*Configuration).renderResources
	helm.sh/helm/v3/pkg/action/action.go:168
helm.sh/helm/v3/pkg/action.(*Install).RunWithContext
	helm.sh/helm/v3/pkg/action/install.go:312
main.runInstall
	helm.sh/helm/v3/cmd/helm/install.go:314
main.newTemplateCmd.func2
	helm.sh/helm/v3/cmd/helm/template.go:95
github.com/spf13/cobra.(*Command).execute
	github.com/spf13/[email protected]/command.go:983
github.com/spf13/cobra.(*Command).ExecuteC
	github.com/spf13/[email protected]/command.go:1115
github.com/spf13/cobra.(*Command).Execute
	github.com/spf13/[email protected]/command.go:1039
main.main
	helm.sh/helm/v3/cmd/helm/helm.go:83
runtime.main
	runtime/proc.go:271
runtime.goexit
	runtime/asm_arm64.s:1222

How to reproduce

Use values:

certManager:
  generateCertificates: true
  issuer:
    kind: Issuer
  certificate:
    includeInternalServiceNames: true
    dnsNames:
    - "*-proxy.capsule-system.svc"

Expected behavior

It should generate the certificate object with the proper wildcard in there

Additional context

  • Capsule-Proxy version: 0.7.1
  • Helm Chart version: 0.7.1
  • Kubernetes version: 1.28.9

pepordev avatar Sep 12 '24 08:09 pepordev

I think this is not supported in Cert Manager, since the wildcard support is allowed only for DNS01 challenges.

prometherion avatar Sep 12 '24 08:09 prometherion

> I think this is not supported in Cert Manager, since the wildcard support is allowed only for DNS01 challenges.

Hi! I think quoting won't break any DNS name. Either way, I did a test with a certificate and it works as expected.

Issuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: self-signed
spec:
  selfSigned: {}

Certificate

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-serving-cert
spec:
  dnsNames:
  - capsule-proxy
  - capsule-proxy.capsule-system.svc
  - '*-proxy.capsule-system.svc'
  issuerRef:
    kind: ClusterIssuer
    name: self-signed
  secretName: test-cert
  subject:
    organizations:
    - clastix.io
status:
  conditions:
  - lastTransitionTime: "2024-09-13T06:20:01Z"
    message: Certificate is up to date and has not expired
    observedGeneration: 1
    reason: Ready
    status: "True"
    type: Ready
  notAfter: "2024-12-12T06:20:01Z"
  notBefore: "2024-09-13T06:20:01Z"
  renewalTime: "2024-11-12T06:20:01Z"
  revision: 1

pepordev avatar Sep 13 '24 06:09 pepordev

Thanks for testing it! 🚀

prometherion avatar Sep 13 '24 07:09 prometherion
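
Added example (not part of the original thread and not the chart's own code): a Ruby sketch of why the bare wildcard stops rendering and why quoting every dnsNames entry avoids it. render_certificate is a hypothetical stand-in for the chart's certmanager.yaml template, and the names are the ones posted above.

```ruby
require "json"
require "yaml"

# Constructed sample input: the dnsNames posted in the thread above.
DNS_NAMES = [
  "capsule-proxy",
  "capsule-proxy.capsule-system.svc",
  "*-proxy.capsule-system.svc",
].freeze

# Hypothetical stand-in for the chart template: emits a Certificate fragment,
# writing each name either bare or as a double-quoted YAML scalar.
def render_certificate(names, quote:)
  header = ["apiVersion: cert-manager.io/v1", "kind: Certificate", "spec:", "  dnsNames:"]
  items = names.map { |name| "  - #{quote ? name.to_json : name}" }
  (header + items).join("\n") + "\n"
end

# Returns the parsed SAN list, or the parser's error text if the manifest
# is not valid YAML. A bare leading "*" starts a YAML alias, not a string.
def parse_dns_names(manifest)
  YAML.safe_load(manifest).dig("spec", "dnsNames")
rescue Psych::SyntaxError => e
  "parse error: #{e.problem} #{e.context}"
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |quote|
    result = parse_dns_names(render_certificate(DNS_NAMES, quote: quote))
    puts "quote=#{quote}: #{result.inspect}"
  end
end
```

Only the wildcard entry needs the quotes; the two plain names parse to the same strings either way, so quoting unconditionally in a template is safe.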