
Conversation

diafour
Member

@diafour diafour commented Jul 31, 2025

Description

Override helm_lib_module_https_copy_custom_certificate template from the helm-lib, add base64 for Secret fields.

Why do we need it, and what problem does it solve?

Fix of a regression after rewriting copy_custom_certificate in Go. helm-lib expects base64-encoded certificates in values, but the common hook returns raw strings.

A custom certificate specified in ModuleConfig/global in spec.settings.modules.https.customCertificate.secretName leads to this error:

helm upgrade failed: cannot patch "ingress-tls-customcertificate" with kind Secret ... invalid value: "{ ... \"data\":{\"tls.crt\":\"-----BEGIN CERTIFICATE----....

What is the expected result?

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: module
type: fix
summary: Fix helm template to be compatible with CustomCertificate https mode.
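As an added illustration of the mismatch the description names (this is not the project's code or the helm-lib template), the Go program below renders the TLS Secret `data` twice: once with the raw PEM strings the hook returns, once with the base64 encoding that Helm's `b64enc` applies (sprig's `b64enc` uses standard base64, the same as Go's `base64.StdEncoding`). A small validator mimics the apiserver rule behind the "invalid value" error: every `data` value must decode as standard base64. The PEM blocks are constructed placeholders, not real key material; the function names are this example's own.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Constructed placeholder PEM blocks (valid PEM framing, not real key material).
const (
	rawCrt = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
	rawKey = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
)

// secretManifest carries the fields of a kubernetes.io/tls Secret that matter here.
type secretManifest struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	Type       string            `json:"type"`
	Data       map[string]string `json:"data"`
}

func newTLSSecret(crt, key string) secretManifest {
	return secretManifest{
		APIVersion: "v1",
		Kind:       "Secret",
		Type:       "kubernetes.io/tls",
		Data:       map[string]string{"tls.crt": crt, "tls.key": key},
	}
}

// renderBuggy reproduces the regression: raw PEM copied straight into data.
func renderBuggy(crt, key string) secretManifest {
	return newTLSSecret(crt, key)
}

// renderFixed applies the base64 step that the overridden template adds.
func renderFixed(crt, key string) secretManifest {
	enc := base64.StdEncoding.EncodeToString
	return newTLSSecret(enc([]byte(crt)), enc([]byte(key)))
}

// validateTLSSecret mimics the apiserver checks that reject the buggy manifest:
// tls.crt and tls.key must be present and must decode as standard base64.
func validateTLSSecret(s secretManifest) error {
	for _, k := range []string{"tls.crt", "tls.key"} {
		v, ok := s.Data[k]
		if !ok {
			return fmt.Errorf("missing data key %q", k)
		}
		if _, err := base64.StdEncoding.DecodeString(v); err != nil {
			return fmt.Errorf("invalid value for %q: %v", k, err)
		}
	}
	return nil
}

// decodeTLSSecret returns the PEM text a consumer of the Secret would see,
// which must equal the original raw strings for the fix to be correct.
func decodeTLSSecret(s secretManifest) (crt, key string, err error) {
	c, err := base64.StdEncoding.DecodeString(s.Data["tls.crt"])
	if err != nil {
		return "", "", err
	}
	k, err := base64.StdEncoding.DecodeString(s.Data["tls.key"])
	if err != nil {
		return "", "", err
	}
	return string(c), string(k), nil
}

func main() {
	for name, s := range map[string]secretManifest{
		"raw PEM in data": renderBuggy(rawCrt, rawKey),
		"base64 in data":  renderFixed(rawCrt, rawKey),
	} {
		out, _ := json.MarshalIndent(s, "", "  ")
		fmt.Printf("== %s ==\n%s\nvalidation: %v\n\n", name, out, validateTLSSecret(s))
	}
}
```

Running it shows the raw variant failing on the first `-` of `-----BEGIN CERTIFICATE-----`, which is not in the base64 alphabet, while the encoded variant validates and decodes back to the original PEM. The same check is a cheap guard to run on rendered manifests in CI before `helm upgrade` reaches a cluster.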

@diafour diafour requested review from fl64 and Isteb4k as code owners July 31, 2025 12:22
@diafour diafour added this to the v0.24.0 milestone Jul 31, 2025
Signed-off-by: Ivan Mikheykin <[email protected]>
@diafour
Member Author

diafour commented Aug 4, 2025

Tested in a cluster with a global self-signed certificate and a VirtualImage of type Upload:

openssl s_client -showcerts -servername virtualization.CLUSTER_DOMAIN -connect virtualization.CLUSTER_DOMAIN:443 </dev/null
Connecting to aa.bbb.cc.ddd
CONNECTED(00000005)
depth=0 C=RU, CN=*.CLUSTER_DOMAIN
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C=RU, CN=*.CLUSTER_DOMAIN
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C=RU, CN=*.CLUSTER_DOMAIN
verify return:1
---
Certificate chain
 0 s:C=RU, CN=*.CLUSTER_DOMAIN
   i:C=RU, CN=CLUSTER_DOMAIN
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug  4 10:05:24 2025 GMT; NotAfter: Jul 26 10:05:24 2026 GMT
-----BEGIN CERTIFICATE-----
...
...
-----END CERTIFICATE-----
---
Server certificate
subject=C=RU, CN=*.CLUSTER_DOMAIN
issuer=C=RU, CN=CLUSTER_DOMAIN
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1458 bytes and written 422 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
DONE

@diafour diafour merged commit a67d32c into main Aug 4, 2025
28 of 29 checks passed
@diafour diafour deleted the fix/module/global-custom-certificate-patch-secret-problem branch August 4, 2025 10:27
@diafour
Member Author

diafour commented Aug 4, 2025

/backport v0.23.1

github-actions bot pushed a commit that referenced this pull request Aug 4, 2025
…1297)

* fix(module): base64 encoding for custom certificate Secret template

---------

Signed-off-by: Ivan Mikheykin <[email protected]>
deckhouse-BOaTswain added a commit that referenced this pull request Aug 4, 2025
…template (#1308)

fix(module): base64 encoding for custom certificate Secret template (#1297)

* fix(module): base64 encoding for custom certificate Secret template

---------

Signed-off-by: Ivan Mikheykin <[email protected]>
Co-authored-by: Ivan Mikheykin <[email protected]>
@deckhouse-BOaTswain
Contributor

Cherry pick PR 1308 to the branch release-0.23 successful!
