Skip to content

fix(helm): honor empty clientCaSecretName for HTTPS-only mode#2235

Open
lunarwhite wants to merge 2 commits into
NVIDIA:mainfrom
lunarwhite:honor-client-ca
Open

fix(helm): honor empty clientCaSecretName for HTTPS-only mode#2235
lunarwhite wants to merge 2 commits into
NVIDIA:mainfrom
lunarwhite:honor-client-ca

Conversation

@lunarwhite

Copy link
Copy Markdown
Contributor

Summary

Fix a Helm chart bug where server.tls.clientCaSecretName="" was documented as HTTPS-only mode but the chart still rendered client_ca_path in gateway.toml and mounted the tls-client-ca volume when built-in PKI or cert-manager shared-CA paths were active. The gateway then required client certificates, causing browser ERR_BAD_SSL_CLIENT_AUTH_CERT failures on direct TLS + OIDC setups.

Introduce a shared openshell.gatewayClientCaEnabled predicate so an explicit empty value disables client-CA wiring in both the ConfigMap and the gateway workload, overriding built-in PKI and cert-manager defaults.

Related Issue

Fixes #2095

Changes

  • Add openshell.gatewayClientCaEnabled helper; use it in gateway-config.yaml and _gateway-workload.tpl for TOML, volume, and volumeMount
  • Treat server.tls.clientCaSecretName="" as an explicit HTTPS-only opt-out before PKI/cert-manager fallbacks
  • Fail fast when server.tls.clientCaSecretName is set to null (chart expects "" or omit the key)
  • Add Helm regression tests for TOML omission (built-in PKI, cert-manager shared CA, cert-manager without shared CA) and StatefulSet volume omission
  • Document HTTPS-only + OIDC configuration in docs/kubernetes/access-control.mdx and docs/reference/gateway-config.mdx

Testing

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated (if applicable)
  • Manual kind cluster verification with --set server.tls.clientCaSecretName="": no client_ca_path in ConfigMap, no tls-client-ca volume, gateway logs omit "TLS client certificate verification enabled"; upgrade path verified

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)

@copy-pr-bot

copy-pr-bot Bot commented Jul 13, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

Comment thread docs/reference/gateway-config.mdx Outdated

# Gateway listener TLS (distinct from the per-driver guest_tls_*).
# client_ca_path is optional; omit it for HTTPS-only listeners that do not
# verify client certificates. The Helm chart omits this field when

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't need to reference the helm chart here.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed. Thanks for your review!

Signed-off-by: Yuedong Wu <dwcn22@outlook.com>

@TaylorMutch TaylorMutch left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good overall. Helm unit tests (69/69), lint, and an HTTPS-only render all pass.

One follow-up: please update .agents/skills/debug-openshell-cluster/SKILL.md to note that clientCaSecretName: "" intentionally omits the client-CA config and volume, with authentication provided by OIDC or a trusted proxy. Repository instructions require this skill update for gateway deployment changes.

…ll-cluster

Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
@lunarwhite

Copy link
Copy Markdown
Contributor Author

One follow-up: please update .agents/skills/debug-openshell-cluster/SKILL.md to note that clientCaSecretName: "" intentionally omits the client-CA config and volume, with authentication provided by OIDC or a trusted proxy. Repository instructions require this skill update for gateway deployment changes.

Great suggestion. Added into a separate commit for easy review: 47199bd

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

bug(helm): clientCaSecretName="" does not remove client_ca_path from gateway config

2 participants