fix(helm): honor empty clientCaSecretName for HTTPS-only mode#2235
fix(helm): honor empty clientCaSecretName for HTTPS-only mode#2235lunarwhite wants to merge 2 commits into
Conversation
|
|
||
| # Gateway listener TLS (distinct from the per-driver guest_tls_*). | ||
| # client_ca_path is optional; omit it for HTTPS-only listeners that do not | ||
| # verify client certificates. The Helm chart omits this field when |
There was a problem hiding this comment.
We don't need to reference the helm chart here.
There was a problem hiding this comment.
Removed. Thanks for your review!
Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
320bc9c to
8fcc2f5
Compare
TaylorMutch
left a comment
There was a problem hiding this comment.
Looks good overall. Helm unit tests (69/69), lint, and an HTTPS-only render all pass.
One follow-up: please update .agents/skills/debug-openshell-cluster/SKILL.md to note that clientCaSecretName: "" intentionally omits the client-CA config and volume, with authentication provided by OIDC or a trusted proxy. Repository instructions require this skill update for gateway deployment changes.
…ll-cluster Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
Great suggestion. Added into a separate commit for easy review: 47199bd |
Summary
Fix a Helm chart bug where
server.tls.clientCaSecretName=""was documented as HTTPS-only mode but the chart still renderedclient_ca_pathingateway.tomland mounted thetls-client-cavolume when built-in PKI or cert-manager shared-CA paths were active. The gateway then required client certificates, causing browserERR_BAD_SSL_CLIENT_AUTH_CERTfailures on direct TLS + OIDC setups.Introduce a shared
openshell.gatewayClientCaEnabledpredicate so an explicit empty value disables client-CA wiring in both the ConfigMap and the gateway workload, overriding built-in PKI and cert-manager defaults.Related Issue
Fixes #2095
Changes
openshell.gatewayClientCaEnabledhelper; use it ingateway-config.yamland_gateway-workload.tplfor TOML, volume, and volumeMountserver.tls.clientCaSecretName=""as an explicit HTTPS-only opt-out before PKI/cert-manager fallbacksserver.tls.clientCaSecretNameis set tonull(chart expects""or omit the key)docs/kubernetes/access-control.mdxanddocs/reference/gateway-config.mdxTesting
mise run pre-commitpasses--set server.tls.clientCaSecretName="": noclient_ca_pathin ConfigMap, notls-client-cavolume, gateway logs omit "TLS client certificate verification enabled"; upgrade path verifiedChecklist