
zrok helm chart : configmap "ziti-controller-ctrl-plane-cas" not found #259

Open
7Kronos opened this issue Oct 11, 2024 · 4 comments

7Kronos commented Oct 11, 2024

Hi,

Thank you for your amazing work!

I am trying to deploy a self-hosted zrok instance using the zrok helm chart alone.
I explored the repo and found that there are no templates or scripts creating this configMap. Is the zrok helm chart not self-sufficient?

@qrkourier (Member)

You're welcome! I'm glad you found it useful.

You've stumbled upon a chart dependency that's less than obvious. I'll take this issue as a prompt to make it easier to figure out from the README.

The zrok chart uses a ConfigMap you provide by name to configure itself to trust the OpenZiti controller's certificate.

If you are self-hosting the OpenZiti controller in the same cluster, you can point the zrok charts values to the ConfigMap provided by the ziti-controller chart. It contains a bundle of root CA certs.

If there's no ziti-controller release in the same cluster, you can compose a configmap that satisfies the zrok chart's requirement. Let me know if you'd prefer that approach, have a ziti-controller release with the trust bundle ConfigMap, or would prefer to bypass cert verification.

@qrkourier (Member)

e.g., if you DO have a ziti-controller release in your cluster named "myziti1" then the existing trust bundle ConfigMap is named "myziti1-ctrl-plane-cas" and is, by default, propagated to all K8S namespaces.

helm upgrade --install --set ziti.ca_cert_configmap="myziti1-ctrl-plane-cas"

If, perchance, you customized the ziti-controller value ctrlPlaneCasBundle.namespaceSelector, and the zrok chart is in a different namespace than ziti-controller, then it's also necessary to label the zrok namespace according to your custom namespace selector to trigger the trust bundle ConfigMap propagating to the zrok namespace.

7Kronos commented Oct 11, 2024

Thanks @qrkourier for your quick answer!

OK I see, I overlooked the templates. I thought the zrok helm chart was a combination of "older" charts and included a controller instance. I understand now.

I can deploy a ziti-controller in the same namespace. But out of curiosity, how could I create this configMap without the controller generating it?

Thank you for mentioning the expected names, I will take a close look once the controller is deployed.

Let me know if I can help by providing feedback or repo files used for this "minimal" deployment.

@qrkourier (Member)

If your zrok is in a different cluster than the ziti-controller then you would need to create a ConfigMap manifest. The data would have a key=value map where the key is the value of the zrok chart input value ziti.ca_cert_file. The default key is ctrl-plane-cas.crt, and its value is a PEM bundle of trusted root certs.

The easiest way would be to copy the manifest from the ziti-controller's cluster to the cluster where zrok is installed, but you can fetch the root CA bundle from any Ziti controller like this.

curl -sSk https://myziti.example.com/.well-known/est/cacerts \
| base64 -d \
| openssl pkcs7 -inform DER -outform PEM -print_certs

Example ConfigMap manifest:

apiVersion: v1
kind: ConfigMap
metadata:
  name: ziti-controller-ctrl-plane-cas
  namespace: myzrokns
data:
  ctrl-plane-cas.crt: |
    -----BEGIN CERTIFICATE-----
    MIIBkzCCATqgAwIBAgIQUmXpQT+/UvXW1rZIb1tZgjAKBggqhkjOPQQDAjAqMSgw
    JgYDVQQDEx96aXRpLWNvbnRyb2xsZXItY3RybC1wbGFuZS1yb290MB4XDTI0MTAx
    MDE3MjI0MVoXDTM0MTAxODE3MjI0MVowKjEoMCYGA1UEAxMfeml0aS1jb250cm9s
    bGVyLWN0cmwtcGxhbmUtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPx8
    S/ztKtk2KPPOZYcyUG0OTWZfsL4/UpA4D1+DMroX+7+IZMnJyQMq1fsYVc60v2GT
    s1sSOocthmjV5S7m5bOjQjBAMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD
    AQH/MB0GA1UdDgQWBBSDrzUjjQzkwGPwiWoVbVkkcPda2zAKBggqhkjOPQQDAgNH
    ADBEAiAPafMlRcjaaib0f9vwV1Kk3Y5BlohbtvszNcHtkjvTGAIgKEcZLjHAegvA
    U00YjJ1gCjcSLdhzk8lEUcMmjiQ3+E8=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIBkzCCATqgAwIBAgIQUmXpQT+/UvXW1rZIb1tZgjAKBggqhkjOPQQDAjAqMSgw
    JgYDVQQDEx96aXRpLWNvbnRyb2xsZXItY3RybC1wbGFuZS1yb290MB4XDTI0MTAx
    MDE3MjI0MVoXDTM0MTAxODE3MjI0MVowKjEoMCYGA1UEAxMfeml0aS1jb250cm9s
    bGVyLWN0cmwtcGxhbmUtcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPx8
    S/ztKtk2KPPOZYcyUG0OTWZfsL4/UpA4D1+DMroX+7+IZMnJyQMq1fsYVc60v2GT
    s1sSOocthmjV5S7m5bOjQjBAMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD
    AQH/MB0GA1UdDgQWBBSDrzUjjQzkwGPwiWoVbVkkcPda2zAKBggqhkjOPQQDAgNH
    ADBEAiAPafMlRcjaaib0f9vwV1Kk3Y5BlohbtvszNcHtkjvTGAIgKEcZLjHAegvA
    U00YjJ1gCjcSLdhzk8lEUcMmjiQ3+E8=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIBiDCCAS6gAwIBAgIQNjKZncHOdyAbG3ms/d45/DAKBggqhkjOPQQDAjAkMSIw
    IAYDVQQDExl6aXRpLWNvbnRyb2xsZXItZWRnZS1yb290MB4XDTI0MTAxMDE3MjI0
    NFoXDTM0MTAxODE3MjI0NFowJDEiMCAGA1UEAxMZeml0aS1jb250cm9sbGVyLWVk
    Z2Utcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABM2H/P3R2iy3Pl5tShNn
    1qCm13t1ZKiutHOtm8D+w9APUWEKso8PAx8rSwSqjJnVy4P0yy7sAiydut/OFXZV
    GDejQjBAMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
    BBQk4Z1HGY9rbVdnjuesR3pC2BdsuzAKBggqhkjOPQQDAgNIADBFAiEA/6b4GD/7
    ZZ96UbuaOtojpvvUS1Qn12+jimSUpTMxpI8CIA7ortUs54jQ7yIQwjW8GKf2rMtd
    pS4Da841DaCiL+Ka
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIBiDCCAS6gAwIBAgIQNjKZncHOdyAbG3ms/d45/DAKBggqhkjOPQQDAjAkMSIw
    IAYDVQQDExl6aXRpLWNvbnRyb2xsZXItZWRnZS1yb290MB4XDTI0MTAxMDE3MjI0
    NFoXDTM0MTAxODE3MjI0NFowJDEiMCAGA1UEAxMZeml0aS1jb250cm9sbGVyLWVk
    Z2Utcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABM2H/P3R2iy3Pl5tShNn
    1qCm13t1ZKiutHOtm8D+w9APUWEKso8PAx8rSwSqjJnVy4P0yy7sAiydut/OFXZV
    GDejQjBAMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
    BBQk4Z1HGY9rbVdnjuesR3pC2BdsuzAKBggqhkjOPQQDAgNIADBFAiEA/6b4GD/7
    ZZ96UbuaOtojpvvUS1Qn12+jimSUpTMxpI8CIA7ortUs54jQ7yIQwjW8GKf2rMtd
    pS4Da841DaCiL+Ka
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIBhzCCAS2gAwIBAgIRAOw396jdV5172urwG2JXKDowCgYIKoZIzj0EAwIwIzEh
    MB8GA1UEAxMYeml0aS1jb250cm9sbGVyLXdlYi1yb290MB4XDTI0MTAxMDE3MjI0
    NFoXDTM0MTAxODE3MjI0NFowIzEhMB8GA1UEAxMYeml0aS1jb250cm9sbGVyLXdl
    Yi1yb290MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElFgrKTeQ4J4dRom/DXOh
    0U5/aNBD1XXOhEgC99xjFj05k8xgua86oF7XDz1g8Jl3oU7EcnJvwNrvh7lJIggx
    0KNCMEAwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE
    FM/6PhcNpwHzlpjUmVRNE7NLMZPmMAoGCCqGSM49BAMCA0gAMEUCIDNzle8W60rm
    ibQJq4uVGGImxkAu79HisLdUbKGpWrieAiEAyPJqLzLMLKyu1JqgYOVKWkhn2Ykg
    ACyhgyfS9RoSJ6Y=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIBhzCCAS2gAwIBAgIRAOw396jdV5172urwG2JXKDowCgYIKoZIzj0EAwIwIzEh
    MB8GA1UEAxMYeml0aS1jb250cm9sbGVyLXdlYi1yb290MB4XDTI0MTAxMDE3MjI0
    NFoXDTM0MTAxODE3MjI0NFowIzEhMB8GA1UEAxMYeml0aS1jb250cm9sbGVyLXdl
    Yi1yb290MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElFgrKTeQ4J4dRom/DXOh
    0U5/aNBD1XXOhEgC99xjFj05k8xgua86oF7XDz1g8Jl3oU7EcnJvwNrvh7lJIggx
    0KNCMEAwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE
    FM/6PhcNpwHzlpjUmVRNE7NLMZPmMAoGCCqGSM49BAMCA0gAMEUCIDNzle8W60rm
    ibQJq4uVGGImxkAu79HisLdUbKGpWrieAiEAyPJqLzLMLKyu1JqgYOVKWkhn2Ykg
    ACyhgyfS9RoSJ6Y=
    -----END CERTIFICATE-----
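As an added example (not code from the zrok project or from this thread), the script below builds the ConfigMap described above from a PEM bundle: it splits the bundle into certificates, rejects blocks that are not DER, drops duplicate certificates (the bundle above lists each root twice), and writes the manifest under the key the chart reads from ziti.ca_cert_file. The sample bundle is constructed from tiny fake DER blobs, and the name/namespace values are assumed.

```python
"""Build and sanity-check the CA-bundle ConfigMap the zrok chart expects (added example)."""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_bundle(bundle: str) -> list:
    """Return the distinct certificates in a PEM bundle, re-wrapped at 64 columns.
    Duplicates (identical DER bytes) are dropped; malformed blocks raise ValueError."""
    seen, certs = set(), []
    for b64 in PEM_RE.findall(bundle):
        der = base64.b64decode("".join(b64.split()), validate=True)
        if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE
            raise ValueError("block is not a DER certificate")
        fingerprint = hashlib.sha256(der).hexdigest()
        if fingerprint in seen:
            continue
        seen.add(fingerprint)
        body = base64.encodebytes(der).decode().replace("\n", "")
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        certs.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n")
    if not certs:
        raise ValueError("no certificates found in bundle")
    return certs


def build_ca_configmap(bundle: str, name: str, namespace: str, key: str = "ctrl-plane-cas.crt") -> dict:
    """`key` must equal the chart's ziti.ca_cert_file value; `name` is what ziti.ca_cert_configmap points at."""
    return {"apiVersion": "v1", "kind": "ConfigMap",
            "metadata": {"name": name, "namespace": namespace},
            "data": {key: "".join(split_pem_bundle(bundle))}}


def render_yaml(cm: dict) -> str:
    """Render the manifest as YAML without pyyaml; the PEM goes into a literal block scalar."""
    key, pem = next(iter(cm["data"].items()))
    body = "\n".join("    " + line for line in pem.rstrip("\n").split("\n"))
    return (f"apiVersion: {cm['apiVersion']}\nkind: {cm['kind']}\nmetadata:\n"
            f"  name: {cm['metadata']['name']}\n  namespace: {cm['metadata']['namespace']}\n"
            f"data:\n  {key}: |\n{body}\n")


# Constructed sample: tiny fake DER SEQUENCEs stand in for real root certs; the first one is repeated.
_FAKE = [base64.b64encode(b"\x30\x03\x02\x01" + bytes([n])).decode() for n in (1, 1, 2)]
SAMPLE_BUNDLE = "".join(f"-----BEGIN CERTIFICATE-----\n{b}\n-----END CERTIFICATE-----\n" for b in _FAKE)

if __name__ == "__main__":
    print(render_yaml(build_ca_configmap(SAMPLE_BUNDLE, "ziti-controller-ctrl-plane-cas", "myzrokns")))
```

Feed the output of the curl/openssl pipeline above into build_ca_configmap and apply the rendered YAML with kubectl in the zrok namespace; the chart then finds the ConfigMap by the name you pass in ziti.ca_cert_configmap.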
