Hi Openziti crew,
I hope to find you well!
I have been working on my Helm deployment for a while now. I've gotten it working where I can tunnel to services running on my k8s cluster using my private altIssuers (with your help from this ticket OpenZiti Helm Chart - Using Enterprise PKI Instead of Self-Signed CA - #21 by Tetrusp)
I am onto a new issue, and I am curious what you guys think / if there is a solution.
In short, I would like to use Let's Encrypt certs on AltIngress objects so I don't expose my private PKI to the internet. Is that possible?
I originally wanted to try and see if I can have openziti sit behind a traditional VPN of sorts so that I wouldn't need to worry about that, but I haven't been able to get that to work due to client-side routing probably getting messed up with 2 tunnels running on the same Windows machine trying to send the user to the same endpoint. There is probably some routing magic I could try, but for now I am deciding I'll test with Openziti having a public controller and router.
Here comes my issue: I can't seem to get my Let's Encrypt certs to attach to the AltIngress hosts specified in my helm charts.
I know my cert-manager ClusterIssuer using LE works, as I see the certificate set as Ready. I also confirmed the tls.crt and tls.key are mounted on the controller pod (I popped a shell to confirm). But when I navigate to my altingress hostname, I see my private PKI cert, not the LE cert.
I've tried many different iterations of my helm chart without success (disabling altingress, disabling altissuer, manually setting different hostnames, etc.). I am assuming I am doing something wrong, so here are my helm bits.
(I've tried playing around with the tls portion where there is a comment about AltServerCerts, but anytime I put stuff in there the controller pod would not deploy; enabling alt ingress on the mgt api would also cause the controller pod to not deploy.)
```yaml
clientApi:
  containerPort: 1280
  advertisedHost: "ziti-controller.<redacted>"
  advertisedPort: 443
  service:
    enabled: true
    type: ClusterIP
  ingress:
    enabled: true
    ingressClassName: "nginx"
    annotations:
      kubernetes.io/ingress.allow-http: "false"
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  altIngress:
    enabled: true
    advertisedHost: "ziti-controller-alt.<redacted>"
    ingressClassName: "nginx"
    annotations:
      kubernetes.io/ingress.allow-http: "false"
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    # certificate to project into the container in webBindingPki.altServerCerts
    tls: {}
    dnsNames: ["ziti-controller-alt.<redacted>"]
managementApi:
  containerPort: 1281
  advertisedHost: "ziti-controller-mgt.<redacted>"
  advertisedPort: "{{ .Values.clientApi.advertisedPort }}"
  service:
    enabled: true
    type: ClusterIP
  ingress:
    enabled: true
    ingressClassName: "nginx"
    annotations:
      kubernetes.io/ingress.allow-http: "false"
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  altIngress:
    enabled: false
ctrlPlane:
  service:
    enabled: true
    type: ClusterIP
  ingress:
    enabled: false
  alternativeIssuer:
    kind: ClusterIssuer
    name: <redacted>
edgeSignerPki:
  enabled: true
  alternativeIssuer:
    kind: ClusterIssuer
    name: <redacted>
webBindingPki:
  enabled: true
  altServerCerts:
    - mode: certManager
      secretName: ziti-controller-alt-server-cert
      dnsNames:
        - "{{ .Values.clientApi.altIngress.advertisedHost }}"
      issuerRef:
        group: cert-manager.io
        kind: ClusterIssuer
        name: <Lets Encrypt Issuer>
      mountPath: /etc/ziti/alt-server-cert
  alternativeIssuer:
    kind: ClusterIssuer
    name: <redacted>
```
Here is my certs output:
```
NAME READY SECRET AGE
openziti-dev-controller-alt-cert-0 True ziti-controller-alt-server-cert 3m34s
openziti-dev-controller-ctrl-plane-client-identity True openziti-dev-controller-ctrl-plane-client-identity-secret 3m34s
openziti-dev-controller-ctrl-plane-identity True openziti-dev-controller-ctrl-plane-identity-secret 3m34s
openziti-dev-controller-ctrl-plane-intermediate-cert True openziti-dev-controller-ctrl-plane-intermediate-secret 3m34s
openziti-dev-controller-edge-signer-cert True openziti-dev-controller-edge-signer-secret 3m33s
openziti-dev-controller-web-client-identity True openziti-dev-controller-web-client-identity-secret 3m33s
openziti-dev-controller-web-identity-cert True openziti-dev-controller-web-identity-secret 3m33s
openziti-dev-controller-web-intermediate-cert True openziti-dev-controller-web-intermediate-secret 3m33s
trust-manager True trust-manager-tls 3m33s
```
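As an added diagnostic (not from the original post or the OpenZiti chart), the script below compares the certificate actually served for the altIngress hostname with the tls.crt that cert-manager stored in the Secret named in the values above, so the "I see my private PKI cert" symptom can be pinned to the SNI name being served. It assumes openssl and kubectl are on PATH, that kubectl points at the cluster, and that the caller supplies the namespace.

```bash
#!/usr/bin/env bash
# Added diagnostic, not part of the original post or of the OpenZiti chart.
# With ssl-passthrough the ingress forwards TLS unchanged, so the controller
# selects the server certificate itself from the SNI name the client sends.
# Assumes openssl and kubectl are on PATH and kubectl points at the cluster.
set -eu

# SHA-256 fingerprint of the first PEM certificate on stdin.
pem_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# DNS SANs of the first PEM certificate on stdin, one per line.
pem_dns_sans() {
  openssl x509 -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS://p'
}

# 0 when both fingerprints are non-empty and identical, 1 otherwise.
same_cert() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Leaf certificate HOST:PORT presents when the client sends SNI name SNI.
served_cert() { # host port sni
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
    | openssl x509
}

# tls.crt from a cert-manager Secret (stored base64-encoded in .data).
secret_cert() { # namespace secret
  kubectl -n "$1" get secret "$2" -o jsonpath='{.data.tls\.crt}' | base64 -d
}

# Compare what the alt ingress hostname serves with what cert-manager issued.
check_alt_ingress() { # host namespace secret
  local served stored
  served=$(served_cert "$1" 443 "$1" | pem_fingerprint)
  stored=$(secret_cert "$2" "$3" | pem_fingerprint)
  if same_cert "$served" "$stored"; then
    echo "OK: $1 serves the certificate stored in secret $3"
  else
    echo "MISMATCH: $1 serves $served; secret $3 holds $stored" >&2
    echo "SANs on the served certificate:"; served_cert "$1" 443 "$1" | pem_dns_sans
    return 1
  fi
}
```

Run it as `check_alt_ingress ziti-controller-alt.<redacted> <namespace> ziti-controller-alt-server-cert`; a MISMATCH whose served side is the private PKI fingerprint confirms the controller is not presenting the alternative server certificate for that SNI name, which is the place to start looking rather than at the cert-manager side.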