Modify the shield helm chart to work with cert-manager
The certificates in the shield helm charts do not play nicely with argocd. Since argocd will essentially call "helm template" to acquire the chart's yaml, the "lookup" function will never work, and the certificate generation will create a different certificate each time.
It's possible to tell ArgoCD to ignore this ever-changing certificate, but this also means that the certificate will never be rotated.
The most graceful solution to this is to integrate with the widely-used cert-manager project. See https://github.com/cert-manager/cert-manager
The idea is that you can create a certificate chain using cert-manager, and then refer to those certificates in the helm chart instead of asking the helm chart to generate them.
For our purposes there are two interesting cert-manager resources. The "Issuer" is a resource that is used to sign a certificate. A "Certificate" is actually a request to create an x509 certificate. It emits a k8s Secret containing the actual TLS certificate details.
See:
- https://cert-manager.io/docs/concepts/issuer/
- https://cert-manager.io/docs/usage/certificate/
Imagine that the customer has the following setup:
- A) a "self-signed" root Issuer
- B) a "CA" Certificate representing the root (using A above). It will be long-lived, like all root CAs are.
- C) a "root cert" Secret containing the actual x509 root CA cert (created by cert-manager as a result of B)
- D) a "CA" Issuer that uses the Secret from C above
At this point there is a long-lived root x509 certificate as well as an Issuer that will create certificates signed by that root.
At this point, the shield helm chart can include a Certificate resource that refers to the Issuer from step D above. This will generate a Secret with the actual x509 cert. This secret can be used by the shield Deployment for the TLS webhook port.
Additionally, the validating webhook can refer to the CA Certificate resource from step B above. It uses an annotation that tells cert-manager to edit the webhook and insert the appropriate caBundle information.
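The chain described above (steps A through D, the chart's leaf Certificate, and the CA-injected webhook), written out as cert-manager manifests. This is an added illustration, not code from the PR or from the shield chart; the namespace `shield`, all resource names, the webhook Service name and path, and the webhook rules are assumptions chosen for the example.

```yaml
# Added example (not part of the PR or the shield chart): the cert-manager chain
# described in the PR text. Namespace, names, webhook Service and rules are
# assumptions chosen for illustration.
---
# A) self-signed root Issuer: only ever signs the root CA Certificate below
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: shield-selfsigned
  namespace: shield            # assumed namespace
spec:
  selfSigned: {}
---
# B) long-lived CA Certificate signed by A; cert-manager writes the result to C
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: shield-root-ca
  namespace: shield
spec:
  isCA: true
  commonName: shield-root-ca
  secretName: shield-root-ca   # C) the Secret holding the x509 root CA
  duration: 87600h             # 10 years; roots are long-lived
  renewBefore: 8760h
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: shield-selfsigned
    kind: Issuer
    group: cert-manager.io
---
# D) CA Issuer that signs leaf certificates with the key stored in Secret C
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: shield-ca
  namespace: shield
spec:
  ca:
    secretName: shield-root-ca
---
# Leaf Certificate the chart would ship: serving cert for the webhook port.
# The Secret it emits is mounted by the shield Deployment. It is short-lived and
# rotated by cert-manager, which is what ignoring a templated cert in argocd loses.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: shield-webhook-tls
  namespace: shield
spec:
  secretName: shield-webhook-tls
  duration: 2160h              # 90 days
  renewBefore: 360h            # renew 15 days before expiry
  usages:
    - server auth
  dnsNames:
    # assumed Service name; must match the name the API server dials
    - shield-webhook.shield.svc
    - shield-webhook.shield.svc.cluster.local
  issuerRef:
    name: shield-ca
    kind: Issuer
    group: cert-manager.io
---
# Webhook: the annotation makes cert-manager's CA injector fill caBundle from the
# CA Certificate in B (<namespace>/<certificate name>), so no certificate bytes
# are templated into the chart and argocd sees a stable manifest.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: shield-validating-webhook
  annotations:
    cert-manager.io/inject-ca-from: shield/shield-root-ca
webhooks:
  - name: validate.shield.example.com   # placeholder webhook name
    admissionReviewVersions: ["v1"]
    sideEffects: None
    clientConfig:
      service:
        name: shield-webhook             # assumed Service
        namespace: shield
        path: /validate                  # assumed path
        port: 443
    rules:                               # placeholder rules
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
```

Only the last two resources would live in the chart; A through D are the customer-side prerequisites from the description, so the chart needs the Issuer name (here `shield-ca`) and the CA Certificate reference (here `shield/shield-root-ca`) as values. To check the chain, `kubectl get certificate -n shield` should show both Certificates as READY, and `kubectl get validatingwebhookconfiguration shield-validating-webhook -o yaml` should show a populated `caBundle` even though none is present in the rendered template.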
Hi @yoderme. Thanks for your PR.
After inspecting your changes someone with write access to this repo needs to approve and run the workflow.
This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days
This PR has been closed due to inactivity.
Handled in this PR https://github.com/sysdiglabs/charts/pull/2411 thanks @yoderme for your contribution! 🙌