
TLS Secret names are hard coded and `tls.<component>.secret` are unused

Open Darkness4 opened this issue 2 months ago • 3 comments

Hello, I found many issues when manipulating TLS. The secret fields in

https://github.com/crowdsecurity/helm-charts/blob/46af5f33198f971a843d0052761b99b6b688d234/charts/crowdsec/values.yaml#L157-L213

are unused.

The secret names are also hardcoded:

  • https://github.com/crowdsecurity/helm-charts/blob/46af5f33198f971a843d0052761b99b6b688d234/charts/crowdsec/templates/tls/agent-certificate.yaml#L9-L10
  • https://github.com/crowdsecurity/helm-charts/blob/46af5f33198f971a843d0052761b99b6b688d234/charts/crowdsec/templates/tls/appsec-certificate.yaml#L47-L48
  • https://github.com/crowdsecurity/helm-charts/blob/46af5f33198f971a843d0052761b99b6b688d234/charts/crowdsec/templates/tls/bouncer-certificate.yaml#L9-L10
  • https://github.com/crowdsecurity/helm-charts/blob/46af5f33198f971a843d0052761b99b6b688d234/charts/crowdsec/templates/tls/lapi-certificate.yaml#L12-L13
  • https://github.com/crowdsecurity/helm-charts/blob/46af5f33198f971a843d0052761b99b6b688d234/charts/crowdsec/templates/lapi-deployment.yaml#L304-L311

It should be `{{ tpl .Values.tls.<component>.secret $ }}` in the `secretName`.

Additionally, when enabling tls and disabling agent, the lapi is still looking for an agent certificate. It should be wrapped between `{{ if .Values.agent.enabled }}`:

https://github.com/crowdsecurity/helm-charts/blob/46af5f33198f971a843d0052761b99b6b688d234/charts/crowdsec/templates/lapi-deployment.yaml#L308-L311

NB: I'm also using Appsec, I would probably like to also select the Appsec client tls certificate to be mounted on lapi instead of the agent tls certificate which doesn't exist.

I found this other issue about the different allowed OU, which was already reported: #239

Darkness4 avatar Nov 05 '25 17:11 Darkness4
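
An added example, not part of the original issue or the chart's own code: a small check over rendered manifests that flags both problems reported above, a workload mounting a TLS secret that no `Certificate` issues and a configured `tls.<component>.secret` name that never reaches the render. The manifest text and secret names are constructed, and it assumes the TLS templates render `Certificate` objects whose `secretName` names the issued secret.

```python
import re

# Constructed, trimmed sample of `helm template` output (not the chart's real render):
# TLS on, agent disabled, tls.lapi.secret set to "my-lapi-tls" in values (assumed).
RENDERED = """\
---
kind: Certificate
spec:
  secretName: example-lapi-tls
---
kind: Deployment
metadata:
  name: example-lapi
spec:
  template:
    spec:
      volumes:
        - name: lapi-tls
          secret:
            secretName: example-lapi-tls
        - name: agent-tls
          secret:
            secretName: example-agent-tls
"""

SECRET_RE = re.compile(r"^\s*secretName:\s*[\"']?([^\s\"']+)", re.M)
KIND_RE = re.compile(r"^kind:\s*(\S+)", re.M)  # top-level kind only, not issuerRef.kind
WORKLOADS = {"Deployment", "DaemonSet", "StatefulSet"}

def audit(rendered, configured):
    """Return findings for dangling mounts and ignored tls.<component>.secret values."""
    issued, mounted = set(), set()
    for doc in re.split(r"^---\s*$", rendered, flags=re.M):
        kind = KIND_RE.search(doc)
        if not kind:
            continue
        names = set(SECRET_RE.findall(doc))
        if kind.group(1) == "Certificate":
            issued |= names      # secrets a Certificate will create
        elif kind.group(1) in WORKLOADS:
            mounted |= names     # secrets a pod spec expects to exist
    findings = [f"dangling mount: {n}" for n in sorted(mounted - issued)]
    findings += [f"tls.{c}.secret ignored: {n}" for c, n in sorted(configured.items())
                 if n not in issued]
    return findings

if __name__ == "__main__":
    for line in audit(RENDERED, {"lapi": "my-lapi-tls"}):
        print(line)
```

A pod that mounts a secret which is never created stays in `ContainerCreating`, so a check like this in CI surfaces the problem before deployment.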

@Darkness4: Thanks for opening an issue, it is currently awaiting triage.

If you haven't already, please provide the following information:

  • kind : bug, enhancement or documentation
  • area : agent, appsec, configuration, cscli, local-api

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the forked project rr404/oss-governance-bot repository.

github-actions[bot] avatar Nov 05 '25 17:11 github-actions[bot]

@Darkness4: There is no 'kind' label on this issue. You need a 'kind' label to start the triage process.

  • /kind bug
  • /kind documentation
  • /kind enhancement

github-actions[bot] avatar Nov 05 '25 17:11 github-actions[bot]

/kind bug

Darkness4 avatar Nov 05 '25 17:11 Darkness4