This repository was archived by the owner on Aug 25, 2021. It is now read-only.

How can I tweak the helm chart to use the certificate generated by me using kub cert-manager #750

Closed
himmakam opened this issue Dec 19, 2020 · 7 comments
Labels
question Further information is requested waiting-on-response Waiting on the issue creator for a response before taking further action

Comments

@himmakam

Please search the existing issues for relevant questions, and use the reaction feature (https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to add upvotes to pre-existing questions.

Question

Please provide as many details as you can, including but not limited to

  • Helm command you're running
  • Any values you've configured
  • Your current understanding, and what you're trying to figure out

More details will help us answer questions more accurately and with less delay :)

@himmakam himmakam added the question Further information is requested label Dec 19, 2020
@himmakam himmakam changed the title How can I twak the helm chart to use the certificate generated by me using kub cert-manager How can I tweak the helm chart to use the certificate generated by me using kub cert-manager Dec 19, 2020
@david-yu
Contributor

Hi @himmakam thanks for filing! Could you describe how you'd like to use the certificate generated by cert-manager? There are various aspects of TLS that can be configured by the Helm chart, however configuring mTLS will require a CA so that Consul can dynamically generate certificates for services.

@david-yu david-yu added the waiting-on-response Waiting on the issue creator for a response before taking further action label Dec 21, 2020
@himmakam
Author

Thanks for your response. You mean to say we might need an intermediate CA with which we can generate the certs dynamically for the services in Consul? Are the below values in the Helm chart referring to this intermediate cert and private key correspondingly?

.Values.global.tls.caCert.secretName
.Values.global.tls.caKey.secretName

@david-yu
Contributor

Yes you would need to provide the intermediate cert config with both the caCert and caKey as Kubernetes secrets which the Helm chart can pick up to generate mTLS certs for Consul Service Mesh. Here is the TLS config stanza for our Helm Chart if that helps: https://www.consul.io/docs/k8s/helm#v-global-tls

@himmakam
Author

OK, thanks a lot. And one more question: once the Helm install succeeds using cert-manager, I am able to see the Consul UI using the command below:
kubectl port-forward service/consul-server 8501:8501 -n consul

Instead of this, can I enable ingress for the same? When I tried ingress with the same certificate, I get a 503 bad gateway error. Could you please help me resolve this?

@lkysow
Member

lkysow commented Jan 5, 2021

Hi, we don't natively support an Ingress resource for the UI (see #510). If you've created your own I'm not sure why you're getting a 503 though.

@ishustava
Contributor

@himmakam

When I tried ingress with the same certificate, I get 503 bad gateway error. Could you please help me how to resolve this.

I think this might be because you need to configure your ingress controller to create connections to backends with TLS. This typically depends on the specific ingress provider you're using, but here are the docs on how to do that for NGINX ingress.

@david-yu
Contributor

david-yu commented Feb 5, 2021

Hi @himmakam you should now be able to use our helm chart to create an Ingress resource for the UI and provide the cert generated by cert-manager via the hosts.secretname parameter as of release 0.29:

ingress:

There is also a writeup here from DO on how to leverage cert manager with NGINX ingress if you are using NGINX.
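A worked configuration that ties the two answers in this thread together, added here as an example and not code from the consul-helm project or from anyone in the issue: a cert-manager Certificate that produces an intermediate CA Secret, the chart values that point global.tls.caCert and caKey at that Secret so the chart can mint per-service mTLS certs, and a ui.ingress stanza with the NGINX annotation that makes the controller speak TLS to the UI backend on 8501. The ClusterIssuer name consul-root, the Secret names and the hostname are placeholders, and the ui.ingress keys are assumed from the 0.29 chart; check them against the values reference linked above.

```yaml
# Added example, not from the consul-helm project or this issue thread.
# Assumes cert-manager is installed and a ClusterIssuer "consul-root" exists
# (placeholder); consul-ca, consul-ui-tls and consul.example.com are placeholders.

# 1. Certificate resource: isCA: true makes cert-manager issue a CA certificate
#    and write tls.crt / tls.key into the Secret named below. Only this
#    intermediate key ever reaches the Consul servers; the root stays with the issuer.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: consul-ca
  namespace: consul
spec:
  isCA: true
  commonName: Consul Agent CA
  secretName: consul-ca
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: consul-root
    kind: ClusterIssuer
---
# 2. values.yaml for the Consul Helm chart (separate file; shown here as a
#    second YAML document). secretKey must match the key names cert-manager uses.
global:
  tls:
    enabled: true
    caCert:
      secretName: consul-ca
      secretKey: tls.crt
    caKey:
      secretName: consul-ca
      secretKey: tls.key
ui:
  ingress:
    enabled: true
    # The chart templates annotations from a string block (assumed). Consul serves
    # the UI over HTTPS on 8501; without backend-protocol HTTPS, NGINX sends
    # plain HTTP to the backend and the UI answers with a 5xx.
    annotations: |
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    hosts:
      - host: consul.example.com
        paths:
          - /
    tls:
      - hosts:
          - consul.example.com
        secretName: consul-ui-tls   # leaf cert for the hostname, also from cert-manager
```

The leaf certificate in consul-ui-tls is the one a browser validates; the CA Secret is only used by the chart to sign the service and server certificates.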

@david-yu david-yu closed this as completed Feb 5, 2021