
@chrisseto

Prior to this commit the chart had a variety of bugs around mTLS. The majority of them were incorrect path construction and handling of .clientSecretRef. The primary issue, though, is that the chart incorrectly mints a single client certificate regardless of how many trust chains are in use.

This commit moves all name and path references into helper methods onto the TLSCert itself and generates client certs per unique trust chain with client auth enabled.

K8S-719

@chrisseto

Lesson learned: PRs need to be rebased before deleting the branch they're targeting. #1100

@chrisseto chrisseto force-pushed the chris/p/redpanda-mtls-fix branch from 2def69f to cde7c52 Compare September 24, 2025 19:01
return err

case <-ctx.Done():
_ = cmd.Process.Signal(os.Interrupt)
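
Review bot: `cmd.Process.Signal(os.Interrupt)` in the `case <-ctx.Done():` branch dereferences `cmd.Process` with no nil check, and `Process` is only populated once the command has been started, so a context cancelled before that point panics here. Guard the call with `if cmd.Process != nil`, or set `cmd.Cancel` and `cmd.WaitDelay` and let os/exec deliver the interrupt. The `_ =` also drops a failed signal silently; log the error so a child that was never interrupted is visible.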

Found an edge case in CI and locally that's pretty hard to reproduce. It's possible for Process to be nil here. It's unlikely to recur but I went ahead and fixed it by using Cancel and WaitDelay instead.

It seems the only way this can be triggered is if ctx is cancelled ahead of cmd.Run actually executing. Using .Cancel performs the appropriate checks and would otherwise require reimplementing parts of .Run.

@chrisseto chrisseto merged commit 6c63e57 into main Sep 25, 2025
10 checks passed
@chrisseto chrisseto deleted the chris/p/redpanda-mtls-fix branch September 25, 2025 13:31
@github-actions

💚 All backports created successfully

Status Branch Result
release/v2.4.x
release/v25.1.x

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation and see the Github Action logs for details
