tls and extraTls

[cdenneen]

When adding something like a common-name to a certificate

    ingress:
      enabled: true
      className: nginx
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt
        cert-manager.io/common-name: "sealed-secrets.platform.example.com"
      tls: true
      hostname: sealed-secrets.kustomize-me.clusters.aws.platform.example.com
      extraHosts:
        - name: sealed-secrets.platform.example.com

The tls hosts in the template shouldn't be a single host from ingress.hostname but in fact a list of hosts (hostname AND common-name). Most helm templates for ingress include a range to allow for multiple host names to be provided to the dnsNames of the cert.

Using extraTls doesn't match this model because it creates a completely separate certificate.

Most helm ingress values provide list of hosts vs a single hostname so that's why it scales but in this template that isn't the case.

https://github.com/bitnami-labs/sealed-secrets/blob/main/helm/sealed-secrets/templates/ingress.yaml#L46

Most charts (except for bitnami) use this type of format to have multiple hostnames
https://github.com/dexidp/helm-charts/blob/master/charts/dex/templates/ingress.yaml#L33

However the values format should look something more like:

    ingress:
      enabled: true
      className: nginx
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt
        cert-manager.io/common-name: "sealed-secrets.platform.example.com"
      hosts:
        - host: sealed-secrets.kustomize-me.clusters.aws.platform.example.com
          paths:
            - path: /
              pathType: ImplementationSpecific
        - host: sealed-secrets.platform.example.com
          paths:
            - path: /
              pathType: ImplementationSpecific
      tls:
        - hosts:
            - sealed-secrets.kustomize-me.clusters.aws.platform.example.com
            - sealed-secrets.platform.example.com
          secretName: sealed-secrets-tls

[cdenneen]

Work around for now was to create a Certificate myself and use the following values (removed tls: true and the annotations):

    ingress:
      enabled: true
      ingressClassName: nginx
      hostname: sealed-secrets.kustomize-me.clusters.aws.platform.example.com
      extraHosts:
        - name: sealed-secrets.platform.example.com
      extraTls:
        - hosts:
            - sealed-secrets.platform.example.com
            - sealed-secrets.kustomize-me.clusters.aws.platform.example.com
          secretName: sealed-secrets-tls

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: sealed-secrets
  namespace: kube-system
spec:
  commonName: sealed-secrets.platform.example.com
  dnsNames:
    - sealed-secrets.platform.example.com
    - sealed-secrets.kustomize-me.clusters.aws.platform.example.com
  secretName: sealed-secrets-tls
  privateKey:
    rotationPolicy: Always
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt

[cdenneen]

Actually to avoid having to setup a Certificate resource directly I was able to use cert-manager annotation just had to keep tls: false and only use extraTls:

    ingress:
      enabled: true
      ingressClassName: nginx
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt
        cert-manager.io/common-name: sealed-secrets.platform.example.com
      hostname: sealed-secrets.kustomize-me.clusters.aws.platform.example.com
      extraHosts:
        - name: sealed-secrets.platform.example.com
      extraTls:
        - hosts:
            - sealed-secrets.platform.example.com
            - sealed-secrets.kustomize-me.clusters.aws.platform.example.com
          secretName: sealed-secrets-tls-secret