
TLS Secret names are hard-coded and tls.<component>.secret are unused #312

@Darkness4


Hello, I found many issues when manipulating TLS. The secret fields in

```yaml
tls:
  ## @param tls.enabled Is tls enabled ?
  enabled: false
  ## @param tls.caBundle pem format CA collection
  caBundle: true
  ## @param tls.insecureSkipVerify
  insecureSkipVerify: false
  ## @param tls.certManager [object] Use of a cluster certManager configuration
  certManager:
    ## @param tls.certManager.enabled [default: true] Use of a cluster cert manager
    enabled: true
    # -- Use existing issuer to sign certificates. Leave empty to generate a self-signed issuer
    issuerRef: {}
    # name: ""
    # kind: "ClusterIssuer"
    # -- Add annotations and/or labels to generated secret
    ## @param tls.certManager.secretTemplate [object] secret configuration
    secretTemplate:
      ## @param tls.certManager.secretTemplate.annotations [object] add annotations to generated secret
      annotations: {}
      ## @param tls.certManager.secretTemplate.labels [object] add labels to generated secret
      labels: {}
    # -- duration for Certificate resources
    ## @param tls.certManager.duration [string] validity duration of certificate (golang duration string)
    duration: 2160h # 90d
    # -- renewBefore for Certificate resources
    ## @param tls.certManager.renewBefore [string] duration before a certificate's expiry when cert-manager should start renewing it.
    renewBefore: 720h # 30d
  bouncer:
    ## @param tls.bouncer.secret [string] Name of the Kubernetes Secret containing TLS materials for the bouncer
    secret: "{{ .Release.Name }}-bouncer-tls"
    reflector:
      ## @param tls.bouncer.reflector.namespaces [array] List of namespaces from which the bouncer will watch and sync Secrets/ConfigMaps.
      namespaces: []
  agent:
    ## @param tls.agent.tlsClientAuth [default: true] Enables mutual TLS authentication for the agent when connecting to LAPI.
    tlsClientAuth: true
    ## @param tls.agent.secret [string] Name of the Secret holding the agent's TLS certificate and key.
    secret: "{{ .Release.Name }}-agent-tls"
    reflector:
      ## @param tls.agent.reflector.namespaces [array] Namespaces where the agent's TLS Secret can be reflected/synced.
      namespaces: []
  appsec:
    ## @param tls.appsec.tlsClientAuth [default: true] Enables mutual TLS authentication for the AppSec component when connecting to LAPI.
    tlsClientAuth: true
    ## @param tls.appsec.secret [string] Name of the Secret holding the AppSec component's TLS certificate and key.
    secret: "{{ .Release.Name }}-agent-tls"
    reflector:
      ## @param tls.appsec.reflector.namespaces [array] Namespaces where the AppSec TLS Secret can be reflected/synced.
      namespaces: []
  lapi:
    ## @param tls.lapi.secret [string] Name of the Secret holding the LAPI's TLS certificate and key.
    secret: "{{ .Release.Name }}-lapi-tls"
    reflector:
      ## @param tls.lapi.reflector.namespaces [array] Namespaces where the LAPI TLS Secret can be reflected/synced.
      namespaces: []
# If you want to specify secrets that will be used for all your crowdsec-agents
```

are unused.

The secret names are also hardcoded:

It should be {{ tpl .Values.tls.<component>.secret $ }} in the secretName.

Additionally, when enabling TLS and disabling the agent, the LAPI is still looking for an agent certificate. It should be wrapped in a {{ if .Values.agent.enabled }} block:

```yaml
{{- if .Values.agent.enabled }}
- name: crowdsec-agent-tls
  secret:
    secretName: {{ .Release.Name }}-agent-tls
{{- end }}
```

NB: I'm also using AppSec; I would probably like to also be able to select the AppSec client TLS certificate to be mounted on the LAPI instead of the agent TLS certificate, which doesn't exist.

I also found this other issue about the different allowed OUs, which was already reported in #239.
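As an added example (not the chart's own template, and not part of the original issue), this is what a volumes block on the LAPI pod could look like once both points above are applied: the secret names come from `tls.<component>.secret` through `tpl`, so a `{{ .Release.Name }}` default still expands and a user-supplied plain secret name is used verbatim, and each client-certificate mount is emitted only when its component is enabled. The volume names, the `tls.enabled`/`agent.enabled`/`appsec.enabled` keys and the `quote` pipe are assumptions based on the values excerpt above, not verified against the chart's templates.

```yaml
# Added example: LAPI pod volumes that honour tls.<component>.secret.
# Assumptions: value keys follow the values.yaml excerpt in this issue, and
# agent.enabled / appsec.enabled gate the optional client-cert mounts.
{{- if .Values.tls.enabled }}
volumes:
  # tpl renders the value as a template against the root context ($), so the
  # default "{{ .Release.Name }}-lapi-tls" becomes e.g. "crowdsec-lapi-tls",
  # while an existing secret name set by the user is passed through unchanged.
  - name: crowdsec-lapi-tls
    secret:
      secretName: {{ tpl .Values.tls.lapi.secret $ | quote }}
  {{- if .Values.agent.enabled }}
  - name: crowdsec-agent-tls
    secret:
      secretName: {{ tpl .Values.tls.agent.secret $ | quote }}
  {{- end }}
  {{- if .Values.appsec.enabled }}
  - name: crowdsec-appsec-tls
    secret:
      secretName: {{ tpl .Values.tls.appsec.secret $ | quote }}
  {{- end }}
{{- end }}
```

Without `tpl`, referencing `.Values.tls.lapi.secret` directly would put the literal string `{{ .Release.Name }}-lapi-tls` into the manifest, and hard-coding `{{ .Release.Name }}-lapi-tls` silently ignores whatever the user set. A quick check after any change of this kind is to render the chart with `helm template` once with defaults and once with `--set tls.lapi.secret=my-existing-secret` (and with `agent.enabled=false`) and confirm that every `secretName` in the output is the intended one and that no volume for a disabled component is emitted, since a Pod that references a non-existent Secret will not start.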
