Certificate error due to invalid name in FluxCD HelmRelease installation #1299

Closed
heytrav opened this issue Dec 16, 2024 · 5 comments
bug Something isn't working good first issue Good for newcomers helm

heytrav commented Dec 16, 2024

Bug description

When installing capsule in FluxCD as a HelmRelease all services automatically get the HelmRelease name as a prefix. This is incompatible with the certificate generated internally.

 Warning  ReconciliationFailed     13s (x10 over 8m14s)  kustomize-controller  Namespace/ingress-nginx dry-run failed (InternalError): Internal error occurred: failed calling webhook "owner.namespace.projectcapsule.dev": failed to call webhook: Post "https://capsule-capsule-webhook-service.capsule.svc:443/namespace-owner-reference?timeout=30s": tls: failed to verify certificate: x509: certificate is valid for capsule-webhook-service.capsule.svc, not capsule-capsule-webhook-service.capsule.s

How to reproduce

I'm installing capsule as a HelmRelease with the following yaml

---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: capsule
  namespace: flux-system
spec:
  chart:
    spec:
      chart: capsule
      reconcileStrategy: ChartVersion
      sourceRef:
        kind: HelmRepository
        name: projectcapsule
      version: '>=0.7.2 < 0.8.0'
  install:
    crds: Create
    createNamespace: true
    remediation:
      retries: -1
  interval: 5m0s
  targetNamespace: capsule
  upgrade:
    crds: CreateReplace

The ingress-nginx controller, which installs a little earlier, attempts to make a webhook call to capsule and fails with the error mentioned earlier.

Expected behavior

I'm trying to find some way to add an additional name into SANS but so far have not been able to find something in the helm chart values.

Logs

If applicable, please provide logs of capsule.

In a standard stand-alone installation of Capsule,
you'd get this by running kubectl -n capsule-system logs deploy/capsule-controller-manager.

Additional context

  • Helm Chart version: 0.7.2
@heytrav heytrav added blocked-needs-validation Issue need triage and validation bug Something isn't working labels Dec 16, 2024
@prometherion prometherion added good first issue Good for newcomers helm and removed blocked-needs-validation Issue need triage and validation labels Dec 18, 2024
@prometherion

We should make this configurable, or fixed:

dnsNames:
- {{ include "capsule.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc
- {{ include "capsule.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc.cluster.local

Are you up for a contribution? New contributors are always welcomed! 🫂 🤗


heytrav commented Dec 18, 2024

Ah that's the line I was looking for. I'll see if I can do something with this in the next few days.
Thanks!


heytrav commented Dec 19, 2024

I've created #1303 but after playing around with the helm chart I don't know if it's necessary.

In my case it looks like setting

fullnameOverride: capsule-capsule
certManager:
  generateCertificates: true

solves the problem. I'll submit that PR anyway in case it might also be useful to be able to set additional SANS.

@prometherion

> I'll submit that PR anyway in case it might also be useful to be able to set additional SANS

Loving it, thanks! ❤️

@prometherion

Closed via #1303
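
The mismatch discussed in this thread, as an added example that is not part of the issue or of the Capsule chart: it derives the webhook Service DNS names a Flux HelmRelease produces and lists the ones a certificate's SANs do not cover. It assumes the chart's `capsule.fullname` helper behaves like the stock `helm create` helper; all function names are hypothetical.

```python
# Added example; names are hypothetical. Inputs come from the issue above.

def _trunc(name):
    # Helm helpers cap names at 63 chars and drop a trailing "-".
    return name[:63].removesuffix("-")

def flux_release_name(name, target_namespace=None, release_name=None):
    # Flux: spec.releaseName defaults to "[<targetNamespace>-]<name>".
    if release_name:
        return release_name
    return f"{target_namespace}-{name}" if target_namespace else name

def helm_fullname(release, chart="capsule", fullname_override=None):
    # ASSUMPTION: same logic as the stock `helm create` fullname helper.
    if fullname_override:
        return _trunc(fullname_override)
    return _trunc(release if chart in release else f"{release}-{chart}")

def webhook_dns_names(fullname, namespace):
    # Same two names as the dnsNames template quoted in the thread.
    base = f"{fullname}-webhook-service.{namespace}.svc"
    return [base, f"{base}.cluster.local"]

def san_matches(host, san):
    # Case-insensitive; "*." covers exactly one left-most label.
    host, san = host.lower(), san.lower()
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san

def missing_sans(required, cert_sans):
    # Names the API server may dial that the certificate does not cover.
    return [h for h in required if not any(san_matches(h, s) for s in cert_sans)]

def check(name, target_namespace, cert_sans, fullname_override=None):
    release = flux_release_name(name, target_namespace)
    fullname = helm_fullname(release, fullname_override=fullname_override)
    return missing_sans(webhook_dns_names(fullname, target_namespace), cert_sans)

if __name__ == "__main__":
    # SAN taken from the x509 error in the issue.
    reported = ["capsule-webhook-service.capsule.svc"]
    print("missing:", check("capsule", "capsule", reported))
    # SANs as the dnsNames template would render them for the same release.
    rendered = webhook_dns_names("capsule-capsule", "capsule")
    print("missing:", check("capsule", "capsule", rendered))
```

Run against the SAN list of the certificate actually served by the webhook, a non-empty result means the API server will reject the TLS handshake for those names.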
