Skip to content

bug(helm): clientCaSecretName="" does not remove client_ca_path from gateway config #2095

Description

@akram

Agent Diagnostic

  • Explored deploy/helm/openshell/templates/gateway-config.yaml — the client_ca_path line is rendered unconditionally, regardless of server.tls.clientCaSecretName.
  • Explored deploy/helm/openshell/templates/_gateway-workload.tpl — the tls-client-ca volume mount is also unconditional. When clientCaSecretName is empty, it falls back to openshell-server-tls via clientCaFromServerTlsSecret: true.
  • Explored deploy/helm/openshell/values.yaml:229-231 — the comment says "Set to empty string to disable mTLS and run HTTPS-only", but the template does not condition on this value.
  • Verified by deploying with --set server.tls.clientCaSecretName="": gateway logs still show TLS client certificate verification enabled. Browsers get ERR_BAD_SSL_CLIENT_AUTH_CERT when connecting through a passthrough route.
  • Workaround: manually patch the ConfigMap to remove client_ca_path after each Helm install/upgrade.

Description

Setting server.tls.clientCaSecretName="" in the Helm values is documented as the way to disable mTLS and run HTTPS-only (for OIDC auth). However, the gateway config template still renders client_ca_path in the TOML, and the StatefulSet still mounts the tls-client-ca volume. The gateway starts with TLS client certificate verification enabled regardless.

Reproduction Steps

  1. Install the chart with mTLS disabled:
    helm install openshell oci://ghcr.io/nvidia/openshell/helm-chart \
      --version 0.0.70 -n openshell \
      --set server.tls.clientCaSecretName=""
  2. Check the rendered TOML:
    oc get configmap openshell-config -n openshell \
      -o jsonpath='{.data.gateway\.toml}' | grep client_ca_path
  3. Check gateway logs:
    oc logs statefulset/openshell -n openshell | grep -i "client cert"

Expected: No client_ca_path in the TOML, gateway logs show HTTPS-only without client cert verification.

Actual: client_ca_path = "/etc/openshell-tls/client-ca/ca.crt" is present. Gateway logs: TLS client certificate verification enabled.

Environment

  • OS: macOS 15.x (Apple Silicon)
  • OpenShift: ROSA HCP 4.21 (Kubernetes 1.34.2)
  • OpenShell: v0.0.70 chart

Logs

INFO openshell_server::cli: TLS enabled — listening on encrypted HTTPS
INFO openshell_server::cli: TLS client certificate verification enabled

After manual ConfigMap patch (removing client_ca_path):

INFO openshell_server::cli: TLS enabled — listening on encrypted HTTPS
# no "client certificate verification" line

Workaround

Manually patch the ConfigMap after each helm install/upgrade:

oc get configmap openshell-config -n openshell -o json | \
  python3 -c "
import json, sys
cm = json.load(sys.stdin)
toml = cm['data']['gateway.toml']
toml = toml.replace('client_ca_path        = \"/etc/openshell-tls/client-ca/ca.crt\"\n', '')
cm['data']['gateway.toml'] = toml
json.dump(cm, sys.stdout)
" | oc replace -f -
oc rollout restart statefulset openshell -n openshell

  • I pointed my agent at the repo and had it investigate this issue
  • I loaded relevant skills (e.g., debug-openshell-cluster, debug-inference, openshell-cli)
  • My agent could not resolve this — the diagnostic above explains why

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:clusterRelated to running OpenShell on k3s/dockerarea:gatewayGateway server and control-plane work

    Type

    Fields

    No fields configured for Bug.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions