Commit 2f521ef
fix(site-agent): use mTLS for Flow gRPC and protect temporal-certs secret
Three related issues caused the site-agent to fail connecting to Flow gRPC:
1. FLOW_GRPC_SEC_OPT was missing from the site-agent Helm chart values, so
the Flow gRPC client defaulted to FlowServerTLS (1). Flow requires mTLS
(RequireAndVerifyClientCert); the server rejected the connection with
"tls: certificate required". Fix: add FLOW_GRPC_SEC_OPT: "2" as the
chart default so FlowMutualTLS is used by default.
2. The FlowMutualTLS case in NewFlowGrpcClient used tls.Config{Certificates: ...}
to present the client cert. Go's TLS stack only selects a cert from that
field when the cert's issuer matches the server's CertificateRequest acceptable
CA list; when there is no match it silently sends no cert, and the server
again rejects with "certificate required". Fix: use GetClientCertificate
instead, which unconditionally returns the cert — the same approach used in
rest-api/flow/pkg/certs/certs.go TLSConfig().
3. temporal-certs-secret.yaml created the secret with empty placeholder values
on every helm upgrade, overwriting certs written by the bootstrap process.
On the next pod restart the site-agent found the OTP gone, re-attempted
bootstrap (which fails because the OTP was already consumed), and blocked
forever — preventing FlowGrpc().Start() from running. Fix: add
helm.sh/resource-policy: keep so upgrades never touch this secret after
initial creation.
1 parent 45cb7a1 commit 2f521ef
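Added Go example (not code from this commit or the rest-api repository) illustrating issue 2 above: why `tls.Config{Certificates: ...}` can silently send no client certificate when the server's CertificateRequest names a CA that did not issue it, while `GetClientCertificate` hands the cert over unconditionally. The function names and the self-signed cert are constructed for this example; `wouldPresentCert` mirrors crypto/tls's exported `SupportsCertificate` filtering rather than calling the unexported selection code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSignedClientCert is a constructed stand-in for the bootstrap-issued site-agent cert.
func selfSignedClientCert(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// Pattern the commit replaces: the cert is offered only if its issuer is in the server's CA list.
func certificatesOnlyConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}}
}

// Pattern the commit adopts: the callback returns the cert whatever CAs the server names.
func getClientCertificateConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
		return &cert, nil
	}}
}

// wouldPresentCert mirrors crypto/tls's client-side choice: the callback wins unconditionally;
// otherwise Certificates are filtered with SupportsCertificate and, if none passes, no cert is sent.
func wouldPresentCert(cfg *tls.Config, cri *tls.CertificateRequestInfo) bool {
	if cfg.GetClientCertificate != nil {
		c, err := cfg.GetClientCertificate(cri)
		return err == nil && c != nil && len(c.Certificate) > 0
	}
	for i := range cfg.Certificates {
		if cri.SupportsCertificate(&cfg.Certificates[i]) == nil {
			return true
		}
	}
	return false
}
```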
3 files changed
Lines changed: 19 additions & 3 deletions
File tree
- helm/rest/nico-rest-site-agent
- templates
- rest-api/site-workflow/pkg/grpc/client
Lines changed: 5 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
3 | 3 | | |
4 | | - | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
5 | 7 | | |
6 | 8 | | |
7 | 9 | | |
8 | 10 | | |
9 | 11 | | |
10 | 12 | | |
11 | 13 | | |
| 14 | + | |
| 15 | + | |
12 | 16 | | |
13 | 17 | | |
14 | 18 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
82 | 82 | | |
83 | 83 | | |
84 | 84 | | |
| 85 | + | |
| 86 | + | |
85 | 87 | | |
86 | 88 | | |
87 | 89 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
158 | 158 | | |
159 | 159 | | |
160 | 160 | | |
| 161 | + | |
| 162 | + | |
| 163 | + | |
| 164 | + | |
| 165 | + | |
| 166 | + | |
| 167 | + | |
| 168 | + | |
161 | 169 | | |
162 | | - | |
163 | | - | |
| 170 | + | |
| 171 | + | |
| 172 | + | |
| 173 | + | |
164 | 174 | | |
165 | 175 | | |
166 | 176 | | |
| |||