Avoid x509: certificate signed by unknown authority when providing the HEC certificate chain via user's secret. #793
Unanswered
felicemcc asked this question in Show and tell
Replies: 1 comment
-
I agree this should be at least added to the docs, I was pulling my hair on this earlier.
-
Hello there, I was including this chart on a project and, according to the instructions, I just needed to provide the appropriate fields via a custom secret.
For the token it was not a problem, as the verification hook passed if it was set; then its value is used as an env variable.
However, the idea is not to provide the token nor the HEC certificate chain, but the latter is mounted as a volume only if either splunkPlatform.clientCert, splunkPlatform.clientKey or splunkPlatform.caFile have a value. This becomes evident only when inspecting the chart's code (search for: {{- if or .Values.splunkPlatform.clientCert .Values.splunkPlatform.clientKey .Values.splunkPlatform.caFile }}).
So, I would like to propose a small change in the documentation to avoid skipping the setup of the mentioned splunkPlatform values (when needed) and perhaps avoid confronting an x509: certificate signed by unknown authority error that would make you think the chain is not correctly provided via the user's secret.
Here is my change proposal for the docs/advanced-configuration.md file. It might be great to get some feedback before submitting a PR.
Notice this is the simple workaround I found, but we could go further and modify the conditions for the volume mounting in order to check the secret values as well, or instead of the .Values.splunkPlatform.xxx; in any case, if provided, the chain will always be a secret. Open for discussion here.
Cheers
Felice
Provide tokens as a secret
Instead of having the tokens as clear text in the values, those can be provided via a secret that is created before deploying the chart. See secret-splunk.yaml for the required fields.
Besides the splunk_platform_hec_token field, if you need to provide the splunk_platform_hec_client_cert, splunk_platform_hec_client_key or splunk_platform_hec_ca_file fields within your-secret, you will also have to provide a string (any string will do) for the following keys upon the chart's installation/upgrade:
Otherwise, the corresponding volume containing your-secret keys/values will not be mounted; as a result, the HEC certificate chain will not be available, risking encountering an x509: certificate signed by unknown authority error.
See: Config Template (splunk_hec/platform_logs.tls section)
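A pre-deployment check for the mismatch described in the post above, added here as an example; it is not part of the original post or of the chart. It assumes the release values and the Secret manifest are available as JSON (for instance exported with `helm get values -o json` and `kubectl get secret -o json`); the function names and sample data are constructed for illustration.

```python
import base64
import json

# Secret keys and chart values named in the post above.
SECRET_TLS_KEYS = ("splunk_platform_hec_client_cert",
                   "splunk_platform_hec_client_key",
                   "splunk_platform_hec_ca_file")
VALUE_TLS_KEYS = ("clientCert", "clientKey", "caFile")


def volume_would_mount(values):
    """Mirror the template's `if or ...`: any non-empty value mounts the volume."""
    platform = values.get("splunkPlatform") or {}
    return any(platform.get(key) for key in VALUE_TLS_KEYS)


def tls_keys_in_secret(secret):
    """TLS keys of a Secret manifest whose base64-decoded value is non-empty."""
    data = secret.get("data") or {}
    return [k for k in SECRET_TLS_KEYS
            if data.get(k) and base64.b64decode(data[k]).strip()]


def preflight(values_json, secret_json):
    """Return findings; an empty list means the secret's TLS files get mounted."""
    values, secret = json.loads(values_json), json.loads(secret_json)
    if volume_would_mount(values):
        return []
    return [f"{key} is set in the secret but no splunkPlatform TLS value is set, "
            "so the secret volume will not be mounted"
            for key in tls_keys_in_secret(secret)]


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample inputs (not real credentials or certificates).
SAMPLE_SECRET = json.dumps({"data": {
    "splunk_platform_hec_token": _b64("constructed-token"),
    "splunk_platform_hec_ca_file": _b64("constructed PEM placeholder")}})
TOKEN_ONLY_SECRET = json.dumps({"data": {
    "splunk_platform_hec_token": _b64("constructed-token")}})
VALUES_WITHOUT_FLAG = json.dumps({"splunkPlatform": {"caFile": ""}})
VALUES_WITH_FLAG = json.dumps({"splunkPlatform": {"caFile": "from-secret"}})

if __name__ == "__main__":
    for finding in preflight(VALUES_WITHOUT_FLAG, SAMPLE_SECRET):
        print("WARNING:", finding)
```

A finding here means the collector would start without the CA file from the secret, which is the condition the post associates with the x509 error.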