Validate TLS and Certificate Configuration in Helm

Check TLS settings in Helm ingress configuration including secretName, hosts matching, and cert-manager annotations for automated certificate management.


Detailed Explanation

TLS Configuration for Helm Charts

TLS configuration in Helm ingress values is essential for HTTPS. The validator checks that your TLS settings are structured correctly and consistent with your host definitions.

Standard TLS Pattern

ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: app.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: app-example-com-tls
      hosts:
        - app.example.com

What Gets Validated

  1. TLS structure: tls must be an array of objects, each with secretName and hosts
  2. Type checks: secretName should be a string, hosts should be an array of strings
  3. Ingress enabled: TLS only matters when ingress.enabled is true

Cert-Manager Integration

When using cert-manager for automatic certificate provisioning, the annotation key must match the kind of issuer being referenced:

# For cluster-wide issuer
annotations:
  cert-manager.io/cluster-issuer: letsencrypt-prod

# For namespace-scoped issuer
annotations:
  cert-manager.io/issuer: letsencrypt-staging

Common Patterns

Single domain with wildcard:

tls:
  - secretName: wildcard-example-com-tls
    hosts:
      - "*.example.com"

Multiple domains, separate certificates:

tls:
  - secretName: app-tls
    hosts:
      - app.example.com
  - secretName: api-tls
    hosts:
      - api.example.com

Multiple domains, single certificate (SAN):

tls:
  - secretName: multi-domain-tls
    hosts:
      - app.example.com
      - api.example.com
      - admin.example.com

Common Mistakes

  • Listing a host in tls.hosts that is not in ingress.hosts (or vice versa)
  • Using a secretName that does not exist in the namespace (cert-manager will create it, but a manual secret must pre-exist)
  • Forgetting to add the cert-manager annotation when relying on automatic certificate provisioning
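
The checks listed under What Gets Validated and Common Mistakes can be sketched as follows. This is an added example, not the validator's own code; the function names and the sample values are constructed, and wildcard matching assumes the Kubernetes Ingress rule that "*." covers exactly one DNS label.

```python
# Added example, not the validator's own code; names here are hypothetical.
CERT_MANAGER_KEYS = ("cert-manager.io/cluster-issuer", "cert-manager.io/issuer")

def covers(pattern, host):
    """True if a tls host entry covers an ingress host; '*.' spans exactly one label."""
    if pattern.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return pattern == host

def validate_ingress_tls(values):
    ingress = values.get("ingress") or {}
    if ingress.get("enabled") is not True:
        return []  # TLS only matters when ingress.enabled is true
    tls = ingress.get("tls") or []
    if not isinstance(tls, list):
        return ["ingress.tls must be an array of objects"]
    findings, tls_hosts = [], []
    for i, entry in enumerate(tls):
        if not isinstance(entry, dict):
            findings.append(f"tls[{i}] must be an object")
            continue
        secret, hosts = entry.get("secretName"), entry.get("hosts")
        if not isinstance(secret, str) or not secret:
            findings.append(f"tls[{i}].secretName must be a non-empty string")
        if isinstance(hosts, list) and all(isinstance(h, str) for h in hosts):
            tls_hosts.extend(hosts)
        else:
            findings.append(f"tls[{i}].hosts must be an array of strings")
    rule_hosts = [h["host"] for h in ingress.get("hosts") or []
                  if isinstance(h, dict) and isinstance(h.get("host"), str)]
    if tls:
        for h in rule_hosts:
            if not any(covers(p, h) for p in tls_hosts):
                findings.append(f"ingress host {h} is not covered by any tls entry")
        for p in tls_hosts:
            if not any(covers(p, h) for h in rule_hosts):
                findings.append(f"tls host {p} matches no ingress host")
        if not any(k in (ingress.get("annotations") or {}) for k in CERT_MANAGER_KEYS):
            findings.append("no cert-manager annotation; every secretName must pre-exist")
    return findings

# Constructed sample: what a YAML loader returns for a values.yaml with a host typo.
SAMPLE = {"ingress": {"enabled": True, "className": "nginx",
    "hosts": [{"host": "app.example.com"}, {"host": "api.example.com"}],
    "tls": [{"secretName": "app-tls", "hosts": ["app.example.com", "apl.example.com"]}]}}
if __name__ == "__main__":
    for finding in validate_ingress_tls(SAMPLE):
        print("WARN", finding)
```

A host that appears in ingress.hosts but in no tls entry is the finding to act on first: that host is typically served with the ingress controller's default certificate instead of the intended one.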

Use Case

Configuring HTTPS for a multi-tenant SaaS application where each customer gets a subdomain with its own TLS certificate managed by cert-manager.
