Add a TLS SAN + DNS hostname preflight#682
Merged
Merged
Conversation
Adds replicated/preflight.yaml: a troubleshoot.sh Preflight that validates the uploaded TLS certificate covers every provisioned hostname (subdomain wildcard vs path-based exact runtime routing) and that those hostnames resolve in DNS. A proxied alpine/openssl runPod emits per-hostname warn outcomes. Adds the probe image to application.yaml additionalImages so air-gapped builds mirror it.
The standalone replicated/preflight.yaml (a top-level Preflight CR) is never discovered by KOTS for this Helm-based app — preflights are surfaced only via the chart-rendered Secret labeled troubleshoot.sh/kind: preflight. Move the check into the chart's troubleshoot templates (mirroring PR #459), reading the cert and hostnames from values already flowing into the chart (keycloak ingress secret, per-service ingress hosts, runtime-api env, laminar) — no new config plumbed through the HelmChart CR or values.yaml. The probe image reuses the proxy base already embedded in image.repository. Revert the now-unneeded replicated/preflight.yaml and the application.yaml additionalImages entry. Bump the openhands chart to 0.7.38.
aivong-openhands
approved these changes
Jun 5, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The Replicated config validates the shape of the uploaded TLS cert - PEM headers, recently (#679, #681). But nothing checks the cert actually covers the hostnames being provisioned, or that those hostnames resolve. A missing SAN or a forgotten DNS record installs fine and only shows up later as broken TLS or sandboxes stuck in
starting.This adds a preflight that runs at the pre-install gate (and is re-runnable from the Admin Console) to catch both early. It checks that every hostname OpenHands serves has a covering SAN, and that each resolves from inside the cluster.
It handles both sandbox routing modes, which have different cert requirements: subdomain routing serves
{id}.{runtime_base}and needs a wildcard*.{runtime_base}SAN, while path routing serves{runtime_base}/{id}and needs the exact name.Helm Chart Checklist
versionfield inChart.yamlfor each modified chartAdditional Notes