fix(meshcentral): disable certUrl when using TLSOffload

MeshCentral was failing to start with "Zipencryptionmodule failed" error because the service tried to fetch TLS certificates from an HTTPS endpoint during bootstrap. When using TLSOffload (reverse proxy terminating TLS), MeshCentral should not attempt to load certificates. Root cause: The existing config.json had "certUrl" set to HTTPS, causing MeshCentral to try fetching the certificate during startup. Since the pod was bootstrapping, this failed and cascaded into the Zipencryptionmodule failure. Fix: Add init container that runs before the main container to disable the certUrl by prefixing it with underscore (MeshCentral's convention for disabled settings). The sed command ensures the fix applies to both new and existing config.json files. This ensures MeshCentral behaves correctly with TLSOffload enabled: - Runs in plain HTTP mode on port 443 - Traefik/Ingress handles HTTPS termination - No certificate bootstrap failures
2026-04-06 13:22:59 +03:00 · 2026-04-06 13:22:59 +03:00 · cba79cde35
commit cba79cde35
parent b8120b22c0
1 changed files with 23 additions and 5 deletions
--- a/stacks/meshcentral/main.tf
+++ b/stacks/meshcentral/main.tf
@ -108,6 +108,24 @@ resource "kubernetes_deployment" "meshcentral" {
      }
      spec {

+        init_container {
+          name              = "fix-config"
+          image             = "alpine:latest"
+          image_pull_policy = "IfNotPresent"
+          command           = ["/bin/sh"]
+          args = ["-c", <<-EOT
+if [ -f /opt/meshcentral/meshcentral-data/config.json ]; then
+  # Replace "certUrl" with "_certUrl" to disable it when using TLSOffload
+  sed -i 's/"certUrl":/"_certUrl":/g' /opt/meshcentral/meshcentral-data/config.json
+fi
+EOT
+          ]
+          volume_mount {
+            name       = "data"
+            mount_path = "/opt/meshcentral/meshcentral-data"
+          }
+        }
+
        container {
          image = "typhonragewind/meshcentral:latest"
          name  = "meshcentral"
@ -211,11 +229,11 @@ module "ingress" {
  port            = 443
  protected       = true
  extra_annotations = {
-    "gethomepage.dev/enabled"                           = "true"
-    "gethomepage.dev/name"                              = "MeshCentral"
-    "gethomepage.dev/description"                       = "Remote management"
-    "gethomepage.dev/icon"                              = "meshcentral.png"
-    "gethomepage.dev/group"                             = "Infrastructure"
+    "gethomepage.dev/enabled"      = "true"
+    "gethomepage.dev/name"         = "MeshCentral"
+    "gethomepage.dev/description"  = "Remote management"
+    "gethomepage.dev/icon"         = "meshcentral.png"
+    "gethomepage.dev/group"        = "Infrastructure"
    "gethomepage.dev/pod-selector" = ""
  }
 }