From cba79cde35e620aaa39951ddb3f6c80d95f78187 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Mon, 6 Apr 2026 13:22:59 +0300
Subject: [PATCH] fix(meshcentral): disable certUrl when using TLSOffload

MeshCentral was failing to start with "Zipencryptionmodule failed" error because the service tried to fetch TLS certificates from an HTTPS endpoint during bootstrap. When using TLSOffload (reverse proxy terminating TLS), MeshCentral should not attempt to load certificates.

Root cause: The existing config.json had "certUrl" set to HTTPS, causing MeshCentral to try fetching the certificate during startup. Since the pod was bootstrapping, this failed and cascaded into the Zipencryptionmodule failure.

Fix: Add init container that runs before the main container to disable the certUrl by prefixing it with underscore (MeshCentral's convention for disabled settings). The sed command ensures the fix applies to both new and existing config.json files.

This ensures MeshCentral behaves correctly with TLSOffload enabled:
- Runs in plain HTTP mode on port 443
- Traefik/Ingress handles HTTPS termination
- No certificate bootstrap failures
---
 stacks/meshcentral/main.tf | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)

diff --git a/stacks/meshcentral/main.tf b/stacks/meshcentral/main.tf
index b81dfffa..4f3ac3b3 100644
--- a/stacks/meshcentral/main.tf
+++ b/stacks/meshcentral/main.tf
@@ -108,6 +108,24 @@ resource "kubernetes_deployment" "meshcentral" {
 }
 spec {
+ init_container {
+ name = "fix-config"
+ image = "alpine:latest"
+ image_pull_policy = "IfNotPresent"
+ command = ["/bin/sh"]
+ args = ["-c", <<-EOT
+if [ -f /opt/meshcentral/meshcentral-data/config.json ]; then
+ # Replace "certUrl" with "_certUrl" to disable it when using TLSOffload
+ sed -i 's/"certUrl":/"_certUrl":/g' /opt/meshcentral/meshcentral-data/config.json
+fi
+EOT
+ ]
+ volume_mount {
+ name = "data"
+ mount_path = "/opt/meshcentral/meshcentral-data"
+ }
+ }
+
 container {
 image = "typhonragewind/meshcentral:latest"
 name = "meshcentral"
@@ -211,11 +229,11 @@ module "ingress" {
 port = 443
 protected = true
 extra_annotations = {
- "gethomepage.dev/enabled" = "true"
- "gethomepage.dev/name" = "MeshCentral"
- "gethomepage.dev/description" = "Remote management"
- "gethomepage.dev/icon" = "meshcentral.png"
- "gethomepage.dev/group" = "Infrastructure"
+ "gethomepage.dev/enabled" = "true"
+ "gethomepage.dev/name" = "MeshCentral"
+ "gethomepage.dev/description" = "Remote management"
+ "gethomepage.dev/icon" = "meshcentral.png"
+ "gethomepage.dev/group" = "Infrastructure"
 "gethomepage.dev/pod-selector" = ""
 }
 }
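Review bot: The new init_container rewrites config.json on the data volume from an unpinned `alpine:latest` image with no security_context, so this bootstrap step runs as root with the default capability set and, given `image_pull_policy = "IfNotPresent"`, whichever alpine build each node happens to have cached; pin the image to a digest and add a security_context that drops capabilities, forbids privilege escalation and runs as the uid the main container writes config.json with. Busybox `sed -i` rewrites the file via a temporary copy rather than editing it in place, so after this step config.json is owned by the init container's uid, which would presumably break a non-root main container — confirm that uid before choosing `run_as_user`. The `[ -f … ]` guard also means a fresh volume with no config.json is left untouched, so contrary to the commit description the fix covers only existing files; if the main image writes a default config.json containing certUrl on first start, that start would still hit the failure. The sed pattern is safely idempotent (`"_certUrl":` no longer matches) but silently misses a key formatted as `"certUrl" :`, which deserves a comment noting the exact-format assumption. The enclosing `spec` block starts and ends outside the hunk.
```hcl
init_container {
  name              = "fix-config"
  # Pinned by digest so the bootstrap edit is reproducible (placeholder values — replace with the real tag and digest)
  image             = "alpine:<PINNED_VERSION>@sha256:<DIGEST_PLACEHOLDER>"
  image_pull_policy = "IfNotPresent"
  # … unchanged: command / args heredoc …
  security_context {
    run_as_non_root            = true
    run_as_user                = "<UID_OF_MESHCENTRAL_CONTAINER>" # placeholder — must match the main container's uid
    allow_privilege_escalation = false
    read_only_root_filesystem  = true
    capabilities {
      drop = ["ALL"]
    }
  }
  # … unchanged: volume_mount …
}
```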