What's the recommended way to customize provisioners via helm?

[lunarwhite]

Background

I want to deploy a private ACME server in a Kubernetes cluster.

So I choose to install via helm, and try to change default provisioner from JWK to ACME.

Current solution

I couldn't find a suitable config parameters to set inject.config.authority.provisioners. So I have to modify the spec item manually.

Full steps like:

1. step ca init --helm > values.yaml
2. Refer to ACME doc and modify inject.config.authority.provisioners in values.yaml
3. helm install -f values.yaml step-certificates smallstep/step-certificates

Did I miss something? Is there a better way to customize provisioner when excuting helm install?

Additional info

I also notice there is a command step ca provisioner add acme --type ACME to configure that. (ref: doc
But it is done after a step-ca is deployed. I want to customize the provisioner when installing.

[maraino]

Hi @lunarwhite, there are two ways to configure the provisioner. The default one uses the ca.json, but it can also be configured in the database. If configured in the database, you can use commands like step ca provisioner add acme --type ACME.

To initialize a helm configuration with the database, you can use:

step ca init --helm --remote-management > values.yaml

The only difference is the enableAdmin: true on the authority. I think you can manually patch the ca.json and restart the deployment, and it will work. When the CA starts using this mode for the first time, it will create the admin step with the same password used in the intermediate key. You can use that user to create a new super-admin:

step ca admin add --super [email protected] provisionerName

Now, you can delete the default step admin. From now on, you can use a certificate from that provisioner to add provisioners and admins. The CLI will create one for you if none is provided.

--

If you want to keep using the ca.json only, and you initialized your deployment with a values.yaml created using the recommended method:

helm repo add smallstep https://smallstep.github.io/helm-charts/
step ca init --helm > values.yaml
echo "password" | base64 > password.txt
helm install -f values.yaml \
     --set inject.secrets.ca_password=$(cat password.txt) \
     --set inject.secrets.provisioner_password=$(cat password.txt) \
     --set service.targetPort=9000 \
     step-certificates smallstep/step-certificates

You can just manually edit the values.yml to add the new provisioner configuration, in YAML instead of JSON, and then just upgrade the release (helm upgrade) with the updated values.yaml. You might need to rollout restart your deployment if it's not automatically done.

If you initialized the CA using the deprecated bootstrap script, then you will need to manually patch the configmap with the ca.json. At this moment you will be able to enable the admin too.

Note that at this moment I'm not sure if you can enable the admin on a previously initialized database without it, but I think it works fine.