Move a stand-alone certificate server to a helm chart/k8s server

[ThomasADavis]

I currently have a working certificate server, doing ssh certs.

I'd like to move this server into a helm chart based server, without having to re-deploy all the ssh certs on the client hosts.

We currently renew the host ssh certs by generating all new ssh host certs, and replacing the current ssh host cert. This is to force end users to properly configure their SSH clients, and to make our security people happy.

Can I just take the current ssh secrets, and drop them into the helm chart inject portion as-is, along with the password (which I'd like to figure out some other way to inject, like using the Onepassword Connect server.) The SSH secrets are not in the format the helm chart asks for them to be in.. ie:

      # ssh_host_ca_key contains the contents of your encrypted SSH Host CA key
      host_ca_key: ""
      # host_ca_key: |
      #   -----BEGIN OPENSSH PRIVATE KEY-----
      #   ...
      #   -----END OPENSSH PRIVATE KEY-----

      # ssh_user_ca_key contains the contents of your encrypted SSH User CA key
      user_ca_key: ""
      # user_ca_key: |
      #   -----BEGIN OPENSSH PRIVATE KEY-----
      #   ...
      #   -----END OPENSSH PRIVATE KEY-----

and they are in:

-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,d2225288159c8409cd6e919098b9d52c

..chop chop..
-----END EC PRIVATE KEY-----

[ThomasADavis]

well, I figured it out..

the helm chart values inject example appears to be out of date..

the ec private key ssh secrets work as-is; you simply drop the raw, non-base64 encoded certs/secrets in place and base64 encode the password.

Had to copy over the bits of the old ca.json bits to make it work.

using y without quotes doesn't work for some reason.. had to quote it.. ie 'y'.

and now I can move the CA server to the new cluster.

[maraino]

Yes, you need to write the injected ca.json as YAML. I've seen the problem with y before; in the YAML 1.1 yes and no can be also used as boolean values, and I think some interpreters support y and n too. This option was removed in the last version of YAML 1.2, but interpreters might require you to quote them to avoid problems.