Configurable custom CA #17
Conversation
There was a problem hiding this comment.
Hi @ondrejtomcik, thanks for the PR, I've added some comments so we can have more flexibility to add the sources of the root certificate and key.
step-certificates/README.md
Outdated
| @@ -60,6 +60,7 @@ chart and their default values. | |||
| | `ca.db.size` | Persistent volume size | `10Gi` | | |||
| | `ca.runAsRoot` | Run the CA as root. | `false` | | |||
| | `ca.bootstrap.postInitHook` | Extra script snippet to run after `step ca init` has completed. | `""` | | |||
| | `ca.bootstrap.rootCA.secret`| Name of the custom root CA secret (k8s tls secret) to be used. | `""` | | |||
There was a problem hiding this comment.
Can you split the root certificate and key in two configurations, and add name and key for both?
Although ideally, the both values should be YAML objects that you can set as you want, i.e
- name: step-certificate-ca-volume
secret:
name: rootbut also
- name: step-certificate-ca-volume
configMap:
name: certificatesor even more complex configurations like
- name: step-certificate-ca-volume
configMap:
name: certificates
items:
- key: ROOT_CERT
path: root_ca.crtSo basically, be able to define a full reference to anything you want. The volume names should be something fixed like the one you're proposing, {{ include "step-certificates.fullname" . }}-ca-volume, but the reference should be a YAML object instead of just a string.
There was a problem hiding this comment.
Hello @maraino . Thanks for your comments. Agree with parametrizing cert and key file names, but disagree with using configmap. Correct is to use kubernetes secret, which can be still used and meet your requirements as well.
I would propose to use generic k8s secret as follows:
kubectl create secret generic my-root-ca --from-file=certs/root_ca.crt --from-file=certs/root.key
and passing to smallstep helmchart rootCA.secret.name, rootCA.cert rootCA.key.
where values for my example would be: rootCA.secret.name: my-root-ca, rootCA.cert: root_ca.crt and rootCA.key: root.key
Do you agree?
There was a problem hiding this comment.
The certificate itself is not really secret, but what I wanted address here is to be able to mount from CSI interfaces, and get the key from for example Vault.
To simplify the integration makes sense to just add one volume instead of two. Both a secret and CSI can have multiple objects.
| - name: {{ include "step-certificates.fullname" . }}-ca-volume | ||
| secret: | ||
| secretName: "{{ .Values.ca.bootstrap.rootCA.secret }}" | ||
| {{- end }} |
There was a problem hiding this comment.
So, this will be two volumes, one for the certificate, and one for the key, and the code for one of them would look like:
volumes:
{{ - if .Values.ca.bootstrap.rootCertRef }}
- name: {{ include "step-certificates.fullname" . }}-root-volume
{{- toYaml .Values.ca.bootstrap.rootCertRef | nindent xx }}
{{- end}}And one similar for the key, but you'll have the flexibility to define both cert and key in just one volume.
There was a problem hiding this comment.
Based on my reply above it should be just one volume, following standard k8s secret.
There was a problem hiding this comment.
Just one volume, but being able to mount from different sources. I think this would make it:
{{- toYaml .Values.ca.bootstrap.rootRef | nindent xx }}Can you call it rootRef? or something similar to make clear that is a reference.
| @@ -107,7 +107,7 @@ data: | |||
| --provisioner "{{.Values.ca.provisioner.name}}" \ | |||
| --with-ca-url "{{include "step-certificates.url" .}}" \ | |||
| --password-file "$TMP_CA_PASSWORD" \ | |||
| --provisioner-password-file "$TMP_CA_PROVISIONER_PASSWORD" {{ if not .Values.ca.db.enabled }}--no-db{{ end }} | |||
| --provisioner-password-file "$TMP_CA_PROVISIONER_PASSWORD" {{ if not .Values.ca.db.enabled }}--no-db{{ end }} {{ if .Values.ca.bootstrap.rootCA.secret }}--root /tmp/certs/tls.crt --key /tmp/certs/tls.key{{ end }} | |||
There was a problem hiding this comment.
Can you add it in a new line, and now that you're on it, can you also add the --no-db to a new line :)
There was a problem hiding this comment.
Actually, not sure how as \ has to be on previous line, but only if values are available. Not sure how to parametrize new line properly. Any idea ?
There was a problem hiding this comment.
As we only adding one volume, we can not just use bash for this without making it complex, so I think you should name it in the way that step names those files when you do step ca init, so root_ca.crt and root_ca_key.
You can add variables for those, and you can leave those names as default because you can do the if with the rootRef.
|
@ondrejtomcik I think I've addressed all your questions. |
|
@ondrejtomcik are you going to add to this PR the support for a custom volume definition as I suggested? |
|
Yes, but not this week. Sorry. |
|
Sorry, it was de-prioritized a bit on our end @maraino . I will come back to it during the next week and finalize it. |
ondrejtomcik
force-pushed
the
custom-ca
branch
from
96b4756 to
dae1016
Compare
|
|
Dear smallstep team,
I was missing the functionality to set my custom CA certificate. Here is the proposal how it could be done.
Looking forward to your comments.