From dae10161b37114019e645ada07c15cfb208bd881 Mon Sep 17 00:00:00 2001 From: ondrejtomcik Date: Sun, 17 May 2020 23:43:10 +0200 Subject: [PATCH] configurable custom CA --- step-certificates/README.md | 1 + step-certificates/templates/bootstrap.yaml | 9 +++++++++ step-certificates/templates/configmaps.yaml | 2 +- step-certificates/values.yaml | 3 +++ 4 files changed, 14 insertions(+), 1 deletion(-) diff --git a/step-certificates/README.md b/step-certificates/README.md index 89782ed..6fa91f6 100644 --- a/step-certificates/README.md +++ b/step-certificates/README.md @@ -61,6 +61,7 @@ chart and their default values. | `ca.db.existingClaim` | Persistent volume existing claim name. If defined, PVC must be created manually before volume will be bound | `""` | | `ca.runAsRoot` | Run the CA as root. | `false` | | `ca.bootstrap.postInitHook` | Extra script snippet to run after `step ca init` has completed. | `""` | +| `ca.bootstrap.rootCA.secret`| Name of the custom root CA secret (k8s tls secret) to be used. | `""` | | `service.type` | Service type | `ClusterIP` | | `service.port` | Incoming port to access Step CA | `443` | | `service.targetPort` | Internal port where Step CA runs | `9000` | diff --git a/step-certificates/templates/bootstrap.yaml b/step-certificates/templates/bootstrap.yaml index 31323a2..06f6284 100644 --- a/step-certificates/templates/bootstrap.yaml +++ b/step-certificates/templates/bootstrap.yaml @@ -24,6 +24,11 @@ spec: serviceAccountName: {{ include "step-certificates.fullname" . }}-config restartPolicy: Never volumes: + {{- if .Values.ca.bootstrap.rootCA.secret }} + - name: {{ include "step-certificates.fullname" . }}-ca-volume + secret: + secretName: "{{ .Values.ca.bootstrap.rootCA.secret }}" + {{- end }} - name: bootstrap configMap: name: {{ include "step-certificates.fullname" . }}-bootstrap 
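Review bot: The new `secret:` volume in the `volumes:` list projects the root CA private key (`tls.key`) with the Secret volume's default file mode, which is world-readable inside the container, and the hunk sets no `defaultMode`. Since this key is the trust anchor for everything the CA issues, tighten it at the volume: `secret:` / `secretName: "{{ .Values.ca.bootstrap.rootCA.secret }}"` / `defaultMode: 0440`; note that a mode without the "other" bits only works for the non-root step user if the Job's pod `securityContext` sets an `fsGroup`, which is not visible here, so confirm that before landing. Separately, the volume name `{{ include "step-certificates.fullname" . }}-ca-volume` is built from a helper that, if it follows the usual chart convention of truncating to 63 characters, can push the volume name past the 63-character DNS-label limit and be rejected by the API server; volume names are pod-local, so a short fixed name like the sibling `bootstrap` volume (e.g. `root-ca`) is safer.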
@@ -36,4 +41,8 @@ spec: - name: bootstrap mountPath: /home/step/bootstrap readOnly: true + {{- if .Values.ca.bootstrap.rootCA.secret }} + - name: {{ include "step-certificates.fullname" . }}-ca-volume + mountPath: /tmp/certs + {{- end }} {{- end }} diff --git a/step-certificates/templates/configmaps.yaml b/step-certificates/templates/configmaps.yaml index 994253f..2a7a782 100644 --- a/step-certificates/templates/configmaps.yaml +++ b/step-certificates/templates/configmaps.yaml @@ -108,7 +108,7 @@ data: --provisioner "{{.Values.ca.provisioner.name}}" \ --with-ca-url "{{include "step-certificates.url" .}}" \ --password-file "$TMP_CA_PASSWORD" \ - --provisioner-password-file "$TMP_CA_PROVISIONER_PASSWORD" {{ if not .Values.ca.db.enabled }}--no-db{{ end }} + --provisioner-password-file "$TMP_CA_PROVISIONER_PASSWORD" {{ if not .Values.ca.db.enabled }}--no-db{{ end }} {{ if .Values.ca.bootstrap.rootCA.secret }}--root /tmp/certs/tls.crt --key /tmp/certs/tls.key{{ end }} rm -f $TMP_CA_PASSWORD $TMP_CA_PROVISIONER_PASSWORD diff --git a/step-certificates/values.yaml b/step-certificates/values.yaml index 74a024c..699e9ec 100644 --- a/step-certificates/values.yaml +++ b/step-certificates/values.yaml @@ -83,6 +83,9 @@ ca: bootstrap: # Add script snippets here to be executed after the step ca init has been run postInitHook: "" + rootCA: + secret: + name: # autocert is used to configure the autocert chart that depends on step-certificates. autocert:
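Review bot: The new `volumeMounts` entry for `/tmp/certs` is missing `readOnly: true`, unlike the sibling `bootstrap` mount a few lines above that mounts its ConfigMap read-only. Kubelets mount Secret volumes read-only on current versions anyway, but the chart should not rely on that, and the asymmetry reads as an oversight given this mount carries the root CA private key. Add `readOnly: true` under `mountPath: /tmp/certs`. The enclosing container spec starts before this hunk.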
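Review bot: The added `--root /tmp/certs/tls.crt --key /tmp/certs/tls.key` on the `step ca init` line assumes `tls.key` is an unencrypted PEM; if an operator stores a passphrase-protected key in the TLS Secret, `step ca init` will, as far as I know, prompt for the passphrase on stdin and this non-interactive Job will hang rather than fail. The bootstrap script should either document that constraint or fail fast, e.g. `grep -q ENCRYPTED /tmp/certs/tls.key && { echo "root key must not be passphrase-protected"; exit 1; }` before the init call. It is also worth a README sentence that with this option the root private key lives in the cluster as a plain `kubernetes.io/tls` Secret rather than only in the CA's password-protected key material, so operators should restrict access to it and consider removing it once the intermediate has been issued; the hunk does not show what step does with the key after init, so that guidance should be confirmed against the bootstrap flow. The enclosing script block starts and ends outside this hunk.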
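Review bot: The new `rootCA:` default declares `secret:` as a map with a `name:` child, but the templates and README read `ca.bootstrap.rootCA.secret` as a plain string (`{{- if .Values.ca.bootstrap.rootCA.secret }}` and `secretName: "{{ .Values.ca.bootstrap.rootCA.secret }}"`). Depending on how the Helm version in use coalesces the null `name:`, the `if` may evaluate against a non-empty map with the default values and try to mount a Secret named after a rendered map, and `--set ca.bootstrap.rootCA.secret=foo` replaces a map with a string, which is exactly the kind of type drift Helm warns about. Make the default match the documented key: `rootCA:` / `# Name of an existing kubernetes.io/tls Secret (keys tls.crt and tls.key) holding the root CA; empty generates a new root` / `secret: ""`.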