Configurable custom CA #17

Open
wants to merge 1 commit into base: master
1 change: 1 addition & 0 deletions step-certificates/README.md
Expand Up @@ -61,6 +61,7 @@ chart and their default values.
| `ca.db.existingClaim` | Persistent volume existing claim name. If defined, PVC must be created manually before volume will be bound | `""` |
| `ca.runAsRoot` | Run the CA as root. | `false` |
| `ca.bootstrap.postInitHook` | Extra script snippet to run after `step ca init` has completed. | `""` |
| `ca.bootstrap.rootCA.secret`| Name of the custom root CA secret (k8s tls secret) to be used. | `""` |
| `service.type` | Service type | `ClusterIP` |
| `service.port` | Incoming port to access Step CA | `443` |
| `service.targetPort` | Internal port where Step CA runs | `9000` |
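Review bot: The new row calls the value a "k8s tls secret" but does not say what the bootstrap job expects from it; the templates in this PR mount it at /tmp/certs and pass `--root /tmp/certs/tls.crt --key /tmp/certs/tls.key`, so the secret must be of type kubernetes.io/tls with the root certificate in `tls.crt` and its private key in `tls.key`. State that explicitly in the row. The row also documents the value as a string defaulting to `""`, while the values.yaml change in this PR defines it as a nested `secret: name:` map; pick one shape and document the same one in both places.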
9 changes: 9 additions & 0 deletions step-certificates/templates/bootstrap.yaml
Expand Up @@ -24,6 +24,11 @@ spec:
serviceAccountName: {{ include "step-certificates.fullname" . }}-config
restartPolicy: Never
volumes:
{{- if .Values.ca.bootstrap.rootCA.secret }}
- name: {{ include "step-certificates.fullname" . }}-ca-volume
secret:
secretName: "{{ .Values.ca.bootstrap.rootCA.secret }}"
{{- end }}
Collaborator:
So, this will be two volumes, one for the certificate, and one for the key, and the code for one of them would look like:

volumes:
  {{- if .Values.ca.bootstrap.rootCertRef }}
  - name: {{ include "step-certificates.fullname" . }}-root-volume
    {{- toYaml .Values.ca.bootstrap.rootCertRef | nindent xx }}
  {{- end }}

And one similar for the key, but you'll have the flexibility to define both cert and key in just one volume.

Author:

Based on my reply above, it should be just one volume, following the standard k8s secret.

Collaborator:

Just one volume, but being able to mount from different sources. I think this would make it:

{{- toYaml .Values.ca.bootstrap.rootRef | nindent xx }}

Can you call it rootRef, or something similar, to make clear that it is a reference?

- name: bootstrap
configMap:
name: {{ include "step-certificates.fullname" . }}-bootstrap
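Review bot: `{{- if .Values.ca.bootstrap.rootCA.secret }}` tests a value that values.yaml in this PR defines as a map (`rootCA:` / `secret:` / `name:`), and a non-empty map is truthy in Go templates even when `name` is unset, so this volume would be rendered on the default values with `secretName: "map[name:<nil>]"`. Either define `secret: ""` as a plain string in values.yaml, or test and reference `.Values.ca.bootstrap.rootCA.secret.name` here and in the matching condition in configmaps.yaml.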
Expand All @@ -36,4 +41,8 @@ spec:
- name: bootstrap
mountPath: /home/step/bootstrap
readOnly: true
{{- if .Values.ca.bootstrap.rootCA.secret }}
- name: {{ include "step-certificates.fullname" . }}-ca-volume
mountPath: /tmp/certs
{{- end }}
{{- end }}
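Review bot: The new volumeMount is missing `readOnly: true`, which the `bootstrap` mount just above it sets; the mount that exposes the root CA private key to the job should be read-only as well. The mount path `/tmp/certs` and the `tls.crt`/`tls.key` names are also hard-coded in configmaps.yaml, so if the file names change as discussed above (root_ca.crt and root_ca_key), both templates need to change together.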
2 changes: 1 addition & 1 deletion step-certificates/templates/configmaps.yaml
Expand Up @@ -108,7 +108,7 @@ data:
--provisioner "{{.Values.ca.provisioner.name}}" \
--with-ca-url "{{include "step-certificates.url" .}}" \
--password-file "$TMP_CA_PASSWORD" \
--provisioner-password-file "$TMP_CA_PROVISIONER_PASSWORD" {{ if not .Values.ca.db.enabled }}--no-db{{ end }}
--provisioner-password-file "$TMP_CA_PROVISIONER_PASSWORD" {{ if not .Values.ca.db.enabled }}--no-db{{ end }} {{ if .Values.ca.bootstrap.rootCA.secret }}--root /tmp/certs/tls.crt --key /tmp/certs/tls.key{{ end }}
Collaborator:

Can you add it on a new line, and now that you're on it, can you also add the --no-db on a new line :)

Author:

Actually, not sure how, as \ has to be on the previous line, but only if values are available. Not sure how to parametrize the new line properly. Any idea?

Collaborator:

As we are only adding one volume, we cannot just use bash for this without making it complex, so I think you should name them the way step names those files when you do step ca init, so root_ca.crt and root_ca_key.

You can add variables for those, and you can leave those names as the default, because you can do the if with the rootRef.


rm -f $TMP_CA_PASSWORD $TMP_CA_PROVISIONER_PASSWORD
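Review bot: The added `--root`/`--key` flags are guarded by `{{ if .Values.ca.bootstrap.rootCA.secret }}`, and with values.yaml in this PR defining `secret:` as a map containing `name:`, that condition is true even when no secret is configured, so a default install would point `step ca init` at /tmp/certs/tls.crt and /tmp/certs/tls.key that do not exist. Test the string value instead (`.secret.name`, or a flat `secret: ""`). On the line-continuation question raised above, one way to keep each optional flag on its own line without conditional backslashes is to collect them in a shell variable before the command, e.g. `EXTRA_ARGS=""`, then `{{- if not .Values.ca.db.enabled }}EXTRA_ARGS="$EXTRA_ARGS --no-db"{{- end }}` on its own line, and pass `$EXTRA_ARGS` as the last argument of `step ca init`.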

3 changes: 3 additions & 0 deletions step-certificates/values.yaml
Expand Up @@ -83,6 +83,9 @@ ca:
bootstrap:
# Add script snippets here to be executed after the step ca init has been run
postInitHook: ""
rootCA:
secret:
name:

# autocert is used to configure the autocert chart that depends on step-certificates.
autocert:
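Review bot: `secret:` followed by an indented `name:` makes `.Values.ca.bootstrap.rootCA.secret` a map with a null `name`, while README.md, bootstrap.yaml and configmaps.yaml in this PR treat it as the secret name string and use it directly in `if` conditions and in `secretName:`; a map is truthy in Go templates, so those conditions fire on the default values. Define `secret: ""` here (matching the README row) or point the templates at `.secret.name`, and add a comment stating that the secret must be a kubernetes.io/tls secret with `tls.crt` and `tls.key`, as the `--root`/`--key` paths in configmaps.yaml assume.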
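An added pre-flight check for the custom root material this PR feeds to `step ca init --root /tmp/certs/tls.crt --key /tmp/certs/tls.key` (example code written for this review; it is not part of the step-certificates chart or of step-ca). Before the bootstrap job runs `step ca init`, it verifies that both files are present, that `tls.crt` is actually a CA certificate, and that `tls.key` is the private key belonging to it, so a wrongly populated secret fails the job with a clear message instead of failing later inside `step ca init` or producing a chain that does not verify. It assumes the secret is mounted as a directory using the kubernetes.io/tls file names and that `openssl` is available in the image; the function name `check_root_material` is an assumption for this example.

```shell
#!/bin/sh
# Added example, not code from the step-certificates chart or from step-ca.
# Pre-flight check for a custom root CA mounted from a kubernetes.io/tls secret:
#   - tls.crt and tls.key must both be present and readable
#   - tls.crt must be a CA certificate (basicConstraints CA:TRUE)
#   - tls.key must be the private key matching tls.crt
# Assumptions: $1 is the mount directory (/tmp/certs in the PR) and openssl is
# on PATH. The function name is made up for this example.

check_root_material() {
    dir="$1"
    crt="$dir/tls.crt"
    key="$dir/tls.key"

    for f in "$crt" "$key"; do
        if [ ! -r "$f" ]; then
            echo "custom root CA: missing or unreadable file: $f" >&2
            return 1
        fi
    done

    # A leaf certificate here would hand step ca init a root that cannot sign
    # the intermediate, so insist on CA:TRUE in the basicConstraints extension.
    if ! openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "custom root CA: $crt is not a CA certificate" >&2
        return 1
    fi

    # Compare the SubjectPublicKeyInfo derived from the private key with the
    # one embedded in the certificate; works for RSA and EC keys in PEM form.
    # An encrypted key makes openssl pkey fail here, which is reported as a mismatch.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || crt_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$crt_pub" ] || [ -z "$key_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "custom root CA: $key does not match $crt" >&2
        return 1
    fi
    return 0
}

# Usage in the bootstrap script, before step ca init is invoked:
#   check_root_material /tmp/certs || exit 1
```

The check is deliberately limited to what the bootstrap job can decide locally; it does not try to interpret the certificate's validity period or key usage, since `step ca init` reports those problems itself once it is given a root that at least is a CA with a matching key.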