From 52e6ba790da986fc6d79a761c55ecb7fa8baa384 Mon Sep 17 00:00:00 2001
From: Chris Crook <643732+Cpcrook@users.noreply.github.com>
Date: Mon, 14 Feb 2022 18:24:57 -0500
Subject: [PATCH] docs: #91 update README to reflect new chart config options as well as example values.yaml
---
 step-certificates/README.md | 4 ++++
 step-certificates/templates/ca.yaml | 8 +++++---
 step-certificates/templates/configmaps.yaml | 1 +
 step-certificates/values.yaml | 12 +++++++++++-
 4 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/step-certificates/README.md b/step-certificates/README.md
index f86932a..c27a336 100644
--- a/step-certificates/README.md
+++ b/step-certificates/README.md
@@ -134,6 +134,10 @@ chart and their default values.
 | `ca.db.accessModes` | Persistent volume access mode | `["ReadWriteOnce"]` |
 | `ca.db.size` | Persistent volume size | `10Gi` |
 | `ca.db.existingClaim` | Persistent volume existing claim name. If defined, PVC must be created manually before volume will be bound | `""` |
+| `ca.kms.type` | Key management system to use. | `""` |
+| `ca.kms.id` | Identifier for KMS authentication (e.g. Azure KeyVault ClientID) | `""` |
+| `ca.kms.secret` | Secret/password for KMS authentication (e.g. Azure KeyVault ClientSecret) | `""` |
+| `ca.kms.tenant` | Tenant for KMS authentication (e.g. Azure KeyVault TenantID) | `""` |
 | `ca.runAsRoot` | Run the CA as root. | `false` |
 | `ca.bootstrap.postInitHook` | Extra script snippet to run after `step ca init` has completed. | `""` |
 | `linkedca.token` | The token used to configure step-ca using the linkedca mode. | `""` |
diff --git a/step-certificates/templates/ca.yaml b/step-certificates/templates/ca.yaml
index f796c02..75a35dd 100644
--- a/step-certificates/templates/ca.yaml
+++ b/step-certificates/templates/ca.yaml
@@ -65,11 +65,13 @@ spec:
 env:
 - name: NAMESPACE
 value: "{{ .Release.Namespace }}"
- {{- if eq .Values.ca.kms.type "azurekms"}}
+ {{- if .Values.ca.kms.type }}
 - name: AZURE_CLIENT_ID
- value: {{ .Values.ca.kms.id | quote }}
+ value: "{{ .Values.ca.kms.id }}"
 - name: AZURE_CLIENT_SECRET
- value: {{ .Values.ca.kms.secret | quote }}
+ value: "{{ .Values.ca.kms.secret }}"
+ - name: AZURE_TENANT_ID
+ value: "{{ .Values.ca.kms.tenant }}"
 {{- end }}
 {{- if or .Values.linkedca.token (and .Values.linkedca.secretKeyRef.name .Values.linkedca.secretKeyRef.key) }}
 - name: STEP_CA_TOKEN
diff --git a/step-certificates/templates/configmaps.yaml b/step-certificates/templates/configmaps.yaml
index 6115d7d..91bb572 100644
--- a/step-certificates/templates/configmaps.yaml
+++ b/step-certificates/templates/configmaps.yaml
@@ -148,6 +148,7 @@ data:
 --provisioner "{{.Values.ca.provisioner.name}}" \
 --with-ca-url "{{include "step-certificates.url" .}}" \
 --password-file "$TMP_CA_PASSWORD" \
+ {{ if not (eq .Values.ca.kms.type "") }}--kms="{{.Values.ca.kms.type}}" \{{ end }}
 --provisioner-password-file "$TMP_CA_PROVISIONER_PASSWORD" {{ if not .Values.ca.db.enabled }}--no-db{{ end }}
 rm -f $TMP_CA_PASSWORD $TMP_CA_PROVISIONER_PASSWORD
diff --git a/step-certificates/values.yaml b/step-certificates/values.yaml
index e57f068..90b49e6 100644
--- a/step-certificates/values.yaml
+++ b/step-certificates/values.yaml
@@ -236,7 +236,7 @@ ca:
 name: admin
 # password is the password used to encrypt the provisioner private key.
 password:
- # db contains the step-certificate dataabase configuration.
+ # db contains the step-certificate database configuration.
 db:
 # enabled defines if the database is enabled.
 enabled: true
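Review bot: Replacing `| quote` with a hand-written `"{{ .Values.ca.kms.secret }}"` (and likewise for `id` and `tenant`) drops Helm's escaping, so a client secret containing `"` or `\` now renders as invalid YAML or a truncated value; `value: {{ .Values.ca.kms.secret | quote }}` should be kept for all three variables. The larger concern is that `AZURE_CLIENT_SECRET` is inlined from values.yaml straight into the pod spec, where it is readable by anyone with `get pods` on the namespace and is also kept in plaintext by `helm get values`, whereas the `linkedca.secretKeyRef.name`/`.key` condition visible at the bottom of this hunk already shows the chart's pattern for loading sensitive material from a Secret. Wiring the client secret through `valueFrom.secretKeyRef` the same way, with a matching `ca.kms.secretKeyRef: {name: "", key: ""}` default added to values.yaml and `ca.kms.secret` kept as a fallback, would avoid shipping the credential in the release manifest. Widening the guard from `eq .Values.ca.kms.type "azurekms"` to `if .Values.ca.kms.type` also emits the three `AZURE_*` variables for every non-empty KMS type; if that is intended for other providers a comment should say so, otherwise the `azurekms` check should stay. The enclosing `env:` list continues outside the hunk.

```yaml
            {{- if eq .Values.ca.kms.type "azurekms" }}
            - name: AZURE_CLIENT_ID
              value: {{ .Values.ca.kms.id | quote }}
            - name: AZURE_TENANT_ID
              value: {{ .Values.ca.kms.tenant | quote }}
            - name: AZURE_CLIENT_SECRET
            {{- if .Values.ca.kms.secretKeyRef.name }}
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.ca.kms.secretKeyRef.name | quote }}
                  key: {{ .Values.ca.kms.secretKeyRef.key | quote }}
            {{- else }}
              value: {{ .Values.ca.kms.secret | quote }}
            {{- end }}
            {{- end }}
            # … unchanged: linkedca STEP_CA_TOKEN block …
```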
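Review bot: With the default `type: ""` the added line renders as an empty or whitespace-only line between `--password-file "$TMP_CA_PASSWORD" \` and `--provisioner-password-file ...`, and if this ConfigMap body runs under sh/bash (the `rm -f` and `$TMP_CA_PASSWORD` usage suggest it does) a backslash-newline followed by a blank line terminates the `step ca init` command, so the provisioner-password and `--no-db` arguments would be executed as a separate command. Either trim the line away with `{{- if .Values.ca.kms.type }}` / `{{- end }}`, or keep the flag on the preceding line so no conditional line exists at all: `--password-file "$TMP_CA_PASSWORD" {{ if .Values.ca.kms.type }}--kms={{ .Values.ca.kms.type | quote }}{{ end }} \`. In either form the value should go through `| quote` rather than a hand-written `--kms="…"` so a type containing a quote cannot break the command line. The `step ca init` invocation this belongs to starts before the hunk.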
@@ -257,6 +257,16 @@ ca:
 - ReadWriteOnce
 # size is the Persistent Volume size.
 size: 10Gi
+ # kms contains the step-certificates key management system configuration
+ kms:
+ # type of KMS to use (e.g. azurekms for Azure KeyVault)
+ type: ""
+ # identifier for KMS credentials (e.g. service principal ClientID for Azure)
+ id: ""
+ # secret for KMS credentials (e.g. service principal ClientSecret for Azure)
+ secret: ""
+ # secret for KMS credentials (e.g. service principal ClientSecret for Azure)
+ tenant: ""
 # runAsRoot runs the ca as root instead of the step user. This is required in
 # some storage provisioners.
 runAsRoot: false
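Review bot: The comment above `tenant:` is a copy of the `secret:` comment and contradicts the README row added in this same commit, which describes it as the TenantID; it should read `# tenant for KMS credentials (e.g. service principal TenantID for Azure)`. Because `secret` is a live credential that this example values file invites operators to fill in, its comment should also warn that the value is rendered in plaintext into the pod spec and the Helm release, and should be supplied via `--set`, a separate untracked values file, or an existing Kubernetes Secret rather than committed to version control. The `kms` comment could likewise note that `type` is passed straight to `step ca init --kms`, so operators know where to look for accepted values. The `ca:` map these keys belong to begins before the hunk.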