Merge pull request #92 from Cpcrook/feature/#91-azurekms-support

Feature/#91 azurekms support

step-certificates/README.md

@@ -134,6 +134,8 @@ chart and their default values.
 | `ca.db.accessModes`           | Persistent volume access mode                                                                               | `["ReadWriteOnce"]`                      |
 | `ca.db.size`                  | Persistent volume size                                                                                      | `10Gi`                                   |
 | `ca.db.existingClaim`         | Persistent volume existing claim name. If defined, PVC must be created manually before volume will be bound | `""`                                     |
+| `ca.kms`                      | Key management system to use.                                                                               | `""`                                     |
+| `ca.env`                      | Environment variables to set in `step-certificates` container.                                              | `[]`                                     |
 | `ca.runAsRoot`                | Run the CA as root.                                                                                         | `false`                                  |
 | `ca.bootstrap.postInitHook`   | Extra script snippet to run after `step ca init` has completed.                                             | `""`                                     |
 | `linkedca.token`              | The token used to configure step-ca using the linkedca mode.                                                | `""`                                     |

step-certificates/templates/ca.yaml

@@ -65,6 +65,9 @@ spec:
           env:
           - name: NAMESPACE
             value: "{{ .Release.Namespace }}"
+          {{- if .Values.ca.env }}
+            {{- toYaml .Values.ca.env | nindent 10 }}
+          {{- end }}
           {{- if or .Values.linkedca.token (and .Values.linkedca.secretKeyRef.name .Values.linkedca.secretKeyRef.key) }}
           - name: STEP_CA_TOKEN
             valueFrom:

step-certificates/templates/configmaps.yaml

@@ -148,6 +148,7 @@ data:
       --provisioner "{{.Values.ca.provisioner.name}}" \
       --with-ca-url "{{include "step-certificates.url" .}}" \
       --password-file "$TMP_CA_PASSWORD" \
+      {{ if not (eq .Values.ca.kms.type "") }}--kms="{{.Values.ca.kms.type}}" \{{ end }}
       --provisioner-password-file "$TMP_CA_PROVISIONER_PASSWORD" {{ if not .Values.ca.db.enabled }}--no-db{{ end }}
 
     rm -f $TMP_CA_PASSWORD $TMP_CA_PROVISIONER_PASSWORD

step-certificates/values.yaml

@@ -236,7 +236,7 @@ ca:
     name: admin
     # password is the password used to encrypt the provisioner private key.
     password:
-  # db contains the step-certificate dataabase configuration.
+  # db contains the step-certificate database configuration.
   db:
     # enabled defines if the database is enabled.
     enabled: true
@@ -257,6 +257,10 @@ ca:
     - ReadWriteOnce
     # size is the Persistent Volume size.
     size: 10Gi
+  # kms type to utilize 
+  kms: ""
+  # additional environment variables to set in the step-certificates container
+  env: []
   # runAsRoot runs the ca as root instead of the step user. This is required in
   # some storage provisioners.
   runAsRoot: false