Comments (13)
This is a known issue, right now the helm-chart only sets up the CA with the default configuration. Editing the configmap that has the ca.json won't be enough as you will need the keys too. So to get it you will need to edit the chart itself.
I'm not sure, because I haven't tested, but I think adding `--ssh` here might be enough:
https://github.com/smallstep/helm-charts/blob/master/step-certificates/templates/configmaps.yaml#L106-L113
from helm-charts.
Thanks. Yes, I was thinking something like `{{ if .Values.ca.ssh.enabled }}--ssh{{ end }}`, I'll try it and report back.
from helm-charts.
Yes, we need to add something like that for sure. SSH is still in alpha stage and we didn't do it. We're working on providing a nicer experience with it.
from helm-charts.
I tried updating the `values.yml` and `templates\configmaps.yml` as mentioned, and I get this curious error:
(Usual messages about root cert location, config files, etc)
...
Your PKI is ready to go. To generate certificates for individual services see 'step help ca'.
/home/step/bootstrap/bootstrap.sh: line 61: --ssh: not found
Not sure if I'm just getting my newline escaping wrong or something; it seems like the `--ssh` is being interpreted by itself. Unless openssh needs to be installed on the Docker image?
I've attached a diff.
smallstep-diff.txt
from helm-charts.
OK, I did have issues with the line continuations, so just combined the lines. That unfortunately confirmed my hunch about the image, as we then get this error:
Initializating the CA...
Incorrect Usage: flag provided but not defined: -ssh
from helm-charts.
Interested in this as well.
from helm-charts.
Any movement on this at all?
from helm-charts.
Maybe the bootstrap image is not ready to manage the `--ssh` flag?
I see that last build was from May, so maybe the binary in that image is too old for the `--ssh` flag.
To support ssh in the helm chart it seems that it needs to
- Add the "ssh enable" configuration for Helm just as @tquid proposed
- Update the step-ca-bootstrap to support the --ssh flag
I suppose I could work around by using the patch in this thread + building a new step-ca-bootstrap image and changing it in the `bootstrapImage.repository` helm chart configuration variable... but... I would prefer to wait for an official update, if it's coming!
from helm-charts.
Is the source for the bootstrap image available anywhere?
from helm-charts.
@insertjokehere The actual bootstrap image is this one:
https://github.com/smallstep/helm-charts/blob/master/docker/step-ca-bootstrap/Dockerfile
But the script executed as an entry point is here:
helm-charts/step-certificates/templates/configmaps.yaml
Lines 104 to 111 in e09b6ed
It would be possible to add an if condition to add the `--ssh` flag, or perhaps easier, I believe boolean flags can be passed as `--ssh true` or `--ssh false` too.
from helm-charts.
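The two errors reported in this thread (`--ssh: not found` and `flag provided but not defined: -ssh`), reproduced and guarded against in a small script. This is an added example, not the chart's bootstrap script: `init_stub`, `STUB_FLAGS`, the `--name demo` arguments and the help-text format are constructed stand-ins, and only `--ssh` and `.Values.ca.ssh.enabled` come from the comments above.

```shell
#!/bin/sh
# Constructed stand-in for the CA init command so the example runs offline.
# STUB_FLAGS lists the flags this pretend binary knows; "--help" prints them,
# any other call echoes the arguments it received.
STUB_FLAGS="--name --ssh"
init_stub() {
  if [ "$1" = "--help" ]; then
    printf '   %s\n' $STUB_FLAGS
  else
    printf '%s\n' "$*"
  fi
}

# Broken rendering: the conditional flag lands on its own line with no
# trailing backslash before it, so the shell runs "--ssh" as a command.
broken_render() {
  init_stub --name demo
  --ssh
}

# True if the binary's help text lists the flag (guards against an old image).
supports_flag() {
  init_stub --help | grep -Eq -e "(^|[[:space:]])$1([[:space:]=,]|\$)"
}

# Robust rendering: build the argument list first, append the optional flag
# only when enabled and supported, then make a single call.
fixed_render() {
  ssh_enabled=$1          # would be rendered from .Values.ca.ssh.enabled
  set -- --name demo      # placeholder base arguments
  if [ "$ssh_enabled" = "true" ]; then
    if supports_flag --ssh; then
      set -- "$@" --ssh
    else
      echo "init binary does not support --ssh; rebuild the image" >&2
      return 1
    fi
  fi
  init_stub "$@"
}

echo "broken:          $(broken_render 2>&1)"
echo "fixed (ssh on):  $(fixed_render true)"
echo "fixed (ssh off): $(fixed_render false)"
```

Because the argument list is assembled with `set --`, a templated conditional can wrap the whole `set -- "$@" --ssh` line without touching any line continuation.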
@tquid the chart now has an inject mode that allows you to configure all aspects of ca.json and the ability to inject all keys used by the CA.
It should now be possible to configure an SSH CA using this helm chart.
from helm-charts.
@tquid @maraino Are we able to close this issue now?
from helm-charts.
Yes, closing this now. Using the `step ca init --ssh --helm` chart is now possible to enable SSH. The bootstrap script is deprecated.
from helm-charts.