Comments (5)

estenrye commented on September 27, 2024

Yes, this can be changed. When I added the feature, I didn't consider that use case.

I might take a look a little bit later and see what I might be able to come up with.

from helm-charts.

opencommits commented on September 27, 2024

Yeah, I had to create it with inject.enabled=false, then took the ssh keys and did a helm upgrade with injection. This is really not a good way.
But thanks for the helm-charts anyway. 👍

estenrye commented on September 27, 2024

@jodygilbert I don't think you have to inject any ssh keys at all.

The default ca.json does not configure an SSH provisioner.

ca.json:
  root: /home/step/certs/root_ca.crt
  federateRoots: []
  crt: /home/step/certs/intermediate_ca.crt
  key: /home/step/secrets/intermediate_ca_key
  address: 0.0.0.0:9000
  dnsNames:
    - ca.example.com
    - mysteprelease-step-certificates.default.svc.cluster.local
    - 127.0.0.1
  logger:
    format: json
  authority:
    claims:
      minTLSCertDuration: 5m
      maxTLSCertDuration: 24h
      defaultTLSCertDuration: 24h
      disableRenewal: false
      minHostSSHCertDuration: 5m
      maxHostSSHCertDuration: 1680h
      defaultHostSSHCertDuration: 720h
      minUserSSHCertDuration: 5m
      maxUserSSHCertDuration: 24h
      defaultUserSSHCertDuration: 24h
    provisioners:
      - type: ACME
        name: acme
        forceCN: true
        claims: {}
  tls:
    cipherSuites:
      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      - TLS_AES_128_GCM_SHA256
    minVersion: 1.2
    maxVersion: 1.3
    renegotiation: false
defaults.json:
  ca-url: https://mysteprelease-step-certificates.default.svc.cluster.local
  ca-config: /home/step/config/ca.json
  fingerprint: fingerprint
  root: /home/step/certs/root_ca.crt

The helm chart sets the ssh certificate values as empty strings by default. Are you running into issues when you try to deploy the chart with those default values?

Here's an example Ansible Jinja2 template for configuring the helm chart values to deploy with the SSH provisioner enabled.

autocert:
  enabled: false
ca:
  db:
    enabled: false
    persistent: false
bootstrap:
  enabled: false
inject:
  enabled: true
  config:
    files:
      ca.json:
        root: /home/step/certs/root_ca.crt
        federateRoots: []
        crt: /home/step/certs/intermediate_ca.crt
        key: /home/step/secrets/intermediate_ca_key
        ssh:
          hostKey: /home/step/secrets/ssh_host_ca_key
          userKey: /home/step/secrets/ssh_user_ca_key
        address: 0.0.0.0:9000
        dnsNames:
          - "{{ step_certificates.helm_values.certificate_authority_url }}"
          - "{{ step_certificates.helm.name }}-step-certificates.{{ step_k8s_namespace }}.svc.cluster.local"
          - 127.0.0.1
        db:
          type: mysql
          datasource: "{{ step_mariadb.helm_values.auth.username }}:{{ step_mariadb.helm_values.auth.password }}@tcp({{ step_mariadb.helm.name }}:3306)/"
          database: "{{ step_mariadb.helm_values.auth.database }}"
        logger:
          format: json
        authority:
          claims:
            {{ step_certificates.helm_values.claims | to_nice_yaml | indent(12) }}
          provisioners:
            - type: ACME
              name: acme
              forceCN: true
              claims: {}
            - type: SSHPOP
              name: sshpop
              claims:
                enableSSHCA: true
            - type: JWK
              name: ansible_automation_token
              key: 
                alg: "{{ jwk_provisioner_pub.alg }}"
                crv: "{{ jwk_provisioner_pub.crv }}"
                kid: "{{ jwk_provisioner_pub.kid }}"
                kty: "{{ jwk_provisioner_pub.kty }}"
                use: "{{ jwk_provisioner_pub.use }}"
                x: "{{ jwk_provisioner_pub.x }}"
                'y': "{{ jwk_provisioner_pub.y }}"
              encryptedKey: "{{ jwk_provisioner_key.content | b64decode }}"
              claims:
                enableSSHCA: true
            - type: OIDC
              name: oidc
              clientID: "{{ step_certificates.helm_values.oidc.clientid }}"
              clientSecret: "{{ step_certificates.helm_values.oidc.clientsecret }}"
              configurationEndpoint: "{{ step_certificates.helm_values.oidc.configuration_endpoint }}"
              admins: {{ step_certificates.helm_values.oidc.admins | to_yaml }}
              domains: {{ step_certificates.helm_values.oidc.domains | to_yaml }}
              listenAddress: 127.0.0.1:{{ step_certificates.helm_values.oidc.ssh_client_listen_port }}
              ssh: true
              claims:
                enableSSHCA: true
        tls:
          cipherSuites:
            - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
            - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
            - TLS_AES_128_GCM_SHA256
          minVersion: 1.2
          maxVersion: 1.3
          renegotiation: false
        templates:
          ssh:
            user:
              - name: include.tpl
                type: snippet
                template: /home/step/config/ssh_user_include.tpl
                path: ~/.ssh/config
                comment: "#"
              - name: config.tpl
                type: file
                template: /home/step/config/ssh_user_config.tpl
                path: ssh/config
                comment: "#"
              - name: known_hosts.tpl
                type: file
                template: /home/step/config/ssh_user_known_hosts.tpl
                path: ssh/known_hosts
                comment: "#"
            host:
              - name: sshd_config.tpl
                type: snippet
                template: /home/step/config/ssh_host_sshd_config.tpl
                path: /etc/ssh/sshd_config
                comment: "#"
                requires:
                  - Certificate
                  - Key
              - name: ca.tpl
                type: snippet
                template: /home/step/config/ssh_host_sshd_ca.tpl
                path: /etc/ssh/ca.pub
                comment: "#"
      defaults.json:
        ca-url: https://{{ step_certificates.helm.name }}-step-certificates.{{ step_k8s_namespace }}.svc.cluster.local
        ca-config: /home/step/config/ca.json
        fingerprint: "{{ root_ca_fingerprint.stdout }}"
        root: /home/step/certs/root_ca.crt
    templates:
      ssh_user_include.tpl: |-
        {{ lookup('file', 'ssh_user_include.tpl') | indent(8) }}
      ssh_user_config.tpl: |-
        {{ lookup('file', 'ssh_user_config.tpl') | indent(8) }}
      ssh_user_known_hosts.tpl: |-
        {{ lookup('file', 'ssh_user_known_hosts.tpl') | indent(8) }}
      ssh_host_sshd_config.tpl: |-
        {{ lookup('file', 'ssh_host_sshd_config.tpl') | indent(8) }}
      ssh_host_sshd_ca.tpl: |-
        {{ lookup('file', 'ssh_host_sshd_ca.tpl') | indent(8) }}
  secrets:
    enabled: true
    ca_password: "{{ certificate_intermediate_ca.password | b64encode }}"
    provisioner_password: "{{ jwk_provisioner.password | b64encode }}"
    x509:
      intermediate_ca_key: |-
        {{ intermediate_ca_key.content | b64decode | indent(8) }}
      root_ca_key: |-
        {{ root_ca_key.content | b64decode | indent(8) }}
    ssh:
      host_ca_key: |-
        {{ ssh_host_ca_key.content | b64decode | indent(8) }}
      user_ca_key: |-
        {{ ssh_user_ca_key.content | b64decode | indent(8) }}
  certificates:
    enabled: true
    intermediate_ca: |-
      {{ intermediate_ca_certificate.content | b64decode | indent(6) }}
    root_ca: |-
      {{ root_ca_certificate.content | b64decode | indent(6) }}
    ssh_host_ca: |-
      {{ ssh_host_ca_certificate.content | b64decode | indent(6) }}
    ssh_user_ca: |-
      {{ ssh_user_ca_certificate.content | b64decode | indent(6) }}
service:
  type: NodePort
  port: 443
  targetPort: 9000
  nodePort: 32400

jodygilbert commented on September 27, 2024

Thanks for the example Jinja2 template. I do indeed run into issues if I deploy the chart with an empty string; here's the error I get:

Error: unable to build kubernetes objects from release manifest: error validating "": error validating data: [unknown object type "nil" in ConfigMap.data.ssh_host_ca_key.pub, unknown object type "nil" in ConfigMap.data.ssh_user_ca_key.pub]

For now I'm adding dummy certs as I'm not using ssh; it would be nice not to have to include any, though.


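As an added example (not code from this thread or from the helm-charts project), here is a small Python linter that cross-checks a step-ca ca.json against the chart's inject.certificates and inject.secrets.ssh values. It flags the three inconsistencies the thread touches on: SSH key values given as empty strings (the template still emits the key, which is what the "unknown object type nil" error above complains about), provisioners that enable SSH while ca.json has no ssh block, and the reverse, SSH CA private keys mounted into a CA that never uses them. The ca.json dicts, the inject fragments and the key strings are constructed samples modelled on the values posted above; in a real pipeline you would json.load the rendered ca.json and parse the values file instead.

```python
"""Cross-check a step-ca ca.json against the helm chart's inject.* values.

Added example with constructed inputs modelled on the thread's configs.
"""

# Constructed: the default chart ca.json shown above (no "ssh" block).
CA_JSON_NO_SSH = {
    "root": "/home/step/certs/root_ca.crt",
    "crt": "/home/step/certs/intermediate_ca.crt",
    "key": "/home/step/secrets/intermediate_ca_key",
    "address": "0.0.0.0:9000",
    "authority": {
        "provisioners": [
            {"type": "ACME", "name": "acme", "forceCN": True, "claims": {}},
        ]
    },
}

# Constructed: the SSH-enabled ca.json from the Jinja2 template above.
CA_JSON_SSH = {
    **CA_JSON_NO_SSH,
    "ssh": {
        "hostKey": "/home/step/secrets/ssh_host_ca_key",
        "userKey": "/home/step/secrets/ssh_user_ca_key",
    },
    "authority": {
        "provisioners": [
            {"type": "ACME", "name": "acme", "forceCN": True, "claims": {}},
            {"type": "SSHPOP", "name": "sshpop", "claims": {"enableSSHCA": True}},
            {"type": "OIDC", "name": "oidc", "ssh": True, "claims": {"enableSSHCA": True}},
        ]
    },
}

# Constructed placeholders standing in for real PEM / authorized_keys material.
PLACEHOLDER_KEY = "-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED\n-----END OPENSSH PRIVATE KEY-----"
PLACEHOLDER_PUB = "ecdsa-sha2-nistp256 CONSTRUCTED ssh-ca"

# Constructed inject.* fragments (only the SSH-relevant keys).
INJECT_EMPTY_STRINGS = {  # SSH values left as empty strings
    "certificates": {"ssh_host_ca": "", "ssh_user_ca": ""},
    "secrets": {"ssh": {"host_ca_key": "", "user_ca_key": ""}},
}
INJECT_NO_SSH = {"certificates": {}, "secrets": {}}  # SSH keys omitted entirely
INJECT_FULL = {
    "certificates": {"ssh_host_ca": PLACEHOLDER_PUB, "ssh_user_ca": PLACEHOLDER_PUB},
    "secrets": {"ssh": {"host_ca_key": PLACEHOLDER_KEY, "user_ca_key": PLACEHOLDER_KEY}},
}


def ssh_enabled_provisioners(ca_json):
    """Names of provisioners that would issue SSH certificates."""
    return [
        p.get("name", "?")
        for p in ca_json.get("authority", {}).get("provisioners", [])
        if p.get("type") == "SSHPOP"
        or p.get("ssh") is True
        or p.get("claims", {}).get("enableSSHCA") is True
    ]


def lint_ssh_config(ca_json, inject):
    """Return findings; an empty list means ca.json and inject.* agree on SSH."""
    findings = []
    certs = inject.get("certificates", {})
    secrets = inject.get("secrets", {}).get("ssh", {})
    material = {
        "certificates.ssh_host_ca": certs.get("ssh_host_ca"),
        "certificates.ssh_user_ca": certs.get("ssh_user_ca"),
        "secrets.ssh.host_ca_key": secrets.get("host_ca_key"),
        "secrets.ssh.user_ca_key": secrets.get("user_ca_key"),
    }

    # An empty string is not "absent": the template still emits the key, and its
    # nil value is what the manifest validation error complains about.
    for path, value in material.items():
        if value == "":
            findings.append(f"inject.{path} is an empty string; omit the key instead")

    present = {path for path, value in material.items() if value}
    ssh = ca_json.get("ssh")
    enabled = ssh_enabled_provisioners(ca_json)

    if ssh is None:
        # No SSH CA configured: SSH provisioners are dead config, and a mounted
        # SSH CA private key is a credential the pod has no reason to hold.
        findings += [f"provisioner {n!r} is SSH-enabled but ca.json has no 'ssh' block" for n in enabled]
        findings += [f"inject.{p} is mounted but unused without an 'ssh' block" for p in sorted(present)]
        return findings

    for field in ("hostKey", "userKey"):
        if not ssh.get(field):
            findings.append(f"ca.json ssh.{field} is not set")
    for path, value in material.items():
        if value is None:
            findings.append(f"ca.json has an 'ssh' block but inject.{path} is missing")
    if not enabled:
        findings.append("ca.json has an 'ssh' block but no provisioner enables SSH")
    return findings


if __name__ == "__main__":
    for label, ca, inj in [
        ("default ca.json, SSH values as empty strings", CA_JSON_NO_SSH, INJECT_EMPTY_STRINGS),
        ("default ca.json, SSH values omitted", CA_JSON_NO_SSH, INJECT_NO_SSH),
        ("SSH ca.json, full key material", CA_JSON_SSH, INJECT_FULL),
        ("SSH ca.json, no key material", CA_JSON_SSH, INJECT_NO_SSH),
    ]:
        print(label)
        for line in lint_ssh_config(ca, inj) or ["ok"]:
            print("  -", line)
```

The check treats "empty string" and "absent" as different states on purpose, because the chart template does too; whether omitting the SSH keys is actually accepted depends on the chart version, which the next comment addresses.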
estenrye commented on September 27, 2024

@jodygilbert you might want to check out 1.16.1. I added the capability to optionally inject SSH keys.
