Add enableAdmin and enableACME to Helm values.yml generation #1075
Conversation
force-pushed from 60a6088 to acdf080
Right now we have the `certificates/authority/authority.go` lines 600 to 616 in 9d4bef8
Provisioners stored in the CA configuration file are automatically migrated to the database. Currently there is no cleanup of the provisioners in the configuration file yet. In certain situations this may not work as expected, for example if the CA can't write to the file. But it's probably good to try it, so that we can keep the configuration state of the CA consistent.

At CA startup, a bit of additional logging was added:

```
badger 2022/10/06 16:58:51 INFO: All 0 tables opened in 0s
2022/10/06 16:58:53 Starting migration of provisioners
2022/10/06 16:58:53 Migrated JWK provisioner "jwk@example.com" with admin permissions
2022/10/06 16:58:53 Migrated ACME provisioner "acme"
2022/10/06 16:58:53 Finished migrating provisioners
2022/10/06 16:58:53 Created super admin "step" for JWK provisioner "jwk@example.com"
2022/10/06 16:58:53 Starting Smallstep CA/0000000-dev (darwin/arm64)
2022/10/06 16:58:53 Documentation: https://u.step.sm/docs/ca
```
... I'll see if I can make it respect the

Linting issue seems to be because of smallstep/workflows@825ed94. Unfortunately it doesn't show in which files the errors exist: https://github.com/smallstep/certificates/actions/runs/3226727287/jobs/5280607978.

@herman I'll take a look at those
force-pushed from e1ca385 to 9045192
The first super admin subject can now be provided through the `--admin-subject` flag when initializing a CA. It's not yet possible to configure the subject of the first super admin when provisioners are migrated from `ca.json` to the database. This effectively limits usage of the flag to scenarios in which the provisioners are written to the database immediately, so when `--remote-management` is enabled. It currently also doesn't work with Helm deployments, because there's no mechanism yet to pass this type of option to the Helm chart. This commit partially addresses smallstep/cli#697
force-pushed from 9045192 to d981b9e
In 5700116 I changed the Helm template output to include a default

There are a couple of things that I think can be improved when creating a configuration and initializing a CA to make it more maintainable and easier to reason about. I've left some notes and TODOs to remind myself. The tests for the Helm template should help with that, but we need more for the general PKI initialization.

authority/authority.go (Outdated)

```go
skipInit bool
// If true, does not output initialization logs
```

Suggested change:

```go
// If true, do not output initialization logs
```

To match the comments above.
In my opinion, we shouldn't rewrite the configuration.
@maraino I've adopted your suggestions and added logging of the token configuration at startup.
lgtm
This PR is an attempt at making it possible to process the `enableAdmin` and `enableACME` options, so that the generated Helm `values.yml` for `step-ca` includes the properties corresponding to these options.

It's an attempt, because it turns out to be more complicated for the `enableAdmin` option. The option is set to true when `--remote-management` is provided to `ca init`. When remote management is enabled, provisioners are stored in the database. But when we're writing the Helm configuration, we can't add provisioners to the DB (which does happen for the non-Helm case), because at that time we don't have a database to write to. This results in the default provisioner not being stored in the database.

@maraino, @dopey what do you think about this? I don't think an Init Container solves this, at least not without also adding some additional logic for handling this. I think we could use some kind of auto migration process that reads the provisioners from `ca.json`, stores them in the database and deletes them from `ca.json`. The problem with that is that specifically in this case the `ca.json` is intended to be read-only, complicating this. One other way I thought of is adding the initial provisioners not through the `ca.json`, but through another parameter. It would conceptually be fairly close to an Init Container, I guess. Noticed there's a `postInitHook` that could be of use, maybe?
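The auto-migration idea in the description above, and the startup migration logged in the comment earlier in the thread, sketched as an added Go example. This is not code from the PR or from step-ca: the `Provisioner` and `Store` types, `MemStore`, `MigrateProvisioners` and `SampleConfig` are all hypothetical stand-ins. It shows the two properties a defender would want from such a migration: it is idempotent (re-running at every startup migrates nothing twice and never creates a second super admin), and it never writes back to the configuration, which is what makes it usable when `ca.json` is read-only, as in the Helm case, and is in line with the "we shouldn't rewrite the configuration" review comment.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"os"
)

// Provisioner is a hypothetical, minimal stand-in for a provisioner entry in
// ca.json. It is not step-ca's own provisioner type.
type Provisioner struct {
	Type  string // "JWK" or "ACME" in the sample below
	Name  string
	Admin bool // true if the first super admin should be bound to this provisioner
}

// Store is the hypothetical database interface the migration writes to.
type Store interface {
	HasProvisioner(name string) bool
	PutProvisioner(p Provisioner) error
	PutAdmin(subject, provisionerName string) error
}

// MemStore is an in-memory Store so the example runs without a real database.
type MemStore struct {
	provs  map[string]Provisioner
	admins map[string]string // super admin subject -> provisioner name
}

func NewMemStore() *MemStore {
	return &MemStore{provs: map[string]Provisioner{}, admins: map[string]string{}}
}

func (m *MemStore) HasProvisioner(name string) bool {
	_, ok := m.provs[name]
	return ok
}

func (m *MemStore) PutProvisioner(p Provisioner) error {
	m.provs[p.Name] = p
	return nil
}

func (m *MemStore) PutAdmin(subject, prov string) error {
	if _, exists := m.admins[subject]; exists {
		return fmt.Errorf("super admin %q already exists", subject)
	}
	m.admins[subject] = prov
	return nil
}

// Result reports what one migration run did, for logging and for tests.
type Result struct {
	Migrated     []string
	Skipped      []string
	AdminSubject string // set only when a super admin was created in this run
}

// MigrateProvisioners copies provisioners from the parsed configuration into the
// store. Already-stored provisioners are skipped, so running it at every CA
// startup is safe, and the configuration itself is never rewritten: ca.json may
// be read-only, so the store becomes the source of truth once migrated.
func MigrateProvisioners(cfg []Provisioner, adminSubject string, st Store, logger *log.Logger) (Result, error) {
	var res Result
	if len(cfg) == 0 {
		return res, errors.New("no provisioners in configuration")
	}
	if adminSubject == "" {
		adminSubject = "step" // default super admin subject seen in the PR's startup log
	}
	logger.Println("Starting migration of provisioners")
	for _, p := range cfg {
		if st.HasProvisioner(p.Name) {
			res.Skipped = append(res.Skipped, p.Name)
			continue
		}
		if err := st.PutProvisioner(p); err != nil {
			return res, fmt.Errorf("migrating provisioner %q: %w", p.Name, err)
		}
		res.Migrated = append(res.Migrated, p.Name)
		if !p.Admin {
			logger.Printf("Migrated %s provisioner %q", p.Type, p.Name)
			continue
		}
		logger.Printf("Migrated %s provisioner %q with admin permissions", p.Type, p.Name)
		if err := st.PutAdmin(adminSubject, p.Name); err != nil {
			return res, fmt.Errorf("creating super admin %q: %w", adminSubject, err)
		}
		res.AdminSubject = adminSubject
		logger.Printf("Created super admin %q for %s provisioner %q", adminSubject, p.Type, p.Name)
	}
	logger.Println("Finished migrating provisioners")
	return res, nil
}

// SampleConfig is a constructed configuration mirroring the two provisioners in
// the PR's startup log; it is not a real ca.json.
func SampleConfig() []Provisioner {
	return []Provisioner{
		{Type: "JWK", Name: "jwk@example.com", Admin: true},
		{Type: "ACME", Name: "acme"},
	}
}

func main() {
	logger := log.New(os.Stdout, "", log.LstdFlags)
	st := NewMemStore()
	// First start: both provisioners are migrated and the super admin is created.
	if _, err := MigrateProvisioners(SampleConfig(), "", st, logger); err != nil {
		logger.Fatal(err)
	}
	// Second start with an unchanged ca.json: nothing is migrated twice.
	res, err := MigrateProvisioners(SampleConfig(), "", st, logger)
	if err != nil {
		logger.Fatal(err)
	}
	fmt.Printf("second run: migrated=%v skipped=%v\n", res.Migrated, res.Skipped)
}
```

The `Result` value is what an operator would want surfaced at startup: a second run that reports two skipped and zero migrated provisioners is the expected steady state, while a non-empty `Migrated` list on a long-running deployment signals that the configuration and the database had drifted apart.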