Add --enable-admin and --acme flags for the step ca init command. #577

Closed
dopey opened this issue Nov 10, 2021 · 1 comment · Fixed by #758
Labels
enhancement good first issue needs triage Waiting for discussion / prioritization by team

Comments

@dopey
Contributor

dopey commented Nov 10, 2021

This will allow users to set up API mgmt for provisioners, and unblock users in environments where the ca.json is not easily accessible.

The --enable-admin flag would create the first provisioner and admin (this code already exists, just behind a boolean).
The --acme flag would create an ACME provisioner.

Related: smallstep/certificates#737

@dopey dopey added enhancement good first issue needs triage Waiting for discussion / prioritization by team labels Nov 10, 2021
@dopey dopey removed the needs triage Waiting for discussion / prioritization by team label Nov 10, 2021
@JonathonRichardson

The ACME user flag would be particularly useful. In addition to adding it to the CLI, it should probably be exposed as an option for the docker image via the entrypoint.sh script, so that we could set an environment variable (e.g. DOCKER_STEPCA_INIT_ACME_USER=true) in the container config to have a fully compliant ACME server on startup.

As a workaround for now, I use a modified version of the entrypoint to get the CA to be ready to go for ACME requests on startup/creation by updating the step_ca_init function to call step ca provisioner add acme --type ACME before finishing up, but it'd be nice to get back to just launching the image as is from Docker Hub.

# Initialize a CA if not already initialized
function step_ca_init () {
    local -a setup_args=(
        --name "${DOCKER_STEPCA_INIT_NAME}"
        --dns "${DOCKER_STEPCA_INIT_DNS_NAMES}"
        --provisioner "${DOCKER_STEPCA_INIT_PROVISIONER_NAME:-admin}"
        --password-file "${STEPPATH}/password"
        --address ":9000"
    )
    if [ -n "${DOCKER_STEPCA_INIT_PASSWORD}" ]; then
        echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/password"
    else
        generate_password > "${STEPPATH}/password"
    fi
    if [ -n "${DOCKER_STEPCA_INIT_SSH}" ]; then
        setup_args=("${setup_args[@]}" --ssh)
    fi
    step ca init "${setup_args[@]}"

    # Add an ACME provisioner right after init so the CA answers ACME requests on first start.
    # https://smallstep.com/docs/step-ca/acme-basics#configure-step-ca-for-acme
    step ca provisioner add acme --type ACME

    # Quote the paths so a STEPPATH or PWDPATH containing spaces does not split the command.
    mv "${STEPPATH}/password" "${PWDPATH}"
}
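
A POSIX-sh variant of the init function, written for this page as an added example (not the smallstep image's entrypoint.sh), that gates the ACME provisioner on the DOCKER_STEPCA_INIT_ACME_USER variable proposed above and adds the `--remote-management` and `--admin-subject` flags named in the linked commits. DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT and DOCKER_STEPCA_INIT_ADMIN_SUBJECT are hypothetical variable names, STEP_CMD (default `step`) exists only so a stub can replace the binary, and the password file is assumed to be in place already.

```shell
#!/bin/sh
# Added example, not the smallstep entrypoint: build `step ca init` flags from
# DOCKER_STEPCA_INIT_* variables, then add an ACME provisioner when requested.
# DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT / DOCKER_STEPCA_INIT_ADMIN_SUBJECT are
# hypothetical names; STEP_CMD lets a test substitute a stub for `step`.

step_ca_init() {
    STEPPATH="${STEPPATH:-/home/step}"
    # Required inputs fail fast instead of leaving a half-initialised CA behind.
    set -- --name "${DOCKER_STEPCA_INIT_NAME:?DOCKER_STEPCA_INIT_NAME must be set}" \
           --dns "${DOCKER_STEPCA_INIT_DNS_NAMES:?DOCKER_STEPCA_INIT_DNS_NAMES must be set}" \
           --provisioner "${DOCKER_STEPCA_INIT_PROVISIONER_NAME:-admin}" \
           --password-file "${STEPPATH}/password" \
           --address ":9000"
    if [ -n "${DOCKER_STEPCA_INIT_SSH:-}" ]; then
        set -- "$@" --ssh
    fi
    # --remote-management enables the Admin API and stores the first provisioner
    # and super admin in the DB; --admin-subject names that first super admin.
    if [ -n "${DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT:-}" ]; then
        set -- "$@" --remote-management
        if [ -n "${DOCKER_STEPCA_INIT_ADMIN_SUBJECT:-}" ]; then
            set -- "$@" --admin-subject "${DOCKER_STEPCA_INIT_ADMIN_SUBJECT}"
        fi
    fi
    "${STEP_CMD:-step}" ca init "$@" || return 1
    # The ACME provisioner is only added once init has succeeded.
    if [ -n "${DOCKER_STEPCA_INIT_ACME_USER:-}" ]; then
        "${STEP_CMD:-step}" ca provisioner add acme --type ACME || return 1
    fi
}
```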

@dopey dopey added needs triage Waiting for discussion / prioritization by team and removed needs triage Waiting for discussion / prioritization by team labels Jun 14, 2022
@hslatman hslatman added the needs triage Waiting for discussion / prioritization by team label Aug 24, 2022
hslatman added a commit that referenced this issue Sep 27, 2022
This partially addresses #577,
but using `--remote-administration` as the flag name. It'll result
in the Admin API being enabled as well as a default provisioner and
corresponding admin credential being generated.

Currently this requires a DB to be configured too, as the logic
for creation of the new PKI stores the new provisioner and admin
in the DB at all times when the Admin API gets enabled.

The behavior this flag introduces might become the default at
some point.
hslatman added a commit that referenced this issue Sep 27, 2022
@hslatman hslatman linked a pull request Sep 27, 2022 that will close this issue
hslatman added a commit to smallstep/certificates that referenced this issue Oct 14, 2022
The first super admin subject can now be provided through the
`--admin-subject` flag when initializing a CA.

It's not yet possible to configure the subject of the first
super admin when provisioners are migrated from `ca.json` to the
database. This effectively limits usage of the flag to scenarios
in which the provisioners are written to the database immediately,
so when `--remote-management` is enabled. It currently also doesn't
work with Helm deployments, because there's no mechanism yet to
pass this type of option to the Helm chart.

This commit partially addresses smallstep/cli#577