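# Secrets that will be updated by the configuration job:
# 1. CA keys password.
# 2. Provisioner password.
#
# The CA password Secret is rendered in two situations:
# - bootstrap.enabled and bootstrap.secrets are set: an untyped Secret with no
#   data is created as a placeholder for the configuration job to fill in;
# - inject.enabled is set and inject.secrets.ca_password is non-empty: the
#   password is written here directly and the Secret is typed.
#
# The value goes under `data`, which Kubernetes treats as base64-encoded bytes;
# this template does not encode it, so inject.secrets.ca_password must already
# be base64 (confirm against values.yaml). The value is quoted so that a
# base64 string consisting only of digits (or otherwise resembling a YAML
# number/boolean) is still emitted as a string rather than retyped.
#
# NOTE(review): the inner guard tests inject.enabled only, so when bootstrap
# and inject are both enabled but ca_password is "" this renders a typed Secret
# with an empty password instead of the blank placeholder -- confirm intended.
{{- if or (and .Values.bootstrap.enabled .Values.bootstrap.secrets) (and .Values.inject.enabled (not (eq .Values.inject.secrets.ca_password ""))) }}
apiVersion: v1
kind: Secret
{{- if .Values.inject.enabled }}
type: smallstep.com/ca-password
{{- end }}
metadata:
  name: {{ include "step-certificates.fullname" . }}-ca-password
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "step-certificates.labels" . | nindent 4 }}
{{- if .Values.inject.enabled }}
data:
  # Already base64-encoded by the caller; quoted to pin the YAML type to string.
  password: {{ .Values.inject.secrets.ca_password | quote }}
{{- end }}
{{- end }}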
---
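# Provisioner password Secret. Same two-mode logic as the CA password above:
# an untyped, data-less placeholder when the bootstrap job will populate it
# (bootstrap.enabled and bootstrap.secrets), or a typed Secret carrying the
# value when inject.enabled is set and provisioner_password is non-empty.
#
# `data` values are base64-encoded bytes in Kubernetes and this template does
# not encode, so inject.secrets.provisioner_password must already be base64
# (confirm against values.yaml). Quoting keeps a digit-only or otherwise
# number/boolean-looking base64 string from being retyped by the YAML parser.
#
# NOTE(review): the inner guard only checks inject.enabled, so bootstrap and
# inject both enabled with an empty provisioner_password yields a typed Secret
# whose password is "" rather than the placeholder -- confirm intended.
{{- if or (and .Values.bootstrap.enabled .Values.bootstrap.secrets) (and .Values.inject.enabled (not (eq .Values.inject.secrets.provisioner_password ""))) }}
apiVersion: v1
kind: Secret
{{- if .Values.inject.enabled }}
type: smallstep.com/provisioner-password
{{- end }}
metadata:
  name: {{ include "step-certificates.fullname" . }}-provisioner-password
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "step-certificates.labels" . | nindent 4 }}
{{- if .Values.inject.enabled }}
data:
  # Already base64-encoded by the caller; quoted to pin the YAML type to string.
  password: {{ .Values.inject.secrets.provisioner_password | quote }}
{{- end }}
{{- end }}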
---
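# Certificate-issuer password. Rendered only when inject is enabled, the
# certificate_issuer block is enabled, and its password is non-empty; there
# is no bootstrap-job placeholder variant for this Secret. The matching
# private key is written to the `-secrets` Secret further down in this file.
#
# The value sits under `data`, which Kubernetes treats as base64-encoded
# bytes; nothing here encodes it, so inject.secrets.certificate_issuer.password
# must already be base64 (confirm against values.yaml). Quoted so a base64
# string that looks like a YAML number or boolean stays a string.
{{- if and .Values.inject.enabled (and .Values.inject.secrets.certificate_issuer.enabled (not (eq .Values.inject.secrets.certificate_issuer.password ""))) }}
apiVersion: v1
kind: Secret
type: smallstep.com/certificate-issuer-password
metadata:
  name: {{ include "step-certificates.fullname" . }}-certificate-issuer-password
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "step-certificates.labels" . | nindent 4 }}
data:
  # Already base64-encoded by the caller; quoted to pin the YAML type to string.
  password: {{ .Values.inject.secrets.certificate_issuer.password | quote }}
{{- end }}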
---
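# SSH host CA key password. Rendered only when inject is enabled, the ssh
# block is enabled, and host_ca_password is non-empty; no bootstrap-job
# placeholder variant exists for this Secret.
#
# Stored under `data`, which Kubernetes treats as base64-encoded bytes; this
# template does not encode, so inject.secrets.ssh.host_ca_password must
# already be base64 (confirm against values.yaml). Quoted so a base64 string
# resembling a YAML number or boolean is not retyped.
{{- if and .Values.inject.enabled (and .Values.inject.secrets.ssh.enabled (not (eq .Values.inject.secrets.ssh.host_ca_password ""))) }}
apiVersion: v1
kind: Secret
type: smallstep.com/ssh-host-ca-password
metadata:
  name: {{ include "step-certificates.fullname" . }}-ssh-host-ca-password
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "step-certificates.labels" . | nindent 4 }}
data:
  # Already base64-encoded by the caller; quoted to pin the YAML type to string.
  password: {{ .Values.inject.secrets.ssh.host_ca_password | quote }}
{{- end }}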
---
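# SSH user CA key password. Rendered only when inject is enabled, the ssh
# block is enabled, and user_ca_password is non-empty; no bootstrap-job
# placeholder variant exists for this Secret.
#
# Stored under `data`, which Kubernetes treats as base64-encoded bytes; this
# template does not encode, so inject.secrets.ssh.user_ca_password must
# already be base64 (confirm against values.yaml). Quoted so a base64 string
# resembling a YAML number or boolean is not retyped.
{{- if and .Values.inject.enabled (and .Values.inject.secrets.ssh.enabled (not (eq .Values.inject.secrets.ssh.user_ca_password ""))) }}
apiVersion: v1
kind: Secret
type: smallstep.com/ssh-user-ca-password
metadata:
  name: {{ include "step-certificates.fullname" . }}-ssh-user-ca-password
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "step-certificates.labels" . | nindent 4 }}
data:
  # Already base64-encoded by the caller; quoted to pin the YAML type to string.
  password: {{ .Values.inject.secrets.ssh.user_ca_password | quote }}
{{- end }}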
---
# Private key material supplied through values. Rendered only when inject is
# enabled AND bootstrap.secrets is set; each key is written under stringData
# as a multi-line literal, so the values are used verbatim (no base64 step).
#
# NOTE(review): the ssh branch skips a key given as "", but the x509 branch
# writes intermediate_ca_key and root_ca_key unconditionally, so an unset
# x509 key becomes an empty entry -- confirm whether that asymmetry is intended
# before relying on either behaviour.
# NOTE(review): supplying root_ca_key here places the root CA's private key in
# the same Secret as the intermediate key. If the running CA only signs with
# the intermediate, leaving the root key out of the cluster (offline) limits
# the blast radius of a Secret disclosure.
# NOTE(review): values passed to Helm are also kept in the release record;
# prefer --set-file or an external secret source over committing key material
# to a values file.
{{- if and .Values.inject.enabled .Values.bootstrap.secrets}}
apiVersion: v1
kind: Secret
type: smallstep.com/private-keys
metadata:
  name: {{ include "step-certificates.fullname" . }}-secrets
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "step-certificates.labels" . | nindent 4 }}
stringData:
{{- if and .Values.inject.secrets.certificate_issuer.enabled (not (eq .Values.inject.secrets.certificate_issuer.key "")) }}
  # Only when the certificate_issuer block is enabled and a key was given.
  certificate_issuer_key: |-
{{- .Values.inject.secrets.certificate_issuer.key | nindent 4 }}
{{- end }}
{{- if .Values.inject.secrets.x509.enabled }}
  # Both x509 keys are emitted whenever the block is enabled, even if empty.
  intermediate_ca_key: |-
{{- .Values.inject.secrets.x509.intermediate_ca_key | nindent 4 }}
  root_ca_key: |-
{{- .Values.inject.secrets.x509.root_ca_key | nindent 4 }}
{{- end }}
{{- if .Values.inject.secrets.ssh.enabled }}
  # SSH keys are each skipped when the value is the empty string.
{{- if not (eq "" .Values.inject.secrets.ssh.host_ca_key) }}
  ssh_host_ca_key: |-
{{- .Values.inject.secrets.ssh.host_ca_key | nindent 4 }}
{{- end }}
{{- if not (eq "" .Values.inject.secrets.ssh.user_ca_key) }}
  ssh_user_ca_key: |-
{{- .Values.inject.secrets.ssh.user_ca_key | nindent 4 }}
{{- end }}
{{- end}}
{{- end }}
---
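# Linked-CA token, rendered only when linkedca.token is set (Go template
# truthiness: an empty string skips the document).
#
# The token goes under `data`, which Kubernetes treats as base64-encoded
# bytes; this template does not encode it, so linkedca.token must already be
# base64 (confirm against values.yaml). Quoted so a base64 value that looks
# like a YAML number or boolean is still emitted as a string.
#
# NOTE(review): a token passed via values is also persisted in the Helm
# release record; prefer an external secret source over committing it to a
# values file.
{{- if .Values.linkedca.token }}
apiVersion: v1
kind: Secret
type: smallstep.com/step-ca-token
metadata:
  name: {{ include "step-certificates.fullname" . }}-step-ca-token
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "step-certificates.labels" . | nindent 4 }}
data:
  # Already base64-encoded by the caller; quoted to pin the YAML type to string.
  token: {{ .Values.linkedca.token | quote }}
{{- end }}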