
Commit 28de33e

committed
feat: use secret for private key certs during bootstrap
1 parent 541b737 commit 28de33e


4 files changed

+20
-8
lines changed


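--- a/docker/step-ca-bootstrap/entrypoint.sh
+++ b/docker/step-ca-bootstrap/entrypoint.sh
@@ -112,15 +112,15 @@ function kbreplace() {
 # It allows to properly remove them on help delete
 kbreplace -n $NAMESPACE create configmap $PREFIX-config --from-file $(step path)/config
 kbreplace -n $NAMESPACE create configmap $PREFIX-certs --from-file $(step path)/certs
-kbreplace -n $NAMESPACE create configmap $PREFIX-secrets --from-file $(step path)/secrets
 
+kbreplace -n $NAMESPACE create secret generic $PREFIX-secrets --from-file $(step path)/secrets
 kbreplace -n $NAMESPACE create secret generic $PREFIX-ca-password --from-literal "password=${CA_PASSWORD}"
 kbreplace -n $NAMESPACE create secret generic $PREFIX-provisioner-password --from-literal "password=${CA_PROVISIONER_PASSWORD}"
 
 # Label all configmaps and secrets
 kubectl -n $NAMESPACE label configmap $PREFIX-config $LABELS
 kubectl -n $NAMESPACE label configmap $PREFIX-certs $LABELS
-kubectl -n $NAMESPACE label configmap $PREFIX-secrets $LABELS
+kubectl -n $NAMESPACE label secret $PREFIX-secrets $LABELS
 kubectl -n $NAMESPACE label secret $PREFIX-ca-password $LABELS
 kubectl -n $NAMESPACE label secret $PREFIX-provisioner-password $LABELS
 
@@ -160,4 +160,4 @@ echo -e "\e[1mStep Certificates installed!\e[0m"
 echo
 echo "CA URL: ${CA_URL}"
 echo "CA Fingerprint: ${FINGERPRINT}"
-echo
+echo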
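Review bot: The new `kbreplace -n $NAMESPACE create secret generic $PREFIX-secrets ...` line (116+) has no counterpart that removes the `$PREFIX-secrets` ConfigMap an earlier bootstrap created, so on an upgraded install the private key material under `$(step path)/secrets` stays readable through the old ConfigMap even though it now also lives in a Secret. Add a best-effort cleanup after the create, e.g. `kubectl -n $NAMESPACE delete configmap $PREFIX-secrets --ignore-not-found`, or document in a comment why the ConfigMap is deliberately left in place. The templated copy of this script in step-certificates/templates/configmaps.yaml has the same gap. The context comment on line 112 reads `help delete`; presumably `helm delete` is meant. `kbreplace` itself is defined outside this hunk, so whether it replaces an existing Secret in place or recreates it cannot be confirmed from here.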

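--- a/step-certificates/templates/ca.yaml
+++ b/step-certificates/templates/ca.yaml
@@ -95,8 +95,14 @@ spec:
 configMap:
 name: {{ include "step-certificates.fullname" . }}-config
 - name: secrets
-configMap:
-name: {{ include "step-certificates.fullname" . }}-secrets
+projected:
+sources:
+- configMap:
+name: {{ include "step-certificates.fullname" . }}-secrets
+optional: true
+- secret:
+name: {{ include "step-certificates.fullname" . }}-secrets
+optional: true
 - name: ca-password
 secret:
 secretName: {{ include "step-certificates.fullname" . }}-ca-password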
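Review bot: Marking the `secret` source `optional: true` (line 105+) next to an equally optional `configMap` source means a missing or not-yet-populated `-secrets` Secret no longer fails the mount; the pod comes up with an empty or ConfigMap-only secrets volume and the CA either fails later or keeps serving its private key out of a legacy ConfigMap. If the ConfigMap source exists only for installs bootstrapped before this change, say so, e.g. `# configMap source kept for installs bootstrapped before the move to a Secret; drop it and the optional flags once migrated`. Also confirm how the kubelet resolves a file name present in both sources of a projected volume (I believe a later source's entry overrides an earlier one, but that should be verified rather than relied on). Since this volume carries private keys, a restrictive `defaultMode` on the projected volume is worth considering; the previous configMap volume set none either. The volume list this hunk edits begins above the hunk.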

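--- a/step-certificates/templates/configmaps.yaml
+++ b/step-certificates/templates/configmaps.yaml
@@ -121,15 +121,15 @@ data:
 # It allows to properly remove them on helm delete
 kbreplace -n {{ .Release.Namespace }} create configmap {{ include "step-certificates.fullname" . }}-config --from-file $(step path)/config
 kbreplace -n {{ .Release.Namespace }} create configmap {{ include "step-certificates.fullname" . }}-certs --from-file $(step path)/certs
-kbreplace -n {{ .Release.Namespace }} create configmap {{ include "step-certificates.fullname" . }}-secrets --from-file $(step path)/secrets
 
+kbreplace -n {{ .Release.Namespace }} create secret generic {{ include "step-certificates.fullname" . }}-secrets --from-file $(step path)/secrets
 kbreplace -n {{ .Release.Namespace }} create secret generic {{ include "step-certificates.fullname" . }}-ca-password --from-literal "password=${CA_PASSWORD}"
 kbreplace -n {{ .Release.Namespace }} create secret generic {{ include "step-certificates.fullname" . }}-provisioner-password --from-literal "password=${CA_PROVISIONER_PASSWORD}"
 
 # Label all configmaps and secrets
 kubectl -n {{ .Release.Namespace }} label configmap {{ include "step-certificates.fullname" . }}-config {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
 kubectl -n {{ .Release.Namespace }} label configmap {{ include "step-certificates.fullname" . }}-certs {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
-kubectl -n {{ .Release.Namespace }} label configmap {{ include "step-certificates.fullname" . }}-secrets {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
+kubectl -n {{ .Release.Namespace }} label secret {{ include "step-certificates.fullname" . }}-secrets {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
 kubectl -n {{ .Release.Namespace }} label secret {{ include "step-certificates.fullname" . }}-ca-password {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
 kubectl -n {{ .Release.Namespace }} label secret {{ include "step-certificates.fullname" . }}-provisioner-password {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
 
@@ -144,4 +144,4 @@ data:
 echo
 echo "CA URL: {{include "step-certificates.url" .}}"
 echo "CA Fingerprint: $(step certificate fingerprint $(step path)/certs/root_ca.crt)"
-echo
+echo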

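--- a/step-certificates/templates/secrets.yaml
+++ b/step-certificates/templates/secrets.yaml
@@ -12,3 +12,9 @@ kind: Secret
 metadata:
 name: {{ include "step-certificates.fullname" . }}-provisioner-password
 namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: {{ include "step-certificates.fullname" . }}-secrets
+namespace: {{ .Release.Namespace }}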
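Review bot: The new `-secrets` Secret (lines 15+ to 20+) is declared with metadata only and no `data`, and nothing in the file says it is a placeholder that the bootstrap job later fills via `kbreplace ... create secret generic ...-secrets --from-file $(step path)/secrets`; a reader is likely to take the empty object for a mistake, and it also hides that this is where the CA's private key material ends up. Add a comment above the new document, e.g. `# Placeholder for the CA's $(step path)/secrets directory (private keys); populated by the bootstrap job, declared here so Helm owns and deletes it.` The preceding `-provisioner-password` Secret this hunk attaches to begins above the hunk.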
