configurable custom CA

ondrejtomcik · ondrejtomcik · commit 96b475644cc9 · 2020-05-17T23:43:10.000+02:00
diff --git a/step-certificates/README.md b/step-certificates/README.md
@@ -60,6 +60,7 @@ chart and their default values.
 | `ca.db.size`                | Persistent volume size                                                            | `10Gi`                        |
 | `ca.runAsRoot`              | Run the CA as root.                                                               | `false`                       |
 | `ca.bootstrap.postInitHook` | Extra script snippet to run after `step ca init` has completed.                   | `""`                          |
+| `ca.bootstrap.rootCA.secret`| Name of the custom root CA secret (k8s tls secret) to be used.                    | `""`                          |
 | `service.type`              | Service type                                                                      | `ClusterIP`                   |
 | `service.port`              | Incoming port to access Step CA                                                   | `443`                         |
 | `service.targetPort`        | Internal port where Step CA runs                                                  | `9000`                        |
diff --git a/step-certificates/templates/bootstrap.yaml b/step-certificates/templates/bootstrap.yaml
@@ -24,6 +24,11 @@ spec:
       serviceAccountName: {{ include "step-certificates.fullname" . }}-config
       restartPolicy: Never
       volumes:
+      {{- if .Values.ca.bootstrap.rootCA.secret }}
+      - name: {{ include "step-certificates.fullname" . }}-ca-volume
+        secret:
+          secretName: "{{ .Values.ca.bootstrap.rootCA.secret }}"
+      {{- end }}
       - name: bootstrap
         configMap:
           name: {{ include "step-certificates.fullname" . }}-bootstrap
@@ -36,4 +41,8 @@ spec:
           - name: bootstrap
             mountPath: /home/step/bootstrap
             readOnly: true
+          {{- if .Values.ca.bootstrap.rootCA.secret }}
+          - name: {{ include "step-certificates.fullname" . }}-ca-volume
+            mountPath: /tmp/certs
+          {{- end }}
 {{- end }}
diff --git a/step-certificates/templates/configmaps.yaml b/step-certificates/templates/configmaps.yaml
@@ -107,7 +107,7 @@ data:
       --provisioner "{{.Values.ca.provisioner.name}}" \
       --with-ca-url "{{include "step-certificates.url" .}}" \
       --password-file "$TMP_CA_PASSWORD" \
-      --provisioner-password-file "$TMP_CA_PROVISIONER_PASSWORD" {{ if not .Values.ca.db.enabled }}--no-db{{ end }}
+      --provisioner-password-file "$TMP_CA_PROVISIONER_PASSWORD" {{ if not .Values.ca.db.enabled }}--no-db{{ end }} {{ if .Values.ca.bootstrap.rootCA.secret }}--root /tmp/certs/tls.crt --key /tmp/certs/tls.key{{ end }}
 
     rm -f $TMP_CA_PASSWORD $TMP_CA_PROVISIONER_PASSWORD
 
diff --git a/step-certificates/values.yaml b/step-certificates/values.yaml
@@ -70,6 +70,9 @@ ca:
   bootstrap:
     # Add script snippets here to be executed after the step ca init has been run
     postInitHook: ""
+    rootCA:
+      secret:
+        name:
 
 # autocert is used to configure the autocert chart that depends on step-certificates.
 autocert:
