The documentation needs major clarifications

[spyesx]

I've followed the documentation, step by step (at https://artifacthub.io/packages/helm/smallstep/step-certificates) but I am so confused with the procedure. I think it needs a major clarification.

My end goal is to have a working ACME provider accessible from https://ca.step.example.com hosted on k8s.

I use a docker container to use step-cli.

# Open a shell in the container
docker run --rm  -it -v ./step:/home/step --name step-ca smallstep/step-ca bash

Then I generate the values.yaml file:

# Installing the chart
# https://artifacthub.io/packages/helm/smallstep/step-certificates#installing-the-chart
step ca init --helm > values.yaml

echo -n "password" | base64 > password-base64.txt

echo -n "password" | base64 > provisioner-password-base64.txt

First thing to not is this procedure creates a JWK provisioner by default. But how to Not an ACME one. Though, the info is here: https://smallstep.com/docs/step-ca/provisioners/#acme

# exit the container
exit

Now let's install the chart:

kubectl create namespace step

helm repo add smallstep https://smallstep.github.io/helm-charts/
helm repo update

helm install -f values.yaml \
    --set inject.secrets.ca_password="$(cat password-base64.txt)" \
    --set inject.secrets.provisioner_password="$(cat provisioner-password-base64.txt)" \
    step-certificates smallstep/step-certificates \
    --namespace step

The pod is stuck in a CrashLoopBackOff

kubectl get pods -n step
NAME                  READY   STATUS             RESTARTS        AGE
step-certificates-0   0/1     CrashLoopBackOff   6 (4m22s ago)   10m

And the log show an error:

kubectl logs step-certificates-0 -n step
badger 2025/04/14 14:24:32 INFO: All 0 tables opened in 0s
badger 2025/04/14 14:24:32 INFO: Replaying file id: 0 at offset: 0
badger 2025/04/14 14:24:32 INFO: Replay took: 91.945µs
error allocating terminal: open /dev/tty: no such device or address

Also, secrets are empty...

Am I missing something?

I have disabled the ingress as well and came with my own IngressRoute:

---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: step-certificates
  namespace: step
  annotations: 
    kubernetes.io/ingress.class: traefik-external
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`ca.step.example.com`)
      kind: Rule
      services:
        - name: step-certificates
          port: 443

[spyesx]

Answering part of my own question:

The documentation provides the same password for the CA and to the provisionner:

[...]
     --set inject.secrets.ca_password=$(cat password.txt) \
     --set inject.secrets.provisioner_password=$(cat password.txt) \
[...]

It was common sense to me to provide different passwords:

[...]
    --set inject.secrets.ca_password="$(cat password-base64.txt)" \
    --set inject.secrets.provisioner_password="$(cat provisioner-password-base64.txt)" \
[...]

Never the less, I ended up trying as a last resort. You guess it 🙂 Secrets are not empty anymore and the pod started!

Does someone know why these passwords must be identical?

[hslatman]

Hey @spyesx,

It's weird that the first case the secret(s) are (both) empty. I would expect at least a single secret to be available in that case. Is it possible you had a mismatch between the passwords generated at initialization time vs. when the CA was started?

I noticed the error stating this: error allocating terminal: open /dev/tty: no such device or address. I think the CA may be trying to prompt you for the password in that case, which won't work in a non-interactive environment. It's possible the CA wasn't able to read any password in that case.

Regarding the JWK vs. ACME provisioner: step-ca will always create a JWK provisioner. ACME provisioners are optional. You can add one at initialization time using step ca init --acme.

In general there's a difference between the step-ca documentation, and that in the Helm charts. It's possible to run step-ca in many ways, and deploying it via Helm is only one of the ways to do so. So the documentation describes the more general step-ca settings; not all the settings specific to the Helm chart.

[christian-westbrook]

@spyesx when I let step ca init generate my passwords for me, it generated two distinct passwords. I am currently using two unique passwords for a step-ca server in a kubernetes cluster.

By default the step-ca server will listen on port :9000. Do you know if your service is correctly routing traffic from :443 to :9000, or if your step-ca server has been configured to listen on :443? You can use --set service.targetPort=443 to change the port step-ca listens on from :9000 to :443, for instance.