Helm Setup with Immutable K8 (Talos)

[flashpixx]

Hello,

I'm hoping I can ask this question here at the right place.
I'm setting up a K8 with Talos Kubernetes https://www.talos.dev/ (an immutable K8).

I have generated with "step ca init --helm" the basic values.yaml, but this seems not to be working well, because in the values.yaml there are file path structure:

inject:
  enabled: true
  # Config contains the configuration files ca.json and defaults.json
  config:
    files:
      ca.json:
        root: /home/step/certs/root_ca.crt
        federateRoots: []
        crt: /home/step/certs/intermediate_ca.crt
        key: /home/step/secrets/intermediate_ca_key

But on Talos there are no users or any access to filesystem, I'm using PVCs with local-path-storage. For me it is not clear to setup Smallstep on the immutable K8.
I'm using the chart 1.38.3 and I would like to add autocert as well to apply the certs to my ingresses.

Can you help be with the setup?

[areed]

You can review the volumes backing each of those paths here. They are mostly secrets and configmaps, not anything mutable. However the db at /home/step/db refers to the path in the container where a PVC will be mounted. What's the error you're seeing? Is the PVC provisioned?

[flashpixx]

I have deployed a very basic test chart, but the step-certificate-0 pod does not start, it creates this error:

2025-05-13T23:55:43.255160787Z badger 2025/05/13 23:55:43 INFO: All 0 tables opened in 0s
2025-05-13T23:55:43.255228087Z badger 2025/05/13 23:55:43 INFO: Replaying file id: 0 at offset: 0
2025-05-13T23:55:43.255299647Z badger 2025/05/13 23:55:43 INFO: Replay took: 67.63µs
2025-05-13T23:55:43.306022558Z error allocating terminal: open /dev/tty: no such device or address

[hslatman]

@flashpixx can you try providing the password(s) using files instead, e.g. with --password-file /path/to/password.txt after mounting that too? The CA will prompt for password(s) when starting, and that can fail with that type of error.

[flashpixx]

I generate the data with step ca init --helm and did not change anything

[hslatman]

In that case, can you set the password(s) by passing it to helm install? See https://github.com/smallstep/helm-charts/tree/master/step-certificates#installing-the-chart.