configmaps to secrets, missing db config in inject block and ingress example structure. #56
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -39,13 +39,23 @@ type: smallstep.com/private-keys | |
| metadata: | ||
| name: {{ include "step-certificates.fullname" . }}-secrets | ||
| namespace: {{ .Release.Namespace }} | ||
| data: | ||
| intermediate_ca_key: {{ .Values.inject.secrets.x509.intermediate_ca_key }} | ||
| root_ca_key: {{ .Values.inject.secrets.x509.root_ca_key }} | ||
| ssh_host_ca_key: {{ .Values.inject.secrets.ssh.host_ca_key }} | ||
| ssh_user_ca_key: {{ .Values.inject.secrets.ssh.user_ca_key }} | ||
| {{- end }} | ||
| --- | ||
| {{- if .Values.inject.enabled }} | ||
| apiVersion: v1 | ||
| kind: Secret | ||
| type: smallstep.com/certs | ||
| metadata: | ||
| name: {{ include "step-certificates.fullname" . }}-certs | ||
|
There was a problem hiding this comment. @maraino I don't have an issue with this moving from ConfigMaps to Secrets if @ricosega has a compelling reason for doing so. However, part of the reason I didn't when I introduced the inject capability was that I didn't have a security reason for doing so. If Kubernetes supported TLS ingress configurations with key passwords, I would have merged these two configuration objects into a single secret to take advantage of that capability. But without that support, I kept them separate to discourage people from creating root certificates without passwords to leverage the TLS Ingress capability. At the end of the day, my thought was that I was going to end up sprinkling the CA certificates absolutely everywhere in my environment so why does it need to be secret. I don't have any objection to this change, but would be very interested to hear why @ricosega thinks it should move. There was a problem hiding this comment. I agree when we say that a cert is public, the point is that probably many people can use a helm chart in a CI/CD environment, so they will have to substitute variables in the values.yaml and here it comes the problem. A certificate or a key, because of their structure and length are difficult to store in an environment variable to be replaced later, if you try it you will get an error. The only way to do it is to save the certificate in oneline and then do tricks and things to have it the same way. Instead if you save your certificate or key in base64 in oneline it will always preserves the structure and it is easier then to replace it. There was a problem hiding this comment. @ricosega Moving the ConfigMaps to secrets might be a breaking change for some users. Can you investigate if storing the data as PS: I've been on vacation. There was a problem hiding this comment. Sorry for the delay I've been on vacation too. There was a problem hiding this comment. @ricosega I think its best not to introduce a breaking change for this. I would be open to seeing a Also, you may want to update your branch to the latest master. Support for registration authorities was added while you were away and the latest version of the chart is now |
||
| namespace: {{ .Release.Namespace }} | ||
| data: | ||
| intermediate_ca.crt: {{ .Values.inject.certificates.intermediate_ca }} | ||
| root_ca.crt: {{ .Values.inject.certificates.root_ca }} | ||
| ssh_host_ca.pub: {{ .Values.inject.certificates.ssh_host_ca }} | ||
| ssh_user_ca.pub: {{ .Values.inject.certificates.ssh_user_ca }} | ||
| {{- end }} | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One note on the version bump.
Since this PR changed the expected format of several of the values parameters, we may want to bump a minor version instead of a patch version if anyone has taken a dependency on 1.15.17.