smallstep/helm-charts

Helm Chart does not have an option to enable ssh certs

Closed this issue · 13 comments

tquid commented

There doesn't seem to be any way to have the Helm installation CA able to do ssh certs.
Using microk8s I'm able to install it, but get this result trying to create an ssh host cert:

~ step ssh certificate --host `hostname` ssh_host_ecdsa_key 
✔ Provisioner: admin (JWK) [kid: yldB0QKmseHyvSCUwfmU87iKkp4GY-q9UeOB008ILwY]
✔ Please enter the password to decrypt the provisioner key:
✔ CA: https://127.0.0.1:30537
Not Implemented

Is there a workaround to connect to the CA and do a fresh step ca init?

This is a known issue; right now the helm-chart only sets up the CA with the default configuration. Editing the configmap that has the ca.json won't be enough as you will need the keys too. So to get it you will need to edit the chart itself.

I'm not sure, because I haven't tested, but I think adding --ssh here might be enough:
https://github.com/smallstep/helm-charts/blob/master/step-certificates/templates/configmaps.yaml#L106-L113

tquid commented

Thanks. Yes, I was thinking something like {{ if .Values.ca.ssh.enabled }}--ssh{{ end }}, I'll try it and report back.

Yes, we need to add something like that for sure. SSH is still in the alpha stage and we didn't do it. We're working on providing a nicer experience with it.

tquid commented

I tried updating the values.yml and templates\configmaps.yml as mentioned, and I get this curious error:

(Usual messages about root cert location, config files, etc)
...
Your PKI is ready to go. To generate certificates for individual services see 'step help ca'.
/home/step/bootstrap/bootstrap.sh: line 61: --ssh: not found

Not sure if I'm just getting my newline escaping wrong or something; it seems like the --ssh is being interpreted by itself. Unless openssh needs to be installed on the Docker image?

I've attached a diff.
smallstep-diff.txt

tquid commented

OK, I did have issues with the line continuations, so just combined the lines. That unfortunately confirmed my hunch about the image, as we then get this error:

Initializating the CA...
Incorrect Usage: flag provided but not defined: -ssh

Interested in this as well.

tquid commented

Any movement on this at all?

Maybe the bootstrap image is not ready to manage the --ssh flag?

I see that last build was from May, so maybe the binary in that image is too old for the --ssh flag.

To support ssh in the helm chart it seems that it needs to

  • Add the "ssh enable" configuration for Helm just as @tquid proposed
  • Update the step-ca-bootstrap to support the --ssh flag

I suppose I could work around it by using the patch in this thread + building a new step-ca-bootstrap image and changing it in the bootstrapImage.repository helm chart configuration variable... but... I would prefer to wait for an official update, if it's coming!

Is the source for the bootstrap image available anywhere?

@insertjokehere The actual bootstrap image is this one:
https://github.com/smallstep/helm-charts/blob/master/docker/step-ca-bootstrap/Dockerfile

But the script executed as an entry point is here:

step ca init \
--name "{{.Values.ca.name}}" \
--dns "{{include "step-certificates.dns" .}}" \
--address "{{.Values.ca.address}}" \
--provisioner "{{.Values.ca.provisioner.name}}" \
--with-ca-url "{{include "step-certificates.url" .}}" \
--password-file "$TMP_CA_PASSWORD" \
--provisioner-password-file "$TMP_CA_PROVISIONER_PASSWORD" {{ if not .Values.ca.db.enabled }}--no-db{{ end }}

It would be possible to add an if condition to add the --ssh flag, or perhaps easier, I believe boolean flags can be passed as --ssh true or --ssh false too.
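As an added illustration, not the chart's own template, this is how a conditional --ssh flag could be wired into the bootstrap ConfigMap without breaking the shell line continuation that produced "--ssh: not found" earlier in the thread. The values key ca.ssh.enabled is assumed (it mirrors the proposal above), and the excerpt presumes the bootstrap image carries a step binary that already knows the --ssh flag.

```yaml
# values.yaml (assumed key, following the proposal in this thread)
ca:
  ssh:
    enabled: true
---
# templates/configmaps.yaml, bootstrap script entry (illustrative excerpt, not the chart's file).
# Both conditionals stay on the same physical line as the last continued argument:
# a flag that lands on its own line once the backslash continuation has ended is
# executed by sh as a separate command, which is exactly what "--ssh: not found" means.
data:
  bootstrap.sh: |
    step ca init \
      --name "{{ .Values.ca.name }}" \
      --dns "{{ include "step-certificates.dns" . }}" \
      --address "{{ .Values.ca.address }}" \
      --provisioner "{{ .Values.ca.provisioner.name }}" \
      --with-ca-url "{{ include "step-certificates.url" . }}" \
      --password-file "$TMP_CA_PASSWORD" \
      --provisioner-password-file "$TMP_CA_PROVISIONER_PASSWORD" {{ if not .Values.ca.db.enabled }}--no-db{{ end }} {{ if .Values.ca.ssh.enabled }}--ssh{{ end }}
```

With an older step binary in the bootstrap image the rendered command still fails with "flag provided but not defined: -ssh", as shown above, so the image has to be updated alongside the template.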

@tquid the chart now has an inject mode that allows you to configure all aspects of ca.json and the ability to inject all keys used by the CA.

It should now be possible to configure an SSH CA using this helm chart.

@tquid @maraino Are we able to close this issue now?

Yes, closing this now. Using step ca init --ssh --helm it is now possible to enable SSH in the chart. The bootstrap script is deprecated.