smallstep / certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
https://smallstep.com/certificates
Apache License 2.0

Feature request: Environment variables for database setup in container #1875

Open mikaelparkefelt opened 3 weeks ago

mikaelparkefelt commented 3 weeks ago

Discussed in https://github.com/smallstep/certificates/discussions/1428

Originally posted by **btrepp** June 11, 2023

Hi there, First off, this tool is amazing, an ACME provider that I can easily manage private certificates with; it's a great missing piece for hobby labs! I've been integrating it with my k8s setup, and made some of the manifests/kustomizations https://git.sr.ht/~btrepp/environment/tree/main/item/dist/step-ca/latest/base

One of the issues I've encountered is there doesn't seem to be an easy way to configure the docker container to use a database instead of the badger DB. My motivation to do this is that I already have some postgres bases that use rsnapshot to ensure I have backups; at the moment with a StatefulSet/PVC provisioner it works okay, but it's fairly easy to 'remove' your pvc and potentially lose your data :). It would be great if the docker container could be pointed to databases as env vars (I've tried to look at the entry point, and it doesn't look like this is supported yet). That way it's easy to keep the data backed up if needed, plus also easy to run the step-ca as a deployment that could scale, and leave postgres as a stateful set for persistence.
mikaelparkefelt commented 3 weeks ago

Last comment in the discussion: And, you're welcome to open a feature request issue on this repo for this, if it's something you'd like us to consider adding.

jdoss commented 2 weeks ago

Hey @mikaelparkefelt thanks for opening this feature request. We can look into adding features to the step-ca container entrypoint to configure the CA to use PostgreSQL, but in the meantime, I actually configure my step-ca container after the initial setup with this bash snippet from my automation scripts.

It should be a stopgap for users that want to automate launching step-ca with PostgreSQL support. You will need jq and sponge for it to work. I bootstrap my step-ca container and let it configure itself with BadgerDB and then I set it up to use PostgreSQL after the fact. You will want to adjust the if statements below to fit your needs and change ${SELFHOST_APP_DATA_DIR}/stepca/config/ca.json to the path to the ca.json file after it has been created.

You need to restart the step-ca container once the ca.json is adjusted to use PostgreSQL. It should be safe to remove the BadgerDB directory after everything has been set up to use PostgreSQL. I have those lines commented out in my example below.

Please note that this creates a fresh database in PostgreSQL and there is no path to import your existing BadgerDB currently.

```bash
# Update ${SELFHOST_APP_DATA_DIR}/stepca/config/ca.json to use PostgreSQL
if [ "${STEPCA_DATABASE}" = "postgres" ]; then
  # Read the db backend currently configured in ca.json (badgerv2 after a fresh `step ca init`)
  CURRENT_STEPCA_DB_TYPE=$(jq -r .db.type < "${SELFHOST_APP_DATA_DIR}/stepca/config/ca.json")
  # Only rewrite the db section once, so re-running the script leaves an already converted config alone
  if [ "${CURRENT_STEPCA_DB_TYPE}" != "postgresql" ]; then
    # Pass the credentials as jq variables (quoted, so empty or space-containing values do not break the command)
    jq -r --arg STEPCA_POSTGRES_USER "${STEPCA_POSTGRES_USER}" \
        --arg STEPCA_POSTGRES_PASSWORD "${STEPCA_POSTGRES_PASSWORD}" \
        --arg STEPCA_POSTGRES_HOST "${STEPCA_POSTGRES_HOST}" \
        --arg STEPCA_POSTGRES_PORT "${STEPCA_POSTGRES_PORT}" \
      '.db = {"type": "postgresql", "dataSource": "postgresql://\($STEPCA_POSTGRES_USER):\($STEPCA_POSTGRES_PASSWORD)@\($STEPCA_POSTGRES_HOST):\($STEPCA_POSTGRES_PORT)/", "database": "stepca"}' \
      < "${SELFHOST_APP_DATA_DIR}/stepca/config/ca.json" \
      | sponge "${SELFHOST_APP_DATA_DIR}/stepca/config/ca.json"
    # Restart the CA so it picks up the new db section, then drop the old BadgerDB directory
    # podman restart ${SELFHOST_APP_NAME}-app
    # rm -rf ${SELFHOST_APP_DATA_DIR}/stepca/db
  fi
fi
```
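A Python equivalent of the ca.json rewrite above, added here as an example and not code from the thread or from the smallstep project: it builds the same db block, but percent-encodes the credentials so a password containing '@', ':' or '/' cannot corrupt the connection URL, and writes ca.json atomically with 0600 permissions because the file now carries the database password. The STEPCA_POSTGRES_* variable names and the stepca database name are assumed from the snippet above.

```python
"""Point a step-ca ca.json at PostgreSQL (added example; assumes the
STEPCA_POSTGRES_* environment variables used in the snippet above)."""
import json
import os
import tempfile
from urllib.parse import quote


def postgres_db_section(user, password, host, port, database="stepca"):
    """Build the ca.json db block; quote(..., safe='') percent-encodes '@', ':'
    and '/' so an unusual password cannot break the connection URL."""
    dsn = f"postgresql://{quote(user, safe='')}:{quote(password, safe='')}@{host}:{port}/"
    return {"type": "postgresql", "dataSource": dsn, "database": database}


def configure_postgres(config, user, password, host, port, database="stepca"):
    """Return (new_config, changed). Idempotent: a config already on
    postgresql comes back unchanged, like the jq snippet's type check."""
    if config.get("db", {}).get("type") == "postgresql":
        return config, False
    updated = dict(config)  # shallow copy; only the db key is replaced
    updated["db"] = postgres_db_section(user, password, host, port, database)
    return updated, True


def rewrite_ca_json(path):
    """Apply configure_postgres() to ca.json on disk using STEPCA_POSTGRES_*.
    Returns True if the file changed; restart step-ca afterwards."""
    with open(path) as f:
        config = json.load(f)
    updated, changed = configure_postgres(
        config,
        os.environ["STEPCA_POSTGRES_USER"],
        os.environ["STEPCA_POSTGRES_PASSWORD"],
        os.environ["STEPCA_POSTGRES_HOST"],
        os.environ.get("STEPCA_POSTGRES_PORT", "5432"),
    )
    if not changed:
        return False
    # Temp file in the same directory, then rename over the original, so the
    # CA never sees a half-written ca.json (the role sponge plays in the shell version).
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".ca.json.")
    with os.fdopen(fd, "w") as f:
        json.dump(updated, f, indent=2)
        f.write("\n")
    os.chmod(tmp, 0o600)  # the file now holds the database password
    os.replace(tmp, path)
    return True
```

As with the jq version, this creates a fresh PostgreSQL database configuration; it does not migrate any data out of BadgerDB.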
mikaelparkefelt commented 2 weeks ago

@jdoss Hi,

Thanks for your response. I'm using Ansible to automate the init step and configuration of Step-CA.

I have figured out that I can run step ca init <arguments> first and change the configuration to connect to the PostgreSQL DB. Then I run a set of commands to recreate all provisioners with customization to recreate the init things that were not added to the database in the initial configuration.

It works but it is not very easy to understand and maintain.

So the feature is very important to me, that there is an initial configuration that will use any of the supported databases.

Then the next problem I have had is that you use the same password everywhere and there needs to be a command to change them in an easy way. For Providers it is not very simple and the instructions have a lot of steps; there should be only one command that will change the password for them.

Please tell me how to automate the change of password for the providers?